sin/samba-mirror
1
0
Fork 0
mirror of https://github.com/samba-team/samba.git synced 2025-03-27 22:50:26 +03:00
Code

auth:creds: Add obtained arg to cli_credentials_set_kerberos_state()

Browse Source 
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This commit is contained in:
Andreas Schneider 2020-08-19 15:46:11 +02:00 committed by Andrew Bartlett
parent a00726593c
commit 521f77c667
29 changed files with 126 additions and 51 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

33
auth/credentials/credentials.c
View File

@ -44,7 +44,7 @@ _PUBLIC_ struct cli_credentials *cli_credentials_init(TALLOC_CTX *mem_ctx)
cred->winbind_separator = '\\';
cred->use_kerberos = CRED_USE_KERBEROS_DESIRED;
cred->kerberos_state = CRED_USE_KERBEROS_DESIRED;
cred->signing_state = SMB_SIGNING_DEFAULT;
@ -108,10 +108,18 @@ _PUBLIC_ struct cli_credentials *cli_credentials_init_anon(TALLOC_CTX *mem_ctx)
return anon_credentials;
}
_PUBLIC_ void cli_credentials_set_kerberos_state(struct cli_credentials *creds,
enum credentials_use_kerberos use_kerberos)
_PUBLIC_ bool cli_credentials_set_kerberos_state(struct cli_credentials *creds,
enum credentials_use_kerberos kerberos_state,
enum credentials_obtained obtained)
{
creds->use_kerberos = use_kerberos;
if (obtained >= creds->kerberos_state_obtained) {
creds->kerberos_state = kerberos_state;
creds->kerberos_state_obtained = obtained;
return true;
}
return false;
}
_PUBLIC_ void cli_credentials_set_forced_sasl_mech(struct cli_credentials *creds,
@ -129,7 +137,7 @@ _PUBLIC_ void cli_credentials_set_krb_forwardable(struct cli_credentials *creds,
_PUBLIC_ enum credentials_use_kerberos cli_credentials_get_kerberos_state(struct cli_credentials *creds)
{
return creds->use_kerberos;
return creds->kerberos_state;
}
_PUBLIC_ const char *cli_credentials_get_forced_sasl_mech(struct cli_credentials *creds)
@ -982,6 +990,12 @@ _PUBLIC_ void cli_credentials_set_conf(struct cli_credentials *cred,
cred->encryption_state = lpcfg_client_smb_encrypt(lp_ctx);
cred->encryption_state_obtained = CRED_SMB_CONF;
}
if (cred->kerberos_state_obtained <= CRED_SMB_CONF) {
/* Will be set to default for invalid smb.conf values */
cred->kerberos_state = lpcfg_client_use_kerberos(lp_ctx);
cred->kerberos_state_obtained = CRED_SMB_CONF;
}
}
/**
@ -1105,7 +1119,9 @@ _PUBLIC_ void cli_credentials_set_anonymous(struct cli_credentials *cred)
cli_credentials_set_principal(cred, NULL, CRED_SPECIFIED);
cli_credentials_set_realm(cred, NULL, CRED_SPECIFIED);
cli_credentials_set_workstation(cred, "", CRED_UNINITIALISED);
cli_credentials_set_kerberos_state(cred, CRED_USE_KERBEROS_DISABLED);
cli_credentials_set_kerberos_state(cred,
CRED_USE_KERBEROS_DISABLED,
CRED_SPECIFIED);
}
/**
@ -1592,8 +1608,9 @@ _PUBLIC_ void cli_credentials_dump(struct cli_credentials *creds)
creds->self_service);
DBG_ERR(" Target service: %s\n",
creds->target_service);
DBG_ERR(" Kerberos state: %s\n",
krb5_state_to_str(creds->use_kerberos));
DBG_ERR(" Kerberos state: %s - %s\n",
krb5_state_to_str(creds->kerberos_state),
obtained_to_str(creds->kerberos_state_obtained));
DBG_ERR(" Kerberos forwardable ticket: %s\n",
krb5_fwd_to_str(creds->krb_forwardable));
DBG_ERR(" Signing state: %s - %s\n",

