2005-03-21 05:08:38 +03:00
/*
Unix SMB / CIFS implementation .
2005-09-29 04:02:38 +04:00
User credentials handling
2005-03-21 05:08:38 +03:00
Copyright ( C ) Jelmer Vernooij 2005
Copyright ( C ) Tim Potter 2001
2005-03-22 11:00:45 +03:00
Copyright ( C ) Andrew Bartlett < abartlet @ samba . org > 2005
2005-03-21 05:08:38 +03:00
This program is free software ; you can redistribute it and / or modify
it under the terms of the GNU General Public License as published by
2007-07-10 06:07:03 +04:00
the Free Software Foundation ; either version 3 of the License , or
2005-03-21 05:08:38 +03:00
( at your option ) any later version .
This program is distributed in the hope that it will be useful ,
but WITHOUT ANY WARRANTY ; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE . See the
GNU General Public License for more details .
You should have received a copy of the GNU General Public License
2007-07-10 06:07:03 +04:00
along with this program . If not , see < http : //www.gnu.org/licenses/>.
2005-03-21 05:08:38 +03:00
*/
# include "includes.h"
2006-03-16 03:23:11 +03:00
# include "librpc/gen_ndr/samr.h" /* for struct samrPassword */
2006-11-07 03:48:36 +03:00
# include "auth/credentials/credentials.h"
2013-07-31 14:41:40 +04:00
# include "auth/credentials/credentials_internal.h"
2006-03-14 18:03:25 +03:00
# include "libcli/auth/libcli_auth.h"
2011-10-09 16:27:44 +04:00
# include "tevent.h"
2007-09-08 16:42:09 +04:00
# include "param/param.h"
2010-10-11 03:20:42 +04:00
# include "system/filesys.h"
2005-03-21 05:08:38 +03:00
2005-03-27 10:55:03 +04:00
/**
* Create a new credentials structure
* @ param mem_ctx TALLOC_CTX parent for credentials structure
*/
2008-04-02 06:53:27 +04:00
_PUBLIC_ struct cli_credentials * cli_credentials_init ( TALLOC_CTX * mem_ctx )
2005-03-21 05:08:38 +03:00
{
2016-12-14 10:50:51 +03:00
struct cli_credentials * cred = talloc_zero ( mem_ctx , struct cli_credentials ) ;
2009-10-15 12:30:07 +04:00
if ( cred = = NULL ) {
2005-03-23 04:30:43 +03:00
return cred ;
}
2016-10-28 16:55:48 +03:00
cred - > winbind_separator = ' \\ ' ;
2005-03-23 04:30:43 +03:00
return cred ;
2005-03-22 11:00:45 +03:00
}
2005-03-22 00:22:07 +03:00
2013-07-31 14:52:17 +04:00
_PUBLIC_ void cli_credentials_set_callback_data ( struct cli_credentials * cred ,
void * callback_data )
{
cred - > priv_data = callback_data ;
}
_PUBLIC_ void * _cli_credentials_callback_data ( struct cli_credentials * cred )
{
return cred - > priv_data ;
}
2007-03-03 02:24:27 +03:00
/**
* Create a new anonymous credential
* @ param mem_ctx TALLOC_CTX parent for credentials structure
*/
2008-04-02 06:53:27 +04:00
_PUBLIC_ struct cli_credentials * cli_credentials_init_anon ( TALLOC_CTX * mem_ctx )
2007-03-03 02:24:27 +03:00
{
struct cli_credentials * anon_credentials ;
anon_credentials = cli_credentials_init ( mem_ctx ) ;
cli_credentials_set_anonymous ( anon_credentials ) ;
return anon_credentials ;
}
2008-04-02 06:53:27 +04:00
_PUBLIC_ void cli_credentials_set_kerberos_state ( struct cli_credentials * creds ,
2006-01-28 15:15:24 +03:00
enum credentials_use_kerberos use_kerberos )
{
creds - > use_kerberos = use_kerberos ;
}
2013-09-16 20:38:09 +04:00
_PUBLIC_ void cli_credentials_set_forced_sasl_mech ( struct cli_credentials * creds ,
const char * sasl_mech )
{
TALLOC_FREE ( creds - > forced_sasl_mech ) ;
creds - > forced_sasl_mech = talloc_strdup ( creds , sasl_mech ) ;
}
2010-09-16 08:12:37 +04:00
_PUBLIC_ void cli_credentials_set_krb_forwardable ( struct cli_credentials * creds ,
enum credentials_krb_forwardable krb_forwardable )
{
creds - > krb_forwardable = krb_forwardable ;
}
2008-04-02 06:53:27 +04:00
_PUBLIC_ enum credentials_use_kerberos cli_credentials_get_kerberos_state ( struct cli_credentials * creds )
2006-01-28 15:15:24 +03:00
{
return creds - > use_kerberos ;
}
2013-09-16 20:38:09 +04:00
_PUBLIC_ const char * cli_credentials_get_forced_sasl_mech ( struct cli_credentials * creds )
{
return creds - > forced_sasl_mech ;
}
2010-09-16 08:12:37 +04:00
_PUBLIC_ enum credentials_krb_forwardable cli_credentials_get_krb_forwardable ( struct cli_credentials * creds )
{
return creds - > krb_forwardable ;
}
2008-04-02 06:53:27 +04:00
_PUBLIC_ void cli_credentials_set_gensec_features ( struct cli_credentials * creds , uint32_t gensec_features )
2006-12-13 00:47:56 +03:00
{
creds - > gensec_features = gensec_features ;
}
2008-04-02 06:53:27 +04:00
_PUBLIC_ uint32_t cli_credentials_get_gensec_features ( struct cli_credentials * creds )
2006-12-13 00:47:56 +03:00
{
return creds - > gensec_features ;
}
2006-01-28 15:15:24 +03:00
2005-03-27 10:55:03 +04:00
/**
* Obtain the username for this credentials context .
* @ param cred credentials context
* @ retval The username set on this context .
* @ note Return value will never be NULL except by programmer error .
*/
2008-04-02 06:53:27 +04:00
_PUBLIC_ const char * cli_credentials_get_username ( struct cli_credentials * cred )
2005-03-22 11:00:45 +03:00
{
2005-03-24 06:32:25 +03:00
if ( cred - > machine_account_pending ) {
2007-12-14 00:46:17 +03:00
cli_credentials_set_machine_account ( cred ,
cred - > machine_account_pending_lp_ctx ) ;
2005-03-24 06:32:25 +03:00
}
2006-05-04 00:56:14 +04:00
if ( cred - > username_obtained = = CRED_CALLBACK & &
! cred - > callback_running ) {
2007-10-07 02:16:19 +04:00
cred - > callback_running = true ;
2005-03-21 05:08:38 +03:00
cred - > username = cred - > username_cb ( cred ) ;
2007-10-07 02:16:19 +04:00
cred - > callback_running = false ;
2013-07-31 16:32:36 +04:00
if ( cred - > username_obtained = = CRED_CALLBACK ) {
cred - > username_obtained = CRED_CALLBACK_RESULT ;
cli_credentials_invalidate_ccache ( cred , cred - > username_obtained ) ;
}
2005-03-21 05:08:38 +03:00
}
2005-09-22 05:50:58 +04:00
return cred - > username ;
2005-03-21 05:08:38 +03:00
}
2008-04-02 06:53:27 +04:00
_PUBLIC_ bool cli_credentials_set_username ( struct cli_credentials * cred ,
2005-08-30 05:19:41 +04:00
const char * val , enum credentials_obtained obtained )
2005-03-21 05:08:38 +03:00
{
if ( obtained > = cred - > username_obtained ) {
cred - > username = talloc_strdup ( cred , val ) ;
cred - > username_obtained = obtained ;
2007-05-22 09:21:59 +04:00
cli_credentials_invalidate_ccache ( cred , cred - > username_obtained ) ;
2007-10-07 02:16:19 +04:00
return true ;
2005-03-21 05:08:38 +03:00
}
2007-10-07 02:16:19 +04:00
return false ;
2005-03-21 05:08:38 +03:00
}
2011-10-09 16:27:44 +04:00
_PUBLIC_ bool cli_credentials_set_username_callback ( struct cli_credentials * cred ,
2005-08-30 05:19:41 +04:00
const char * ( * username_cb ) ( struct cli_credentials * ) )
{
if ( cred - > username_obtained < CRED_CALLBACK ) {
cred - > username_cb = username_cb ;
cred - > username_obtained = CRED_CALLBACK ;
2007-10-07 02:16:19 +04:00
return true ;
2005-08-30 05:19:41 +04:00
}
2007-10-07 02:16:19 +04:00
return false ;
2005-08-30 05:19:41 +04:00
}
2008-04-02 06:53:27 +04:00
_PUBLIC_ bool cli_credentials_set_bind_dn ( struct cli_credentials * cred ,
2005-12-18 08:01:15 +03:00
const char * bind_dn )
{
cred - > bind_dn = talloc_strdup ( cred , bind_dn ) ;
2007-10-07 02:16:19 +04:00
return true ;
2005-12-18 08:01:15 +03:00
}
/**
* Obtain the BIND DN for this credentials context .
