| 1 | /*
|
|---|
| 2 | samba -- Unix SMB/CIFS implementation.
|
|---|
| 3 |
|
|---|
| 4 | Client credentials structure
|
|---|
| 5 |
|
|---|
| 6 | Copyright (C) Jelmer Vernooij 2004-2006
|
|---|
| 7 | Copyright (C) Andrew Bartlett <abartlet@samba.org> 2005
|
|---|
| 8 |
|
|---|
| 9 | This program is free software; you can redistribute it and/or modify
|
|---|
| 10 | it under the terms of the GNU General Public License as published by
|
|---|
| 11 | the Free Software Foundation; either version 3 of the License, or
|
|---|
| 12 | (at your option) any later version.
|
|---|
| 13 |
|
|---|
| 14 | This program is distributed in the hope that it will be useful,
|
|---|
| 15 | but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|---|
| 16 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|---|
| 17 | GNU General Public License for more details.
|
|---|
| 18 |
|
|---|
| 19 | You should have received a copy of the GNU General Public License
|
|---|
| 20 | along with this program. If not, see <http://www.gnu.org/licenses/>.
|
|---|
| 21 | */
|
|---|
| 22 | #ifndef __CREDENTIALS_H__
|
|---|
| 23 | #define __CREDENTIALS_H__
|
|---|
| 24 |
|
|---|
| 25 | #include "../lib/util/data_blob.h"
|
|---|
| 26 | #include "librpc/gen_ndr/misc.h"
|
|---|
| 27 |
|
|---|
| 28 | struct ccache_container;
|
|---|
| 29 | struct tevent_context;
|
|---|
| 30 |
|
|---|
| 31 | /* In order of priority */
|
|---|
| 32 | enum credentials_obtained {
|
|---|
| 33 | CRED_UNINITIALISED = 0, /* We don't even have a guess yet */
|
|---|
| 34 | CRED_CALLBACK, /* Callback should be used to obtain value */
|
|---|
| 35 | CRED_GUESS_ENV, /* Current value should be used, which was guessed */
|
|---|
| 36 | CRED_GUESS_FILE, /* A guess from a file (or file pointed at in env variable) */
|
|---|
| 37 | CRED_CALLBACK_RESULT, /* Value was obtained from a callback */
|
|---|
| 38 | CRED_SPECIFIED /* Was explicitly specified on the command-line */
|
|---|
| 39 | };
|
|---|
| 40 |
|
|---|
| 41 | enum credentials_use_kerberos {
|
|---|
| 42 | CRED_AUTO_USE_KERBEROS = 0, /* Default, we try kerberos if available */
|
|---|
| 43 | CRED_DONT_USE_KERBEROS, /* Sometimes trying kerberos just does 'bad things', so don't */
|
|---|
| 44 | CRED_MUST_USE_KERBEROS /* Sometimes administrators are parinoid, so always do kerberos */
|
|---|
| 45 | };
|
|---|
| 46 |
|
|---|
| 47 | #define CLI_CRED_NTLM2 0x01
|
|---|
| 48 | #define CLI_CRED_NTLMv2_AUTH 0x02
|
|---|
| 49 | #define CLI_CRED_LANMAN_AUTH 0x04
|
|---|
| 50 | #define CLI_CRED_NTLM_AUTH 0x08
|
|---|
| 51 | #define CLI_CRED_CLEAR_AUTH 0x10 /* TODO: Push cleartext auth with this flag */
|
|---|
| 52 |
|
|---|
| 53 | struct cli_credentials {
|
|---|
| 54 | enum credentials_obtained workstation_obtained;
|
|---|
| 55 | enum credentials_obtained username_obtained;
|
|---|
| 56 | enum credentials_obtained password_obtained;
|
|---|
| 57 | enum credentials_obtained domain_obtained;
|
|---|
| 58 | enum credentials_obtained realm_obtained;
|
|---|
| 59 | enum credentials_obtained ccache_obtained;
|
|---|
| 60 | enum credentials_obtained client_gss_creds_obtained;
|
|---|
| 61 | enum credentials_obtained principal_obtained;