5
auth/credentials/credentials.h
View File

@ -132,8 +132,9 @@ int cli_credentials_get_client_gss_creds(struct cli_credentials *cred,
const char **error_string);
void cli_credentials_set_forced_sasl_mech(struct cli_credentials *creds,
const char *sasl_mech);
void cli_credentials_set_kerberos_state(struct cli_credentials *creds,
enum credentials_use_kerberos use_kerberos);
bool cli_credentials_set_kerberos_state(struct cli_credentials *creds,
enum credentials_use_kerberos kerberos_state,
enum credentials_obtained obtained);
void cli_credentials_set_krb_forwardable(struct cli_credentials *creds,
enum credentials_krb_forwardable krb_forwardable);
bool cli_credentials_set_domain(struct cli_credentials *cred,

3
auth/credentials/credentials_internal.h
View File

@ -40,6 +40,7 @@ struct cli_credentials {
enum credentials_obtained signing_state_obtained;
enum credentials_obtained ipc_signing_state_obtained;
enum credentials_obtained encryption_state_obtained;
enum credentials_obtained kerberos_state_obtained;
/* Threshold values (essentially a MAX() over a number of the
* above) for the ccache and GSS credentials, to ensure we
@ -101,7 +102,7 @@ struct cli_credentials {
bool machine_account;
/* Should we be trying to use kerberos? */
enum credentials_use_kerberos use_kerberos;
enum credentials_use_kerberos kerberos_state;
/* Should we get a forwardable ticket? */
enum credentials_krb_forwardable krb_forwardable;

4
auth/credentials/credentials_krb5.c
View File

@ -1433,7 +1433,9 @@ _PUBLIC_ void cli_credentials_set_impersonate_principal(struct cli_credentials *
cred->impersonate_principal = talloc_strdup(cred, principal);
talloc_free(cred->self_service);
cred->self_service = talloc_strdup(cred, self_service);
cli_credentials_set_kerberos_state(cred, CRED_USE_KERBEROS_REQUIRED);
cli_credentials_set_kerberos_state(cred,
CRED_USE_KERBEROS_REQUIRED,
CRED_SPECIFIED);
}
/*

2
auth/credentials/credentials_ntlm.c
View File

@ -53,7 +53,7 @@ _PUBLIC_ NTSTATUS cli_credentials_get_ntlm_response(struct cli_credentials *cred
const struct samr_Password *nt_hash = NULL;
int rc;
if (cred->use_kerberos == CRED_USE_KERBEROS_REQUIRED) {
if (cred->kerberos_state == CRED_USE_KERBEROS_REQUIRED) {
TALLOC_FREE(frame);
return NT_STATUS_INVALID_PARAMETER_MIX;
}

4
auth/credentials/credentials_secrets.c
View File

@ -391,7 +391,9 @@ _PUBLIC_ NTSTATUS cli_credentials_set_machine_account_db_ctx(struct cli_credenti
break;
}
}
cli_credentials_set_kerberos_state(cred, use_kerberos);
cli_credentials_set_kerberos_state(cred,
use_kerberos,
CRED_SPECIFIED);
cli_credentials_set_username(cred, machine_account, CRED_SPECIFIED);
cli_credentials_set_password_last_changed_time(cred, secrets_tdb_lct);
cli_credentials_set_secure_channel_type(cred, secrets_tdb_secure_channel_type);

2
auth/credentials/pycredentials.c
View File

@ -569,7 +569,7 @@ static PyObject *py_creds_set_kerberos_state(PyObject *self, PyObject *args)
if (!PyArg_ParseTuple(args, "i", &state))
return NULL;
cli_credentials_set_kerberos_state(creds, state);
cli_credentials_set_kerberos_state(creds, state, CRED_SPECIFIED);
Py_RETURN_NONE;
}

