Merge pull request #5 from vruello/single_keytab

Support for storing multiple GMSAs secrets in a single keytab file
cea-sec · Sep 21, 2023 · 53395fc · 53395fc
2 parents 86ae555 + f3aa025
commit 53395fc
Show file tree

Hide file tree

Showing 5 changed files with 31 additions and 5 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -0,0 +1,16 @@
+# Changelog
+
+All notable changes to this project will be documented in this file.
+
+The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
+and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+
+##  [Unreleased]
+
+### Added
+
+- Support for storing multiple GMSAs secrets in a single keytab file (#5)
+
+## [0.1.0] - 2023-06-05
+
+Initial commit
diff --git a/gmsad.conf.sample b/gmsad.conf.sample
@@ -22,6 +22,7 @@ check_interval = 60
 #
 # # File where to store the keytab of the gMSA. gmsad needs to
 # # have read and write permissions on it.
+# # You can use the same destination keytab for multiple gMSAs
 # gMSA_keytab = /etc/semoule.keytab
 #
 # # Mask that contains the encryption types present in the keytab in Windows format.

diff --git a/gmsad/__init__.py b/gmsad/__init__.py
@@ -4,6 +4,7 @@
 
 from gmsad.utils import every
 from gmsad.gmsa import GMSAState
+from gmsad.keytab import Keytab
 
 def run(config: configparser.ConfigParser) -> int:
     state = init_state(config)
@@ -26,8 +27,16 @@ def update_loop(config: configparser.ConfigParser, state: dict) -> None:
 
 def init_state(config: configparser.ConfigParser) -> dict:
     state = {}
+    # It is possible to store the secrets of multiple GMSAs in a single keytab file.
+    # For this to work, each keytab file must be managed by a single "Keytab" instance.
+    keytabs = {}
     for section in config.sections():
         if section == 'gmsad':
             continue
-        state[section] = GMSAState(config[section])
+        keytab_path = config[section]['gMSA_keytab']
+        if not keytab_path in keytabs:
+            keytab = Keytab()
+            keytab.open(keytab_path)
+            keytabs[keytab_path] = keytab
+        state[section] = GMSAState(config[section], keytabs[keytab_path])
     return state
diff --git a/gmsad/gmsa.py b/gmsad/gmsa.py
@@ -21,12 +21,11 @@ class GMSAState:
     unchanged_password_date: datetime
     keytab: Keytab
 
-    def __init__(self, config: configparser.SectionProxy) -> None:
+    def __init__(self, config: configparser.SectionProxy, keytab: Keytab) -> None:
         self.config = config
         self.current_password = bytes()
         self.previous_password = bytes()
-        self.keytab = Keytab()
-        self.keytab.open(self.config['gMSA_keytab'])
+        self.keytab = keytab
         self.query_password_date = datetime.fromtimestamp(0).astimezone()
         self.unchanged_password_date = datetime.fromtimestamp(0).astimezone()
 

diff --git a/tests/test_gmsa.py b/tests/test_gmsa.py
@@ -32,7 +32,8 @@ class TestGMSA(unittest.TestCase):
     def setUp(self):
         config = configparser.ConfigParser()
         config.read_string(SAMPLE_CONFIG)
-        self.gmsa_state = GMSAState(config["sample"])
+        keytabs = {}
+        self.gmsa_state = GMSAState(config["sample"], keytabs)
 
     def test_managedpassword_too_short(self):
         blob = bytes([0]*31)