/*
   samba -- Unix SMB/CIFS implementation.

   Client credentials structure

   Copyright (C) Jelmer Vernooij 2004-2006
   Copyright (C) Andrew Bartlett <abartlet@samba.org> 2005

   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
   the Free Software Foundation; either version 3 of the License, or
   (at your option) any later version.

   This program is distributed in the hope that it will be useful,
   but WITHOUT ANY WARRANTY; without even the implied warranty of
   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
   GNU General Public License for more details.

   You should have received a copy of the GNU General Public License
   along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
22#ifndef __CREDENTIALS_H__
23#define __CREDENTIALS_H__
24
25#include "../lib/util/data_blob.h"
26#include "librpc/gen_ndr/misc.h"
27
/* Opaque types defined elsewhere; this header only ever holds pointers to
 * them, so incomplete declarations are enough. */
struct ccache_container;
struct tevent_context;

/* In order of priority.
 *
 * Each settable value in struct cli_credentials carries one of these in a
 * matching *_obtained member, recording where the value came from.  The
 * numeric order is significant: the *_threshold members are described
 * below as a MAX() over several of these, so the enumerators must not be
 * reordered or renumbered.  Presumably a setter only replaces a value that
 * was obtained at a lower priority -- confirm against the implementation. */
enum credentials_obtained {
	CRED_UNINITIALISED = 0, /* We don't even have a guess yet */
	CRED_CALLBACK,          /* Callback should be used to obtain value */
	CRED_GUESS_ENV,         /* Current value should be used, which was guessed */
	CRED_GUESS_FILE,        /* A guess from a file (or file pointed at in env variable) */
	CRED_CALLBACK_RESULT,   /* Value was obtained from a callback */
	CRED_SPECIFIED          /* Was explicitly specified on the command-line */
};
40
/* Policy for whether Kerberos is attempted when authenticating.  The
 * zero value is the default, so a zero-initialised structure gets
 * CRED_AUTO_USE_KERBEROS.  Set/read via cli_credentials_set_kerberos_state()
 * and cli_credentials_get_kerberos_state(). */
enum credentials_use_kerberos {
	CRED_AUTO_USE_KERBEROS = 0, /* Default, we try kerberos if available */
	CRED_DONT_USE_KERBEROS,     /* Sometimes trying kerberos just does 'bad things', so don't */
	CRED_MUST_USE_KERBEROS      /* Sometimes administrators are paranoid, so always do kerberos.
	                             * Use this where a fallback to NTLM would be unacceptable. */
};
46
/* Whether the Kerberos ticket obtained for these credentials should be
 * forwardable.  Zero is the default (library behaviour).  Set/read via
 * cli_credentials_set_krb_forwardable() and
 * cli_credentials_get_krb_forwardable().  A forwardable ticket lets the
 * remote service act as this client, so request it only where delegation
 * is actually required. */
enum credentials_krb_forwardable {
	CRED_AUTO_KRB_FORWARDABLE = 0, /* Default, follow library defaults */
	CRED_NO_KRB_FORWARDABLE,       /* not forwardable */
	CRED_FORCE_KRB_FORWARDABLE     /* forwardable */
};
52
/* Bit flags describing which NTLM response variants are in play.  Each is
 * a distinct bit so they can be OR'd together; presumably they travel via
 * the "int *flags" argument of cli_credentials_get_ntlm_response() --
 * confirm in the implementation.
 *
 * NOTE(review): CLI_CRED_LANMAN_AUTH enables the legacy LM response, which
 * is far weaker than NTLMv2; callers should leave it clear unless a peer
 * genuinely requires it. */
#define CLI_CRED_NTLM2       0x01
#define CLI_CRED_NTLMv2_AUTH 0x02
#define CLI_CRED_LANMAN_AUTH 0x04
#define CLI_CRED_NTLM_AUTH   0x08
#define CLI_CRED_CLEAR_AUTH  0x10 /* TODO: Push cleartext auth with this flag */
58
/*
 * A set of client credentials: who we are, what secrets we hold, and how
 * each of those pieces of information was obtained.
 *
 * Callers should treat this as opaque and go through the
 * cli_credentials_*() functions declared below; the layout is exposed here
 * for the implementation.  Several members hold secret material (see the
 * notes inline); the header does not show how the structure is freed, so
 * confirm that the implementation scrubs those members before release.
 */
struct cli_credentials {
	/* One provenance marker per settable value (see enum
	 * credentials_obtained).  Presumably each matching
	 * cli_credentials_set_*() updates the value and its marker together
	 * -- confirm in the implementation. */
	enum credentials_obtained workstation_obtained;
	enum credentials_obtained username_obtained;
	enum credentials_obtained password_obtained;
	enum credentials_obtained domain_obtained;
	enum credentials_obtained realm_obtained;
	enum credentials_obtained ccache_obtained;
	enum credentials_obtained client_gss_creds_obtained;
	enum credentials_obtained principal_obtained;
	enum credentials_obtained keytab_obtained;
	enum credentials_obtained server_gss_creds_obtained;