* @ param cred credentials context
* @ retval The username set on this context .
* @ note Return value will be NULL if not specified explictly
*/
2008-04-02 06:53:27 +04:00
_PUBLIC_ const char * cli_credentials_get_bind_dn ( struct cli_credentials * cred )
2005-12-18 08:01:15 +03:00
{
return cred - > bind_dn ;
}
2005-08-30 05:19:41 +04:00
2005-08-29 08:30:22 +04:00
/**
* Obtain the client principal for this credentials context .
* @ param cred credentials context
* @ retval The username set on this context .
* @ note Return value will never be NULL except by programmer error .
*/
2016-12-29 17:26:00 +03:00
_PUBLIC_ char * cli_credentials_get_principal_and_obtained ( struct cli_credentials * cred , TALLOC_CTX * mem_ctx , enum credentials_obtained * obtained )
2005-08-29 08:30:22 +04:00
{
if ( cred - > machine_account_pending ) {
2007-12-14 00:46:17 +03:00
cli_credentials_set_machine_account ( cred ,
cred - > machine_account_pending_lp_ctx ) ;
2005-08-29 08:30:22 +04:00
}
2006-05-04 00:56:14 +04:00
if ( cred - > principal_obtained = = CRED_CALLBACK & &
! cred - > callback_running ) {
2007-10-07 02:16:19 +04:00
cred - > callback_running = true ;
2006-05-07 22:08:57 +04:00
cred - > principal = cred - > principal_cb ( cred ) ;
2007-10-07 02:16:19 +04:00
cred - > callback_running = false ;
2013-07-31 16:32:36 +04:00
if ( cred - > principal_obtained = = CRED_CALLBACK ) {
cred - > principal_obtained = CRED_CALLBACK_RESULT ;
cli_credentials_invalidate_ccache ( cred , cred - > principal_obtained ) ;
}
2005-08-29 08:30:22 +04:00
}
2010-05-01 04:33:08 +04:00
if ( cred - > principal_obtained < cred - > username_obtained
| | cred - > principal_obtained < MAX ( cred - > domain_obtained , cred - > realm_obtained ) ) {
2016-12-15 13:04:02 +03:00
const char * effective_username = NULL ;
const char * effective_realm = NULL ;
enum credentials_obtained effective_obtained ;
effective_username = cli_credentials_get_username ( cred ) ;
if ( effective_username = = NULL | | strlen ( effective_username ) = = 0 ) {
* obtained = cred - > username_obtained ;
return NULL ;
}
2005-09-21 01:29:29 +04:00
if ( cred - > domain_obtained > cred - > realm_obtained ) {
2016-12-15 13:04:02 +03:00
effective_realm = cli_credentials_get_domain ( cred ) ;
effective_obtained = MIN ( cred - > domain_obtained ,
cred - > username_obtained ) ;
2005-09-21 01:29:29 +04:00
} else {
2016-12-15 13:04:02 +03:00
effective_realm = cli_credentials_get_realm ( cred ) ;
effective_obtained = MIN ( cred - > realm_obtained ,
cred - > username_obtained ) ;
}
if ( effective_realm = = NULL | | strlen ( effective_realm ) = = 0 ) {
effective_realm = cli_credentials_get_domain ( cred ) ;
effective_obtained = MIN ( cred - > domain_obtained ,
cred - > username_obtained ) ;
}
if ( effective_realm ! = NULL & & strlen ( effective_realm ) ! = 0 ) {
* obtained = effective_obtained ;
2005-09-21 01:29:29 +04:00
return talloc_asprintf ( mem_ctx , " %s@%s " ,
2016-12-15 13:04:02 +03:00
effective_username ,
effective_realm ) ;
2005-09-21 01:29:29 +04:00
}
2005-08-29 08:30:22 +04:00
}
2010-05-01 04:33:08 +04:00
* obtained = cred - > principal_obtained ;
2013-07-31 14:33:25 +04:00
return talloc_strdup ( mem_ctx , cred - > principal ) ;
2005-08-29 08:30:22 +04:00
}
2010-05-01 04:33:08 +04:00
/**
* Obtain the client principal for this credentials context .
* @ param cred credentials context
* @ retval The username set on this context .
* @ note Return value will never be NULL except by programmer error .
*/
2016-12-29 17:26:00 +03:00
_PUBLIC_ char * cli_credentials_get_principal ( struct cli_credentials * cred , TALLOC_CTX * mem_ctx )
2010-05-01 04:33:08 +04:00
{
enum credentials_obtained obtained ;
return cli_credentials_get_principal_and_obtained ( cred , mem_ctx , & obtained ) ;
}
2011-10-09 16:27:44 +04:00
_PUBLIC_ bool cli_credentials_set_principal ( struct cli_credentials * cred ,
2005-09-02 03:24:47 +04:00
const char * val ,
enum credentials_obtained obtained )
2005-08-29 08:30:22 +04:00
{
if ( obtained > = cred - > principal_obtained ) {
cred - > principal = talloc_strdup ( cred , val ) ;
2016-10-06 09:16:57 +03:00
if ( cred - > principal = = NULL ) {
return false ;
}
2005-08-29 08:30:22 +04:00
cred - > principal_obtained = obtained ;
2016-10-06 09:16:57 +03:00
2007-05-22 09:21:59 +04:00
cli_credentials_invalidate_ccache ( cred , cred - > principal_obtained ) ;
2007-10-07 02:16:19 +04:00
return true ;
2005-08-29 08:30:22 +04:00
}
2007-10-07 02:16:19 +04:00
return false ;
2005-08-29 08:30:22 +04:00
}
r11995: A big kerberos-related update.
This merges Samba4 up to current lorikeet-heimdal, which includes a
replacement for some Samba-specific hacks.
In particular, the credentials system now supplies GSS client and
server credentials. These are imported into GSS with
gss_krb5_import_creds(). Unfortunetly this can't take an MEMORY
keytab, so we now create a FILE based keytab as provision and join
time.
Because the keytab is now created in advance, we don't spend .4s at
negprot doing sha1 s2k calls. Also, because the keytab is read in
real time, any change in the server key will be correctly picked up by
the the krb5 code.
To mark entries in the secrets which should be exported to a keytab,
there is a new kerberosSecret objectClass. The new routine
cli_credentials_update_all_keytabs() searches for these, and updates
the keytabs.
This is called in the provision.js via the ejs wrapper
credentials_update_all_keytabs().
We can now (in theory) use a system-provided /etc/krb5.keytab, if
krb5Keytab: FILE:/etc/krb5.keytab
is added to the secrets.ldb record. By default the attribute
privateKeytab: secrets.keytab
is set, pointing to allow the whole private directory to be moved
without breaking the internal links.
(This used to be commit 6b75573df49c6210e1b9d71e108a9490976bd41d)
2005-12-01 08:20:39 +03:00
/* Set a callback to get the principal. This could be a popup dialog,
* a terminal prompt or similar . */
2011-10-09 16:27:44 +04:00
_PUBLIC_ bool cli_credentials_set_principal_callback ( struct cli_credentials * cred ,
2005-08-30 05:19:41 +04:00
const char * ( * principal_cb ) ( struct cli_credentials * ) )
{
if ( cred - > principal_obtained < CRED_CALLBACK ) {
cred - > principal_cb = principal_cb ;
cred - > principal_obtained = CRED_CALLBACK ;
2007-10-07 02:16:19 +04:00
return true ;
2005-08-30 05:19:41 +04:00
}
2007-10-07 02:16:19 +04:00
return false ;
2005-08-30 05:19:41 +04:00
}
r11995: A big kerberos-related update.
This merges Samba4 up to current lorikeet-heimdal, which includes a
replacement for some Samba-specific hacks.
In particular, the credentials system now supplies GSS client and
server credentials. These are imported into GSS with
gss_krb5_import_creds(). Unfortunetly this can't take an MEMORY
keytab, so we now create a FILE based keytab as provision and join
time.
Because the keytab is now created in advance, we don't spend .4s at
negprot doing sha1 s2k calls. Also, because the keytab is read in
real time, any change in the server key will be correctly picked up by
the the krb5 code.
To mark entries in the secrets which should be exported to a keytab,
there is a new kerberosSecret objectClass. The new routine
cli_credentials_update_all_keytabs() searches for these, and updates
the keytabs.
This is called in the provision.js via the ejs wrapper
credentials_update_all_keytabs().
We can now (in theory) use a system-provided /etc/krb5.keytab, if
krb5Keytab: FILE:/etc/krb5.keytab
is added to the secrets.ldb record. By default the attribute
privateKeytab: secrets.keytab
is set, pointing to allow the whole private directory to be moved
without breaking the internal links.