8
auth/credentials/tests/simple.c
View File

@ -73,7 +73,9 @@ static bool test_guess(struct torture_context *tctx)
const char *passwd_fd = getenv("PASSWD_FD");
const char *passwd_file = getenv("PASSWD_FILE");
cli_credentials_set_kerberos_state(creds, CRED_USE_KERBEROS_REQUIRED);
cli_credentials_set_kerberos_state(creds,
CRED_USE_KERBEROS_REQUIRED,
CRED_SPECIFIED);
unsetenv("USER");
unsetenv("PASSWD_FD");
@ -98,7 +100,9 @@ static bool test_guess(struct torture_context *tctx)
if (passwd_file != NULL) {
setenv("PASSWD_FILE", passwd_file, 1);
}
cli_credentials_set_kerberos_state(creds, old_kerb_state);
cli_credentials_set_kerberos_state(creds,
old_kerb_state,
CRED_SPECIFIED);
return true;
}

3
examples/winexe/winexe.c
View File

@ -284,7 +284,8 @@ static void parse_args(int argc, const char *argv[],
cli_credentials_set_kerberos_state(cred,
strcmp(opt_kerberos, "yes")
? CRED_USE_KERBEROS_REQUIRED
: CRED_USE_KERBEROS_DISABLED);
: CRED_USE_KERBEROS_DISABLED,
CRED_SPECIFIED);
}
if (options->runas == NULL && options->runas_file != NULL) {

8
source3/auth/auth_generic.c
View File

@ -349,9 +349,13 @@ NTSTATUS auth_generic_prepare(TALLOC_CTX *mem_ctx,
cli_credentials_set_conf(server_credentials, lp_ctx);
if (lp_security() == SEC_ADS || USE_KERBEROS_KEYTAB) {
cli_credentials_set_kerberos_state(server_credentials, CRED_USE_KERBEROS_DESIRED);
cli_credentials_set_kerberos_state(server_credentials,
CRED_USE_KERBEROS_DESIRED,
CRED_SPECIFIED);
} else {
cli_credentials_set_kerberos_state(server_credentials, CRED_USE_KERBEROS_DISABLED);
cli_credentials_set_kerberos_state(server_credentials,
CRED_USE_KERBEROS_DISABLED,
CRED_SPECIFIED);
}
nt_status = gensec_server_start(tmp_ctx, gensec_settings,

4
source3/lib/netapi/cm.c
View File

@ -105,7 +105,9 @@ static WERROR libnetapi_open_ipc_connection(struct libnetapi_ctx *ctx,
if (username != NULL && username[0] != '\0' &&
password != NULL && password[0] != '\0' &&
krb5_state == CRED_USE_KERBEROS_REQUIRED) {
cli_credentials_set_kerberos_state(ctx->creds, CRED_USE_KERBEROS_DESIRED);
cli_credentials_set_kerberos_state(ctx->creds,
CRED_USE_KERBEROS_DESIRED,
CRED_SPECIFIED);
}
status = cli_cm_open(ctx, NULL,

3
source3/lib/netapi/netapi.c
View File

@ -342,7 +342,8 @@ NET_API_STATUS libnetapi_set_creds(struct libnetapi_ctx *ctx,
NET_API_STATUS libnetapi_set_use_kerberos(struct libnetapi_ctx *ctx)
{
cli_credentials_set_kerberos_state(ctx->creds,
CRED_USE_KERBEROS_REQUIRED);
CRED_USE_KERBEROS_REQUIRED,
CRED_SPECIFIED);
return NET_API_STATUS_SUCCESS;
}

8
source3/lib/util_cmdline.c
View File

@ -312,7 +312,9 @@ void set_cmdline_auth_info_use_kerberos(struct user_auth_info *auth_info,
krb5_state = CRED_USE_KERBEROS_DISABLED;
}
cli_credentials_set_kerberos_state(auth_info->creds, krb5_state);
cli_credentials_set_kerberos_state(auth_info->creds,
krb5_state,
CRED_SPECIFIED);
}
bool get_cmdline_auth_info_use_kerberos(const struct user_auth_info *auth_info)
@ -351,7 +353,9 @@ void set_cmdline_auth_info_fallback_after_kerberos(struct user_auth_info *auth_i
break;
}
cli_credentials_set_kerberos_state(auth_info->creds, krb5_state);
cli_credentials_set_kerberos_state(auth_info->creds,
krb5_state,
CRED_SPECIFIED);
}
bool get_cmdline_auth_info_fallback_after_kerberos(const struct user_auth_info *auth_info)

