2005-03-21 05:08:38 +03:00
/*
Unix SMB / CIFS implementation .
2005-09-29 04:02:38 +04:00
User credentials handling
2005-03-21 05:08:38 +03:00
Copyright ( C ) Jelmer Vernooij 2005
Copyright ( C ) Tim Potter 2001
2005-03-22 11:00:45 +03:00
Copyright ( C ) Andrew Bartlett < abartlet @ samba . org > 2005
2005-03-21 05:08:38 +03:00
This program is free software ; you can redistribute it and / or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation ; either version 2 of the License , or
( at your option ) any later version .
This program is distributed in the hope that it will be useful ,
but WITHOUT ANY WARRANTY ; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE . See the
GNU General Public License for more details .
You should have received a copy of the GNU General Public License
along with this program ; if not , write to the Free Software
Foundation , Inc . , 675 Mass Ave , Cambridge , MA 0213 9 , USA .
*/
# include "includes.h"
2006-03-16 03:23:11 +03:00
# include "librpc/gen_ndr/samr.h" /* for struct samrPassword */
2006-01-28 15:15:24 +03:00
# include "auth/gensec/gensec.h"
2006-03-14 18:03:25 +03:00
# include "libcli/auth/libcli_auth.h"
2005-03-21 05:08:38 +03:00
2005-03-27 10:55:03 +04:00
/**
* Create a new credentials structure
* @ param mem_ctx TALLOC_CTX parent for credentials structure
*/
2005-03-22 11:00:45 +03:00
struct cli_credentials * cli_credentials_init ( TALLOC_CTX * mem_ctx )
2005-03-21 05:08:38 +03:00
{
2005-04-10 14:11:36 +04:00
struct cli_credentials * cred = talloc ( mem_ctx , struct cli_credentials ) ;
2005-03-23 04:30:43 +03:00
if ( ! cred ) {
return cred ;
}
2005-04-25 07:03:28 +04:00
cred - > netlogon_creds = NULL ;
2005-04-10 14:11:36 +04:00
cred - > machine_account_pending = False ;
cred - > workstation_obtained = CRED_UNINITIALISED ;
cred - > username_obtained = CRED_UNINITIALISED ;
cred - > password_obtained = CRED_UNINITIALISED ;
cred - > domain_obtained = CRED_UNINITIALISED ;
cred - > realm_obtained = CRED_UNINITIALISED ;
2005-08-29 08:30:22 +04:00
cred - > ccache_obtained = CRED_UNINITIALISED ;
r11995: A big kerberos-related update.
This merges Samba4 up to current lorikeet-heimdal, which includes a
replacement for some Samba-specific hacks.
In particular, the credentials system now supplies GSS client and
server credentials. These are imported into GSS with
gss_krb5_import_creds(). Unfortunetly this can't take an MEMORY
keytab, so we now create a FILE based keytab as provision and join
time.
Because the keytab is now created in advance, we don't spend .4s at
negprot doing sha1 s2k calls. Also, because the keytab is read in
real time, any change in the server key will be correctly picked up by
the the krb5 code.
To mark entries in the secrets which should be exported to a keytab,
there is a new kerberosSecret objectClass. The new routine
cli_credentials_update_all_keytabs() searches for these, and updates
the keytabs.
This is called in the provision.js via the ejs wrapper
credentials_update_all_keytabs().
We can now (in theory) use a system-provided /etc/krb5.keytab, if
krb5Keytab: FILE:/etc/krb5.keytab
is added to the secrets.ldb record. By default the attribute
privateKeytab: secrets.keytab
is set, pointing to allow the whole private directory to be moved
without breaking the internal links.
(This used to be commit 6b75573df49c6210e1b9d71e108a9490976bd41d)
2005-12-01 08:20:39 +03:00
cred - > client_gss_creds_obtained = CRED_UNINITIALISED ;
cred - > server_gss_creds_obtained = CRED_UNINITIALISED ;
2005-10-20 07:47:55 +04:00
cred - > keytab_obtained = CRED_UNINITIALISED ;
2005-08-29 08:30:22 +04:00
cred - > principal_obtained = CRED_UNINITIALISED ;
2005-10-20 07:47:55 +04:00
cred - > old_password = NULL ;
cred - > smb_krb5_context = NULL ;
2005-10-20 14:28:16 +04:00
cred - > salt_principal = NULL ;
2005-10-31 03:23:38 +03:00
cred - > machine_account = False ;
2005-10-20 07:47:55 +04:00
2005-12-18 08:01:15 +03:00
cred - > bind_dn = NULL ;
2006-05-03 18:54:57 +04:00
cred - > tries = 3 ;
2006-05-07 22:08:57 +04:00
cred - > callback_running = False ;
2006-05-03 18:54:57 +04:00
2006-01-28 15:15:24 +03:00
cli_credentials_set_kerberos_state ( cred , CRED_AUTO_USE_KERBEROS ) ;
2005-03-23 04:30:43 +03:00
return cred ;
2005-03-22 11:00:45 +03:00
}
2005-03-22 00:22:07 +03:00
2006-01-28 15:15:24 +03:00
void cli_credentials_set_kerberos_state ( struct cli_credentials * creds ,
enum credentials_use_kerberos use_kerberos )
{
creds - > use_kerberos = use_kerberos ;
}
enum credentials_use_kerberos cli_credentials_get_kerberos_state ( struct cli_credentials * creds )
{
return creds - > use_kerberos ;
}
2005-03-27 10:55:03 +04:00
/**
* Obtain the username for this credentials context .