(This used to be commit 6b75573df49c6210e1b9d71e108a9490976bd41d)
2005-12-01 08:20:39 +03:00
/* Some of our tools are 'anonymous by default'. This is a single
* function to determine if authentication has been explicitly
* requested */
2008-04-02 06:53:27 +04:00
_PUBLIC_ bool cli_credentials_authentication_requested ( struct cli_credentials * cred )
2005-08-29 08:30:22 +04:00
{
2005-12-18 08:01:15 +03:00
if ( cred - > bind_dn ) {
2007-10-07 02:16:19 +04:00
return true ;
2005-12-18 08:01:15 +03:00
}
2013-09-18 00:09:07 +04:00
/*
* If we forced the mech we clearly want authentication . E . g . to use
* SASL / EXTERNAL which has no credentials .
*/
if ( cred - > forced_sasl_mech ) {
return true ;
}
2006-06-14 08:00:42 +04:00
if ( cli_credentials_is_anonymous ( cred ) ) {
2007-10-07 02:16:19 +04:00
return false ;
2005-12-14 10:22:25 +03:00
}
2005-08-29 08:38:37 +04:00
if ( cred - > principal_obtained > = CRED_SPECIFIED ) {
2007-10-07 02:16:19 +04:00
return true ;
2005-08-29 08:30:22 +04:00
}
if ( cred - > username_obtained > = CRED_SPECIFIED ) {
2007-10-07 02:16:19 +04:00
return true ;
2005-08-29 08:30:22 +04:00
}
2007-02-19 19:43:56 +03:00
if ( cli_credentials_get_kerberos_state ( cred ) = = CRED_MUST_USE_KERBEROS ) {
2007-10-07 02:16:19 +04:00
return true ;
2007-02-19 19:43:56 +03:00
}
2007-10-07 02:16:19 +04:00
return false ;
2005-08-29 08:30:22 +04:00
}
2005-03-27 10:55:03 +04:00
/**
* Obtain the password for this credentials context .
* @ param cred credentials context
* @ retval If set , the cleartext password , otherwise NULL
*/
2008-04-02 06:53:27 +04:00
_PUBLIC_ const char * cli_credentials_get_password ( struct cli_credentials * cred )
2005-03-21 05:08:38 +03:00
{
2005-03-24 06:32:25 +03:00
if ( cred - > machine_account_pending ) {
2007-12-14 00:46:17 +03:00
cli_credentials_set_machine_account ( cred ,
cred - > machine_account_pending_lp_ctx ) ;
2005-03-24 06:32:25 +03:00
}
2006-05-04 00:56:14 +04:00
if ( cred - > password_obtained = = CRED_CALLBACK & &
2016-12-14 12:02:10 +03:00
! cred - > callback_running & &
! cred - > password_will_be_nt_hash ) {
2013-09-21 03:49:08 +04:00
cred - > callback_running = true ;
2006-05-07 22:08:57 +04:00
cred - > password = cred - > password_cb ( cred ) ;
2013-09-21 03:49:08 +04:00
cred - > callback_running = false ;
2013-07-31 16:32:36 +04:00
if ( cred - > password_obtained = = CRED_CALLBACK ) {
cred - > password_obtained = CRED_CALLBACK_RESULT ;
cli_credentials_invalidate_ccache ( cred , cred - > password_obtained ) ;
}
2005-03-21 05:08:38 +03:00
}
return cred - > password ;
}
r11995: A big kerberos-related update.
This merges Samba4 up to current lorikeet-heimdal, which includes a
replacement for some Samba-specific hacks.
In particular, the credentials system now supplies GSS client and
server credentials. These are imported into GSS with
gss_krb5_import_creds(). Unfortunetly this can't take an MEMORY
keytab, so we now create a FILE based keytab as provision and join
time.
Because the keytab is now created in advance, we don't spend .4s at
negprot doing sha1 s2k calls. Also, because the keytab is read in
real time, any change in the server key will be correctly picked up by
the the krb5 code.
To mark entries in the secrets which should be exported to a keytab,
there is a new kerberosSecret objectClass. The new routine
cli_credentials_update_all_keytabs() searches for these, and updates
the keytabs.
This is called in the provision.js via the ejs wrapper
credentials_update_all_keytabs().
We can now (in theory) use a system-provided /etc/krb5.keytab, if
krb5Keytab: FILE:/etc/krb5.keytab
is added to the secrets.ldb record. By default the attribute
privateKeytab: secrets.keytab
is set, pointing to allow the whole private directory to be moved
without breaking the internal links.
(This used to be commit 6b75573df49c6210e1b9d71e108a9490976bd41d)
2005-12-01 08:20:39 +03:00
/* Set a password on the credentials context, including an indication
* of ' how ' the password was obtained */
2008-04-02 06:53:27 +04:00
_PUBLIC_ bool cli_credentials_set_password ( struct cli_credentials * cred ,
2005-08-30 05:19:41 +04:00
const char * val ,
enum credentials_obtained obtained )
2005-03-21 05:08:38 +03:00
{
if ( obtained > = cred - > password_obtained ) {
2016-12-14 10:52:12 +03:00
cred - > lm_response = data_blob_null ;
cred - > nt_response = data_blob_null ;
cred - > nt_hash = NULL ;
cred - > password = NULL ;
cli_credentials_invalidate_ccache ( cred , obtained ) ;
2013-07-31 16:25:54 +04:00
cred - > password_tries = 0 ;
2016-12-14 10:52:12 +03:00
if ( val = = NULL ) {
cred - > password_obtained = obtained ;
return true ;
}
2016-12-14 12:02:10 +03:00
if ( cred - > password_will_be_nt_hash ) {
struct samr_Password * nt_hash = NULL ;
size_t val_len = strlen ( val ) ;
size_t converted ;
nt_hash = talloc ( cred , struct samr_Password ) ;
if ( nt_hash = = NULL ) {
return false ;
}
converted = strhex_to_str ( ( char * ) nt_hash - > hash ,
sizeof ( nt_hash - > hash ) ,
val , val_len ) ;
if ( converted ! = sizeof ( nt_hash - > hash ) ) {
TALLOC_FREE ( nt_hash ) ;
return false ;
}
cred - > nt_hash = nt_hash ;
cred - > password_obtained = obtained ;
return true ;
}
2005-03-21 05:08:38 +03:00
cred - > password = talloc_strdup ( cred , val ) ;
2016-12-14 10:52:12 +03:00
if ( cred - > password = = NULL ) {
return false ;
2012-08-31 05:19:54 +04:00
}
2016-12-14 10:52:12 +03:00
/* Don't print the actual password in talloc memory dumps */
talloc_set_name_const ( cred - > password ,
" password set via cli_credentials_set_password " ) ;
2005-03-21 05:08:38 +03:00
cred - > password_obtained = obtained ;
2005-06-17 17:12:13 +04:00
2007-10-07 02:16:19 +04:00
return true ;
2005-06-17 17:12:13 +04:00
}
2007-10-07 02:16:19 +04:00
return false ;
2005-06-17 17:12:13 +04:00
}
2008-04-02 06:53:27 +04:00
_PUBLIC_ bool cli_credentials_set_password_callback ( struct cli_credentials * cred ,
2005-08-30 05:19:41 +04:00
const char * ( * password_cb ) ( struct cli_credentials * ) )
{
if ( cred - > password_obtained < CRED_CALLBACK ) {
2013-07-31 16:25:54 +04:00
cred - > password_tries = 3 ;
2005-08-30 05:19:41 +04:00
cred - > password_cb = password_cb ;
cred - > password_obtained = CRED_CALLBACK ;
2007-05-22 09:21:59 +04:00
cli_credentials_invalidate_ccache ( cred , cred - > password_obtained ) ;
2007-10-07 02:16:19 +04:00
return true ;
2005-08-30 05:19:41 +04:00
}
2007-10-07 02:16:19 +04:00
return false ;
2005-08-30 05:19:41 +04:00
}
2005-10-20 07:47:55 +04:00
/**
* Obtain the ' old ' password for this credentials context ( used for join accounts ) .
* @ param cred credentials context
* @ retval If set , the cleartext password , otherwise NULL
*/
2011-10-09 16:27:44 +04:00
_PUBLIC_ const char * cli_credentials_get_old_password ( struct cli_credentials * cred )
2005-10-20 07:47:55 +04:00
{
if ( cred - > machine_account_pending ) {
2007-12-14 00:46:17 +03:00
cli_credentials_set_machine_account ( cred ,
cred - > machine_account_pending_lp_ctx ) ;
2005-10-20 07:47:55 +04:00
}
return cred - > old_password ;
}
2011-10-09 16:27:44 +04:00
_PUBLIC_ bool cli_credentials_set_old_password ( struct cli_credentials * cred ,
2005-10-20 07:47:55 +04:00
const char * val ,
enum credentials_obtained obtained )
{
cred - > old_password = talloc_strdup ( cred , val ) ;
2012-08-31 05:19:54 +04:00
if ( cred - > old_password ) {
/* Don't print the actual password in talloc memory dumps */
talloc_set_name_const ( cred - > old_password , " password set via cli_credentials_set_old_password " ) ;
}
2015-02-09 11:04:42 +03:00
cred - > old_nt_hash = NULL ;
2007-10-07 02:16:19 +04:00
return true ;
2005-10-20 07:47:55 +04:00
}
2005-06-17 17:12:13 +04:00
/**
r11995: A big kerberos-related update.