3
source3/libads/sasl.c
View File

@ -163,7 +163,8 @@ static ADS_STATUS ads_sasl_spnego_gensec_bind(ADS_STRUCT *ads,
}
cli_credentials_set_kerberos_state(auth_generic_state->credentials,
krb5_state);
krb5_state,
CRED_SPECIFIED);
if (target_service != NULL) {
nt_status = gensec_set_target_service(

3
source3/libnet/libnet_join.c
View File

@ -1707,7 +1707,8 @@ NTSTATUS libnet_join_ok(struct messaging_context *msg_ctx,
if (use_kerberos) {
cli_credentials_set_kerberos_state(cli_creds,
CRED_USE_KERBEROS_REQUIRED);
CRED_USE_KERBEROS_REQUIRED,
CRED_SPECIFIED);
}
status = cli_full_connection_creds(&cli, NULL,

9
source3/libsmb/cliconnect.c
View File

@ -123,13 +123,16 @@ struct cli_credentials *cli_session_creds_init(TALLOC_CTX *mem_ctx,
if (use_kerberos && fallback_after_kerberos) {
cli_credentials_set_kerberos_state(creds,
CRED_USE_KERBEROS_DESIRED);
CRED_USE_KERBEROS_DESIRED,
CRED_SPECIFIED);
} else if (use_kerberos) {
cli_credentials_set_kerberos_state(creds,
CRED_USE_KERBEROS_REQUIRED);
CRED_USE_KERBEROS_REQUIRED,
CRED_SPECIFIED);
} else {
cli_credentials_set_kerberos_state(creds,
CRED_USE_KERBEROS_DISABLED);
CRED_USE_KERBEROS_DISABLED,
CRED_SPECIFIED);
}
if (use_ccache) {

12
source3/passdb/passdb.c
View File

@ -2683,7 +2683,9 @@ NTSTATUS pdb_get_trust_credentials(const char *netbios_domain,
/*
* It's not possible to use NTLMSSP with a domain trust account.
*/
cli_credentials_set_kerberos_state(creds, CRED_USE_KERBEROS_REQUIRED);
cli_credentials_set_kerberos_state(creds,
CRED_USE_KERBEROS_REQUIRED,
CRED_SPECIFIED);
} else {
/*
* We can't use kerberos against an NT4 domain.
@ -2691,7 +2693,9 @@ NTSTATUS pdb_get_trust_credentials(const char *netbios_domain,
* We should have a mode that also disallows NTLMSSP here,
* as only NETLOGON SCHANNEL is possible.
*/
cli_credentials_set_kerberos_state(creds, CRED_USE_KERBEROS_DISABLED);
cli_credentials_set_kerberos_state(creds,
CRED_USE_KERBEROS_DISABLED,
CRED_SPECIFIED);
}
ok = cli_credentials_set_username(creds, account_name, CRED_SPECIFIED);
@ -2709,7 +2713,9 @@ NTSTATUS pdb_get_trust_credentials(const char *netbios_domain,
/*
* We currently can't do kerberos just with an NTHASH.
*/
cli_credentials_set_kerberos_state(creds, CRED_USE_KERBEROS_DISABLED);
cli_credentials_set_kerberos_state(creds,
CRED_USE_KERBEROS_DISABLED,
CRED_SPECIFIED);
goto done;
}

