Big changeset that includes the work around keytab management.

Following the changelog history from my dev tree, some comments are useful imo

------------------------------------------------------

user:        Simo Sorce <ssorce@redhat.com>
date:        Fri Dec 21 03:05:36 2007 -0500
files:       ipa-server/ipa-slapi-plugins/ipa-pwd-extop/test-get-keytab.c
description:
Remove remnants of the initial test tool

changeset:   563:4fe574b7bdf1
user:        Simo Sorce <ssorce@redhat.com>
date:        Fri Dec 21 02:58:37 2007 -0500
files:       ipa-server/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c
description:
Maybe actually encrypting the keys will help :-)

changeset:   562:488ded41242a
user:        Simo Sorce <ssorce@redhat.com>
date:        Thu Dec 20 23:53:50 2007 -0500
files:       ipa-server/ipa-install/share/Makefile.am ipa-server/ipa-install/share/default-aci.ldif
description:
Fixes

changeset:   561:4518f6f5ecaf
user:        Simo Sorce <ssorce@redhat.com>
date:        Thu Dec 20 23:53:32 2007 -0500
files:       ipa-admintools/Makefile ipa-admintools/ipa-addservice
description:
transform the old ipa-getkeytab in a tool to add services as the new
ipa-getkeytab won't do it (and IMO it makes more sense to keep the
two functions separate anyway).

changeset:   559:25a7f8ee973d
user:        Simo Sorce <ssorce@redhat.com>
date:        Thu Dec 20 23:48:59 2007 -0500
files:       ipa-server/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c
description:
Bugfixes

changeset:   558:28fcabe4aeba
user:        Simo Sorce <ssorce@redhat.com>
date:        Thu Dec 20 23:48:29 2007 -0500
files:       ipa-client/configure.ac ipa-client/ipa-client.spec ipa-client/ipa-client.spec.in ipa-client/ipa-getkeytab.c
description:
Configure fixes
Add ipa-getkeytab to spec
Client fixes

changeset:   557:e92a4ffdcda4
user:        Simo Sorce <ssorce@redhat.com>
date:        Thu Dec 20 20:57:10 2007 -0500
files:       ipa-client/Makefile.am ipa-client/configure.ac
description:
Try to make ipa-getkeytab build via autotools

changeset:   556:224894175d6b
user:        Simo Sorce <ssorce@redhat.com>
date:        Thu Dec 20 20:35:56 2007 -0500
files:       ipa-admintools/ipa-getkeytab ipa-client/ipa-getkeytab.c
description:
Messed a bit with hg commands.
To make it short:
- Remove the python ipa-getkeytab program
- Rename the keytab plugin test program to ipa-getkeytab
- Put the program in ipa-client as it should be distributed with the client
  tools

changeset:   555:5e1a068f2e90
user:        Simo Sorce <ssorce@redhat.com>
date:        Thu Dec 20 20:20:40 2007 -0500
files:       ipa-server/ipa-slapi-plugins/ipa-pwd-extop/test-get-keytab.c
description:
Polish the client program

changeset:   554:0a5b19a167cf
user:        Simo Sorce <ssorce@redhat.com>
date:        Thu Dec 20 18:53:49 2007 -0500
files:       ipa-server/ipa-install/share/default-aci.ldif ipa-server/ipa-install/share/default-keytypes.ldif ipa-server/ipa-install/share/kdc.conf.template ipa-server/ipa-install/share/kerberos.ldif ipa-server/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c ipa-server/ipa-slapi-plugins/ipa-pwd-extop/test-get-keytab.c ipa-server/ipaserver/krbinstance.py
description:
Support retrieving enctypes from LDAP
Filter enctypes
Update test program

changeset:   553:f75d7886cb91
user:        Simo Sorce <ssorce@redhat.com>
date:        Thu Dec 20 00:17:40 2007 -0500
files:       ipa-server/ipa-slapi-plugins/ipa-pwd-extop/test-get-keytab.c
description:
Fix ber generation and remove redundant keys

changeset:   552:0769cafe6dcd
user:        Simo Sorce <ssorce@redhat.com>
date:        Wed Dec 19 19:31:37 2007 -0500
files:       ipa-server/ipa-slapi-plugins/ipa-pwd-extop/test-get-keytab.c
description:
Avoid stupid segfault

changeset:   551:1acd5fdb5788
user:        Simo Sorce <ssorce@redhat.com>
date:        Wed Dec 19 18:39:12 2007 -0500
files:       ipa-server/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c
description:
If ber_peek_tag() returns LBER_ERROR it may just be that we are at the
end of the buffer. Unfortunately ber_scanf is broken in the sense that
it doesn't actually really consider sequence endings (due probably to the fact
they are just representation and do not reflect in the underlieing DER
encoding.)