This merges Samba4 up to current lorikeet-heimdal, which includes a
replacement for some Samba-specific hacks.
In particular, the credentials system now supplies GSS client and
server credentials. These are imported into GSS with
gss_krb5_import_creds(). Unfortunetly this can't take an MEMORY
keytab, so we now create a FILE based keytab as provision and join
time.
Because the keytab is now created in advance, we don't spend .4s at
negprot doing sha1 s2k calls. Also, because the keytab is read in
real time, any change in the server key will be correctly picked up by
the the krb5 code.
To mark entries in the secrets which should be exported to a keytab,
there is a new kerberosSecret objectClass. The new routine
cli_credentials_update_all_keytabs() searches for these, and updates
the keytabs.
This is called in the provision.js via the ejs wrapper
credentials_update_all_keytabs().
We can now (in theory) use a system-provided /etc/krb5.keytab, if
krb5Keytab: FILE:/etc/krb5.keytab
is added to the secrets.ldb record. By default the attribute
privateKeytab: secrets.keytab
is set, pointing to allow the whole private directory to be moved
without breaking the internal links.
(This used to be commit 6b75573df49c6210e1b9d71e108a9490976bd41d)
2005-12-01 08:20:39 +03:00
* Obtain the password , in the form MD4 ( unicode ( password ) ) for this credentials context .
*
* Sometimes we only have this much of the password , while the rest of
* the time this call avoids calling E_md4hash themselves .
*
2005-06-17 17:12:13 +04:00
* @ param cred credentials context
* @ retval If set , the cleartext password , otherwise NULL
*/
2013-08-09 12:15:05 +04:00
_PUBLIC_ struct samr_Password * cli_credentials_get_nt_hash ( struct cli_credentials * cred ,
TALLOC_CTX * mem_ctx )
2005-06-17 17:12:13 +04:00
{
2016-12-14 12:02:10 +03:00
enum credentials_obtained password_obtained ;
enum credentials_obtained ccache_threshold ;
enum credentials_obtained client_gss_creds_threshold ;
bool password_is_nt_hash ;
2014-12-16 16:58:11 +03:00
const char * password = NULL ;
2016-12-14 12:02:10 +03:00
struct samr_Password * nt_hash = NULL ;
2005-06-17 17:12:13 +04:00
2014-12-16 16:58:11 +03:00
if ( cred - > nt_hash ! = NULL ) {
2016-12-14 12:02:10 +03:00
/*
* If we already have a hash it ' s easy .
*/
goto return_hash ;
}
2013-08-09 12:15:05 +04:00
2016-12-14 12:02:10 +03:00
/*
* This is a bit tricky , with password_will_be_nt_hash
* we still need to get the value via the password_callback
* but if we did that we should not remember it ' s state
* in the long run so we need to undo it .
*/
2005-06-17 17:12:13 +04:00
2016-12-14 12:02:10 +03:00
password_obtained = cred - > password_obtained ;
ccache_threshold = cred - > ccache_threshold ;
client_gss_creds_threshold = cred - > client_gss_creds_threshold ;
password_is_nt_hash = cred - > password_will_be_nt_hash ;
2014-12-16 16:58:11 +03:00
2016-12-14 12:02:10 +03:00
cred - > password_will_be_nt_hash = false ;
2014-12-16 16:58:11 +03:00
password = cli_credentials_get_password ( cred ) ;
2013-08-09 12:15:05 +04:00
2016-12-14 12:02:10 +03:00
cred - > password_will_be_nt_hash = password_is_nt_hash ;
if ( password_is_nt_hash & & password_obtained = = CRED_CALLBACK ) {
/*
* We got the nt_hash as string via the callback ,
* so we need to undo the state change .
*
* And also don ' t remember it as plaintext password .
*/
cred - > client_gss_creds_threshold = client_gss_creds_threshold ;
cred - > ccache_threshold = ccache_threshold ;
cred - > password_obtained = password_obtained ;
cred - > password = NULL ;
}
if ( password = = NULL ) {
return NULL ;
}
nt_hash = talloc ( cred , struct samr_Password ) ;
if ( nt_hash = = NULL ) {
return NULL ;
}
if ( password_is_nt_hash ) {
size_t password_len = strlen ( password ) ;
size_t converted ;
converted = strhex_to_str ( ( char * ) nt_hash - > hash ,
sizeof ( nt_hash - > hash ) ,
password , password_len ) ;
if ( converted ! = sizeof ( nt_hash - > hash ) ) {
TALLOC_FREE ( nt_hash ) ;
return false ;
}
} else {
2014-12-16 16:58:11 +03:00
E_md4hash ( password , nt_hash - > hash ) ;
2016-12-14 12:02:10 +03:00
}
cred - > nt_hash = nt_hash ;
nt_hash = NULL ;
2013-08-09 12:15:05 +04:00
2016-12-14 12:02:10 +03:00
return_hash :
nt_hash = talloc ( mem_ctx , struct samr_Password ) ;
if ( nt_hash = = NULL ) {
return NULL ;
2005-06-17 17:12:13 +04:00
}
2013-08-09 12:15:05 +04:00
2016-12-14 12:02:10 +03:00
* nt_hash = * cred - > nt_hash ;
return nt_hash ;
2005-06-17 17:12:13 +04:00
}
2015-02-09 11:04:42 +03:00
/**
* Obtain the old password , in the form MD4 ( unicode ( password ) ) for this credentials context .
*
* Sometimes we only have this much of the password , while the rest of
* the time this call avoids calling E_md4hash themselves .
*
* @ param cred credentials context
* @ retval If set , the cleartext password , otherwise NULL
*/
_PUBLIC_ struct samr_Password * cli_credentials_get_old_nt_hash ( struct cli_credentials * cred ,
TALLOC_CTX * mem_ctx )
{
const char * old_password = NULL ;
if ( cred - > old_nt_hash ! = NULL ) {
struct samr_Password * nt_hash = talloc ( mem_ctx , struct samr_Password ) ;
if ( ! nt_hash ) {
return NULL ;
}
* nt_hash = * cred - > old_nt_hash ;
return nt_hash ;
}
old_password = cli_credentials_get_old_password ( cred ) ;
if ( old_password ) {
struct samr_Password * nt_hash = talloc ( mem_ctx , struct samr_Password ) ;
if ( ! nt_hash ) {
return NULL ;
}
E_md4hash ( old_password , nt_hash - > hash ) ;
return nt_hash ;
}
return NULL ;
}
2005-03-27 10:55:03 +04:00
/**
* Obtain the ' short ' or ' NetBIOS ' domain for this credentials context .
* @ param cred credentials context
* @ retval The domain set on this context .
* @ note Return value will never be NULL except by programmer error .
*/
2008-04-02 06:53:27 +04:00
_PUBLIC_ const char * cli_credentials_get_domain ( struct cli_credentials * cred )
2005-03-21 05:08:38 +03:00
{
2005-03-24 06:32:25 +03:00
if ( cred - > machine_account_pending ) {
2007-12-14 00:46:17 +03:00
cli_credentials_set_machine_account ( cred ,
cred - > machine_account_pending_lp_ctx ) ;
2005-03-24 06:32:25 +03:00
}
2006-05-04 00:56:14 +04:00
if ( cred - > domain_obtained = = CRED_CALLBACK & &
! cred - > callback_running ) {
2007-10-07 02:16:19 +04:00
cred - > callback_running = true ;
2005-03-21 05:08:38 +03:00
cred - > domain = cred - > domain_cb ( cred ) ;
2007-10-07 02:16:19 +04:00
cred - > callback_running = false ;
2013-07-31 16:32:36 +04:00
if ( cred - > domain_obtained = = CRED_CALLBACK ) {
cred - > domain_obtained = CRED_CALLBACK_RESULT ;
cli_credentials_invalidate_ccache ( cred , cred - > domain_obtained ) ;
}
2005-03-21 05:08:38 +03:00
}
return cred - > domain ;
}
2008-04-02 06:53:27 +04:00
_PUBLIC_ bool cli_credentials_set_domain ( struct cli_credentials * cred ,
2005-08-30 05:19:41 +04:00
const char * val ,
enum credentials_obtained obtained )
2005-03-21 05:08:38 +03:00
{
if ( obtained > = cred - > domain_obtained ) {
2005-10-28 09:17:19 +04:00
/* it is important that the domain be in upper case,
* particularly for the sensitive NTLMv2
* calculations */
cred - > domain = strupper_talloc ( cred , val ) ;
2005-03-21 05:08:38 +03:00
cred - > domain_obtained = obtained ;
2012-05-24 16:17:40 +04:00
/* setting domain does not mean we have to invalidate ccache
* because domain in not used for Kerberos operations .