6
source3/passdb/pdb_samba_dsdb.c
View File

@ -2518,13 +2518,15 @@ static NTSTATUS pdb_samba_dsdb_get_trusteddom_creds(struct pdb_methods *m,
* Force kerberos if this is an active directory domain
*/
cli_credentials_set_kerberos_state(creds,
CRED_USE_KERBEROS_REQUIRED);
CRED_USE_KERBEROS_REQUIRED,
CRED_SPECIFIED);
} else {
/*
* TODO: we should allow krb5 with the raw nt hash.
*/
cli_credentials_set_kerberos_state(creds,
CRED_USE_KERBEROS_DISABLED);
CRED_USE_KERBEROS_DISABLED,
CRED_SPECIFIED);
}
*_creds = talloc_move(mem_ctx, &creds);

4
source3/rpc_client/cli_pipe.c
View File

@ -2569,7 +2569,9 @@ static NTSTATUS rpccli_generic_bind_data(TALLOC_CTX *mem_ctx,
goto fail;
}
cli_credentials_set_kerberos_state(auth_generic_ctx->credentials, use_kerberos);
cli_credentials_set_kerberos_state(auth_generic_ctx->credentials,
use_kerberos,
CRED_SPECIFIED);
cli_credentials_set_netlogon_creds(auth_generic_ctx->credentials, creds);
status = auth_generic_client_start_by_authtype(auth_generic_ctx, auth_type, auth_level);

5
source3/rpcclient/rpcclient.c
View File

@ -911,8 +911,9 @@ static NTSTATUS do_cmd(struct cli_state *cli,
case DCERPC_AUTH_TYPE_SPNEGO:
case DCERPC_AUTH_TYPE_NTLMSSP:
case DCERPC_AUTH_TYPE_KRB5:
cli_credentials_set_kerberos_state(
creds, krb5_state);
cli_credentials_set_kerberos_state(creds,
krb5_state,
CRED_SPECIFIED);
ntresult = cli_rpc_pipe_open_with_creds(
cli, cmd_entry->table,

4
source3/utils/net_ads.c
View File

@ -2478,7 +2478,9 @@ static int net_ads_printer_publish(struct net_context *c, int argc, const char *
talloc_destroy(mem_ctx);
return -1;
}
cli_credentials_set_kerberos_state(creds, CRED_USE_KERBEROS_REQUIRED);
cli_credentials_set_kerberos_state(creds,
CRED_USE_KERBEROS_REQUIRED,
CRED_SPECIFIED);
nt_status = cli_full_connection_creds(&cli, lp_netbios_name(), servername,
&server_ss, 0,

9
source3/utils/net_util.c
View File

@ -499,13 +499,16 @@ struct cli_credentials *net_context_creds(struct net_context *c,
if (c->opt_kerberos && c->opt_user_specified) {
cli_credentials_set_kerberos_state(creds,
CRED_USE_KERBEROS_DESIRED);
CRED_USE_KERBEROS_DESIRED,
CRED_SPECIFIED);
} else if (c->opt_kerberos) {
cli_credentials_set_kerberos_state(creds,
CRED_USE_KERBEROS_REQUIRED);
CRED_USE_KERBEROS_REQUIRED,
CRED_SPECIFIED);
} else {
cli_credentials_set_kerberos_state(creds,
CRED_USE_KERBEROS_DISABLED);
CRED_USE_KERBEROS_DISABLED,
CRED_SPECIFIED);
}
if (c->opt_ccache) {

8
source3/utils/ntlm_auth.c
View File

@ -1365,9 +1365,13 @@ static NTSTATUS ntlm_auth_prepare_gensec_server(TALLOC_CTX *mem_ctx,
cli_credentials_set_conf(server_credentials, lp_ctx);
if (lp_server_role() == ROLE_ACTIVE_DIRECTORY_DC || lp_security() == SEC_ADS || USE_KERBEROS_KEYTAB) {
cli_credentials_set_kerberos_state(server_credentials, CRED_USE_KERBEROS_DESIRED);
cli_credentials_set_kerberos_state(server_credentials,
CRED_USE_KERBEROS_DESIRED,
CRED_SPECIFIED);
} else {
cli_credentials_set_kerberos_state(server_credentials, CRED_USE_KERBEROS_DISABLED);
cli_credentials_set_kerberos_state(server_credentials,
CRED_USE_KERBEROS_DISABLED,
CRED_SPECIFIED);
}
nt_status = gensec_server_start(tmp_ctx, gensec_settings,