	/* Threshold values (essentially a MAX() over a number of the
	 * above) for the ccache and GSS credentials, to ensure we
	 * regenerate/pick correctly */

	enum credentials_obtained ccache_threshold;
	enum credentials_obtained client_gss_creds_threshold;

	/* Identity strings.  The const members are read back by the
	 * cli_credentials_get_*() accessors below; salt_principal,
	 * impersonate_principal and target_service are non-const and have
	 * their own setters.
	 *
	 * NOTE(review): password and old_password are secrets held in
	 * plain memory for the lifetime of the structure. */
	const char *workstation;
	const char *username;
	const char *password;
	const char *old_password;
	const char *domain;
	const char *realm;
	const char *principal;
	char *salt_principal;
	char *impersonate_principal;
	char *target_service;

	/* LDAP bind DN, set/read via cli_credentials_set_bind_dn() and
	 * cli_credentials_get_bind_dn(). */
	const char *bind_dn;

	/* Allows authentication from a keytab or similar.
	 * NOTE(review): the NT hash is password-equivalent secret material. */
	struct samr_Password *nt_hash;

	/* Allows NTLM pass-through authentication: pre-computed responses
	 * supplied by cli_credentials_set_ntlm_response().
	 * NOTE(review): these are also sensitive and replayable for the
	 * challenge they were computed against. */
	DATA_BLOB lm_response;
	DATA_BLOB nt_response;

	/* Kerberos state: opaque containers, filled in on demand by the
	 * cli_credentials_get_ccache() / _get_keytab() / _get_*_gss_creds()
	 * functions below. */
	struct ccache_container *ccache;
	struct gssapi_creds_container *client_gss_creds;
	struct keytab_container *keytab;
	struct gssapi_creds_container *server_gss_creds;

	/* Optional callbacks consulted when a value is CRED_CALLBACK.  Each
	 * receives this structure and returns the value as a string. */
	const char *(*workstation_cb) (struct cli_credentials *);
	const char *(*password_cb) (struct cli_credentials *);
	const char *(*username_cb) (struct cli_credentials *);
	const char *(*domain_cb) (struct cli_credentials *);
	const char *(*realm_cb) (struct cli_credentials *);
	const char *(*principal_cb) (struct cli_credentials *);

	/* Private handle for the callback routines to use */
	void *priv_data;

	/* Netlogon / schannel state for machine-account style credentials. */
	struct netlogon_creds_CredentialState *netlogon_creds;
	enum netr_SchannelType secure_channel_type;
	int kvno;                         /* Kerberos key version number */
	time_t password_last_changed_time;

	struct smb_krb5_context *smb_krb5_context;

	/* We are flagged to get machine account details from the
	 * secrets.ldb when we are asked for a username or password */
	bool machine_account_pending;
	struct loadparm_context *machine_account_pending_lp_ctx;