* If ccache invalidation is required , one will anyway specify
* a password to kinit , and that will force invalidation of the ccache
*/
2007-10-07 02:16:19 +04:00
return true ;
2005-03-21 05:08:38 +03:00
}
2007-10-07 02:16:19 +04:00
return false ;
2005-03-21 05:08:38 +03:00
}
2007-10-07 02:16:19 +04:00
bool cli_credentials_set_domain_callback ( struct cli_credentials * cred ,
2005-08-30 05:19:41 +04:00
const char * ( * domain_cb ) ( struct cli_credentials * ) )
{
if ( cred - > domain_obtained < CRED_CALLBACK ) {
cred - > domain_cb = domain_cb ;
cred - > domain_obtained = CRED_CALLBACK ;
2007-10-07 02:16:19 +04:00
return true ;
2005-08-30 05:19:41 +04:00
}
2007-10-07 02:16:19 +04:00
return false ;
2005-08-30 05:19:41 +04:00
}
2005-03-27 10:55:03 +04:00
/**
* Obtain the Kerberos realm for this credentials context .
* @ param cred credentials context
* @ retval The realm set on this context .
* @ note Return value will never be NULL except by programmer error .
*/
2008-04-02 06:53:27 +04:00
_PUBLIC_ const char * cli_credentials_get_realm ( struct cli_credentials * cred )
2005-03-22 00:22:07 +03:00
{
2005-03-24 06:32:25 +03:00
if ( cred - > machine_account_pending ) {
2007-12-14 00:46:17 +03:00
cli_credentials_set_machine_account ( cred ,
cred - > machine_account_pending_lp_ctx ) ;
2005-03-22 00:22:07 +03:00
}
2006-05-04 00:56:14 +04:00
if ( cred - > realm_obtained = = CRED_CALLBACK & &
! cred - > callback_running ) {
2007-10-07 02:16:19 +04:00
cred - > callback_running = true ;
2005-03-21 05:08:38 +03:00
cred - > realm = cred - > realm_cb ( cred ) ;
2007-10-07 02:16:19 +04:00
cred - > callback_running = false ;
2013-07-31 16:32:36 +04:00
if ( cred - > realm_obtained = = CRED_CALLBACK ) {
cred - > realm_obtained = CRED_CALLBACK_RESULT ;
cli_credentials_invalidate_ccache ( cred , cred - > realm_obtained ) ;
}
2005-03-21 05:08:38 +03:00
}
return cred - > realm ;
}
2005-05-10 13:51:55 +04:00
/**
* Set the realm for this credentials context , and force it to
* uppercase for the sainity of our local kerberos libraries
*/
2008-04-02 06:53:27 +04:00
_PUBLIC_ bool cli_credentials_set_realm ( struct cli_credentials * cred ,
2005-08-30 05:19:41 +04:00
const char * val ,
enum credentials_obtained obtained )
2005-03-21 05:08:38 +03:00
{
if ( obtained > = cred - > realm_obtained ) {
2005-05-10 13:51:55 +04:00
cred - > realm = strupper_talloc ( cred , val ) ;
2005-03-21 05:08:38 +03:00
cred - > realm_obtained = obtained ;
2007-05-22 09:21:59 +04:00
cli_credentials_invalidate_ccache ( cred , cred - > realm_obtained ) ;
2007-10-07 02:16:19 +04:00
return true ;
2005-03-21 05:08:38 +03:00
}
2007-10-07 02:16:19 +04:00
return false ;
2005-03-21 05:08:38 +03:00
}
2007-10-07 02:16:19 +04:00
bool cli_credentials_set_realm_callback ( struct cli_credentials * cred ,
2005-08-30 05:19:41 +04:00
const char * ( * realm_cb ) ( struct cli_credentials * ) )
{
if ( cred - > realm_obtained < CRED_CALLBACK ) {
cred - > realm_cb = realm_cb ;
cred - > realm_obtained = CRED_CALLBACK ;
2007-10-07 02:16:19 +04:00
return true ;
2005-08-30 05:19:41 +04:00
}
2007-10-07 02:16:19 +04:00
return false ;
2005-08-30 05:19:41 +04:00
}
2005-03-27 10:55:03 +04:00
/**
* Obtain the ' short ' or ' NetBIOS ' workstation name for this credentials context .
*
* @ param cred credentials context
* @ retval The workstation name set on this context .
* @ note Return value will never be NULL except by programmer error .
*/
2008-04-02 06:53:27 +04:00
_PUBLIC_ const char * cli_credentials_get_workstation ( struct cli_credentials * cred )
2005-03-21 05:08:38 +03:00
{
2006-05-04 00:56:14 +04:00
if ( cred - > workstation_obtained = = CRED_CALLBACK & &
! cred - > callback_running ) {
2007-10-07 02:16:19 +04:00
cred - > callback_running = true ;
2005-03-21 05:08:38 +03:00
cred - > workstation = cred - > workstation_cb ( cred ) ;
2007-10-07 02:16:19 +04:00
cred - > callback_running = false ;
2013-07-31 16:32:36 +04:00
if ( cred - > workstation_obtained = = CRED_CALLBACK ) {
cred - > workstation_obtained = CRED_CALLBACK_RESULT ;
}
2005-03-21 05:08:38 +03:00
}
return cred - > workstation ;
}
2008-04-02 06:53:27 +04:00
_PUBLIC_ bool cli_credentials_set_workstation ( struct cli_credentials * cred ,
2005-08-30 05:19:41 +04:00
const char * val ,
enum credentials_obtained obtained )
2005-03-21 05:08:38 +03:00
{
if ( obtained > = cred - > workstation_obtained ) {
cred - > workstation = talloc_strdup ( cred , val ) ;
cred - > workstation_obtained = obtained ;
2007-10-07 02:16:19 +04:00
return true ;
2005-03-21 05:08:38 +03:00
}
2007-10-07 02:16:19 +04:00
return false ;
2005-03-21 05:08:38 +03:00
}
2007-10-07 02:16:19 +04:00
bool cli_credentials_set_workstation_callback ( struct cli_credentials * cred ,
2005-08-30 05:19:41 +04:00
const char * ( * workstation_cb ) ( struct cli_credentials * ) )
{
if ( cred - > workstation_obtained < CRED_CALLBACK ) {
cred - > workstation_cb = workstation_cb ;
cred - > workstation_obtained = CRED_CALLBACK ;
2007-10-07 02:16:19 +04:00
return true ;
2005-08-30 05:19:41 +04:00
}
2007-10-07 02:16:19 +04:00
return false ;
2005-08-30 05:19:41 +04:00
}
2005-03-27 10:55:03 +04:00
/**
* Given a string , typically obtained from a - U argument , parse it into domain , username , realm and password fields
*
* The format accepted is [ domain \ \ ] user [ % password ] or user [ @ realm ] [ % password ]
*
* @ param credentials Credentials structure on which to set the password
* @ param data the string containing the username , password etc
* @ param obtained This enum describes how ' specified ' this password is
*/
2008-04-02 06:53:27 +04:00
_PUBLIC_ void cli_credentials_parse_string ( struct cli_credentials * credentials , const char * data , enum credentials_obtained obtained )
2005-03-21 05:08:38 +03:00
{
char * uname , * p ;
2005-04-26 11:10:43 +04:00
if ( strcmp ( " % " , data ) = = 0 ) {
cli_credentials_set_anonymous ( credentials ) ;
return ;
}
2005-03-21 05:08:38 +03:00
uname = talloc_strdup ( credentials , data ) ;
2005-03-22 11:00:45 +03:00
if ( ( p = strchr_m ( uname , ' % ' ) ) ) {
2005-03-21 05:08:38 +03:00
* p = 0 ;
2005-03-22 11:00:45 +03:00
cli_credentials_set_password ( credentials , p + 1 , obtained ) ;
2005-03-21 05:08:38 +03:00
}
if ( ( p = strchr_m ( uname , ' @ ' ) ) ) {
2016-12-09 14:20:19 +03:00
/*
* We also need to set username and domain
* in order to undo the effect of
* cli_credentials_guess ( ) .
*/
cli_credentials_set_username ( credentials , uname , obtained ) ;
cli_credentials_set_domain ( credentials , " " , obtained ) ;
2005-08-29 08:30:22 +04:00
cli_credentials_set_principal ( credentials , uname , obtained ) ;
2005-03-21 05:08:38 +03:00
* p = 0 ;
cli_credentials_set_realm ( credentials , p + 1 , obtained ) ;
2005-08-29 08:30:22 +04:00
return ;
2016-10-28 16:55:48 +03:00
} else if ( ( p = strchr_m ( uname , ' \\ ' ) )
| | ( p = strchr_m ( uname , ' / ' ) )
| | ( p = strchr_m ( uname , credentials - > winbind_separator ) ) )
{
2016-12-14 18:47:57 +03:00
const char * domain = NULL ;
domain = uname ;
2005-03-21 05:08:38 +03:00
* p = 0 ;
2005-03-22 11:00:45 +03:00
uname = p + 1 ;
2016-12-14 18:47:57 +03:00
if ( obtained = = credentials - > realm_obtained & &
! strequal_m ( credentials - > domain , domain ) )
{
/*
* We need to undo a former set with the same level
* in order to get the expected result from
* cli_credentials_get_principal ( ) .
*
* But we only need to do that if the domain
* actually changes .