changeset:   550:e974fb2726a4
user:        Simo Sorce <ssorce@redhat.com>
date:        Wed Dec 19 18:35:07 2007 -0500
files:       ipa-server/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c ipa-server/ipa-slapi-plugins/ipa-pwd-extop/test-get-keytab.c
description:
First shot at the new method

1 files changed, 495 insertions, 0 deletions

diff --git a/ipa-client/ipa-getkeytab.c b/ipa-client/ipa-getkeytab.c
new file mode 100644
index 000000000..c032aa1dd
--- /dev/null
+++ b/ipa-client/ipa-getkeytab.c
@@ -0,0 +1,495 @@
+/* (C) Simo Sorce */
+#define _GNU_SOURCE
+
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+#include <sys/time.h>
+#include <unistd.h>
+#include <stdio.h>
+#include <stdarg.h>
+#include <stdlib.h>
+#include <string.h>
+#include <errno.h>
+#include <time.h>
+#include <krb5.h>
+#include <ldap.h>
+#include <sasl/sasl.h>
+#include <popt.h>
+
+static int ldap_sasl_interact(LDAP *ld, unsigned flags, void *priv_data, void *sit)
+{
+	sasl_interact_t *in = NULL;
+	int ret = LDAP_OTHER;
+	krb5_principal princ = (krb5_principal)priv_data;
+
+	if (!ld) return LDAP_PARAM_ERROR;
+
+	for (in = sit; in && in->id != SASL_CB_LIST_END; in++) {
+		switch(in->id) {
+		case SASL_CB_USER:
+			in->result = princ->data[0].data;
+			in->len = princ->data[0].length;
+			ret = LDAP_SUCCESS;
+			break;
+		case SASL_CB_GETREALM:
+			in->result = princ->realm.data;
+			in->len = princ->realm.length;
+			ret = LDAP_SUCCESS;
+			break;
+		default:
+			in->result = NULL;
+			in->len = 0;
+			ret = LDAP_OTHER;
+		}
+	}
+        return ret;
+}
+
+#define KEYTAB_SET_OID "2.16.840.1.113730.3.8.3.1"
+#define KEYTAB_RET_OID "2.16.840.1.113730.3.8.3.2"
+
+static void free_keys(krb5_context krbctx, krb5_keyblock *keys, int num_keys)
+{
+	int i;
+
+	for (i = 0; i < num_keys; i++) {
+		krb5_free_keyblock_contents(krbctx, &keys[i]);
+	}
+	free(keys);
+}
+
+static int create_keys(krb5_context krbctx, krb5_keyblock **keys)
+{
+	krb5_error_code krberr;
+	krb5_enctype *ktypes;
+	krb5_keyblock *key;
+	int i, j, k, max_keys;
+
+	krberr = krb5_get_permitted_enctypes(krbctx, &ktypes);
+	if (krberr) {
+		fprintf(stderr, "No preferred enctypes ?!\n");
+		return 0;
+	}
+
+	for (i = 0; ktypes[i]; i++) /* count max encodings */ ;
+	max_keys = i;
+	if (!max_keys) {
+		krb5_free_ktypes(krbctx, ktypes);
+		fprintf(stderr, "No preferred enctypes ?!\n");
+		return 0;
+	}
+
+	key = calloc(max_keys, sizeof(krb5_keyblock));
+	if (!key) {
+		krb5_free_ktypes(krbctx, ktypes);
+		fprintf(stderr, "Out of Memory!\n");
+		return 0;
+	}
+
+	k = 0; /* effective number of keys */
+
+	for (i = 0; i < max_keys; i++) {
+		krb5_boolean similar;
+
+		/* Check we don't already have a key with a similar encoding,
+		 * it would just produce redundant data and this is what the
+		 * kerberos libs do anyway */
+		similar = 0;
+		for (j = 0; j < i; j++) {
+			krberr = krb5_c_enctype_compare(krbctx, ktypes[i],
+							ktypes[j], &similar);
+			if (krberr) {
+				krb5_free_ktypes(krbctx, ktypes);
+				free_keys(krbctx, key, i);
+				fprintf(stderr, "Enctype comparison failed!\n");
+				return 0;
+			}
+			if (similar) break;
+		}
+		if (similar) continue;