* @ param cred credentials context
* @ retval The username set on this context .
* @ note Return value will never be NULL except by programmer error .
*/
2005-09-22 05:50:58 +04:00
const char * cli_credentials_get_username ( struct cli_credentials * cred )
2005-03-22 11:00:45 +03:00
{
2005-03-24 06:32:25 +03:00
if ( cred - > machine_account_pending ) {
cli_credentials_set_machine_account ( cred ) ;
}
2006-05-04 00:56:14 +04:00
if ( cred - > username_obtained = = CRED_CALLBACK & &
! cred - > callback_running ) {
cred - > callback_running = True ;
2005-03-21 05:08:38 +03:00
cred - > username = cred - > username_cb ( cred ) ;
2006-05-04 00:56:14 +04:00
cred - > callback_running = False ;
2005-03-21 05:08:38 +03:00
cred - > username_obtained = CRED_SPECIFIED ;
}
2005-09-22 05:50:58 +04:00
return cred - > username ;
2005-03-21 05:08:38 +03:00
}
2005-08-30 05:19:41 +04:00
BOOL cli_credentials_set_username ( struct cli_credentials * cred ,
const char * val , enum credentials_obtained obtained )
2005-03-21 05:08:38 +03:00
{
if ( obtained > = cred - > username_obtained ) {
cred - > username = talloc_strdup ( cred , val ) ;
cred - > username_obtained = obtained ;
return True ;
}
return False ;
}
2005-08-30 05:19:41 +04:00
BOOL cli_credentials_set_username_callback ( struct cli_credentials * cred ,
const char * ( * username_cb ) ( struct cli_credentials * ) )
{
if ( cred - > username_obtained < CRED_CALLBACK ) {
cred - > username_cb = username_cb ;
cred - > username_obtained = CRED_CALLBACK ;
return True ;
}
return False ;
}
2005-12-18 08:01:15 +03:00
BOOL cli_credentials_set_bind_dn ( struct cli_credentials * cred ,
const char * bind_dn )
{
cred - > bind_dn = talloc_strdup ( cred , bind_dn ) ;
return True ;
}
/**
* Obtain the BIND DN for this credentials context .
* @ param cred credentials context
* @ retval The username set on this context .
* @ note Return value will be NULL if not specified explictly
*/
const char * cli_credentials_get_bind_dn ( struct cli_credentials * cred )
{
return cred - > bind_dn ;
}
2005-08-30 05:19:41 +04:00
2005-08-29 08:30:22 +04:00
/**
* Obtain the client principal for this credentials context .
* @ param cred credentials context
* @ retval The username set on this context .
* @ note Return value will never be NULL except by programmer error .
*/
const char * cli_credentials_get_principal ( struct cli_credentials * cred , TALLOC_CTX * mem_ctx )
{
if ( cred - > machine_account_pending ) {
cli_credentials_set_machine_account ( cred ) ;
}
2006-05-04 00:56:14 +04:00
if ( cred - > principal_obtained = = CRED_CALLBACK & &
! cred - > callback_running ) {
cred - > callback_running = True ;
2006-05-07 22:08:57 +04:00
cred - > principal = cred - > principal_cb ( cred ) ;
cred - > callback_running = False ;
2005-08-29 08:30:22 +04:00
cred - > principal_obtained = CRED_SPECIFIED ;
}
if ( cred - > principal_obtained < cred - > username_obtained ) {
2005-09-21 01:29:29 +04:00
if ( cred - > domain_obtained > cred - > realm_obtained ) {
2005-09-22 05:50:58 +04:00
return talloc_asprintf ( mem_ctx , " %s@%s " ,
cli_credentials_get_username ( cred ) ,
cli_credentials_get_domain ( cred ) ) ;
2005-09-21 01:29:29 +04:00
} else {
return talloc_asprintf ( mem_ctx , " %s@%s " ,
2005-09-22 05:50:58 +04:00
cli_credentials_get_username ( cred ) ,
2005-09-21 01:29:29 +04:00
cli_credentials_get_realm ( cred ) ) ;
}
2005-08-29 08:30:22 +04:00
}
return talloc_reference ( mem_ctx , cred - > principal ) ;
}
2005-09-02 03:24:47 +04:00
BOOL cli_credentials_set_principal ( struct cli_credentials * cred ,
const char * val ,
enum credentials_obtained obtained )
2005-08-29 08:30:22 +04:00
{
if ( obtained > = cred - > principal_obtained ) {
cred - > principal = talloc_strdup ( cred , val ) ;
cred - > principal_obtained = obtained ;
return True ;
}
return False ;
}
r11995: A big kerberos-related update.