*/
cli_credentials_set_realm ( credentials , domain , obtained ) ;
}
cli_credentials_set_domain ( credentials , domain , obtained ) ;
}
if ( obtained = = credentials - > principal_obtained & &
! strequal_m ( credentials - > username , uname ) )
{
/*
* We need to undo a former set with the same level
* in order to get the expected result from
* cli_credentials_get_principal ( ) .
*
* But we only need to do that if the username
* actually changes .
*/
credentials - > principal_obtained = CRED_UNINITIALISED ;
credentials - > principal = NULL ;
2005-03-21 05:08:38 +03:00
}
2005-03-22 11:00:45 +03:00
cli_credentials_set_username ( credentials , uname , obtained ) ;
2005-03-21 05:08:38 +03:00
}
2006-05-04 00:23:19 +04:00
/**
2006-05-04 00:31:24 +04:00
* Given a a credentials structure , print it as a string
2006-05-04 00:23:19 +04:00
*
2006-05-04 00:31:24 +04:00
* The format output is [ domain \ \ ] user [ % password ] or user [ @ realm ] [ % password ]
2006-05-04 00:23:19 +04:00
*
* @ param credentials Credentials structure on which to set the password
2006-05-04 00:31:24 +04:00
* @ param mem_ctx The memory context to place the result on
2006-05-04 00:23:19 +04:00
*/
2016-12-29 17:26:00 +03:00
_PUBLIC_ char * cli_credentials_get_unparsed_name ( struct cli_credentials * credentials , TALLOC_CTX * mem_ctx )
2006-05-04 00:23:19 +04:00
{
const char * bind_dn = cli_credentials_get_bind_dn ( credentials ) ;
2016-12-29 17:26:00 +03:00
const char * domain = NULL ;
const char * username = NULL ;
char * name = NULL ;
2006-05-04 00:23:19 +04:00
if ( bind_dn ) {
2013-07-31 14:33:25 +04:00
name = talloc_strdup ( mem_ctx , bind_dn ) ;
2006-05-04 00:23:19 +04:00
} else {
cli_credentials_get_ntlm_username_domain ( credentials , mem_ctx , & username , & domain ) ;
if ( domain & & domain [ 0 ] ) {
name = talloc_asprintf ( mem_ctx , " %s \\ %s " ,
domain , username ) ;
} else {
name = talloc_asprintf ( mem_ctx , " %s " ,
username ) ;
}
}
return name ;
}
2005-03-27 10:55:03 +04:00
/**
* Specifies default values for domain , workstation and realm
* from the smb . conf configuration file
*
* @ param cred Credentials structure to fill in
*/
2008-04-02 06:53:27 +04:00
_PUBLIC_ void cli_credentials_set_conf ( struct cli_credentials * cred ,
2007-09-28 05:17:46 +04:00
struct loadparm_context * lp_ctx )
2005-03-24 06:32:25 +03:00
{
2016-10-28 16:55:48 +03:00
const char * sep = NULL ;
2016-12-15 13:04:02 +03:00
const char * realm = lpcfg_realm ( lp_ctx ) ;
2016-10-28 16:55:48 +03:00
2005-08-29 08:30:22 +04:00
cli_credentials_set_username ( cred , " " , CRED_UNINITIALISED ) ;
2011-10-18 01:41:46 +04:00
if ( lpcfg_parm_is_cmdline ( lp_ctx , " workgroup " ) ) {
cli_credentials_set_domain ( cred , lpcfg_workgroup ( lp_ctx ) , CRED_SPECIFIED ) ;
} else {
cli_credentials_set_domain ( cred , lpcfg_workgroup ( lp_ctx ) , CRED_UNINITIALISED ) ;
}
if ( lpcfg_parm_is_cmdline ( lp_ctx , " netbios name " ) ) {
cli_credentials_set_workstation ( cred , lpcfg_netbios_name ( lp_ctx ) , CRED_SPECIFIED ) ;
} else {
cli_credentials_set_workstation ( cred , lpcfg_netbios_name ( lp_ctx ) , CRED_UNINITIALISED ) ;
}
2016-12-15 13:04:02 +03:00
if ( realm ! = NULL & & strlen ( realm ) = = 0 ) {
realm = NULL ;
}
2011-10-18 01:41:46 +04:00
if ( lpcfg_parm_is_cmdline ( lp_ctx , " realm " ) ) {
2016-12-15 13:04:02 +03:00
cli_credentials_set_realm ( cred , realm , CRED_SPECIFIED ) ;
2011-10-18 01:41:46 +04:00
} else {
2016-12-15 13:04:02 +03:00
cli_credentials_set_realm ( cred , realm , CRED_UNINITIALISED ) ;
2011-10-18 01:41:46 +04:00
}
2016-10-28 16:55:48 +03:00
sep = lpcfg_winbind_separator ( lp_ctx ) ;
if ( sep ! = NULL & & sep [ 0 ] ! = ' \0 ' ) {
cred - > winbind_separator = * lpcfg_winbind_separator ( lp_ctx ) ;
}
2005-03-24 06:32:25 +03:00
}
2005-03-27 10:55:03 +04:00
/**
* Guess defaults for credentials from environment variables ,
* and from the configuration file
*
* @ param cred Credentials structure to fill in
*/
2008-04-02 06:53:27 +04:00
_PUBLIC_ void cli_credentials_guess ( struct cli_credentials * cred ,
2007-12-04 01:33:09 +03:00
struct loadparm_context * lp_ctx )
2005-03-21 05:08:38 +03:00
{
char * p ;
2010-02-25 08:16:33 +03:00
const char * error_string ;
2005-03-21 05:08:38 +03:00
2007-12-04 01:33:09 +03:00
if ( lp_ctx ! = NULL ) {
2007-12-04 02:12:03 +03:00
cli_credentials_set_conf ( cred , lp_ctx ) ;
2007-12-04 01:33:09 +03:00
}
2005-03-24 06:32:25 +03:00
2005-03-21 05:08:38 +03:00
if ( getenv ( " LOGNAME " ) ) {
2005-08-29 08:30:22 +04:00
cli_credentials_set_username ( cred , getenv ( " LOGNAME " ) , CRED_GUESS_ENV ) ;
2005-03-21 05:08:38 +03:00
}
if ( getenv ( " USER " ) ) {
2005-08-29 08:30:22 +04:00
cli_credentials_parse_string ( cred , getenv ( " USER " ) , CRED_GUESS_ENV ) ;
2005-03-21 05:08:38 +03:00
if ( ( p = strchr_m ( getenv ( " USER " ) , ' % ' ) ) ) {
2005-03-22 02:35:58 +03:00
memset ( p , 0 , strlen ( cred - > password ) ) ;
2005-03-21 05:08:38 +03:00
}
}
if ( getenv ( " PASSWD " ) ) {
2005-08-29 08:30:22 +04:00
cli_credentials_set_password ( cred , getenv ( " PASSWD " ) , CRED_GUESS_ENV ) ;
2005-03-21 05:08:38 +03:00
}
if ( getenv ( " PASSWD_FD " ) ) {
2007-09-28 05:17:46 +04:00
cli_credentials_parse_password_fd ( cred , atoi ( getenv ( " PASSWD_FD " ) ) ,
CRED_GUESS_FILE ) ;
2005-03-21 05:08:38 +03:00
}
2007-03-07 07:20:10 +03:00
p = getenv ( " PASSWD_FILE " ) ;
if ( p & & p [ 0 ] ) {
cli_credentials_parse_password_file ( cred , p , CRED_GUESS_FILE ) ;
2005-03-21 05:08:38 +03:00
}
2006-05-04 00:23:19 +04:00
if ( cli_credentials_get_kerberos_state ( cred ) ! = CRED_DONT_USE_KERBEROS ) {
2010-10-11 09:53:08 +04:00
cli_credentials_set_ccache ( cred , lp_ctx , NULL , CRED_GUESS_FILE ,
2010-02-25 08:16:33 +03:00
& error_string ) ;
2006-05-04 00:23:19 +04:00
}
2005-03-21 05:08:38 +03:00
}
2005-03-22 02:35:58 +03:00
2005-03-27 10:55:03 +04:00
/**
* Attach NETLOGON credentials for use with SCHANNEL
*/
2005-03-24 06:32:25 +03:00
2008-04-02 06:53:27 +04:00
_PUBLIC_ void cli_credentials_set_netlogon_creds ( struct cli_credentials * cred ,
2009-04-06 16:54:44 +04:00
struct netlogon_creds_CredentialState * netlogon_creds )
2005-03-24 06:32:25 +03:00
{
2013-09-20 06:33:07 +04:00
TALLOC_FREE ( cred - > netlogon_creds ) ;
if ( netlogon_creds = = NULL ) {
return ;
}
cred - > netlogon_creds = netlogon_creds_copy ( cred , netlogon_creds ) ;
2005-03-24 06:32:25 +03:00
}
2005-03-27 10:55:03 +04:00
/**
* Return attached NETLOGON credentials
*/
2005-03-24 06:32:25 +03:00
2011-10-09 16:27:44 +04:00
_PUBLIC_ struct netlogon_creds_CredentialState * cli_credentials_get_netlogon_creds ( struct cli_credentials * cred )
2005-03-24 06:32:25 +03:00
{
return cred - > netlogon_creds ;
}
2005-05-01 23:29:00 +04:00
/**
* Set NETLOGON secure channel type
*/
2008-04-02 06:53:27 +04:00
_PUBLIC_ void cli_credentials_set_secure_channel_type ( struct cli_credentials * cred ,
2005-05-01 23:29:00 +04:00
enum netr_SchannelType secure_channel_type )
{
cred - > secure_channel_type = secure_channel_type ;
}
2010-05-17 07:41:01 +04:00
/**
* Return NETLOGON secure chanel type
*/
_PUBLIC_ time_t cli_credentials_get_password_last_changed_time ( struct cli_credentials * cred )
{
return cred - > password_last_changed_time ;
}
/**
* Set NETLOGON secure channel type
*/
_PUBLIC_ void cli_credentials_set_password_last_changed_time ( struct cli_credentials * cred ,
time_t last_changed_time )
{
cred - > password_last_changed_time = last_changed_time ;
}
2005-05-01 23:29:00 +04:00
/**
* Return NETLOGON secure chanel type
*/
2008-04-02 06:53:27 +04:00
_PUBLIC_ enum netr_SchannelType cli_credentials_get_secure_channel_type ( struct cli_credentials * cred )
2005-05-01 23:29:00 +04:00
{
return cred - > secure_channel_type ;