+
+		krberr = krb5_c_make_random_key(krbctx, ktypes[i], &key[k]);
+		if (krberr) {
+			krb5_free_ktypes(krbctx, ktypes);
+			free_keys(krbctx, key, k);
+			fprintf(stderr, "Making random key failed!\n");
+			return 0;
+		}
+		k++;
+	}
+
+	krb5_free_ktypes(krbctx, ktypes);
+
+	*keys = key;
+	return k;
+}
+
+static struct berval *create_key_control(krb5_keyblock *keys, int num_keys, const char *principalName)
+{
+	struct berval *bval;
+	BerElement *be;
+	int ret, i;
+
+	be = ber_alloc_t(LBER_USE_DER);
+	if (!be) {
+		return NULL;
+	}
+
+	ret = ber_printf(be, "{s{", principalName);
+	if (ret == -1) {
+		ber_free(be, 1);
+		return NULL;
+	}
+
+	for (i = 0; i < num_keys; i++) {
+
+		/* we set only the EncryptionKey, no salt or s2kparams */
+		ret = ber_printf(be, "{t[{t[i]t[o]}]}",
+				 (ber_tag_t)(LBER_CONSTRUCTED | LBER_CLASS_CONTEXT | 0),
+				 (ber_tag_t)(LBER_CONSTRUCTED | LBER_CLASS_CONTEXT | 0),
+				 (ber_int_t)keys[i].enctype,
+				 (ber_tag_t)(LBER_CONSTRUCTED | LBER_CLASS_CONTEXT | 1),
+				 (char *)keys[i].contents, (ber_len_t)keys[i].length);
+
+		if (ret == -1) {
+			ber_free(be, 1);
+			return NULL;
+		}
+	}
+
+	ret = ber_printf(be, "}}");
+	if (ret == -1) {
+		ber_free(be, 1);
+		return NULL;
+	}
+
+	ret = ber_flatten(be, &bval);
+	if (ret == -1) {
+		ber_free(be, 1);
+		return NULL;
+	}
+
+	ber_free(be, 1);
+	return bval;
+}
+
+int filter_keys(krb5_context krbctx, krb5_keyblock *keys, int *num_keys, ber_int_t *enctypes)
+{
+	int ret, i, j, k;
+
+	k = *num_keys;
+
+	for (i = 0; i < k; i++) {
+		for (j = 0; enctypes[j]; j++) {
+			if (keys[i].enctype == enctypes[j]) break;
+		}
+		if (enctypes[j] == 0) { /* unsupported one */
+			krb5_free_keyblock_contents(krbctx, &keys[i]);
+			/* remove unsupported one */
+			k--;
+			for (j = i; j < k; j++) {
+				keys[j] = keys[j + 1];
+			}
+			/* new key has been moved to this position, make sure
+			 * we do not skip it, by neutralizing next i increment */
+			i--;
+		}
+	}
+
+	if (k == 0) {
+		return -1;
+	}
+
+	*num_keys = k;
+	return 0;
+}
+
+static int ldap_set_keytab(const char *servername,
+			   const char *principal_name,
+			   krb5_principal princ,
+			   krb5_keyblock *keys,
+			   int num_keys,
+			   ber_int_t **enctypes)
+{
+	int version;
+	LDAP *ld = NULL;
+	BerElement *ctrl = NULL;
+	BerElement *sctrl = NULL;
+	struct berval *control = NULL;
+	char *ldap_uri = NULL;
+	struct berval **ncvals;
+	char *ldap_base = NULL;
+	char *retoid = NULL;
+	struct berval *retdata = NULL;
+	struct timeval tv;
+	LDAPMessage *entry, *res = NULL;
+	LDAPControl **srvctrl = NULL;
+	LDAPControl *pprc = NULL;
+	char *err = NULL;
+	int msgid;
+	int ret, rc;
+	int kvno, i;
+	ber_tag_t rtag;
+	struct berval bv;
+	ber_int_t *encs = NULL;
+
+	/* cant' return more than num_keys, sometimes less */
+	encs = calloc(num_keys + 1, sizeof(ber_int_t));
+	if (!encs) {
+		fprintf(stderr, "Out of Memory!\n");
+		return 0;
+	}
+
+	/* build password change control */
+	control = create_key_control(keys, num_keys, principal_name);
+	if (!control) {
+		fprintf(stderr, "Failed to create control!\n");
+		goto error_out;
+	}
+
+	/* connect to ldap server */