|
|---|
| 62 | enum credentials_obtained keytab_obtained;
|
|---|
| 63 | enum credentials_obtained server_gss_creds_obtained;
|
|---|
| 64 |
|
|---|
| 65 | /* Threshold values (essentially a MAX() over a number of the
|
|---|
| 66 | * above) for the ccache and GSS credentials, to ensure we
|
|---|
| 67 | * regenerate/pick correctly */
|
|---|
| 68 |
|
|---|
| 69 | enum credentials_obtained ccache_threshold;
|
|---|
| 70 | enum credentials_obtained client_gss_creds_threshold;
|
|---|
| 71 |
|
|---|
| 72 | const char *workstation;
|
|---|
| 73 | const char *username;
|
|---|
| 74 | const char *password;
|
|---|
| 75 | const char *old_password;
|
|---|
| 76 | const char *domain;
|
|---|
| 77 | const char *realm;
|
|---|
| 78 | const char *principal;
|
|---|
| 79 | const char *salt_principal;
|
|---|
| 80 |
|
|---|
| 81 | const char *bind_dn;
|
|---|
| 82 |
|
|---|
| 83 | /* Allows authentication from a keytab or similar */
|
|---|
| 84 | struct samr_Password *nt_hash;
|
|---|
| 85 |
|
|---|
| 86 | /* Allows NTLM pass-though authentication */
|
|---|
| 87 | DATA_BLOB lm_response;
|
|---|
| 88 | DATA_BLOB nt_response;
|
|---|
| 89 |
|
|---|
| 90 | struct ccache_container *ccache;
|
|---|
| 91 | struct gssapi_creds_container *client_gss_creds;
|
|---|
| 92 | struct keytab_container *keytab;
|
|---|
| 93 | struct gssapi_creds_container *server_gss_creds;
|
|---|
| 94 |
|
|---|
| 95 | const char *(*workstation_cb) (struct cli_credentials *);
|
|---|
| 96 | const char *(*password_cb) (struct cli_credentials *);
|
|---|
| 97 | const char *(*username_cb) (struct cli_credentials *);
|
|---|
| 98 | const char *(*domain_cb) (struct cli_credentials *);
|
|---|
| 99 | const char *(*realm_cb) (struct cli_credentials *);
|
|---|
| 100 | const char *(*principal_cb) (struct cli_credentials *);
|
|---|
| 101 |
|
|---|
| 102 | /* Private handle for the callback routines to use */
|
|---|
| 103 | void *priv_data;
|
|---|
| 104 |
|
|---|
| 105 | struct netlogon_creds_CredentialState *netlogon_creds;
|
|---|
| 106 | enum netr_SchannelType secure_channel_type;
|
|---|
| 107 | int kvno;
|
|---|
| 108 |
|
|---|
| 109 | struct smb_krb5_context *smb_krb5_context;
|
|---|
| 110 |
|
|---|
| 111 | /* We are flagged to get machine account details from the
|
|---|
| 112 | * secrets.ldb when we are asked for a username or password */
|
|---|
| 113 | bool machine_account_pending;
|
|---|
| 114 | struct loadparm_context *machine_account_pending_lp_ctx;
|
|---|
| 115 |
|
|---|
| 116 | /* Is this a machine account? */
|
|---|
| 117 | bool machine_account;
|
|---|
| 118 |
|
|---|
| 119 | /* Should we be trying to use kerberos? */
|
|---|
| 120 | enum credentials_use_kerberos use_kerberos;
|
|---|
| 121 |
|
|---|
| 122 | /* gensec features which should be used for connections */
|
|---|
| 123 | uint32_t gensec_features;
|
|---|
| 124 |
|
|---|
| 125 | /* Number of retries left before bailing out */
|
|---|
| 126 | int tries;
|
|---|
| 127 |
|
|---|
| 128 | /* Whether any callback is currently running */
|
|---|
| 129 | bool callback_running;
|
|---|
| 130 | };
|
|---|
| 131 |
|
|---|
| 132 | struct ldb_context;
