authorSimo Sorce <simo@redhat.com>2015-12-02 15:20:42 -0500
committerMartin Basti <mbasti@redhat.com>2016-02-01 13:28:39 +0100
commite011b376a5d071492bf3adfae26e4d61e2face07 (patch)
treed4fad36a1120e1000784031226aa175d6ffa1da5 /daemons/ipa-slapi-plugins
parent4bef7577b746d8decd65c18f81b1e8fdd9cf06a7 (diff)
Improve keytab code to select the right principal.
When requesting a keytab the salt used is the NORMAL type (for backwards and AD compatibility); however, since we added alias support we need to search for the krbCanonicalName in preference when nothing is specified, and for the requested principal name when a getkeytab operation is performed. This is so that the correct salt can be applied. (Windows AD uses some peculiar aliases for some special accounts to generate the salt.) Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Diffstat (limited to 'daemons/ipa-slapi-plugins')
-rw-r--r--daemons/ipa-slapi-plugins/ipa-pwd-extop/encoding.c23
-rw-r--r--daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c3
-rw-r--r--daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd.h1
-rw-r--r--daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c2
4 files changed, 20 insertions, 9 deletions
diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/encoding.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/encoding.c
index 5ca155dcf..9c62f0560 100644
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/encoding.c
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/encoding.c
@@ -104,6 +104,7 @@ void ipapwd_keyset_free(struct ipapwd_keyset **pkset)
Slapi_Value **ipapwd_encrypt_encode_key(struct ipapwd_krbcfg *krbcfg,
struct ipapwd_data *data,
+ char *preferred_principal,
int num_encsalts,
krb5_key_salt_tuple *encsalts,
char **errMesg)
@@ -128,12 +129,20 @@ Slapi_Value **ipapwd_encrypt_encode_key(struct ipapwd_krbcfg *krbcfg,
kvno = ipapwd_get_cur_kvno(data->target);
- krbPrincipalName = slapi_entry_attr_get_charptr(data->target,
- "krbPrincipalName");
- if (!krbPrincipalName) {
- *errMesg = "no krbPrincipalName present in this entry\n";
- LOG_FATAL("%s", *errMesg);
- goto enc_error;
+ if (preferred_principal) {
+ krbPrincipalName = slapi_ch_strdup(preferred_principal);
+ } else {
+ krbPrincipalName = slapi_entry_attr_get_charptr(data->target,
+ "krbCanonicalName");
+ if (!krbPrincipalName) {
+ krbPrincipalName = slapi_entry_attr_get_charptr(data->target,
+ "krbPrincipalName");
+ }
+ if (!krbPrincipalName) {
+ *errMesg = "no krbPrincipalName present in this entry\n";
+ LOG_FATAL("%s", *errMesg);
+ goto enc_error;
+ }
}
krberr = krb5_parse_name(krbctx, krbPrincipalName, &princ);
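Review bot: When `preferred_principal` is non-NULL the salt principal is copied verbatim from the caller and nothing in this branch confirms that the name actually belongs to `data->target`; the only non-NULL caller in this patch is ipapwd_getkeytab, which resolved the target entry from that same name, so the trust is presumably sound but it is left implicit. A maintainer adding another caller could pass an unrelated name and silently produce keys salted for the wrong principal. Suggest stating the contract above the `if (preferred_principal)` branch: `/* preferred_principal, when set, must already have been resolved to data->target by the caller; it is used verbatim so the salt matches the alias the client requested (AD derives per-alias salts for some accounts). */`. The enclosing function ipapwd_encrypt_encode_key starts and ends outside this hunk.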
@@ -215,7 +224,7 @@ int ipapwd_gen_hashes(struct ipapwd_krbcfg *krbcfg,
if (is_krb) {
- *svals = ipapwd_encrypt_encode_key(krbcfg, data,
+ *svals = ipapwd_encrypt_encode_key(krbcfg, data, NULL,
krbcfg->num_pref_encsalts,
krbcfg->pref_encsalts,
errMesg);
diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c
index dc657cc4e..440e22117 100644
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c
@@ -661,6 +661,7 @@ static Slapi_Entry *get_entry_by_principal(const char *principal)
Slapi_PBlock *pb = NULL;
char *attrlist[] = { "krbPrincipalKey", "krbLastPwdChange",
"userPassword", "krbPrincipalName",
+ "krbCanonicalName",
"enrolledBy", NULL };
Slapi_Entry **es = NULL;
int res, ret, i;
@@ -1648,7 +1649,7 @@ static int ipapwd_getkeytab(Slapi_PBlock *pb, struct ipapwd_krbcfg *krbcfg)
data.target = target_entry;
data.password = password;
- svals = ipapwd_encrypt_encode_key(krbcfg, &data,
+ svals = ipapwd_encrypt_encode_key(krbcfg, &data, service_name,
kenctypes ? num_kenctypes :
krbcfg->num_pref_encsalts,
kenctypes ? kenctypes :
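Review bot: The key salt is now derived from `service_name` exactly as the client supplied it, while the entry's own krbPrincipalName/krbCanonicalName values are bypassed on this path. If `get_entry_by_principal` matches with a case-insensitive or otherwise normalizing filter, a request that differs only in case from the stored alias would yield a salt string that differs from the stored form; whether that is harmless depends on how the lookup filter is defined, which is not visible in this hunk. A cheap hardening would be to pass the matching attribute value from `target_entry` rather than the raw request string, or at minimum record the reasoning at the call: `/* salt from the alias the client asked for, not the canonical name: AD uses per-alias salts */`. ipapwd_getkeytab starts and ends outside this hunk.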
diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd.h b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd.h
index 2e9d4fe86..83c022263 100644
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd.h
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd.h
@@ -143,6 +143,7 @@ void ipapwd_keyset_free(struct ipapwd_keyset **pkset);
Slapi_Value **ipapwd_encrypt_encode_key(struct ipapwd_krbcfg *krbcfg,
struct ipapwd_data *data,
+ char *preferred_principal,
int num_encsalts,
krb5_key_salt_tuple *encsalts,
char **errMesg);
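Review bot: The new `preferred_principal` parameter is undocumented in the prototype and is not `const`, although the only use in this patch copies it read-only with slapi_ch_strdup. Suggest `const char *preferred_principal,` here and in the encoding.c definition, plus a comment before the prototype: `/* preferred_principal: if non-NULL, used verbatim as the principal for the key salt; otherwise krbCanonicalName, then krbPrincipalName, of data->target. */`. The ordering of the fallback is the behavioural change of this commit and is worth recording where callers will look for it.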
diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c
index f830e3bfe..c1fc7fe33 100644
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c
@@ -1386,7 +1386,7 @@ static int ipapwd_pre_bind(Slapi_PBlock *pb)
static const char *attrs_list[] = {
SLAPI_USERPWD_ATTR, "ipaUserAuthType", "krbprincipalkey", "uid",
"krbprincipalname", "objectclass", "passwordexpirationtime",
- "passwordhistory", "krbprincipalexpiration",
+ "passwordhistory", "krbprincipalexpiration", "krbcanonicalname",
NULL
};
struct berval *credentials = NULL;