4
source3/winbindd/winbindd_cm.c
View File

@ -708,7 +708,9 @@ static NTSTATUS cm_get_ipc_credentials(TALLOC_CTX *mem_ctx,
}
cli_credentials_set_conf(creds, lp_ctx);
cli_credentials_set_kerberos_state(creds, CRED_USE_KERBEROS_DISABLED);
cli_credentials_set_kerberos_state(creds,
CRED_USE_KERBEROS_DISABLED,
CRED_SPECIFIED);
ok = cli_credentials_set_domain(creds, netbios_domain, CRED_SPECIFIED);
if (!ok) {

4
source4/auth/gensec/gensec_gssapi.c
View File

@ -1557,7 +1557,9 @@ static NTSTATUS gensec_gssapi_session_info(struct gensec_security *gensec_securi
}
/* This credential handle isn't useful for password authentication, so ensure nobody tries to do that */
cli_credentials_set_kerberos_state(session_info->credentials, CRED_USE_KERBEROS_REQUIRED);
cli_credentials_set_kerberos_state(session_info->credentials,
CRED_USE_KERBEROS_REQUIRED,
CRED_SPECIFIED);
/* It has been taken from this place... */
gensec_gssapi_state->delegated_cred_handle = GSS_C_NO_CREDENTIAL;

3
source4/auth/session.c
View File

@ -295,7 +295,8 @@ struct auth_session_info *auth_session_info_from_transport(TALLOC_CTX *mem_ctx,
/* This credential handle isn't useful for password
* authentication, so ensure nobody tries to do that */
cli_credentials_set_kerberos_state(creds,
CRED_USE_KERBEROS_REQUIRED);
CRED_USE_KERBEROS_REQUIRED,
CRED_SPECIFIED);
}
#endif

3
source4/lib/cmdline/popt_credentials.c
View File

@ -121,7 +121,8 @@ static void popt_common_credentials_callback(poptContext con,
popt_get_cmdline_credentials(),
use_kerberos
? CRED_USE_KERBEROS_REQUIRED
: CRED_USE_KERBEROS_DISABLED);
: CRED_USE_KERBEROS_DISABLED,
CRED_SPECIFIED);
break;
}

5
source4/torture/ldap/session_expiry.c
View File

@ -54,8 +54,9 @@ bool torture_ldap_session_expiry(struct torture_context *torture)
torture_assert_goto(
torture, url!=NULL, ret, fail, "talloc_asprintf failed");
cli_credentials_set_kerberos_state(
credentials, CRED_USE_KERBEROS_REQUIRED);
cli_credentials_set_kerberos_state(credentials,
CRED_USE_KERBEROS_REQUIRED,
CRED_SPECIFIED);
ok = lpcfg_set_option(
torture->lp_ctx, "gensec_gssapi:requested_life_time=4");

8
source4/torture/rpc/schannel.c
View File

@ -965,8 +965,12 @@ bool torture_rpc_schannel_bench1(struct torture_context *torture)
torture_assert(torture, s->join_ctx2 != NULL,
"Failed to join domain with acct_flags=ACB_WSTRUST");
cli_credentials_set_kerberos_state(s->wks_creds1, CRED_USE_KERBEROS_DISABLED);
cli_credentials_set_kerberos_state(s->wks_creds2, CRED_USE_KERBEROS_DISABLED);
cli_credentials_set_kerberos_state(s->wks_creds1,
CRED_USE_KERBEROS_DISABLED,
CRED_SPECIFIED);
cli_credentials_set_kerberos_state(s->wks_creds2,
CRED_USE_KERBEROS_DISABLED,
CRED_SPECIFIED);
for (i=0; i < s->nprocs; i++) {
struct cli_credentials *wks = s->wks_creds1;