|
|---|
| 133 | struct loadparm_context;
|
|---|
| 134 | struct ccache_container;
|
|---|
| 135 |
|
|---|
| 136 | struct gssapi_creds_container;
|
|---|
| 137 |
|
|---|
| 138 | const char *cli_credentials_get_workstation(struct cli_credentials *cred);
|
|---|
| 139 | bool cli_credentials_set_workstation(struct cli_credentials *cred,
|
|---|
| 140 | const char *val,
|
|---|
| 141 | enum credentials_obtained obtained);
|
|---|
| 142 | bool cli_credentials_is_anonymous(struct cli_credentials *cred);
|
|---|
| 143 | struct cli_credentials *cli_credentials_init(TALLOC_CTX *mem_ctx);
|
|---|
| 144 | void cli_credentials_set_anonymous(struct cli_credentials *cred);
|
|---|
| 145 | bool cli_credentials_wrong_password(struct cli_credentials *cred);
|
|---|
| 146 | const char *cli_credentials_get_password(struct cli_credentials *cred);
|
|---|
| 147 | void cli_credentials_get_ntlm_username_domain(struct cli_credentials *cred, TALLOC_CTX *mem_ctx,
|
|---|
| 148 | const char **username,
|
|---|
| 149 | const char **domain);
|
|---|
| 150 | NTSTATUS cli_credentials_get_ntlm_response(struct cli_credentials *cred, TALLOC_CTX *mem_ctx,
|
|---|
| 151 | int *flags,
|
|---|
| 152 | DATA_BLOB challenge, DATA_BLOB target_info,
|
|---|
| 153 | DATA_BLOB *_lm_response, DATA_BLOB *_nt_response,
|
|---|
| 154 | DATA_BLOB *_lm_session_key, DATA_BLOB *_session_key);
|
|---|
| 155 | const char *cli_credentials_get_realm(struct cli_credentials *cred);
|
|---|
| 156 | const char *cli_credentials_get_username(struct cli_credentials *cred);
|
|---|
| 157 | int cli_credentials_get_krb5_context(struct cli_credentials *cred,
|
|---|
| 158 | struct tevent_context *event_ctx,
|
|---|
| 159 | struct loadparm_context *lp_ctx,
|
|---|
| 160 | struct smb_krb5_context **smb_krb5_context);
|
|---|
| 161 | int cli_credentials_get_ccache(struct cli_credentials *cred,
|
|---|
| 162 | struct tevent_context *event_ctx,
|
|---|
| 163 | struct loadparm_context *lp_ctx,
|
|---|
| 164 | struct ccache_container **ccc);
|
|---|
| 165 | int cli_credentials_get_keytab(struct cli_credentials *cred,
|
|---|
| 166 | struct tevent_context *event_ctx,
|
|---|
| 167 | struct loadparm_context *lp_ctx,
|
|---|
| 168 | struct keytab_container **_ktc);
|
|---|
| 169 | const char *cli_credentials_get_domain(struct cli_credentials *cred);
|
|---|
| 170 | struct netlogon_creds_CredentialState *cli_credentials_get_netlogon_creds(struct cli_credentials *cred);
|
|---|
| 171 | void cli_credentials_set_machine_account_pending(struct cli_credentials *cred,
|
|---|
| 172 | struct loadparm_context *lp_ctx);
|
|---|
| 173 | void cli_credentials_set_conf(struct cli_credentials *cred,
|
|---|
| 174 | struct loadparm_context *lp_ctx);
|
|---|
| 175 | const char *cli_credentials_get_principal(struct cli_credentials *cred, TALLOC_CTX *mem_ctx);
|
|---|
| 176 | int cli_credentials_get_server_gss_creds(struct cli_credentials *cred,
|
|---|
| 177 | struct tevent_context *event_ctx,
|
|---|
| 178 | struct loadparm_context *lp_ctx,
|
|---|
| 179 | struct gssapi_creds_container **_gcc);
|
|---|
| 180 | int cli_credentials_get_client_gss_creds(struct cli_credentials *cred,
|