This merges Samba4 up to current lorikeet-heimdal, which includes a
replacement for some Samba-specific hacks.
In particular, the credentials system now supplies GSS client and
server credentials. These are imported into GSS with
gss_krb5_import_creds(). Unfortunetly this can't take an MEMORY
keytab, so we now create a FILE based keytab as provision and join
time.
Because the keytab is now created in advance, we don't spend .4s at
negprot doing sha1 s2k calls. Also, because the keytab is read in
real time, any change in the server key will be correctly picked up by
the the krb5 code.
To mark entries in the secrets which should be exported to a keytab,
there is a new kerberosSecret objectClass. The new routine
cli_credentials_update_all_keytabs() searches for these, and updates
the keytabs.
This is called in the provision.js via the ejs wrapper
credentials_update_all_keytabs().
We can now (in theory) use a system-provided /etc/krb5.keytab, if
krb5Keytab: FILE:/etc/krb5.keytab
is added to the secrets.ldb record. By default the attribute
privateKeytab: secrets.keytab
is set, pointing to allow the whole private directory to be moved
without breaking the internal links.
(This used to be commit 6b75573df49c6210e1b9d71e108a9490976bd41d)
2005-12-01 08:20:39 +03:00
/* Set a callback to get the principal. This could be a popup dialog,
* a terminal prompt or similar . */
2005-08-30 05:19:41 +04:00
BOOL cli_credentials_set_principal_callback ( struct cli_credentials * cred ,
const char * ( * principal_cb ) ( struct cli_credentials * ) )
{
if ( cred - > principal_obtained < CRED_CALLBACK ) {
cred - > principal_cb = principal_cb ;
cred - > principal_obtained = CRED_CALLBACK ;
return True ;
}
return False ;
}
r11995: A big kerberos-related update.
This merges Samba4 up to current lorikeet-heimdal, which includes a
replacement for some Samba-specific hacks.
In particular, the credentials system now supplies GSS client and
server credentials. These are imported into GSS with
gss_krb5_import_creds(). Unfortunetly this can't take an MEMORY
keytab, so we now create a FILE based keytab as provision and join
time.
Because the keytab is now created in advance, we don't spend .4s at
negprot doing sha1 s2k calls. Also, because the keytab is read in
real time, any change in the server key will be correctly picked up by
the the krb5 code.
To mark entries in the secrets which should be exported to a keytab,
there is a new kerberosSecret objectClass. The new routine
cli_credentials_update_all_keytabs() searches for these, and updates
the keytabs.
This is called in the provision.js via the ejs wrapper
credentials_update_all_keytabs().
We can now (in theory) use a system-provided /etc/krb5.keytab, if
krb5Keytab: FILE:/etc/krb5.keytab
is added to the secrets.ldb record. By default the attribute
privateKeytab: secrets.keytab
is set, pointing to allow the whole private directory to be moved
without breaking the internal links.
(This used to be commit 6b75573df49c6210e1b9d71e108a9490976bd41d)
2005-12-01 08:20:39 +03:00
/* Some of our tools are 'anonymous by default'. This is a single
* function to determine if authentication has been explicitly
* requested */
2005-08-29 08:30:22 +04:00
BOOL cli_credentials_authentication_requested ( struct cli_credentials * cred )
{
2005-12-18 08:01:15 +03:00
if ( cred - > bind_dn ) {
return True ;
}
2005-12-14 10:22:25 +03:00
if ( cred - > machine_account_pending ) {
cli_credentials_set_machine_account ( cred ) ;
}
2005-08-29 08:38:37 +04:00
if ( cred - > principal_obtained > = CRED_SPECIFIED ) {
2005-08-29 08:30:22 +04:00
return True ;
}
if ( cred - > username_obtained > = CRED_SPECIFIED ) {
return True ;
}
return False ;
}
2005-03-27 10:55:03 +04:00
/**
* Obtain the password for this credentials context .
