Fix

truenas · May 24, 2024 · 99c5b70 · 99c5b70
1 parent 50ca52f
commit 99c5b70
Show file tree

Hide file tree

Showing 2 changed files with 36 additions and 15 deletions.
diff --git a/src/middlewared/middlewared/plugins/kerberos.py b/src/middlewared/middlewared/plugins/kerberos.py
@@ -25,6 +25,7 @@
 )
 from middlewared.utils.directoryservices.krb5 import (
     extract_from_keytab,
+    keytab_services,
     klist_impl,
     ktutil_list_impl
 )
@@ -925,28 +926,20 @@ async def kerberos_principal_choices(self):
         return sorted(kerberos_principals)
 
     @private
-    async def has_nfs_principal(self):
+    def has_nfs_principal(self):
         """
         This method checks whether the kerberos keytab contains an nfs service principal
         """
-        principals = await self.kerberos_principal_choices()
-        for p in principals:
-            if p.startswith("nfs/"):
-                return True
-
-        return False
+        try:
+            return 'nfs' in keytab_services(KRB_Keytab.SYSTEM.value)
+        except FileNotFoundError:
+            return False
 
     @private
     def store_ad_keytab(self):
         """
-        Samba will automatically generate system keytab entries for the AD machine account
-        (netbios name with '$' appended), and maintain them through machine account password changes.
-
-        Copy the system keytab, parse it, and update the corresponding keytab entry in the freenas configuration
-        database.
-
-        The current system kerberos keytab and compare with a cached copy before overwriting it when a new
-        keytab is generated through middleware 'etc.generate kerberos'.
+        libads automatically generates a system keytab during domain join process. This
+        method parses the system keytab and inserts as the AD_MACHINE_ACCOUNT keytab.
         """
         if not os.path.exists(KRB_Keytab.SYSTEM.value):
             return

diff --git a/src/middlewared/middlewared/utils/directoryservices/krb5.py b/src/middlewared/middlewared/utils/directoryservices/krb5.py
@@ -1,3 +1,12 @@
+# This is a collection of utilities related to kerberos tickets
+# and keytabs.
+#
+# Tests that do not require access to an actual KDC are provided
+# in src/middlewared/middlewared/pytest/unit/utils/test_krb5.py
+#
+# Tests that require access to a KDC are provided as part of API
+# test suite.
+
 import os
 import subprocess
 import time
@@ -133,6 +142,18 @@ def ktutil_list_impl(keytab_file: str) -> list:
     return parse_keytab(kt_lines[3:])
 
 
+def keytab_services(keytab_file: str) -> list:
+    """
+    Return list of services provided by keytab
+    """
+    keytab_data = filter_list(kutil_list_impl(keytab_file), [['/', 'in', 'principal']])
+    services = []
+    for principal in keytab_data:
+        services.append(principal.split('/')[0])
+
+    return services
+
+
 def extract_from_keytab(
     keytab_file: str,
     filters: list
@@ -143,6 +164,13 @@ def extract_from_keytab(
     kt_list = ktutil_list_impl(keytab_file)
     to_keep = filter_list(kt_list, filters)
     to_remove = [entry['slot'] for entry in kt_list if entry not in to_keep]
+
+    if len(kt_list) == len(to_remove):
+        # Let caller know that keytab would be empty. If we were to follow
+        # through with this, caller would receive # keytab containing only
+        # `b'\x05\x02'`
+        return None
+
     tmp_keytab = __tmp_krb5_keytab()
 
     rkt = f'rkt {keytab_file}'