|---|
| 181 | struct tevent_context *event_ctx,
|
|---|
| 182 | struct loadparm_context *lp_ctx,
|
|---|
| 183 | struct gssapi_creds_container **_gcc);
|
|---|
| 184 | void cli_credentials_set_kerberos_state(struct cli_credentials *creds,
|
|---|
| 185 | enum credentials_use_kerberos use_kerberos);
|
|---|
| 186 | bool cli_credentials_set_domain(struct cli_credentials *cred,
|
|---|
| 187 | const char *val,
|
|---|
| 188 | enum credentials_obtained obtained);
|
|---|
| 189 | bool cli_credentials_set_domain_callback(struct cli_credentials *cred,
|
|---|
| 190 | const char *(*domain_cb) (struct cli_credentials *));
|
|---|
| 191 | bool cli_credentials_set_username(struct cli_credentials *cred,
|
|---|
| 192 | const char *val, enum credentials_obtained obtained);
|
|---|
| 193 | bool cli_credentials_set_username_callback(struct cli_credentials *cred,
|
|---|
| 194 | const char *(*username_cb) (struct cli_credentials *));
|
|---|
| 195 | bool cli_credentials_set_principal(struct cli_credentials *cred,
|
|---|
| 196 | const char *val,
|
|---|
| 197 | enum credentials_obtained obtained);
|
|---|
| 198 | bool cli_credentials_set_principal_callback(struct cli_credentials *cred,
|
|---|
| 199 | const char *(*principal_cb) (struct cli_credentials *));
|
|---|
| 200 | bool cli_credentials_set_password(struct cli_credentials *cred,
|
|---|
| 201 | const char *val,
|
|---|
| 202 | enum credentials_obtained obtained);
|
|---|
| 203 | struct cli_credentials *cli_credentials_init_anon(TALLOC_CTX *mem_ctx);
|
|---|
| 204 | void cli_credentials_parse_string(struct cli_credentials *credentials, const char *data, enum credentials_obtained obtained);
|
|---|
| 205 | const struct samr_Password *cli_credentials_get_nt_hash(struct cli_credentials *cred,
|
|---|
| 206 | TALLOC_CTX *mem_ctx);
|
|---|
| 207 | bool cli_credentials_set_realm(struct cli_credentials *cred,
|
|---|
| 208 | const char *val,
|
|---|
| 209 | enum credentials_obtained obtained);
|
|---|
| 210 | void cli_credentials_set_secure_channel_type(struct cli_credentials *cred,
|
|---|
| 211 | enum netr_SchannelType secure_channel_type);
|
|---|
| 212 | void cli_credentials_set_netlogon_creds(struct cli_credentials *cred,
|
|---|
| 213 | struct netlogon_creds_CredentialState *netlogon_creds);
|
|---|
| 214 | NTSTATUS cli_credentials_set_krb5_context(struct cli_credentials *cred,
|
|---|
| 215 | struct smb_krb5_context *smb_krb5_context);
|
|---|
| 216 | NTSTATUS cli_credentials_set_stored_principal(struct cli_credentials *cred,
|
|---|
| 217 | struct tevent_context *event_ctx,
|
|---|
| 218 | struct loadparm_context *lp_ctx,
|
|---|
| 219 | const char *serviceprincipal);
|
|---|
| 220 | NTSTATUS cli_credentials_set_machine_account(struct cli_credentials *cred,
|
|---|
| 221 | struct loadparm_context *lp_ctx);
|
|---|
| 222 | bool cli_credentials_authentication_requested(struct cli_credentials *cred);
|
|---|
| 223 | void cli_credentials_guess(struct cli_credentials *cred,
|
|---|
| 224 | struct loadparm_context *lp_ctx);
|
|---|
| 225 | bool cli_credentials_set_bind_dn(struct cli_credentials *cred,
|
|---|
| 226 | const char *bind_dn);
|
|---|