+	ret = asprintf(&ldap_uri, "ldap://%s:389", servername);
+	if (ret == -1) {
+		fprintf(stderr, "Unable to determine server URI!\n");
+		goto error_out;
+	}
+
+	/* TODO: support referrals ? */
+	ret = ldap_initialize(&ld, ldap_uri);
+	if(ret != LDAP_SUCCESS) {
+		fprintf(stderr, "Unable to initialize ldap library!\n");
+		goto error_out;
+	}
+
+	version = LDAP_VERSION3;
+	ret = ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION, &version);
+        if (ret != LDAP_OPT_SUCCESS) {
+		fprintf(stderr, "Unable to set ldap options!\n");
+		goto error_out;
+	}
+
+	ret = ldap_sasl_interactive_bind_s(ld,
+					   NULL, "GSSAPI",
+					   NULL, NULL,
+					   LDAP_SASL_AUTOMATIC,
+					   ldap_sasl_interact, princ);
+	if (ret != LDAP_SUCCESS) {
+		fprintf(stderr, "SASL Bind failed!\n");
+		goto error_out;
+	}
+
+	/* find base dn */
+	/* TODO: address the case where we have multiple naming contexts */
+	tv.tv_sec = 10;
+	tv.tv_usec = 0; 
+
+	/* perform password change */
+	ret = ldap_extended_operation(ld,
+					KEYTAB_SET_OID,
+					control, NULL, NULL,
+					&msgid);
+	if (ret != LDAP_SUCCESS) {
+		fprintf(stderr, "Operation failed! %s\n", ldap_err2string(ret));
+		goto error_out;
+	}
+
+	ber_bvfree(control);
+
+	tv.tv_sec = 10;
+	tv.tv_usec = 0; 
+
+	ret = ldap_result(ld, msgid, 1, &tv, &res);
+	if (ret == -1) {
+		fprintf(stderr, "Operation failed! %s\n", ldap_err2string(ret));
+		goto error_out;
+	}
+
+	ret = ldap_parse_extended_result(ld, res, &retoid, &retdata, 0);
+	if(ret != LDAP_SUCCESS) {
+		fprintf(stderr, "Operation failed! %s\n", ldap_err2string(ret));
+		goto error_out;
+	}
+	
+	ret = ldap_parse_result(ld, res, &rc, NULL, &err, NULL, &srvctrl, 0);
+        if(ret != LDAP_SUCCESS || rc != LDAP_SUCCESS) {
+		fprintf(stderr, "Operation failed! %s\n", err?err:ldap_err2string(ret));
+		goto error_out;
+        }
+
+	if (!srvctrl) {
+		fprintf(stderr, "Missing reply control!\n");
+		goto error_out;
+	}
+
+	for (i = 0; srvctrl[i]; i++) {
+		if (0 == strcmp(srvctrl[i]->ldctl_oid, KEYTAB_RET_OID)) {
+			pprc = srvctrl[i];
+		}
+	}
+	if (!pprc) {
+		fprintf(stderr, "Missing reply control!\n");
+		goto error_out;
+	}
+
+	sctrl = ber_init(&pprc->ldctl_value);
+
+	if (!sctrl) {
+		fprintf(stderr, "ber_init() failed, Invalid control ?!\n");
+		goto error_out;
+	}
+
+	/* Format of response
+	 *
+	 * KeytabGetRequest ::= SEQUENCE {
+	 * 	new_kvno	Int32
+	 * 	SEQUENCE OF	KeyTypes
+	 * }
+	 *
+	 * * List of accepted enctypes *
+	 * KeyTypes ::= SEQUENCE {
+	 * 	enctype		Int32
+	 * }
+	 */
+
+	rtag = ber_scanf(sctrl, "{i{", &kvno);
+	if (rtag == LBER_ERROR) {
+		fprintf(stderr, "ber_scanf() failed, Invalid control ?!\n");
+		goto error_out;
+	}
+
+	for (i = 0; i < num_keys; i++) {
+		ret = ber_scanf(sctrl, "{i}", &encs[i]);
+		if (ret == LBER_ERROR) break;
+	} 
+	*enctypes = encs;
+
+	if (err) ldap_memfree(err);
+	ber_free(sctrl, 1);
+	ldap_controls_free(srvctrl);
+	ldap_msgfree(res);
+	ldap_unbind_ext_s(ld, NULL, NULL);
+	free(ldap_uri);
+	return kvno;
+
+error_out:
+	if (sctrl) ber_free(sctrl, 1);
+	if (srvctrl) ldap_controls_free(srvctrl);
+	if (err) ldap_memfree(err);
+	if (res) ldap_msgfree(res);