* @ param cred credentials context
* @ retval If set , the cleartext password , otherwise NULL
*/
2005-03-21 05:08:38 +03:00
const char * cli_credentials_get_password ( struct cli_credentials * cred )
{
2005-03-24 06:32:25 +03:00
if ( cred - > machine_account_pending ) {
cli_credentials_set_machine_account ( cred ) ;
}
2006-05-04 00:56:14 +04:00
if ( cred - > password_obtained = = CRED_CALLBACK & &
! cred - > callback_running ) {
cred - > callback_running = True ;
2006-05-07 22:08:57 +04:00
cred - > password = cred - > password_cb ( cred ) ;
cred - > callback_running = False ;
2006-05-03 18:54:57 +04:00
cred - > password_obtained = CRED_CALLBACK_RESULT ;
2005-03-21 05:08:38 +03:00
}
return cred - > password ;
}
r11995: A big kerberos-related update.
This merges Samba4 up to current lorikeet-heimdal, which includes a
replacement for some Samba-specific hacks.
In particular, the credentials system now supplies GSS client and
server credentials. These are imported into GSS with
gss_krb5_import_creds(). Unfortunetly this can't take an MEMORY
keytab, so we now create a FILE based keytab as provision and join
time.
Because the keytab is now created in advance, we don't spend .4s at
negprot doing sha1 s2k calls. Also, because the keytab is read in
real time, any change in the server key will be correctly picked up by
the the krb5 code.
To mark entries in the secrets which should be exported to a keytab,
there is a new kerberosSecret objectClass. The new routine
cli_credentials_update_all_keytabs() searches for these, and updates
the keytabs.
This is called in the provision.js via the ejs wrapper
credentials_update_all_keytabs().
We can now (in theory) use a system-provided /etc/krb5.keytab, if
krb5Keytab: FILE:/etc/krb5.keytab
is added to the secrets.ldb record. By default the attribute
privateKeytab: secrets.keytab
is set, pointing to allow the whole private directory to be moved
without breaking the internal links.
(This used to be commit 6b75573df49c6210e1b9d71e108a9490976bd41d)
2005-12-01 08:20:39 +03:00
/* Set a password on the credentials context, including an indication
* of ' how ' the password was obtained */
2005-08-30 05:19:41 +04:00
BOOL cli_credentials_set_password ( struct cli_credentials * cred ,
const char * val ,
enum credentials_obtained obtained )
2005-03-21 05:08:38 +03:00
{
if ( obtained > = cred - > password_obtained ) {
cred - > password = talloc_strdup ( cred , val ) ;
cred - > password_obtained = obtained ;
2005-06-17 17:12:13 +04:00
cred - > nt_hash = NULL ;
return True ;
}
return False ;
}
2005-08-30 05:19:41 +04:00
BOOL cli_credentials_set_password_callback ( struct cli_credentials * cred ,
const char * ( * password_cb ) ( struct cli_credentials * ) )
{
if ( cred - > password_obtained < CRED_CALLBACK ) {
cred - > password_cb = password_cb ;
cred - > password_obtained = CRED_CALLBACK ;
return True ;
}
return False ;
}
2005-10-20 07:47:55 +04:00
/**
* Obtain the ' old ' password for this credentials context ( used for join accounts ) .
* @ param cred credentials context
* @ retval If set , the cleartext password , otherwise NULL
*/
const char * cli_credentials_get_old_password ( struct cli_credentials * cred )
{
if ( cred - > machine_account_pending ) {
cli_credentials_set_machine_account ( cred ) ;
}
return cred - > old_password ;
}
BOOL cli_credentials_set_old_password ( struct cli_credentials * cred ,
const char * val ,
enum credentials_obtained obtained )
{
cred - > old_password = talloc_strdup ( cred , val ) ;
return True ;
}
2005-06-17 17:12:13 +04:00
/**
r11995: A big kerberos-related update.
This merges Samba4 up to current lorikeet-heimdal, which includes a
replacement for some Samba-specific hacks.
In particular, the credentials system now supplies GSS client and
server credentials. These are imported into GSS with
gss_krb5_import_creds(). Unfortunetly this can't take an MEMORY
keytab, so we now create a FILE based keytab as provision and join
time.
Because the keytab is now created in advance, we don't spend .4s at
negprot doing sha1 s2k calls. Also, because the keytab is read in
real time, any change in the server key will be correctly picked up by
the the krb5 code.
To mark entries in the secrets which should be exported to a keytab,
there is a new kerberosSecret objectClass. The new routine
cli_credentials_update_all_keytabs() searches for these, and updates
the keytabs.
This is called in the provision.js via the ejs wrapper
credentials_update_all_keytabs().
We can now (in theory) use a system-provided /etc/krb5.keytab, if
krb5Keytab: FILE:/etc/krb5.keytab
is added to the secrets.ldb record. By default the attribute
privateKeytab: secrets.keytab
is set, pointing to allow the whole private directory to be moved
without breaking the internal links.
(This used to be commit 6b75573df49c6210e1b9d71e108a9490976bd41d)
2005-12-01 08:20:39 +03:00
* Obtain the password , in the form MD4 ( unicode ( password ) ) for this credentials context .
*
* Sometimes we only have this much of the password , while the rest of
* the time this call avoids calling E_md4hash themselves .