}
2005-03-27 10:55:03 +04:00
/**
* Fill in a credentials structure as the anonymous user
*/
2008-04-02 06:53:27 +04:00
_PUBLIC_ void cli_credentials_set_anonymous ( struct cli_credentials * cred )
2005-03-22 11:00:45 +03:00
{
cli_credentials_set_username ( cred , " " , CRED_SPECIFIED ) ;
cli_credentials_set_domain ( cred , " " , CRED_SPECIFIED ) ;
2005-03-22 13:33:53 +03:00
cli_credentials_set_password ( cred , NULL , CRED_SPECIFIED ) ;
2016-10-22 12:19:05 +03:00
cli_credentials_set_principal ( cred , NULL , CRED_SPECIFIED ) ;
2007-12-10 20:41:55 +03:00
cli_credentials_set_realm ( cred , NULL , CRED_SPECIFIED ) ;
2007-12-10 20:42:07 +03:00
cli_credentials_set_workstation ( cred , " " , CRED_UNINITIALISED ) ;
2015-06-25 21:30:43 +03:00
cli_credentials_set_kerberos_state ( cred , CRED_DONT_USE_KERBEROS ) ;
2005-03-22 11:00:45 +03:00
}
2005-03-27 10:55:03 +04:00
/**
* Describe a credentials context as anonymous or authenticated
2007-10-07 02:16:19 +04:00
* @ retval true if anonymous , false if a username is specified
2005-03-27 10:55:03 +04:00
*/
2008-04-02 06:53:27 +04:00
_PUBLIC_ bool cli_credentials_is_anonymous ( struct cli_credentials * cred )
2005-03-22 02:35:58 +03:00
{
r11995: A big kerberos-related update.
This merges Samba4 up to current lorikeet-heimdal, which includes a
replacement for some Samba-specific hacks.
In particular, the credentials system now supplies GSS client and
server credentials. These are imported into GSS with
gss_krb5_import_creds(). Unfortunetly this can't take an MEMORY
keytab, so we now create a FILE based keytab as provision and join
time.
Because the keytab is now created in advance, we don't spend .4s at
negprot doing sha1 s2k calls. Also, because the keytab is read in
real time, any change in the server key will be correctly picked up by
the the krb5 code.
To mark entries in the secrets which should be exported to a keytab,
there is a new kerberosSecret objectClass. The new routine
cli_credentials_update_all_keytabs() searches for these, and updates
the keytabs.
This is called in the provision.js via the ejs wrapper
credentials_update_all_keytabs().
We can now (in theory) use a system-provided /etc/krb5.keytab, if
krb5Keytab: FILE:/etc/krb5.keytab
is added to the secrets.ldb record. By default the attribute
privateKeytab: secrets.keytab
is set, pointing to allow the whole private directory to be moved
without breaking the internal links.
(This used to be commit 6b75573df49c6210e1b9d71e108a9490976bd41d)
2005-12-01 08:20:39 +03:00
const char * username ;
2009-10-09 23:30:51 +04:00
/* if bind dn is set it's not anonymous */
if ( cred - > bind_dn ) {
return false ;
}
r11995: A big kerberos-related update.
This merges Samba4 up to current lorikeet-heimdal, which includes a
replacement for some Samba-specific hacks.
In particular, the credentials system now supplies GSS client and
server credentials. These are imported into GSS with
gss_krb5_import_creds(). Unfortunetly this can't take an MEMORY
keytab, so we now create a FILE based keytab as provision and join
time.
Because the keytab is now created in advance, we don't spend .4s at
negprot doing sha1 s2k calls. Also, because the keytab is read in
real time, any change in the server key will be correctly picked up by
the the krb5 code.
To mark entries in the secrets which should be exported to a keytab,
there is a new kerberosSecret objectClass. The new routine
cli_credentials_update_all_keytabs() searches for these, and updates
the keytabs.
This is called in the provision.js via the ejs wrapper
credentials_update_all_keytabs().
We can now (in theory) use a system-provided /etc/krb5.keytab, if
krb5Keytab: FILE:/etc/krb5.keytab
is added to the secrets.ldb record. By default the attribute
privateKeytab: secrets.keytab
is set, pointing to allow the whole private directory to be moved
without breaking the internal links.
(This used to be commit 6b75573df49c6210e1b9d71e108a9490976bd41d)
2005-12-01 08:20:39 +03:00
if ( cred - > machine_account_pending ) {
2007-12-14 00:46:17 +03:00
cli_credentials_set_machine_account ( cred ,
cred - > machine_account_pending_lp_ctx ) ;
r11995: A big kerberos-related update.
This merges Samba4 up to current lorikeet-heimdal, which includes a
replacement for some Samba-specific hacks.
In particular, the credentials system now supplies GSS client and
server credentials. These are imported into GSS with
gss_krb5_import_creds(). Unfortunetly this can't take an MEMORY
keytab, so we now create a FILE based keytab as provision and join
time.
Because the keytab is now created in advance, we don't spend .4s at
negprot doing sha1 s2k calls. Also, because the keytab is read in
real time, any change in the server key will be correctly picked up by
the the krb5 code.
To mark entries in the secrets which should be exported to a keytab,
there is a new kerberosSecret objectClass. The new routine
cli_credentials_update_all_keytabs() searches for these, and updates
the keytabs.
This is called in the provision.js via the ejs wrapper
credentials_update_all_keytabs().
We can now (in theory) use a system-provided /etc/krb5.keytab, if
krb5Keytab: FILE:/etc/krb5.keytab
is added to the secrets.ldb record. By default the attribute
privateKeytab: secrets.keytab
is set, pointing to allow the whole private directory to be moved
without breaking the internal links.
(This used to be commit 6b75573df49c6210e1b9d71e108a9490976bd41d)
2005-12-01 08:20:39 +03:00
}
2015-05-07 17:12:03 +03:00
/* if principal is set, it's not anonymous */
if ( ( cred - > principal ! = NULL ) & & cred - > principal_obtained > = cred - > username_obtained ) {
return false ;
}
r11995: A big kerberos-related update.
This merges Samba4 up to current lorikeet-heimdal, which includes a
replacement for some Samba-specific hacks.
In particular, the credentials system now supplies GSS client and
server credentials. These are imported into GSS with
gss_krb5_import_creds(). Unfortunetly this can't take an MEMORY
keytab, so we now create a FILE based keytab as provision and join
time.
Because the keytab is now created in advance, we don't spend .4s at
negprot doing sha1 s2k calls. Also, because the keytab is read in
real time, any change in the server key will be correctly picked up by
the the krb5 code.
To mark entries in the secrets which should be exported to a keytab,
there is a new kerberosSecret objectClass. The new routine
cli_credentials_update_all_keytabs() searches for these, and updates
the keytabs.
This is called in the provision.js via the ejs wrapper
credentials_update_all_keytabs().
We can now (in theory) use a system-provided /etc/krb5.keytab, if
krb5Keytab: FILE:/etc/krb5.keytab
is added to the secrets.ldb record. By default the attribute
privateKeytab: secrets.keytab
is set, pointing to allow the whole private directory to be moved
without breaking the internal links.
(This used to be commit 6b75573df49c6210e1b9d71e108a9490976bd41d)
2005-12-01 08:20:39 +03:00
username = cli_credentials_get_username ( cred ) ;
2005-08-29 08:30:22 +04:00
2005-03-24 06:32:25 +03:00
/* Yes, it is deliberate that we die if we have a NULL pointer
2005-03-26 04:08:59 +03:00
* here - anonymous is " " , not NULL , which is ' never specified ,
2005-03-24 06:32:25 +03:00
* never guessed ' , ie programmer bug */
2005-08-29 08:30:22 +04:00
if ( ! username [ 0 ] ) {
2007-10-07 02:16:19 +04:00
return true ;
2005-08-29 08:30:22 +04:00
}
2005-10-14 19:55:51 +04:00
2007-10-07 02:16:19 +04:00
return false ;
2005-03-22 02:35:58 +03:00
}
2006-05-03 18:15:31 +04:00
/**
* Mark the current password for a credentials struct as wrong . This will
* cause the password to be prompted again ( if a callback is set ) .