+	if (ld) ldap_unbind_ext_s(ld, NULL, NULL);
+	if (ldap_uri) free(ldap_uri);
+	if (control) ber_bvfree(control);
+	if (encs) free(encs);
+	return 0;
+}
+
+int main(int argc, char *argv[])
+{
+	static const char *server = NULL;
+	static const char *principal = NULL;
+	static const char *keytab = NULL;
+        struct poptOption options[] = {
+                { "server", 's', POPT_ARG_STRING, &server, 0, "Contact this specific KDC Server", "Server Name" },
+                { "principal", 'p', POPT_ARG_STRING, &principal, 0, "The principal to get a keytab for (ex: ftp/ftp.example.com@EXAMPLE.COM)", "Kerberos Service Principal Name" },
+                { "keytab", 'k', POPT_ARG_STRING, &keytab, 0, "File were to store the keytab information", "Keytab File Name" },
+		{ NULL, 0, POPT_ARG_NONE, NULL, 0, NULL, NULL }
+	};
+	poptContext pc;
+	char *ktname;
+	krb5_context krbctx;
+	krb5_ccache ccache;
+	krb5_principal uprinc;
+	krb5_principal sprinc;
+	krb5_error_code krberr;
+	krb5_keyblock *keys = NULL;
+	int num_keys = 0;
+	ber_int_t *enctypes;
+	krb5_keytab kt;
+	int kvno;
+	int i, ret;
+
+	pc = poptGetContext("ipa-getkeytab", argc, (const char **)argv, options, 0);
+	ret = poptGetNextOpt(pc);
+	if (ret != -1 || !server || !principal || !keytab) {
+		poptPrintUsage(pc, stderr, 0);
+		exit(1);
+	}
+
+	ret = asprintf(&ktname, "WRFILE:%s", keytab);
+	if (ret == -1) {
+		exit(2);
+	}
+
+	krberr = krb5_init_context(&krbctx);
+	if (krberr) {
+		fprintf(stderr, "Kerberos context initialization failed\n");
+		exit(3);
+	}
+
+	krberr = krb5_parse_name(krbctx, principal, &sprinc);
+	if (krberr) {
+		fprintf(stderr, "Invalid Service Principal Name\n");
+		exit(4);
+	}
+
+	krberr = krb5_cc_default(krbctx, &ccache);
+	if (krberr) {
+		fprintf(stderr, "Kerberos Credential Cache not found\nDo you have a Kerberos Ticket?\n");
+		exit(5);
+	}
+	
+	krberr = krb5_cc_get_principal(krbctx, ccache, &uprinc);
+	if (krberr) {
+		fprintf(stderr, "Kerberos User Principal not found\nDo you have a valid Credential Cache?\n");
+		exit(6);
+	}
+
+	krberr = krb5_kt_resolve(krbctx, ktname, &kt);
+	if (krberr) {
+		fprintf(stderr, "Failed to open Keytab\n");
+		exit(7);
+	}
+
+	/* create key material */
+	num_keys = create_keys(krbctx, &keys);
+	if (!num_keys) {
+		fprintf(stderr, "Failed to create random key material\n");
+		exit(8);
+	}
+
+	kvno = ldap_set_keytab(server, principal, uprinc, keys, num_keys, &enctypes);
+	if (!kvno) {
+		exit(9);
+	}
+
+	ret = filter_keys(krbctx, keys, &num_keys, enctypes);
+	if (ret == -1) {
+		fprintf(stderr, "No keys accepted by the KDC!\n");
+		exit(10);
+	}
+
+	for (i = 0; i < num_keys; i++) {
+		krb5_keytab_entry kt_entry;
+		memset((char *)&kt_entry, 0, sizeof(kt_entry));
+		kt_entry.principal = sprinc;
+		kt_entry.key = keys[i];
+		kt_entry.vno = kvno;
+
+		krberr = krb5_kt_add_entry(krbctx, kt, &kt_entry);
+		if (krberr) {
+			fprintf(stderr, "Failed to add key to the keytab\n");
+			exit (11);
+		}
+	}
+
+	free_keys(krbctx, keys, num_keys);
+
+	krberr = krb5_kt_close(krbctx, kt);
+	if (krberr) {
+		fprintf(stderr, "Failed to close the keytab\n");
+		exit (12);
+	}
+
+	exit(0);
+}