*
2005-06-17 17:12:13 +04:00
* @ param cred credentials context
* @ retval If set , the cleartext password , otherwise NULL
*/
const struct samr_Password * cli_credentials_get_nt_hash ( struct cli_credentials * cred ,
TALLOC_CTX * mem_ctx )
{
const char * password = cli_credentials_get_password ( cred ) ;
if ( password ) {
struct samr_Password * nt_hash = talloc ( mem_ctx , struct samr_Password ) ;
if ( ! nt_hash ) {
return NULL ;
}
E_md4hash ( password , nt_hash - > hash ) ;
return nt_hash ;
} else {
return cred - > nt_hash ;
}
}
BOOL cli_credentials_set_nt_hash ( struct cli_credentials * cred ,
const struct samr_Password * nt_hash ,
enum credentials_obtained obtained )
{
if ( obtained > = cred - > password_obtained ) {
cli_credentials_set_password ( cred , NULL , obtained ) ;
cred - > nt_hash = talloc ( cred , struct samr_Password ) ;
* cred - > nt_hash = * nt_hash ;
2005-03-21 05:08:38 +03:00
return True ;
}
return False ;
}
2005-03-27 10:55:03 +04:00
/**
* Obtain the ' short ' or ' NetBIOS ' domain for this credentials context .
* @ param cred credentials context
* @ retval The domain set on this context .
* @ note Return value will never be NULL except by programmer error .
*/
2005-03-21 05:08:38 +03:00
const char * cli_credentials_get_domain ( struct cli_credentials * cred )
{
2005-03-24 06:32:25 +03:00
if ( cred - > machine_account_pending ) {
cli_credentials_set_machine_account ( cred ) ;
}
2006-05-04 00:56:14 +04:00
if ( cred - > domain_obtained = = CRED_CALLBACK & &
! cred - > callback_running ) {
cred - > callback_running = True ;
2005-03-21 05:08:38 +03:00
cred - > domain = cred - > domain_cb ( cred ) ;
2006-05-04 00:56:14 +04:00
cred - > callback_running = False ;
2005-03-21 05:08:38 +03:00
cred - > domain_obtained = CRED_SPECIFIED ;
}
return cred - > domain ;
}
2005-08-30 05:19:41 +04:00
BOOL cli_credentials_set_domain ( struct cli_credentials * cred ,
const char * val ,
enum credentials_obtained obtained )
2005-03-21 05:08:38 +03:00
{
if ( obtained > = cred - > domain_obtained ) {
2005-10-28 09:17:19 +04:00
/* it is important that the domain be in upper case,
* particularly for the sensitive NTLMv2
* calculations */
cred - > domain = strupper_talloc ( cred , val ) ;
2005-03-21 05:08:38 +03:00
cred - > domain_obtained = obtained ;
return True ;
}
return False ;
}
2005-08-30 05:19:41 +04:00
BOOL cli_credentials_set_domain_callback ( struct cli_credentials * cred ,
const char * ( * domain_cb ) ( struct cli_credentials * ) )
{
if ( cred - > domain_obtained < CRED_CALLBACK ) {
cred - > domain_cb = domain_cb ;
cred - > domain_obtained = CRED_CALLBACK ;
return True ;
}
return False ;
}
2005-03-27 10:55:03 +04:00
/**
* Obtain the Kerberos realm for this credentials context .
* @ param cred credentials context
* @ retval The realm set on this context .
* @ note Return value will never be NULL except by programmer error .
*/
2005-03-21 05:08:38 +03:00
const char * cli_credentials_get_realm ( struct cli_credentials * cred )
2005-03-22 00:22:07 +03:00
{
2005-03-24 06:32:25 +03:00
if ( cred - > machine_account_pending ) {
cli_credentials_set_machine_account ( cred ) ;
2005-03-22 00:22:07 +03:00
}
2006-05-04 00:56:14 +04:00
if ( cred - > realm_obtained = = CRED_CALLBACK & &
! cred - > callback_running ) {
cred - > callback_running = True ;
2005-03-21 05:08:38 +03:00
cred - > realm = cred - > realm_cb ( cred ) ;
2006-05-04 00:56:14 +04:00
cred - > callback_running = False ;
2005-03-21 05:08:38 +03:00
cred - > realm_obtained = CRED_SPECIFIED ;
}
return cred - > realm ;
}
2005-05-10 13:51:55 +04:00
/**
* Set the realm for this credentials context , and force it to
* uppercase for the sainity of our local kerberos libraries
*/
2005-08-30 05:19:41 +04:00
BOOL cli_credentials_set_realm ( struct cli_credentials * cred ,
const char * val ,
enum credentials_obtained obtained )
2005-03-21 05:08:38 +03:00
{
if ( obtained > = cred - > realm_obtained ) {
2005-05-10 13:51:55 +04:00
cred - > realm = strupper_talloc ( cred , val ) ;
2005-03-21 05:08:38 +03:00
cred - > realm_obtained = obtained ;
return True ;
}
return False ;
}
2005-08-30 05:19:41 +04:00
BOOL cli_credentials_set_realm_callback ( struct cli_credentials * cred ,
const char * ( * realm_cb ) ( struct cli_credentials * ) )
{
if ( cred - > realm_obtained < CRED_CALLBACK ) {
cred - > realm_cb = realm_cb ;
cred - > realm_obtained = CRED_CALLBACK ;
return True ;
}
return False ;
}
2005-03-27 10:55:03 +04:00
/**
* Obtain the ' short ' or ' NetBIOS ' workstation name for this credentials context .