*
2006-05-04 00:23:19 +04:00
* This will decrement the number of times the password can be tried .
2006-05-03 18:15:31 +04:00
*
* @ retval whether the credentials struct is finished
*/
2008-04-02 06:53:27 +04:00
_PUBLIC_ bool cli_credentials_wrong_password ( struct cli_credentials * cred )
2006-05-03 18:15:31 +04:00
{
if ( cred - > password_obtained ! = CRED_CALLBACK_RESULT ) {
2007-10-07 02:16:19 +04:00
return false ;
2006-05-03 18:15:31 +04:00
}
2013-07-31 16:25:54 +04:00
if ( cred - > password_tries = = 0 ) {
return false ;
}
cred - > password_tries - - ;
2006-05-03 18:15:31 +04:00
2013-07-31 16:25:54 +04:00
if ( cred - > password_tries = = 0 ) {
return false ;
}
cred - > password_obtained = CRED_CALLBACK ;
return true ;
2006-05-03 18:15:31 +04:00
}
2010-10-11 03:20:42 +04:00
_PUBLIC_ void cli_credentials_get_ntlm_username_domain ( struct cli_credentials * cred , TALLOC_CTX * mem_ctx ,
const char * * username ,
const char * * domain )
{
if ( cred - > principal_obtained > cred - > username_obtained ) {
* domain = talloc_strdup ( mem_ctx , " " ) ;
* username = cli_credentials_get_principal ( cred , mem_ctx ) ;
} else {
* domain = cli_credentials_get_domain ( cred ) ;
* username = cli_credentials_get_username ( cred ) ;
}
}
/**
* Read a named file , and parse it for username , domain , realm and password
*
* @ param credentials Credentials structure on which to set the password
* @ param file a named file to read the details from
* @ param obtained This enum describes how ' specified ' this password is
*/
_PUBLIC_ bool cli_credentials_parse_file ( struct cli_credentials * cred , const char * file , enum credentials_obtained obtained )
{
uint16_t len = 0 ;
char * ptr , * val , * param ;
char * * lines ;
int i , numlines ;
2016-12-15 14:41:58 +03:00
const char * realm = NULL ;
const char * domain = NULL ;
const char * password = NULL ;
const char * username = NULL ;
2010-10-11 03:20:42 +04:00
lines = file_lines_load ( file , & numlines , 0 , NULL ) ;
if ( lines = = NULL )
{
/* fail if we can't open the credentials file */
d_printf ( " ERROR: Unable to open credentials file! \n " ) ;
return false ;
}
for ( i = 0 ; i < numlines ; i + + ) {
len = strlen ( lines [ i ] ) ;
if ( len = = 0 )
continue ;
/* break up the line into parameter & value.
* will need to eat a little whitespace possibly */
param = lines [ i ] ;
if ( ! ( ptr = strchr_m ( lines [ i ] , ' = ' ) ) )
continue ;
val = ptr + 1 ;
* ptr = ' \0 ' ;
/* eat leading white space */
while ( ( * val ! = ' \0 ' ) & & ( ( * val = = ' ' ) | | ( * val = = ' \t ' ) ) )
val + + ;
if ( strwicmp ( " password " , param ) = = 0 ) {
2016-12-15 14:41:58 +03:00
password = val ;
2010-10-11 03:20:42 +04:00
} else if ( strwicmp ( " username " , param ) = = 0 ) {
2016-12-15 14:41:58 +03:00
username = val ;
2010-10-11 03:20:42 +04:00
} else if ( strwicmp ( " domain " , param ) = = 0 ) {
2016-12-15 14:41:58 +03:00
domain = val ;
2010-10-11 03:20:42 +04:00
} else if ( strwicmp ( " realm " , param ) = = 0 ) {
2016-12-15 14:41:58 +03:00
realm = val ;
2010-10-11 03:20:42 +04:00
}
2016-12-15 14:41:58 +03:00
/*
* We need to readd ' = ' in order to let
* the strlen ( ) work in the last loop
* that clears the memory .
*/
* ptr = ' = ' ;
}
if ( realm ! = NULL & & strlen ( realm ) ! = 0 ) {
/*
* only overwrite with a valid string
*/
cli_credentials_set_realm ( cred , realm , obtained ) ;
}
if ( domain ! = NULL & & strlen ( domain ) ! = 0 ) {
/*
* only overwrite with a valid string
*/
cli_credentials_set_domain ( cred , domain , obtained ) ;
2010-10-11 03:20:42 +04:00
}
2016-12-15 14:41:58 +03:00
if ( password ! = NULL ) {
/*
* Here we allow " " .
*/
cli_credentials_set_password ( cred , password , obtained ) ;
}
if ( username ! = NULL ) {
/*
* The last " username " line takes preference
* if the string also contains domain , realm or
* password .
*/
cli_credentials_parse_string ( cred , username , obtained ) ;
}
for ( i = 0 ; i < numlines ; i + + ) {
len = strlen ( lines [ i ] ) ;
memset ( lines [ i ] , 0 , len ) ;
}
2010-10-11 03:20:42 +04:00
talloc_free ( lines ) ;
return true ;
}
/**
* Read a named file , and parse it for a password
*
* @ param credentials Credentials structure on which to set the password
* @ param file a named file to read the password from
* @ param obtained This enum describes how ' specified ' this password is
*/
_PUBLIC_ bool cli_credentials_parse_password_file ( struct cli_credentials * credentials , const char * file , enum credentials_obtained obtained )
{
int fd = open ( file , O_RDONLY , 0 ) ;
bool ret ;
if ( fd < 0 ) {
fprintf ( stderr , " Error opening password file %s: %s \n " ,
file , strerror ( errno ) ) ;
return false ;
}
ret = cli_credentials_parse_password_fd ( credentials , fd , obtained ) ;
close ( fd ) ;
return ret ;
}
/**
* Read a file descriptor , and parse it for a password ( eg from a file or stdin )
*
* @ param credentials Credentials structure on which to set the password
* @ param fd open file descriptor to read the password from
* @ param obtained This enum describes how ' specified ' this password is
*/
_PUBLIC_ bool cli_credentials_parse_password_fd ( struct cli_credentials * credentials ,
int fd , enum credentials_obtained obtained )
{
char * p ;
char pass [ 128 ] ;
for ( p = pass , * p = ' \0 ' ; /* ensure that pass is null-terminated */
p & & p - pass < sizeof ( pass ) ; ) {
switch ( read ( fd , p , 1 ) ) {
case 1 :
if ( * p ! = ' \n ' & & * p ! = ' \0 ' ) {
* + + p = ' \0 ' ; /* advance p, and null-terminate pass */
break ;
}
/* fall through */
case 0 :
if ( p - pass ) {
* p = ' \0 ' ; /* null-terminate it, just in case... */
p = NULL ; /* then force the loop condition to become false */
break ;
} else {
fprintf ( stderr , " Error reading password from file descriptor %d: %s \n " , fd , " empty password \n " ) ;
return false ;
}
default :
fprintf ( stderr , " Error reading password from file descriptor %d: %s \n " ,
fd , strerror ( errno ) ) ;
return false ;
}
}
cli_credentials_set_password ( credentials , pass , obtained ) ;
return true ;
}
2017-06-20 23:10:30 +03:00
/**
* Encrypt a data blob using the session key and the negotiated encryption
* algorithm
*
* @ param state Credential state , contains the session key and algorithm
* @ param data Data blob containing the data to be encrypted .
*
*/
_PUBLIC_ NTSTATUS netlogon_creds_session_encrypt (
struct netlogon_creds_CredentialState * state ,
DATA_BLOB data )
{
if ( data . data = = NULL | | data . length = = 0 ) {
DBG_ERR ( " Nothing to encrypt "
" data.data == NULL or data.length == 0 " ) ;
return NT_STATUS_INVALID_PARAMETER ;
}
/*
* Don ' t crypt an all - zero password it will give away the
* NETLOGON pipe session key .
*/
if ( all_zero ( data . data , data . length ) ) {
DBG_ERR ( " Supplied data all zeros, could leak session key " ) ;
return NT_STATUS_INVALID_PARAMETER ;
}
if ( state - > negotiate_flags & NETLOGON_NEG_SUPPORTS_AES ) {
netlogon_creds_aes_encrypt ( state ,
data . data ,
data . length ) ;
} else if ( state - > negotiate_flags & NETLOGON_NEG_ARCFOUR ) {
netlogon_creds_arcfour_crypt ( state ,
data . data ,
data . length ) ;
} else {
DBG_ERR ( " Unsupported encryption option negotiated " ) ;
return NT_STATUS_NOT_SUPPORTED ;
}
return NT_STATUS_OK ;
}
