diff -Nru msktutil-0.5/ChangeLog msktutil-0.5.1/ChangeLog --- msktutil-0.5/ChangeLog 2013-07-02 01:13:08.000000000 +0000 +++ msktutil-0.5.1/ChangeLog 2013-10-25 04:10:07.000000000 +0000 @@ -1,3 +1,20 @@ +Release 0.5.1: + +- Add --keytab-auth-as option (thanks Andrew Deason) +- Add --allow-weak-crypto switch, to support single DES (thanks Andrew + Deason and Mark Pröhl) +- If servicePrincipalName begins with "HOST/", rewrite to "host/" + (thanks Boleslaw Tokarski for the report) +- msktutil manual page fixes (thanks Andrew Deason and Mark Pröhl) +- Fix possible samAccountName corruption bug with uniniatialized + variables (thanks Jaroslaw Polok for the report) +- Adjust --precreate to match ADUC's behavior with long account names + (thanks Erik de Vries) +- Build fixes for HPUX and NetBSD +- Fix issue with private glibc function on RHEL5 (thanks Daniel Kobras) +- Incorporate hardening patches from Debian (thanks Tony Mancill) +- Delete "debian" directory (this will be maintained downstream) + Release 0.5: - New co-maintainer, Olaf Flebbe diff -Nru msktutil-0.5/autom4te.cache/output.0 msktutil-0.5.1/autom4te.cache/output.0 --- msktutil-0.5/autom4te.cache/output.0 2013-07-02 01:13:08.000000000 +0000 +++ msktutil-0.5.1/autom4te.cache/output.0 2013-10-25 04:10:25.000000000 +0000 @@ -1,6 +1,6 @@ @%:@! /bin/sh @%:@ Guess values for system-dependent variables and create Makefiles. -@%:@ Generated by GNU Autoconf 2.59 for msktutil 0.5. +@%:@ Generated by GNU Autoconf 2.59 for msktutil 0.5.1. @%:@ @%:@ Copyright (C) 2003 Free Software Foundation, Inc. @%:@ This configure script is free software; the Free Software Foundation @@ -267,8 +267,8 @@ # Identity of this package. PACKAGE_NAME='msktutil' PACKAGE_TARNAME='msktutil' -PACKAGE_VERSION='0.5' -PACKAGE_STRING='msktutil 0.5' +PACKAGE_VERSION='0.5.1' +PACKAGE_STRING='msktutil 0.5.1' PACKAGE_BUGREPORT='' # Factoring default headers for most tests. 
@@ -777,7 +777,7 @@ # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures msktutil 0.5 to adapt to many kinds of systems. +\`configure' configures msktutil 0.5.1 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... @@ -834,7 +834,7 @@ if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of msktutil 0.5:";; + short | recursive ) echo "Configuration of msktutil 0.5.1:";; esac cat <<\_ACEOF @@ -955,7 +955,7 @@ test -n "$ac_init_help" && exit 0 if $ac_init_version; then cat <<\_ACEOF -msktutil configure 0.5 +msktutil configure 0.5.1 generated by GNU Autoconf 2.59 Copyright (C) 2003 Free Software Foundation, Inc. @@ -969,7 +969,7 @@ This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by msktutil $as_me 0.5, which was +It was created by msktutil $as_me 0.5.1, which was generated by GNU Autoconf 2.59. Invocation command line was $ $0 $@ @@ -1308,8 +1308,8 @@ ac_config_headers="$ac_config_headers config.h" -PACKAGE_DATE="June 24, 2013" -PACKAGE_AUTHOR="Ken Dreyer" +PACKAGE_DATE="October 11, 2013" +PACKAGE_AUTHOR="Ken Dreyer, Mark Pröhl, Olaf Flebbe" @@ -4218,7 +4218,6 @@ fi - if test "$ac_cv_header_com_err_h"; then echo "$as_me:$LINENO: checking whether com_err.h needs extern \"C\"" >&5 echo $ECHO_N "checking whether com_err.h needs extern \"C\"... $ECHO_C" >&6; @@ -4230,6 +4229,7 @@ cat >>conftest.$ac_ext <<_ACEOF /* end confdefs.h. */ +#include #include int main(void) { @@ -4274,6 +4274,7 @@ cat >>conftest.$ac_ext <<_ACEOF /* end confdefs.h. */ +#include extern "C" { #include } 
@@ -4947,7 +4948,7 @@ } >&5 cat >&5 <<_CSEOF -This file was extended by msktutil $as_me 0.5, which was +This file was extended by msktutil $as_me 0.5.1, which was generated by GNU Autoconf 2.59. Invocation command line was CONFIG_FILES = $CONFIG_FILES @@ -5007,7 +5008,7 @@ cat >>$CONFIG_STATUS <<_ACEOF ac_cs_version="\\ -msktutil config.status 0.5 +msktutil config.status 0.5.1 configured by $0, generated by GNU Autoconf 2.59, with options \\"`echo "$ac_configure_args" | sed 's/[\\""\`\$]/\\\\&/g'`\\" diff -Nru msktutil-0.5/autom4te.cache/traces.0 msktutil-0.5.1/autom4te.cache/traces.0 --- msktutil-0.5/autom4te.cache/traces.0 2013-07-02 01:13:08.000000000 +0000 +++ msktutil-0.5.1/autom4te.cache/traces.0 2013-10-25 04:10:25.000000000 +0000 @@ -1,4 +1,4 @@ -m4trace:configure.in:4: -1- AC_INIT([msktutil], [0.5]) +m4trace:configure.in:4: -1- AC_INIT([msktutil], [0.5.1]) m4trace:configure.in:4: -1- m4_pattern_forbid([^_?A[CHUM]_]) m4trace:configure.in:4: -1- m4_pattern_forbid([_AC_]) m4trace:configure.in:4: -1- m4_pattern_forbid([^LIBOBJS$], [do not use LIBOBJS directly, use AC_LIBOBJ (see section `AC_LIBOBJ vs LIBOBJS']) 
@@ -141,28 +141,28 @@ m4trace:configure.in:193: -1- AH_OUTPUT([HAVE_LIBLBER], [/* Define to 1 if you have the `lber\' library (-llber). */ #undef HAVE_LIBLBER]) m4trace:configure.in:193: -1- AC_DEFINE_TRACE_LITERAL([HAVE_LIBLBER]) -m4trace:configure.in:218: -1- AC_DEFINE_TRACE_LITERAL([COM_ERR_NEEDS_EXTERN_C]) -m4trace:configure.in:218: -1- AH_OUTPUT([COM_ERR_NEEDS_EXTERN_C], [/* Does com_err.h need extern "C" around it? */ +m4trace:configure.in:219: -1- AC_DEFINE_TRACE_LITERAL([COM_ERR_NEEDS_EXTERN_C]) +m4trace:configure.in:219: -1- AH_OUTPUT([COM_ERR_NEEDS_EXTERN_C], [/* Does com_err.h need extern "C" around it? */ #undef COM_ERR_NEEDS_EXTERN_C]) -m4trace:configure.in:223: -1- AC_CHECK_FUNCS([vasprintf vsnprintf setenv strtoll]) -m4trace:configure.in:223: -1- AH_OUTPUT([HAVE_VASPRINTF], [/* Define to 1 if you have the `vasprintf\' function. */ +m4trace:configure.in:224: -1- AC_CHECK_FUNCS([vasprintf vsnprintf setenv strtoll]) +m4trace:configure.in:224: -1- AH_OUTPUT([HAVE_VASPRINTF], [/* Define to 1 if you have the `vasprintf\' function. */ #undef HAVE_VASPRINTF]) -m4trace:configure.in:223: -1- AH_OUTPUT([HAVE_VSNPRINTF], [/* Define to 1 if you have the `vsnprintf\' function. */ +m4trace:configure.in:224: -1- AH_OUTPUT([HAVE_VSNPRINTF], [/* Define to 1 if you have the `vsnprintf\' function. */ #undef HAVE_VSNPRINTF]) -m4trace:configure.in:223: -1- AH_OUTPUT([HAVE_SETENV], [/* Define to 1 if you have the `setenv\' function. */ +m4trace:configure.in:224: -1- AH_OUTPUT([HAVE_SETENV], [/* Define to 1 if you have the `setenv\' function. */ #undef HAVE_SETENV]) -m4trace:configure.in:223: -1- AH_OUTPUT([HAVE_STRTOLL], [/* Define to 1 if you have the `strtoll\' function. */ +m4trace:configure.in:224: -1- AH_OUTPUT([HAVE_STRTOLL], [/* Define to 1 if you have the `strtoll\' function. 
*/ #undef HAVE_STRTOLL]) -m4trace:configure.in:226: -1- AC_DEFINE_TRACE_LITERAL([HAVE_DECL_ENCTYPE_AES256_CTS_HMAC_SHA1_96]) -m4trace:configure.in:226: -1- AH_OUTPUT([HAVE_DECL_ENCTYPE_AES256_CTS_HMAC_SHA1_96], [/* Define to 1 if you have the declaration of +m4trace:configure.in:227: -1- AC_DEFINE_TRACE_LITERAL([HAVE_DECL_ENCTYPE_AES256_CTS_HMAC_SHA1_96]) +m4trace:configure.in:227: -1- AH_OUTPUT([HAVE_DECL_ENCTYPE_AES256_CTS_HMAC_SHA1_96], [/* Define to 1 if you have the declaration of `ENCTYPE_AES256_CTS_HMAC_SHA1_96\', and to 0 if you don\'t. */ #undef HAVE_DECL_ENCTYPE_AES256_CTS_HMAC_SHA1_96]) -m4trace:configure.in:226: -1- AC_DEFINE_TRACE_LITERAL([HAVE_DECL_ENCTYPE_AES256_CTS_HMAC_SHA1_96]) -m4trace:configure.in:226: -1- AC_DEFINE_TRACE_LITERAL([HAVE_DECL_ENCTYPE_AES128_CTS_HMAC_SHA1_96]) -m4trace:configure.in:226: -1- AH_OUTPUT([HAVE_DECL_ENCTYPE_AES128_CTS_HMAC_SHA1_96], [/* Define to 1 if you have the declaration of +m4trace:configure.in:227: -1- AC_DEFINE_TRACE_LITERAL([HAVE_DECL_ENCTYPE_AES256_CTS_HMAC_SHA1_96]) +m4trace:configure.in:227: -1- AC_DEFINE_TRACE_LITERAL([HAVE_DECL_ENCTYPE_AES128_CTS_HMAC_SHA1_96]) +m4trace:configure.in:227: -1- AH_OUTPUT([HAVE_DECL_ENCTYPE_AES128_CTS_HMAC_SHA1_96], [/* Define to 1 if you have the declaration of `ENCTYPE_AES128_CTS_HMAC_SHA1_96\', and to 0 if you don\'t. 
*/ #undef HAVE_DECL_ENCTYPE_AES128_CTS_HMAC_SHA1_96]) -m4trace:configure.in:226: -1- AC_DEFINE_TRACE_LITERAL([HAVE_DECL_ENCTYPE_AES128_CTS_HMAC_SHA1_96]) -m4trace:configure.in:228: -1- AC_CONFIG_FILES([Makefile]) -m4trace:configure.in:229: -1- AC_SUBST([LIB@&t@OBJS], [$ac_libobjs]) -m4trace:configure.in:229: -1- AC_SUBST([LTLIBOBJS], [$ac_ltlibobjs]) +m4trace:configure.in:227: -1- AC_DEFINE_TRACE_LITERAL([HAVE_DECL_ENCTYPE_AES128_CTS_HMAC_SHA1_96]) +m4trace:configure.in:229: -1- AC_CONFIG_FILES([Makefile]) +m4trace:configure.in:230: -1- AC_SUBST([LIB@&t@OBJS], [$ac_libobjs]) +m4trace:configure.in:230: -1- AC_SUBST([LTLIBOBJS], [$ac_ltlibobjs]) diff -Nru msktutil-0.5/configure msktutil-0.5.1/configure --- msktutil-0.5/configure 2013-07-02 01:13:08.000000000 +0000 +++ msktutil-0.5.1/configure 2013-10-25 04:10:25.000000000 +0000 @@ -1,6 +1,6 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.59 for msktutil 0.5. +# Generated by GNU Autoconf 2.59 for msktutil 0.5.1. # # Copyright (C) 2003 Free Software Foundation, Inc. # This configure script is free software; the Free Software Foundation @@ -267,8 +267,8 @@ # Identity of this package. PACKAGE_NAME='msktutil' PACKAGE_TARNAME='msktutil' -PACKAGE_VERSION='0.5' -PACKAGE_STRING='msktutil 0.5' +PACKAGE_VERSION='0.5.1' +PACKAGE_STRING='msktutil 0.5.1' PACKAGE_BUGREPORT='' # Factoring default headers for most tests. @@ -777,7 +777,7 @@ # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures msktutil 0.5 to adapt to many kinds of systems. +\`configure' configures msktutil 0.5.1 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... 
@@ -834,7 +834,7 @@ if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of msktutil 0.5:";; + short | recursive ) echo "Configuration of msktutil 0.5.1:";; esac cat <<\_ACEOF @@ -955,7 +955,7 @@ test -n "$ac_init_help" && exit 0 if $ac_init_version; then cat <<\_ACEOF -msktutil configure 0.5 +msktutil configure 0.5.1 generated by GNU Autoconf 2.59 Copyright (C) 2003 Free Software Foundation, Inc. @@ -969,7 +969,7 @@ This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by msktutil $as_me 0.5, which was +It was created by msktutil $as_me 0.5.1, which was generated by GNU Autoconf 2.59. Invocation command line was $ $0 $@ @@ -1308,8 +1308,8 @@ ac_config_headers="$ac_config_headers config.h" -PACKAGE_DATE="June 24, 2013" -PACKAGE_AUTHOR="Ken Dreyer" +PACKAGE_DATE="October 11, 2013" +PACKAGE_AUTHOR="Ken Dreyer, Mark Pröhl, Olaf Flebbe" @@ -4218,7 +4218,6 @@ fi - if test "$ac_cv_header_com_err_h"; then echo "$as_me:$LINENO: checking whether com_err.h needs extern \"C\"" >&5 echo $ECHO_N "checking whether com_err.h needs extern \"C\"... $ECHO_C" >&6; @@ -4230,6 +4229,7 @@ cat >>conftest.$ac_ext <<_ACEOF /* end confdefs.h. */ +#include #include int main(void) { @@ -4274,6 +4274,7 @@ cat >>conftest.$ac_ext <<_ACEOF /* end confdefs.h. */ +#include extern "C" { #include } @@ -4947,7 +4948,7 @@ } >&5 cat >&5 <<_CSEOF -This file was extended by msktutil $as_me 0.5, which was +This file was extended by msktutil $as_me 0.5.1, which was generated by GNU Autoconf 2.59. Invocation command line was CONFIG_FILES = $CONFIG_FILES 
@@ -5007,7 +5008,7 @@ cat >>$CONFIG_STATUS <<_ACEOF ac_cs_version="\\ -msktutil config.status 0.5 +msktutil config.status 0.5.1 configured by $0, generated by GNU Autoconf 2.59, with options \\"`echo "$ac_configure_args" | sed 's/[\\""\`\$]/\\\\&/g'`\\" diff -Nru msktutil-0.5/configure.in msktutil-0.5.1/configure.in --- msktutil-0.5/configure.in 2013-07-02 01:13:08.000000000 +0000 +++ msktutil-0.5.1/configure.in 2013-10-25 04:10:08.000000000 +0000 @@ -1,11 +1,11 @@ # Process this file with autoconf to produce a configure script. AC_PREREQ(2.53) -AC_INIT(msktutil, 0.5) +AC_INIT(msktutil, 0.5.1) AC_CONFIG_HEADER([config.h]) -PACKAGE_DATE="June 24, 2013" -PACKAGE_AUTHOR="Ken Dreyer" +PACKAGE_DATE="October 11, 2013" +PACKAGE_AUTHOR="Ken Dreyer, Mark Pröhl, Olaf Flebbe" AC_SUBST(PACKAGE_DATE) AC_SUBST(PACKAGE_AUTHOR) @@ -192,11 +192,11 @@ # AC_CHECK_LIB([lber], [ber_alloc], , [AC_MSG_WARN([liblber not found])]) - if test "$ac_cv_header_com_err_h"; then AC_MSG_CHECKING([whether com_err.h needs extern "C"]); AC_LINK_IFELSE([AC_LANG_SOURCE([ +#include #include int main(void) { @@ -205,6 +205,7 @@ ])], [AC_MSG_RESULT(no); com_err_needs_extern_c=no], [ AC_LINK_IFELSE([AC_LANG_SOURCE([ +#include extern "C" { #include } diff -Nru msktutil-0.5/debian/changelog msktutil-0.5.1/debian/changelog --- msktutil-0.5/debian/changelog 2013-08-11 23:39:19.000000000 +0000 +++ msktutil-0.5.1/debian/changelog 2013-12-08 01:46:57.000000000 +0000 @@ -1,3 +1,12 @@ +msktutil (0.5.1-1) unstable; urgency=low + + * New upstream release + - Remove hardening patches incorporated upstream. + * Bumps Standards-Version to 3.9.5 (no changes) + * Update manpage (Closes: #731139) + + -- tony mancill Sat, 07 Dec 2013 16:57:13 -0800 + msktutil (0.5-1) unstable; urgency=low * New upstream release. diff -Nru msktutil-0.5/debian/control msktutil-0.5.1/debian/control --- msktutil-0.5/debian/control 2013-08-11 23:39:19.000000000 +0000 +++ msktutil-0.5.1/debian/control 2013-12-08 01:46:57.000000000 +0000 
@@ -5,7 +5,7 @@ Maintainer: tony mancill Uploaders: Jurjen Bokma Build-Depends: debhelper (>= 9), libldap2-dev, libkrb5-dev, libsasl2-dev, autoconf -Standards-Version: 3.9.4 +Standards-Version: 3.9.5 Vcs-Git: git://anonscm.debian.org/collab-maint/pkg-msktutil.git Vcs-Browser: http://anonscm.debian.org/gitweb/?p=collab-maint/pkg-msktutil.git diff -Nru msktutil-0.5/debian/cron-daily.sh msktutil-0.5.1/debian/cron-daily.sh --- msktutil-0.5/debian/cron-daily.sh 2013-08-11 23:39:19.000000000 +0000 +++ msktutil-0.5.1/debian/cron-daily.sh 1970-01-01 00:00:00.000000000 +0000 @@ -1,13 +0,0 @@ -#!/bin/sh - -test -x /usr/sbin/msktutil || exit 0 - -# These options are overridden in /etc/default/msktutil. -# Edit there, not here. -AUTOUPDATE_ENABLED="false" -AUTOUPDATE_OPTIONS="" - -[ -r /etc/default/msktutil ] && . /etc/default/msktutil - -[ "$AUTOUPDATE_ENABLED" = "true" ] || exit 0 -exec /usr/sbin/msktutil --auto-update $AUTOUPDATE_OPTIONS diff -Nru msktutil-0.5/debian/patches/Makefile.in.patch msktutil-0.5.1/debian/patches/Makefile.in.patch --- msktutil-0.5/debian/patches/Makefile.in.patch 1970-01-01 00:00:00.000000000 +0000 +++ msktutil-0.5.1/debian/patches/Makefile.in.patch 2013-12-08 01:46:57.000000000 +0000 @@ -0,0 +1,11 @@ +--- a/Makefile.in ++++ b/Makefile.in +@@ -36,7 +36,7 @@ + clean : + @$(RM) $(PROG) $(objects) + distclean: clean +- @$(RM) Makefile config.h config.log config.cache config.status autom4te.cache config.h~ config.h.in~ ++ @$(RM) Makefile config.h config.log config.cache config.status config.h~ config.h.in~ + + install: all + @$(MKDIR) -p $(DESTDIR)$(sbindir) diff -Nru msktutil-0.5/debian/patches/fix_AC_LANG_SOURCE_in_configure_dot_in msktutil-0.5.1/debian/patches/fix_AC_LANG_SOURCE_in_configure_dot_in --- msktutil-0.5/debian/patches/fix_AC_LANG_SOURCE_in_configure_dot_in 2013-08-11 23:39:19.000000000 +0000 +++ msktutil-0.5.1/debian/patches/fix_AC_LANG_SOURCE_in_configure_dot_in 2013-12-08 01:46:57.000000000 +0000 
@@ -6,5 +6,5 @@ AC_CHECK_LIB([lber], [ber_alloc], , [AC_MSG_WARN([liblber not found])]) +AC_CHECK_LIB([com_err], [error_message], , [AC_MSG_ERROR([libcom_err not found])]) - if test "$ac_cv_header_com_err_h"; then + AC_MSG_CHECKING([whether com_err.h needs extern "C"]); diff -Nru msktutil-0.5/debian/patches/replace_manpage_template.patch msktutil-0.5.1/debian/patches/replace_manpage_template.patch --- msktutil-0.5/debian/patches/replace_manpage_template.patch 1970-01-01 00:00:00.000000000 +0000 +++ msktutil-0.5.1/debian/patches/replace_manpage_template.patch 2013-12-08 01:46:57.000000000 +0000 
@@ -0,0 +1,186 @@ +--- a/msktutil.M ++++ b/msktutil.M +@@ -1,20 +1,20 @@ +-.TH REPLACE_PROGNAME 1 REPLACE_VERSION ++.TH msktutil 1 0.5.1 + .SH NAME +-REPLACE_PROGNAME \- fetches and manages kerberos keytabs in an Active Directory environment ++msktutil \- fetches and manages kerberos keytabs in an Active Directory environment + .SH SYNOPSIS +-.B REPLACE_PROGNAME ++.B msktutil + [command 1] [command 2] [command 3] ... + .SH DESCRIPTION +-REPLACE_PROGNAME is a Unix/Linux keytab client for Microsoft Active Directory environments. This program is ++msktutil is a Unix/Linux keytab client for Microsoft Active Directory environments. This program is + capable of creating accounts in Active Directory, adding service principals to those accounts, and + creating local keytab files so that kerberizied services can utilize Active directory as a Kerberos realm. +-REPLACE_PROGNAME will create and manage machine accounts by default. The --use-service-account option +-lets REPLACE_PROGNAME operate on service accounts. REPLACE_PROGNAME requires that the Kerberos client ++msktutil will create and manage machine accounts by default. The --use-service-account option ++lets msktutil operate on service accounts. msktutil requires that the Kerberos client + libraries are properly installed and configured to use Active Directory as a realm. + .PP + Whenever a principal is added or a keytab is updated, the secret password for the corresponding + account is changed. By default, the password is not stored, so it needs to be reset each time +-REPLACE_PROGNAME is executed. All entries in the keytab will be automatically updated whenever the ++msktutil is executed. All entries in the keytab will be automatically updated whenever the + password is reset. The previous entries will be left in the keytab, so sessions using the older key + versions will not break. This behavior is similar to the way Windows hosts handle machine password + changes. 
+@@ -25,18 +25,18 @@ + invoke the program with such credentials, you can create a new computer account or service account + from scratch. + .PP +-The second is to pre-create the accounts with such credentials, and then invoke REPLACE_PROGNAME on ++The second is to pre-create the accounts with such credentials, and then invoke msktutil on + a machine without any special permissions. When the computer account or service account exists already, +-REPLACE_PROGNAME will attempt to authenticate as that account using either the existing keytab, or ++msktutil will attempt to authenticate as that account using either the existing keytab, or + if that fails, a default password. When that default password is not specified with the option +---old-account-password, REPLACE_PROGNAME will use the default machine password. It will then change ++--old-account-password, msktutil will use the default machine password. It will then change + the password and update the keytab appropriately. This is usually the more convenient option when joining + many computers to the domain. + .PP + To pre-create a computer account, you may use the Active Directory Users and Computers GUI, select + "new computer" from the right click menu, and type the short DNS name, then right click on the newly + created object and select "Reset account" to set the password to the default value. Another +-alternative is to invoke REPLACE_PROGNAME with the --precreate argument. Both methods accomplish the ++alternative is to invoke msktutil with the --precreate argument. Both methods accomplish the + same thing. + .PP + To pre-create a service account, you may use the Active Directory Users and Computers GUI, select +@@ -49,19 +49,19 @@ + 30 days, and thus many domains have a 90-day password expiry window, after which your keytab will + stop working. 
There are two ways to deal with this: + .PP +-a) (Preferred): Make sure you're running a daily cron job to run REPLACE_PROGNAME --auto-update, which ++a) (Preferred): Make sure you're running a daily cron job to run msktutil --auto-update, which + will change the password automatically 30 days after it was last changed and update the keytab. + .PP + b) (Not preferred): disable password expiry for the account via the --dont-expire-password option (or + otherwise setting DONT_EXPIRE_PASSWORD flag in userAccountControl in AD). + .SH PASSWORD POLICY ISSUES + .PP +-This section only applies to REPLACE_PROGNAME --use-service-account. ++This section only applies to msktutil --use-service-account. + .PP + While machine account passwords may be changed at any time, service accounts are user accounts and + your Active Directory domain may have special password policies for those user accounts. E.g., + "minimum password age" is typically set to 1 day, which means that you will have to wait for that +-time to pass until you may invoke REPLACE_PROGNAME --update --use-service-account. ++time to pass until you may invoke msktutil --update --use-service-account. + .SH OTHER NOTES + .PP + Unlike other kerberos implementations, Active Directory has only a single key for all of the +@@ -80,15 +80,15 @@ + computer account credentials). Both 'computername$' and the value of userPrincipalName are treated + as valid account names to kinit as. + .PP +-REPLACE_PROGNAME will use kerberized LDAP operations to talk to domain controllers. To obtain a LDAP service ++msktutil will use kerberized LDAP operations to talk to domain controllers. To obtain a LDAP service + ticket, the DNS service will be used to construct the domain controllers LDAP principal name. If DNS is + mis-configured, this construction may fail. To work around this issue, you may specify the fully + qualified DNS name of your domain controller with the --server option and additionally use the + --no-reverse-lookups option. 
+ .PP + Samba (www.samba.org) provides the net command that can be used to manage kerberos keytabs as +-well. Using REPLACE_PROGNAME and commands like "net ads join" or "net ads keytab" together can lead to +-trouble. With the --set-samba-secret option, REPLACE_PROGNAME can be used as a replacement for net. ++well. Using msktutil and commands like "net ads join" or "net ads keytab" together can lead to ++trouble. With the --set-samba-secret option, msktutil can be used as a replacement for net. + .PP + Active Directory includes authorization data (e.g. information about group memberships) in Kerberos tickets. + This information is called PAC and may lead to very large ticket sizes. Especially HTTP services are +@@ -153,7 +153,7 @@ + .TP + --old-account-password + Use supplied account password for authentication. This is useful if the keytab does not yet exist +-but the password of the computer account is known. This password will be changed by REPLACE_PROGNAME in order ++but the password of the computer account is known. This password will be changed by msktutil in order + to create or update the keytab + .TP + -h, --hostname +@@ -170,8 +170,8 @@ + account password. Default: /etc/krb5.keytab + --keytab-auth-as + Specifies which principal name we should try to use, when we authenticate from a keytab. Normally, +-REPLACE_PROGNAME will try to use the account name or the host principal for the current host. If +-this option is specified, instead REPLACE_PROGNAME will try to use the given principal name first, ++msktutil will try to use the account name or the host principal for the current host. If ++this option is specified, instead msktutil will try to use the given principal name first, + and only fall back to the default behavior if we fail to authenticate with the given name. 
This + option can be useful if you do not know the current password for the relevant account, do not have + a keytab with the account principal, but you do have a keytab with a service principal associated +@@ -293,14 +293,14 @@ + For unprivileged users the most common invocations are: + .PP + .nf +-REPLACE_PROGNAME --update --service host --service HTTP ++msktutil --update --service host --service HTTP + .fi + .PP + This will update a computer account in Active Directory with a new password, write out a new keytab, + and ensure that it has both "host" and "HTTP" service principals are on it for the hostname. + .PP + .nf +-REPLACE_PROGNAME --auto-update ++msktutil --auto-update + .fi + .PP + This is useful in a daily cron job to check and rotate the password automatically when it's 30 days +@@ -310,30 +310,30 @@ + For users with admin privileges in AD, some common uses: + .PP + .nf +-REPLACE_PROGNAME --create --service host --service HTTP ++msktutil --create --service host --service HTTP + .fi + .PP + This will create a computer account in Active Directory with a new password, write out a new keytab, + and ensure that it has both "host" and "HTTP" service principals are on it for the hostname. + .PP + .nf +-REPLACE_PROGNAME --precreate --host computer1.example.com ++msktutil --precreate --host computer1.example.com + .fi + .PP + This will pre-create an account for computer1 with the default password using your credentials. This + can be done on a central host, e.g. to script the addition of many hosts. You can then use +-REPLACE_PROGNAME --create on the hosts themselves (without special credentials) to join them to the ++msktutil --create on the hosts themselves (without special credentials) to join them to the + domain. 
+ .PP + .nf +-REPLACE_PROGNAME --host afs --service afs --enctypes 0x03 ++msktutil --host afs --service afs --enctypes 0x03 + .fi + .PP + This will create an afs/cell.name@REALM principal, and associate that principal with a computer + account called 'afs'. The principal will be marked as DES-only, which is required for AFS. + .PP + .nf +-REPLACE_PROGNAME --create --use-service-account --service HTTP/hostname.example.com --keytab /etc/apache/krb5.keytab --accountname srv-http --no-pac ++msktutil --create --use-service-account --service HTTP/hostname.example.com --keytab /etc/apache/krb5.keytab --accountname srv-http --no-pac + .fi + .PP + This will create an HTTP/hostname.example.com@REALM principal, and associate that principal with a service +@@ -341,7 +341,7 @@ + The size of Kerberos tickets for that service will stay small because no PAC information will be included. + .PP + .nf +-REPLACE_PROGNAME --create --service host/hostname --service host/hostname.example.com --set-samba-secret --enctypes 0x4 ++msktutil --create --service host/hostname --service host/hostname.example.com --set-samba-secret --enctypes 0x4 + .fi + .PP + This will create a computer account in Active Directory that is compatible with Samba. The command creates +@@ -351,4 +351,7 @@ + As Samba (version 3) only supports arcfour-encrypted Kerberos tickets the --enctypes option must be used + to select only that encryption type. + .SH AUTHOR +-REPLACE_AUTHOR ++ (C) 2004-2006 Dan Perry ++ (C) 2006 Brian Elliott Finley (finley@anl.gov) ++ (C) 2009-2010 Doug Engert (deengert@anl.gov) ++ (C) 2010 James Knight diff -Nru msktutil-0.5/debian/patches/series msktutil-0.5.1/debian/patches/series --- msktutil-0.5/debian/patches/series 2013-08-11 23:39:19.000000000 +0000 +++ msktutil-0.5.1/debian/patches/series 2013-12-08 01:46:57.000000000 +0000 
@@ -1,3 +1,5 @@ +replace_manpage_template.patch +Makefile.in.patch fix_AC_LANG_SOURCE_in_configure_dot_in -build_hardening_01 -no_format_arguments +#build_hardening_01 +#no_format_arguments diff -Nru msktutil-0.5/debian/rules msktutil-0.5.1/debian/rules --- msktutil-0.5/debian/rules 2013-08-11 23:39:19.000000000 +0000 +++ msktutil-0.5.1/debian/rules 2013-12-08 01:46:57.000000000 +0000 @@ -20,5 +20,5 @@ dh_installman msktutil.M override_dh_clean: - rm -f ./configure - dh_clean + #rm -f ./configure + dh_clean -Xautom4te.cache diff -Nru msktutil-0.5/msktconf.cpp msktutil-0.5.1/msktconf.cpp --- msktutil-0.5/msktconf.cpp 2013-07-02 01:13:08.000000000 +0000 +++ msktutil-0.5.1/msktconf.cpp 2013-10-25 04:10:07.000000000 +0000 @@ -30,6 +30,43 @@ #include +std::string create_default_machine_password(const std::string &samaccountname) +{ + std::string machine_password(samaccountname); + + /* Default machine password after 'reset account' is created with the + * following algorithm: + * + * 1) Remove trailing $ from sAMAcountName + * 2) Truncate to first 14 characters + * 3) Convert all characters to lowercase + * + */ + + // Remove trailing '$' + if ( machine_password[machine_password.size() - 1] == '$' ) + { + machine_password.resize(machine_password.size() - 1); + } + + // Truncate to first 14 characters + if ( machine_password.size() > MAX_DEF_MACH_PASS_LEN ) + { + machine_password.resize(MAX_DEF_MACH_PASS_LEN); + } + + // Convert all characters to lowercase + for ( size_t i = 0; i < machine_password.size(); i++ ) + { + machine_password[i] = std::tolower(machine_password[i]); + } + + VERBOSE("Default machine password for %s is %s", samaccountname.c_str(), machine_password.c_str()); + + return machine_password; +} + + /* Filenames to delete on exit (temporary config / ccaches) */ static std::string g_config_filename; static std::string g_ccache_filename; 
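Review bot: `create_default_machine_password` in the new msktconf.cpp hunk evaluates `machine_password[machine_password.size() - 1]` before checking that the name is non-empty, so an empty samAccountName indexes at a wrapped-around `size() - 1`; add `if (machine_password.empty()) return machine_password;` ahead of the trailing-'$' strip. The lowercase loop passes a plain `char` to `std::tolower`, which is undefined for bytes above 0x7F where `char` is signed, so write `machine_password[i] = std::tolower(static_cast<unsigned char>(machine_password[i]));`. `std::tolower` is also locale-dependent, whereas the "Reset account" algorithm the comment describes presumably lowercases ASCII only — worth confirming and stating in the comment. The VERBOSE line prints the derived password; it is a function of the public account name rather than a secret, but a one-line comment saying so would stop a later reader from treating it as a credential leak.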
@@ -57,7 +94,25 @@ << " default_realm = " << flags->realm_name << "\n" << " dns_lookup_kdc = false\n" << " udp_preference_limit = 1\n"; + + if (flags->allow_weak_crypto) { + file << " allow_weak_crypto = true\n"; + } + if (flags->enctypes == VALUE_ON) { + file << " default_tkt_enctypes ="; + if (flags->supportedEncryptionTypes & 0x1) + file << " des-cbc-crc"; + if (flags->supportedEncryptionTypes & 0x2) + file << " des-cbc-md5"; + if (flags->supportedEncryptionTypes & 0x4) + file << " arcfour-hmac-md5"; + if (flags->supportedEncryptionTypes & 0x8) + file << " aes128-cts"; + if (flags->supportedEncryptionTypes & 0x10) + file << " aes256-cts"; + file << "\n"; + } if (flags->no_reverse_lookups) file << " rdns = false\n"; @@ -128,7 +183,7 @@ switch_default_ccache(ccache_name); return true; } catch (KRB5Exception &e) { - VERBOSE(e.what()); + VERBOSE("%s", e.what()); VERBOSE("Authentication with keytab failed"); return false; } @@ -138,14 +193,14 @@ try { VERBOSE("Trying to authenticate for %s with password.", flags->samAccountName.c_str()); KRB5Principal principal(flags->samAccountName); - KRB5Creds creds(principal, /*password:*/ flags->samAccountName_nodollar); + KRB5Creds creds(principal, /*password:*/ create_default_machine_password(flags->samAccountName)); KRB5CCache ccache(ccache_name); ccache.initialize(principal); ccache.store(creds); switch_default_ccache(ccache_name); return true; } catch (KRB5Exception &e) { - VERBOSE(e.what()); + VERBOSE("%s", e.what()); VERBOSE("Authentication with password failed"); return false; } @@ -162,7 +217,7 @@ switch_default_ccache(ccache_name); return true; } catch (KRB5Exception &e) { - VERBOSE(e.what()); + VERBOSE("%s", e.what()); if (e.err() == KRB5KDC_ERR_KEY_EXP) { VERBOSE("Password needs to be changed"); flags->password_expired = true; 
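Review bot: In the `default_tkt_enctypes` block, when `flags->enctypes == VALUE_ON` but none of bits 0x1–0x10 are set in `supportedEncryptionTypes`, the hunk writes a bare `default_tkt_enctypes =` line into the generated krb5.conf, and it lists `des-cbc-crc`/`des-cbc-md5` even when `allow_weak_crypto` is off, in which case the Kerberos library is expected to discard them silently and the user gets an unexplained authentication failure. I would build the list first, skip the key when it is empty, and warn when DES bits are requested without --allow-weak-crypto, as below. The enclosing function that writes the temporary config starts and ends outside the hunk, and the bit-to-enctype mapping itself is kept as is.
```cpp
    if (flags->enctypes == VALUE_ON) {
        std::string tkt_enctypes;
        if (flags->supportedEncryptionTypes & 0x1)
            tkt_enctypes += " des-cbc-crc";
        if (flags->supportedEncryptionTypes & 0x2)
            tkt_enctypes += " des-cbc-md5";
        if (flags->supportedEncryptionTypes & 0x4)
            tkt_enctypes += " arcfour-hmac-md5";
        if (flags->supportedEncryptionTypes & 0x8)
            tkt_enctypes += " aes128-cts";
        if (flags->supportedEncryptionTypes & 0x10)
            tkt_enctypes += " aes256-cts";
        // Single DES is dropped by the Kerberos library unless allow_weak_crypto is on.
        if ((flags->supportedEncryptionTypes & 0x3) && !flags->allow_weak_crypto)
            fprintf(stderr, "Warning: DES enctypes requested without --allow-weak-crypto; they will be ignored\n");
        // Do not emit an empty key, which would leave the library with no enctype list at all.
        if (!tkt_enctypes.empty())
            file << " default_tkt_enctypes =" << tkt_enctypes << "\n";
    }
    // … unchanged: rdns / remaining krb5.conf output …
```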
@@ -186,7 +241,7 @@ switch_default_ccache(ccache_name.c_str()); return true; } catch (KRB5Exception &e) { - VERBOSE(e.what()); + VERBOSE("%s", e.what()); VERBOSE("Authentication with password failed"); return false; } @@ -201,7 +256,7 @@ return true; } catch(KRB5Exception &e) { - VERBOSE(e.what()); + VERBOSE("%s", e.what()); VERBOSE("User ticket cache was not valid."); return false; } @@ -233,6 +288,8 @@ g_ccache_filename = get_tempfile_name(".mskt_krb5_ccache"); std::string ccache_name = "FILE:" + g_ccache_filename; + if (!flags->keytab_auth_princ.empty() && try_machine_keytab_princ(flags, flags->keytab_auth_princ, ccache_name.c_str())) + return AUTH_FROM_EXPLICIT_KEYTAB; if (try_machine_keytab_princ(flags, flags->samAccountName, ccache_name.c_str())) return AUTH_FROM_SAM_KEYTAB; if (try_machine_keytab_princ(flags, host_princ, ccache_name.c_str())) diff -Nru msktutil-0.5/msktldap.cpp msktutil-0.5.1/msktldap.cpp --- msktutil-0.5/msktldap.cpp 2013-07-02 01:13:08.000000000 +0000 +++ msktutil-0.5.1/msktldap.cpp 2013-10-25 04:10:07.000000000 +0000 @@ -31,10 +31,11 @@ #include LDAPConnection::LDAPConnection(const std::string &server) : m_ldap() { + int ret = 0; #ifndef SOLARIS_LDAP_KERBEROS std::string ldap_url = "ldap://" + server; VERBOSEldap("calling ldap_initialize"); - int ret = ldap_initialize(&m_ldap, ldap_url.c_str()); + ret = ldap_initialize(&m_ldap, ldap_url.c_str()); #else VERBOSEldap("calling ldap_init"); m_ldap = ldap_init(flags->server.c_str(), LDAP_PORT); @@ -417,7 +418,7 @@ VERBOSE("DEE dn=%s old=%d new=%d\n", dn.c_str(), flags->ad_supportedEncryptionTypes, flags->supportedEncryptionTypes); - int ret = ldap_simple_set_attr(flags->ldap.get(), dn, "msDs-supportedEncryptionTypes", + ret = ldap_simple_set_attr(flags->ldap.get(), dn, "msDs-supportedEncryptionTypes", supportedEncryptionTypes); if (ret == LDAP_SUCCESS) { 
@@ -738,6 +739,10 @@
 mesg = ldap_first_entry(flags->ldap->m_ldap, mesg); std::vector vals = flags->ldap->get_all_vals(mesg, "servicePrincipalName"); for (size_t i = 0; i < vals.size(); ++i) { + // translate HOST/ to host/ + if (vals[i].compare(0, 5, "HOST/") == 0) { + vals[i].replace(0, 5, "host/"); + } flags->ad_principals.push_back(vals[i]); VERBOSE(" Found Principal: %s", vals[i].c_str()); }
diff -Nru msktutil-0.5/msktname.cpp msktutil-0.5.1/msktname.cpp
--- msktutil-0.5/msktname.cpp 2013-07-02 01:13:08.000000000 +0000
+++ msktutil-0.5.1/msktname.cpp 2013-10-25 04:10:09.000000000 +0000
@@ -31,6 +31,16 @@
 #define NS_MAXMSG 65535 #endif +/* A quirk in glibc < 2.9 makes us pick up a symbol marked GLIBC_PRIVATE + * if we use ns_get16 from libresolv, leading to a broken RPM + * that can only be installed with --nodeps. As a workaround, + * use a private version of ns_get16--it's simple enough. + */ +static unsigned int msktutil_ns_get16(const unsigned char *src) +{ + return (unsigned int) (((uint16_t)src[0] << 8) | ((uint16_t)src[1])); +} + std::string complete_hostname(const std::string &hostname) { // Ask the kerberos lib to canonicalize the hostname, and then pull it out of the principal.
@@ -127,9 +137,9 @@
 // Process DNS SRV RR // TTL Class Type Priority Weight Port Target // _kerberos._tcp.my.realm. 600 IN SRV 0 10000 88 dcserverXX.my.realm. - alldcs[j].priority = ns_get16(ns_rr_rdata(rr)); - alldcs[j].weight = ns_get16(ns_rr_rdata(rr) + NS_INT16SZ); - alldcs[j].port = ns_get16(ns_rr_rdata(rr) + 2*NS_INT16SZ); // we do not really need it... + alldcs[j].priority = msktutil_ns_get16(ns_rr_rdata(rr)); + alldcs[j].weight = msktutil_ns_get16(ns_rr_rdata(rr) + NS_INT16SZ); + alldcs[j].port = msktutil_ns_get16(ns_rr_rdata(rr) + 2*NS_INT16SZ); // we do not really need it... dn_expand(ns_msg_base(reshandle),ns_msg_base(reshandle)+ns_msg_size(reshandle), ns_rr_rdata(rr) + 3*NS_INT16SZ, alldcs[j].srvname, sizeof(char)*NS_MAXDNAME);
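Review bot: The `HOST/` rewrite uses a case-sensitive `compare`, but AD compares servicePrincipalName values case-insensitively, so a value stored as `Host/...` is kept as-is and later matched against the lowercase `host/` form that msktpass.cpp builds elsewhere in this diff; `strncasecmp(vals[i].c_str(), "host/", 5) == 0` (from `<strings.h>`) would catch every spelling before the `replace`. The comment should also say why the rewrite is needed — that AD may hand back the uppercase form while Kerberos principal names are case-sensitive — since `// translate HOST/ to host/` only restates the code. The loop is complete within the hunk; the function around it is not.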
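Review bot: The three rewritten reads still take priority, weight and port from `ns_rr_rdata(rr)` without checking that the record carries at least `3*NS_INT16SZ` bytes, so a truncated or malformed SRV answer — the DNS reply is network input — reads past the rdata; add `if (ns_rr_rdlen(rr) < 3*NS_INT16SZ) continue;` (or skip the record however the surrounding loop does) ahead of the first `msktutil_ns_get16` call. The `dn_expand` call on the next context line has the same problem in that its return value is never examined, so `srvname` may be left unset. The loop that advances `j` begins before this hunk, and the new helper added at old line 31 needs `uint16_t`, whose include is not visible here.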
@@ -198,7 +208,7 @@
 VERBOSE("Canonicalizing DC through forward/reverse lookup..."); for (i = 0; host->h_addr_list[i]; i++) { - memcpy(&(addr.sin_addr.s_addr), host->h_addr_list[i], sizeof(host->h_addr_list[i])); + memcpy(&(addr.sin_addr.s_addr), host->h_addr_list[i], host->h_length); hp = gethostbyaddr((char *) &addr.sin_addr.s_addr, sizeof(addr.sin_addr.s_addr), AF_INET); if (!hp) { fprintf(stderr, "Error: gethostbyaddr failed \n");
diff -Nru msktutil-0.5/msktpass.cpp msktutil-0.5.1/msktpass.cpp
--- msktutil-0.5/msktpass.cpp 2013-07-02 01:13:08.000000000 +0000
+++ msktutil-0.5.1/msktpass.cpp 2013-10-25 04:10:07.000000000 +0000
@@ -150,10 +150,13 @@
 KRB5Creds creds; /* Use the machine's credentials */ if (flags->auth_type == AUTH_FROM_SAM_KEYTAB || + flags->auth_type == AUTH_FROM_EXPLICIT_KEYTAB || flags->auth_type == AUTH_FROM_HOSTNAME_KEYTAB) { std::string princ_name; if (flags->auth_type == AUTH_FROM_SAM_KEYTAB) princ_name = flags->samAccountName; + else if (flags->auth_type == AUTH_FROM_EXPLICIT_KEYTAB) + princ_name = flags->keytab_auth_princ; else princ_name = "host/" + flags->hostname; VERBOSE("Try using keytab for %s to change password\n", princ_name.c_str());
@@ -166,7 +169,7 @@
 VERBOSE("Try using default password for %s to change password\n", flags->samAccountName.c_str()); KRB5Principal principal(flags->samAccountName); - KRB5Creds local_creds(principal, flags->samAccountName_nodollar, "kadmin/changepw"); + KRB5Creds local_creds(principal, create_default_machine_password(flags->samAccountName), "kadmin/changepw"); creds.move_from(local_creds); } else if ((flags->auth_type == AUTH_FROM_SUPPLIED_PASSWORD) || (flags->auth_type == AUTH_FROM_SUPPLIED_EXPIRED_PASSWORD)) {
diff -Nru msktutil-0.5/msktutil.M msktutil-0.5.1/msktutil.M
--- msktutil-0.5/msktutil.M 2013-07-02 01:13:08.000000000 +0000
+++ msktutil-0.5.1/msktutil.M 2013-10-25 04:10:07.000000000 +0000
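Review bot: Copying `host->h_length` bytes into `addr.sin_addr.s_addr` overruns the 4-byte field whenever the `hostent` is not an AF_INET entry (an AF_INET6 result carries `h_length == 16`); the old `sizeof` of a pointer was wrong as well, so the fix is right in spirit but needs a guard such as `if (host->h_addrtype != AF_INET || host->h_length != (int)sizeof(addr.sin_addr)) { fprintf(stderr, "Error: unexpected address family\n"); break; }` ahead of the `memcpy`. The lookup that fills `host` is before the hunk and may already force AF_INET; if so, a comment saying that would let the reader stop worrying here.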
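Review bot: The `auth_type` to principal mapping extended here (`AUTH_FROM_SAM_KEYTAB` to samAccountName, `AUTH_FROM_EXPLICIT_KEYTAB` to keytab_auth_princ, anything else to `host/` + hostname) now lives in this function while a parallel list of the same enum values is tested in the MODE_AUTO_UPDATE branch of msktutil.cpp further down the diff; a shared helper declared in msktutil.h, e.g. `std::string keytab_auth_principal(const msktutil_flags *flags)`, would keep the two in step when the next auth type is added. The trailing `else` silently means `AUTH_FROM_HOSTNAME_KEYTAB`; writing it as `else /* AUTH_FROM_HOSTNAME_KEYTAB */` makes the third case explicit. The surrounding function starts before this hunk.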
@@ -80,7 +80,7 @@
 computer account credentials). Both 'computername$' and the value of userPrincipalName are treated as valid account names to kinit as. .PP -msktutil will use kerberized LDAP operations to talk to domain controllers. To obtain a LDAP service +REPLACE_PROGNAME will use kerberized LDAP operations to talk to domain controllers. To obtain a LDAP service ticket, the DNS service will be used to construct the domain controllers LDAP principal name. If DNS is mis-configured, this construction may fail. To work around this issue, you may specify the fully qualified DNS name of your domain controller with the --server option and additionally use the
@@ -153,7 +153,7 @@
 .TP --old-account-password Use supplied account password for authentication. This is useful if the keytab does not yet exist -but the password of the computer account is known. This password will be changed by msktutil in order +but the password of the computer account is known. This password will be changed by REPLACE_PROGNAME in order to create or update the keytab .TP -h, --hostname
@@ -168,6 +168,14 @@
 MSKTUTIL_KEYTAB environment variable to the name of the desired keytab file. This keytab is both read from, in order to authenticate as the given account, and written to, after updating the account password. Default: /etc/krb5.keytab +--keytab-auth-as +Specifies which principal name we should try to use, when we authenticate from a keytab. Normally, +REPLACE_PROGNAME will try to use the account name or the host principal for the current host. If +this option is specified, instead REPLACE_PROGNAME will try to use the given principal name first, +and only fall back to the default behavior if we fail to authenticate with the given name. This +option can be useful if you do not know the current password for the relevant account, do not have +a keytab with the account principal, but you do have a keytab with a service principal associated +with that account. .TP --server Specifies to use as the domain controller. This affects both kerberos and ldap operations.
@@ -185,6 +193,9 @@
 Specifies to use as kerberos realm. Default: use the default_realm from [libdefaults] section of krb5.conf. .TP +--site +Find and use domain controller in specific AD site. This option is ignored if option --server is used. +.TP -N, --no-reverse-lookup Do not attempt to canonicalize the name of the domain controller via DNS reverse lookups. You may need to do this if your client cannot resolve the PTR records for a domain controller or your DNS
@@ -236,7 +247,7 @@
 0x1=des-cbc-crc 0x2=des-cbc-md5 0x4=rc4-hmac-md5 - 0x8=aes128-ctc-hmac-sha1 + 0x8=aes128-cts-hmac-sha1 0x10=aes256-cts-hmac-sha1 This value is used to determine which encryption types AD will offer to use, and which encryption
@@ -251,6 +262,9 @@
 Default: sets the value to 0x1C: that is, use anything but DES. .TP +--allow-weak-crypto +Enables the usage of DES keys for authentication. This is equivalent to MIT's krb5.conf parameter allow_weak_crypto. +.TP --no-pac Specifies that service tickets for this account should not contain a PAC. This modifies the userAccountControl attribute. See Microsoft Knowledge Base article #832575 for details. This
diff -Nru msktutil-0.5/msktutil.cpp msktutil-0.5.1/msktutil.cpp
--- msktutil-0.5/msktutil.cpp 2013-07-02 01:13:08.000000000 +0000
+++ msktutil-0.5.1/msktutil.cpp 2013-10-25 04:10:07.000000000 +0000
@@ -104,7 +104,7 @@
 { msktutil_flags *flags = exec->flags; int ret; - + char *temp_realm; if (flags->realm_name.empty()) { if (krb5_get_default_realm(g_context.get(), &temp_realm)) {
@@ -302,6 +302,10 @@
 fprintf(stdout, " This option is mutually exclusive with --user-creds-only.\n"); fprintf(stdout, " -h, --hostname Use as current hostname.\n"); fprintf(stdout, " -k, --keytab Use for the keytab (both read and write).\n"); + fprintf(stdout, " --keytab-auth-as \n"); + fprintf(stdout, " First try to authenticate to AD as principal , using\n"); + fprintf(stdout, " creds from the keytab, instead of using the account name\n"); + fprintf(stdout, " principal or the host principal, etc.\n"); fprintf(stdout, " --server
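Review bot: `temp_realm` is declared without an initialiser and is only assigned inside `if (flags->realm_name.empty())`; declaring it as `char *temp_realm = NULL;` costs nothing and makes any later test or `krb5_free_default_realm` on it safe on the path where the realm was given on the command line. The rest of the function, including where `temp_realm` would be released, is outside the hunk, so whether such a use exists cannot be checked from here; a comment such as `/* only set when the realm comes from krb5.conf */` next to the declaration would make the two paths explicit either way.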
Use a specific domain controller instead of looking\n"); fprintf(stdout, " up in DNS based upon realm.\n"); fprintf(stdout, " --server-behind-nat Ignore server IP validation error caused by NAT.\n");
@@ -327,9 +331,10 @@
 fprintf(stdout, " --do-expire-password Undisables (puts back to default) password expiration.\n"); fprintf(stdout, " --enctypes Sets msDs-supportedEncryptionTypes\n"); fprintf(stdout, " (OR of: 0x1=des-cbc-crc 0x2=des-cbc-md5\n"); - fprintf(stdout, " 0x4=rc4-hmac-md5 0x8=aes128-ctc-hmac-sha1\n"); + fprintf(stdout, " 0x4=rc4-hmac-md5 0x8=aes128-cts-hmac-sha1\n"); fprintf(stdout, " 0x10=aes256-cts-hmac-sha1)\n"); fprintf(stdout, " Sets des-only in userAccountControl if set to 0x3.\n"); + fprintf(stdout, " --allow-weak-crypto Enables the usage of DES keys for authentication\n"); fprintf(stdout, " --no-pac Sets the service principal to not include a PAC.\n"); fprintf(stdout, " --disable-no-pac Sets the service principal to include a PAC.\n"); fprintf(stdout, " -s, --service Adds the service for the current host or the\n");
@@ -376,7 +381,7 @@
 } else if (exec->mode == MODE_CREATE || exec->mode == MODE_UPDATE || exec->mode == MODE_AUTO_UPDATE) { if (exec->mode == MODE_AUTO_UPDATE) { // Don't bother doing anything if the auth was from the keytab (and not e.g. default password), and the - if (exec->flags->auth_type == AUTH_FROM_SAM_KEYTAB) { + if (exec->flags->auth_type == AUTH_FROM_SAM_KEYTAB || exec->flags->auth_type == AUTH_FROM_EXPLICIT_KEYTAB) { std::string pwdLastSet = ldap_get_pwdLastSet(exec->flags); // Windows timestamp is in 100-nanoseconds-since-1601. (or, tenths of microseconds) long long windows_timestamp = strtoll(pwdLastSet.c_str(), NULL, 10);
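Review bot: The comment directly above the changed condition stops mid-sentence at "and the", so the reader is left without the second half of the reason for skipping the update; it should be completed along the lines of `// ... and the password in AD was set recently enough that the keytab is still current` — if that is what the pwdLastSet comparison further down does, which is outside the hunk. The pair `AUTH_FROM_SAM_KEYTAB || AUTH_FROM_EXPLICIT_KEYTAB` also appears in msktpass.cpp in this diff, there with `AUTH_FROM_HOSTNAME_KEYTAB` as a third member, so a one-line comment stating why the hostname keytab is deliberately excluded here would prevent the next maintainer from "fixing" the mismatch, or a shared predicate if the omission is not deliberate. The `strtoll` on `pwdLastSet` with a NULL end pointer silently yields 0 for a missing or non-numeric attribute, which is pre-existing but now reachable from one more auth path.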
@@ -426,7 +431,7 @@
 return ret; } else if (exec->mode == MODE_PRECREATE) { // Change account password to default value: - flags->password = flags->samAccountName_nodollar; + flags->password = create_default_machine_password(flags->samAccountName); // Check if computer account exists, update if so, create if not. ldap_check_account(flags);
@@ -572,6 +577,12 @@
 continue; } + /* Re-activate DES encryption in fake krb5.conf */ + if (!strcmp(argv[i], "--allow-weak-crypto")) { + exec->flags->allow_weak_crypto = true; + continue; + } + /* Disable the PAC ? */ if (!strcmp(argv[i], "--no-pac")) { exec->flags->no_pac = VALUE_ON;
@@ -709,6 +720,16 @@
 continue; } + if (!strcmp(argv[i], "--keytab-auth-as")) { + if (++i < argc) { + exec->flags->keytab_auth_princ = argv[i]; + } else { + fprintf(stderr, "Error: No principal given after '%s'\n", argv[i - 1]); + goto error; + } + continue; + } + /* Display Verbose Messages */ if (!strcmp(argv[i], "--verbose")) { do_verbose();
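Review bot: `--keytab-auth-as ""` is accepted here and then silently ignored, because the authentication path in this diff only uses `keytab_auth_princ` when it is non-empty, so the user falls back to the default principals without being told; rejecting it at parse time with `if (++i < argc && argv[i][0] != '\0')` routes the empty case into the existing `else` branch, whose message already names `argv[i - 1]` and so fits both the missing and the empty value. Unlike the other options in this parser the new block has no leading comment; `/* Principal to try first when authenticating from the keytab */` would match the style of the `--allow-weak-crypto` block added at old line 572. The option loop begins before this hunk.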
@@ -770,15 +791,29 @@
 msktutil_flags::msktutil_flags() : - password(), ldap(), set_description(false), set_userPrincipalName(false), - dont_expire_password(VALUE_IGNORE), no_pac(VALUE_IGNORE), delegate(VALUE_IGNORE), - ad_userAccountControl(0), ad_enctypes(VALUE_IGNORE), ad_supportedEncryptionTypes(0), + password(), + ldap(), + set_description(false), + set_userPrincipalName(false), + no_reverse_lookups(false), + server_behind_nat(false), + set_samba_secret(false), + dont_expire_password(VALUE_IGNORE), + no_pac(VALUE_IGNORE), + delegate(VALUE_IGNORE), + ad_userAccountControl(0), + ad_enctypes(VALUE_IGNORE), + ad_supportedEncryptionTypes(0), enctypes(VALUE_IGNORE), /* default values we *want* to support */ supportedEncryptionTypes(MS_KERB_ENCTYPE_RC4_HMAC_MD5 | MS_KERB_ENCTYPE_AES128_CTC_HMAC_SHA1_96 | MS_KERB_ENCTYPE_AES256_CTS_HMAC_SHA1_96), - auth_type(0), user_creds_only(false), password_expired(false) + auth_type(0), + user_creds_only(false), + use_service_account(false), + allow_weak_crypto(false), + password_expired(false) {} msktutil_flags::~msktutil_flags() {
diff -Nru msktutil-0.5/msktutil.h msktutil-0.5.1/msktutil.h
--- msktutil-0.5/msktutil.h 2013-07-02 01:13:08.000000000 +0000
+++ msktutil-0.5.1/msktutil.h 2013-10-25 04:10:08.000000000 +0000
@@ -77,6 +77,7 @@
 #define MAX_HOSTNAME_LEN 255 #define MAX_TRIES 10 #define MAX_SAM_ACCOUNT_LEN 20 +#define MAX_DEF_MACH_PASS_LEN 14 #define MAX_DOMAIN_CONTROLLERS 20
@@ -134,6 +135,7 @@
 AUTH_FROM_USER_CREDS, AUTH_FROM_SUPPLIED_PASSWORD, AUTH_FROM_SUPPLIED_EXPIRED_PASSWORD, + AUTH_FROM_EXPLICIT_KEYTAB, }; class LDAPConnection;
@@ -159,6 +161,7 @@
 std::string keytab_file; std::string keytab_writename; std::string keytab_readname; + std::string keytab_auth_princ; std::string ldap_ou; std::string hostname; std::string description;
@@ -198,6 +201,7 @@
 int auth_type; bool user_creds_only; bool use_service_account; + bool allow_weak_crypto; bool password_expired; msktutil_flags(); ~msktutil_flags();
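Review bot: The initialiser list now covers `use_service_account`, which the header hunk below shows was already declared before this change and so had been left uninitialised — that is the real fix here and deserves a sentence in the commit message. The new entries must follow the header's declaration order: the tail `auth_type`, `user_creds_only`, `use_service_account`, `allow_weak_crypto`, `password_expired` matches what the hunk at old line 198 of msktutil.h shows, but the position of `no_reverse_lookups`, `server_behind_nat` and `set_samba_secret` relative to `dont_expire_password` is not visible here and should be confirmed with `-Wreorder`. Any member still absent from this list remains indeterminate, so a comment such as `/* keep in declaration order; every member must be initialised here */` above the list would state the rule the fix depends on.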
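Review bot: `MAX_DEF_MACH_PASS_LEN 14` is added without saying what it bounds; together with the `create_default_machine_password` prototype added in the last hunk of this header it is presumably the length at which AD truncates the default password of a newly created computer account (the ChangeLog entry about matching ADUC for long account names), so a comment such as `/* longest default machine password AD itself assigns to a new computer account */` here, and a line on the prototype stating that the result is derived from samaccountname and never exceeds that length, would make the pair self-explaining. The prototype hunk is the only other place the constant's meaning could be recorded, and it carries no comment either.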
@@ -221,6 +225,7 @@
 }; /* Prototypes */ +extern std::string create_default_machine_password(const std::string &samaccountname); extern void ldap_cleanup(msktutil_flags *); extern void init_password(msktutil_flags *); extern std::string get_default_hostname();