*
* @ param cred credentials context
* @ retval The workstation name set on this context .
* @ note Return value will never be NULL except by programmer error .
*/
2005-03-21 05:08:38 +03:00
const char * cli_credentials_get_workstation ( struct cli_credentials * cred )
{
2006-05-04 00:56:14 +04:00
if ( cred - > workstation_obtained = = CRED_CALLBACK & &
! cred - > callback_running ) {
cred - > callback_running = True ;
2005-03-21 05:08:38 +03:00
cred - > workstation = cred - > workstation_cb ( cred ) ;
2006-05-04 00:56:14 +04:00
cred - > callback_running = False ;
2005-03-21 05:08:38 +03:00
cred - > workstation_obtained = CRED_SPECIFIED ;
}
return cred - > workstation ;
}
2005-08-30 05:19:41 +04:00
BOOL cli_credentials_set_workstation ( struct cli_credentials * cred ,
const char * val ,
enum credentials_obtained obtained )
2005-03-21 05:08:38 +03:00
{
if ( obtained > = cred - > workstation_obtained ) {
cred - > workstation = talloc_strdup ( cred , val ) ;
cred - > workstation_obtained = obtained ;
return True ;
}
return False ;
}
2005-08-30 05:19:41 +04:00
BOOL cli_credentials_set_workstation_callback ( struct cli_credentials * cred ,
const char * ( * workstation_cb ) ( struct cli_credentials * ) )
{
if ( cred - > workstation_obtained < CRED_CALLBACK ) {
cred - > workstation_cb = workstation_cb ;
cred - > workstation_obtained = CRED_CALLBACK ;
return True ;
}
return False ;
}
2005-03-27 10:55:03 +04:00
/**
* Given a string , typically obtained from a - U argument , parse it into domain , username , realm and password fields
*
* The format accepted is [ domain \ \ ] user [ % password ] or user [ @ realm ] [ % password ]
*
* @ param credentials Credentials structure on which to set the password
* @ param data the string containing the username , password etc
* @ param obtained This enum describes how ' specified ' this password is
*/
2005-03-21 05:08:38 +03:00
void cli_credentials_parse_string ( struct cli_credentials * credentials , const char * data , enum credentials_obtained obtained )
{
char * uname , * p ;
2005-04-26 11:10:43 +04:00
if ( strcmp ( " % " , data ) = = 0 ) {
cli_credentials_set_anonymous ( credentials ) ;
return ;
}
2005-03-21 05:08:38 +03:00
uname = talloc_strdup ( credentials , data ) ;
2005-03-22 11:00:45 +03:00
if ( ( p = strchr_m ( uname , ' % ' ) ) ) {
2005-03-21 05:08:38 +03:00
* p = 0 ;
2005-03-22 11:00:45 +03:00
cli_credentials_set_password ( credentials , p + 1 , obtained ) ;
2005-03-21 05:08:38 +03:00
}
if ( ( p = strchr_m ( uname , ' @ ' ) ) ) {
2005-08-29 08:30:22 +04:00
cli_credentials_set_principal ( credentials , uname , obtained ) ;
2005-03-21 05:08:38 +03:00
* p = 0 ;
cli_credentials_set_realm ( credentials , p + 1 , obtained ) ;
2005-08-29 08:30:22 +04:00
return ;
2005-03-22 11:00:45 +03:00
} else if ( ( p = strchr_m ( uname , ' \\ ' ) ) | | ( p = strchr_m ( uname , ' / ' ) ) ) {
2005-03-21 05:08:38 +03:00
* p = 0 ;
2005-03-22 11:00:45 +03:00
cli_credentials_set_domain ( credentials , uname , obtained ) ;
uname = p + 1 ;
2005-03-21 05:08:38 +03:00
}
2005-03-22 11:00:45 +03:00
cli_credentials_set_username ( credentials , uname , obtained ) ;
2005-03-21 05:08:38 +03:00
}
2006-05-04 00:23:19 +04:00
/**
2006-05-04 00:31:24 +04:00
* Given a a credentials structure , print it as a string
2006-05-04 00:23:19 +04:00
*
2006-05-04 00:31:24 +04:00
* The format output is [ domain \ \ ] user [ % password ] or user [ @ realm ] [ % password ]
2006-05-04 00:23:19 +04:00
*
* @ param credentials Credentials structure on which to set the password
2006-05-04 00:31:24 +04:00
* @ param mem_ctx The memory context to place the result on
2006-05-04 00:23:19 +04:00
*/