| 227 | const char *cli_credentials_get_bind_dn(struct cli_credentials *cred);
|
|---|
| 228 | bool cli_credentials_parse_file(struct cli_credentials *cred, const char *file, enum credentials_obtained obtained);
|
|---|
| 229 | const char *cli_credentials_get_unparsed_name(struct cli_credentials *credentials, TALLOC_CTX *mem_ctx);
|
|---|
| 230 | bool cli_credentials_set_password_callback(struct cli_credentials *cred,
|
|---|
| 231 | const char *(*password_cb) (struct cli_credentials *));
|
|---|
| 232 | enum netr_SchannelType cli_credentials_get_secure_channel_type(struct cli_credentials *cred);
|
|---|
| 233 | void cli_credentials_set_kvno(struct cli_credentials *cred,
|
|---|
| 234 | int kvno);
|
|---|
| 235 | bool cli_credentials_set_nt_hash(struct cli_credentials *cred,
|
|---|
| 236 | const struct samr_Password *nt_hash,
|
|---|
| 237 | enum credentials_obtained obtained);
|
|---|
| 238 | bool cli_credentials_set_ntlm_response(struct cli_credentials *cred,
|
|---|
| 239 | const DATA_BLOB *lm_response,
|
|---|
| 240 | const DATA_BLOB *nt_response,
|
|---|
| 241 | enum credentials_obtained obtained);
|
|---|
| 242 | int cli_credentials_set_keytab_name(struct cli_credentials *cred,
|
|---|
| 243 | struct tevent_context *event_ctx,
|
|---|
| 244 | struct loadparm_context *lp_ctx,
|
|---|
| 245 | const char *keytab_name,
|
|---|
| 246 | enum credentials_obtained obtained);
|
|---|
| 247 | int cli_credentials_update_keytab(struct cli_credentials *cred,
|
|---|
| 248 | struct tevent_context *event_ctx,
|
|---|
| 249 | struct loadparm_context *lp_ctx);
|
|---|
| 250 | void cli_credentials_set_gensec_features(struct cli_credentials *creds, uint32_t gensec_features);
|
|---|
| 251 | uint32_t cli_credentials_get_gensec_features(struct cli_credentials *creds);
|
|---|
| 252 | int cli_credentials_set_ccache(struct cli_credentials *cred,
|
|---|
| 253 | struct tevent_context *event_ctx,
|
|---|
| 254 | struct loadparm_context *lp_ctx,
|
|---|
| 255 | const char *name,
|
|---|
| 256 | enum credentials_obtained obtained);
|
|---|
| 257 | bool cli_credentials_parse_password_file(struct cli_credentials *credentials, const char *file, enum credentials_obtained obtained);
|
|---|
| 258 | bool cli_credentials_parse_password_fd(struct cli_credentials *credentials,
|
|---|
| 259 | int fd, enum credentials_obtained obtained);
|
|---|
| 260 | void cli_credentials_invalidate_ccache(struct cli_credentials *cred,
|
|---|
| 261 | enum credentials_obtained obtained);
|
|---|
| 262 | void cli_credentials_set_salt_principal(struct cli_credentials *cred, const char *principal);
|
|---|
| 263 | enum credentials_use_kerberos cli_credentials_get_kerberos_state(struct cli_credentials *creds);
|
|---|
| 264 | NTSTATUS cli_credentials_set_secrets(struct cli_credentials *cred,
|
|---|
| 265 | struct tevent_context *event_ctx,
|
|---|
| 266 | struct loadparm_context *lp_ctx,
|
|---|
| 267 | struct ldb_context *ldb,
|
|---|
| 268 | const char *base,
|
|---|
| 269 | const char *filter);
|
|---|
| 270 | int cli_credentials_get_kvno(struct cli_credentials *cred);
|
|---|
| 271 |
|
|---|
| 272 | #endif /* __CREDENTIALS_H__ */
|
|---|