const char * cli_credentials_get_unparsed_name ( struct cli_credentials * credentials , TALLOC_CTX * mem_ctx )
{
const char * bind_dn = cli_credentials_get_bind_dn ( credentials ) ;
const char * domain ;
const char * username ;
const char * name ;
if ( bind_dn ) {
name = talloc_reference ( mem_ctx , bind_dn ) ;
} else {
cli_credentials_get_ntlm_username_domain ( credentials , mem_ctx , & username , & domain ) ;
if ( domain & & domain [ 0 ] ) {
name = talloc_asprintf ( mem_ctx , " %s \\ %s " ,
domain , username ) ;
} else {
name = talloc_asprintf ( mem_ctx , " %s " ,
username ) ;
}
}
return name ;
}
2005-03-27 10:55:03 +04:00
/**
* Specifies default values for domain , workstation and realm
* from the smb . conf configuration file
*
* @ param cred Credentials structure to fill in
*/
2005-03-24 06:32:25 +03:00
void cli_credentials_set_conf ( struct cli_credentials * cred )
{
2005-08-29 08:30:22 +04:00
cli_credentials_set_username ( cred , " " , CRED_UNINITIALISED ) ;
cli_credentials_set_domain ( cred , lp_workgroup ( ) , CRED_UNINITIALISED ) ;
cli_credentials_set_workstation ( cred , lp_netbios_name ( ) , CRED_UNINITIALISED ) ;
cli_credentials_set_realm ( cred , lp_realm ( ) , CRED_UNINITIALISED ) ;
2005-03-24 06:32:25 +03:00
}
2005-03-27 10:55:03 +04:00
/**
* Guess defaults for credentials from environment variables ,
* and from the configuration file
*
* @ param cred Credentials structure to fill in
*/
2005-03-21 05:08:38 +03:00
void cli_credentials_guess ( struct cli_credentials * cred )
{
char * p ;
2005-03-24 06:32:25 +03:00
cli_credentials_set_conf ( cred ) ;
2005-03-21 05:08:38 +03:00
if ( getenv ( " LOGNAME " ) ) {
2005-08-29 08:30:22 +04:00
cli_credentials_set_username ( cred , getenv ( " LOGNAME " ) , CRED_GUESS_ENV ) ;
2005-03-21 05:08:38 +03:00
}
if ( getenv ( " USER " ) ) {
2005-08-29 08:30:22 +04:00
cli_credentials_parse_string ( cred , getenv ( " USER " ) , CRED_GUESS_ENV ) ;
2005-03-21 05:08:38 +03:00
if ( ( p = strchr_m ( getenv ( " USER " ) , ' % ' ) ) ) {
2005-03-22 02:35:58 +03:00
memset ( p , 0 , strlen ( cred - > password ) ) ;
2005-03-21 05:08:38 +03:00
}
}
if ( getenv ( " DOMAIN " ) ) {
2005-08-29 08:30:22 +04:00
cli_credentials_set_domain ( cred , getenv ( " DOMAIN " ) , CRED_GUESS_ENV ) ;
2005-03-21 05:08:38 +03:00
}
if ( getenv ( " PASSWD " ) ) {
2005-08-29 08:30:22 +04:00
cli_credentials_set_password ( cred , getenv ( " PASSWD " ) , CRED_GUESS_ENV ) ;
2005-03-21 05:08:38 +03:00
}
if ( getenv ( " PASSWD_FD " ) ) {
2005-08-29 08:30:22 +04:00
cli_credentials_parse_password_fd ( cred , atoi ( getenv ( " PASSWD_FD " ) ) , CRED_GUESS_FILE ) ;
2005-03-21 05:08:38 +03:00
}
if ( getenv ( " PASSWD_FILE " ) ) {
2005-08-29 08:30:22 +04:00
cli_credentials_parse_password_file ( cred , getenv ( " PASSWD_FILE " ) , CRED_GUESS_FILE ) ;
2005-03-21 05:08:38 +03:00
}
2006-05-04 00:23:19 +04:00
if ( cli_credentials_get_kerberos_state ( cred ) ! = CRED_DONT_USE_KERBEROS ) {
cli_credentials_set_ccache ( cred , NULL , CRED_GUESS_FILE ) ;
}
2005-03-21 05:08:38 +03:00
}
2005-03-22 02:35:58 +03:00
2005-03-27 10:55:03 +04:00
/**
* Attach NETLOGON credentials for use with SCHANNEL
*/
2005-03-24 06:32:25 +03:00
void cli_credentials_set_netlogon_creds ( struct cli_credentials * cred ,
struct creds_CredentialState * netlogon_creds )
{
cred - > netlogon_creds = talloc_reference ( cred , netlogon_creds ) ;
}
2005-03-27 10:55:03 +04:00
/**
* Return attached NETLOGON credentials
*/
2005-03-24 06:32:25 +03:00
struct creds_CredentialState * cli_credentials_get_netlogon_creds ( struct cli_credentials * cred )
{
return cred - > netlogon_creds ;
}
2005-05-01 23:29:00 +04:00
/**
* Set NETLOGON secure channel type
*/
void cli_credentials_set_secure_channel_type ( struct cli_credentials * cred ,
enum netr_SchannelType secure_channel_type )
{
cred - > secure_channel_type = secure_channel_type ;
}
/**
* Return NETLOGON secure chanel type
*/
enum netr_SchannelType cli_credentials_get_secure_channel_type ( struct cli_credentials * cred )
{
return cred - > secure_channel_type ;
}
2005-03-27 10:55:03 +04:00
/**
* Fill in a credentials structure as the anonymous user
*/
2005-03-22 11:00:45 +03:00
void cli_credentials_set_anonymous ( struct cli_credentials * cred )
{
cli_credentials_set_username ( cred , " " , CRED_SPECIFIED ) ;
cli_credentials_set_domain ( cred , " " , CRED_SPECIFIED ) ;
2005-03-22 13:33:53 +03:00
cli_credentials_set_password ( cred , NULL , CRED_SPECIFIED ) ;
2005-03-22 11:00:45 +03:00
}
2005-03-27 10:55:03 +04:00
/**
* Describe a credentials context as anonymous or authenticated
* @ retval True if anonymous , False if a username is specified
*/
2005-03-24 06:32:25 +03:00
BOOL cli_credentials_is_anonymous ( struct cli_credentials * cred )
2005-03-22 02:35:58 +03:00
{
r11995: A big kerberos-related update.
This merges Samba4 up to current lorikeet-heimdal, which includes a
replacement for some Samba-specific hacks.
In particular, the credentials system now supplies GSS client and
server credentials. These are imported into GSS with
gss_krb5_import_creds(). Unfortunetly this can't take an MEMORY
keytab, so we now create a FILE based keytab as provision and join
time.
Because the keytab is now created in advance, we don't spend .4s at
negprot doing sha1 s2k calls. Also, because the keytab is read in
real time, any change in the server key will be correctly picked up by
the the krb5 code.
To mark entries in the secrets which should be exported to a keytab,
there is a new kerberosSecret objectClass. The new routine
cli_credentials_update_all_keytabs() searches for these, and updates
the keytabs.
This is called in the provision.js via the ejs wrapper
credentials_update_all_keytabs().
We can now (in theory) use a system-provided /etc/krb5.keytab, if
krb5Keytab: FILE:/etc/krb5.keytab
is added to the secrets.ldb record. By default the attribute
privateKeytab: secrets.keytab
is set, pointing to allow the whole private directory to be moved
without breaking the internal links.
(This used to be commit 6b75573df49c6210e1b9d71e108a9490976bd41d)
2005-12-01 08:20:39 +03:00
const char * username ;
if ( cred - > machine_account_pending ) {
cli_credentials_set_machine_account ( cred ) ;
}
username = cli_credentials_get_username ( cred ) ;
2005-08-29 08:30:22 +04:00
2005-03-24 06:32:25 +03:00
/* Yes, it is deliberate that we die if we have a NULL pointer
2005-03-26 04:08:59 +03:00
* here - anonymous is " " , not NULL , which is ' never specified ,
2005-03-24 06:32:25 +03:00
* never guessed ' , ie programmer bug */
2005-08-29 08:30:22 +04:00
if ( ! username [ 0 ] ) {
2005-03-22 02:35:58 +03:00
return True ;
2005-08-29 08:30:22 +04:00
}
2005-10-14 19:55:51 +04:00
2005-03-22 02:35:58 +03:00
return False ;
}
2006-05-03 18:15:31 +04:00
/**
* Mark the current password for a credentials struct as wrong . This will
* cause the password to be prompted again ( if a callback is set ) .
*
2006-05-04 00:23:19 +04:00
* This will decrement the number of times the password can be tried .
2006-05-03 18:15:31 +04:00
*
* @ retval whether the credentials struct is finished
*/
BOOL cli_credentials_wrong_password ( struct cli_credentials * cred )
{
if ( cred - > password_obtained ! = CRED_CALLBACK_RESULT ) {
return False ;
}
cred - > password_obtained = CRED_CALLBACK ;
cred - > tries - - ;
return ( cred - > tries > 0 ) ;
}