	/* Is this a machine account? */
	bool machine_account;

	/* Should we be trying to use kerberos? */
	enum credentials_use_kerberos use_kerberos;

	/* Should we get a forwardable ticket? */
	enum credentials_krb_forwardable krb_forwardable;

	/* gensec features which should be used for connections */
	uint32_t gensec_features;

	/* Number of retries left before bailing out */
	int tries;

	/* Whether any callback is currently running -- presumably a guard
	 * against a callback re-entering the accessor that invoked it;
	 * confirm in the implementation. */
	bool callback_running;
};
143
/* Further opaque types used only by pointer in the prototypes below.
 * (struct ccache_container is declared a second time here; harmless in C,
 * but one of the two declarations could be dropped.) */
struct ldb_context;
struct ldb_message;
struct loadparm_context;
struct ccache_container;

struct gssapi_creds_container;
150
/*
 * Public API for struct cli_credentials.
 *
 * Conventions that can be read off the prototypes (confirm against the
 * implementation before relying on them):
 *  - cli_credentials_set_*() functions that take an enum
 *    credentials_obtained let the caller state how the value was
 *    obtained; presumably a lower-priority source does not override a
 *    value already obtained at a higher priority.
 *  - The Kerberos helpers returning int mostly report failures through an
 *    error_string out-parameter; the meaning of the int is not visible
 *    in this header.
 *  - Functions returning NTSTATUS report failure as an NT status code.
 *  - Getters that take a TALLOC_CTX allocate their result under it; the
 *    other getters return pointers owned by the credentials structure.
 */

/* Workstation name. */
const char *cli_credentials_get_workstation(struct cli_credentials *cred);
bool cli_credentials_set_workstation(struct cli_credentials *cred,
				     const char *val,
				     enum credentials_obtained obtained);

/* Anonymous credentials: construction and test. */
bool cli_credentials_is_anonymous(struct cli_credentials *cred);
/* Allocates a new credentials structure; mem_ctx is the talloc parent. */
struct cli_credentials *cli_credentials_init(TALLOC_CTX *mem_ctx);
void cli_credentials_set_anonymous(struct cli_credentials *cred);

/* Retry bookkeeping after a failed authentication (see the "tries" member);
 * the return value presumably says whether another attempt is worthwhile
 * -- confirm in the implementation. */
bool cli_credentials_wrong_password(struct cli_credentials *cred);

/* Password (cleartext).  The returned pointer is owned by cred. */
const char *cli_credentials_get_password(struct cli_credentials *cred);

/* NTLM helpers.
 * get_ntlm_username_domain: fills *username and *domain, allocated under
 * mem_ctx.
 * get_ntlm_response: computes the LM/NT responses and session keys for
 * the given server challenge and target_info.  flags is passed by
 * pointer, so it may be updated as well as read (CLI_CRED_* bits);
 * confirm the in/out contract in the implementation.  The four DATA_BLOB
 * out-parameters are allocated under mem_ctx and contain key material. */
void cli_credentials_get_ntlm_username_domain(struct cli_credentials *cred, TALLOC_CTX *mem_ctx,
					      const char **username,
					      const char **domain);
NTSTATUS cli_credentials_get_ntlm_response(struct cli_credentials *cred, TALLOC_CTX *mem_ctx,
					   int *flags,
					   DATA_BLOB challenge, DATA_BLOB target_info,
					   DATA_BLOB *_lm_response, DATA_BLOB *_nt_response,
					   DATA_BLOB *_lm_session_key, DATA_BLOB *_session_key);

/* Realm and username. */
const char *cli_credentials_get_realm(struct cli_credentials *cred);
const char *cli_credentials_get_username(struct cli_credentials *cred);

/* Kerberos context, credential cache, keytab and GSSAPI credentials.
 * These are obtained lazily and cached in the structure.  On failure the
 * functions that take error_string set *error_string to a message
 * (ownership not visible here). */
int cli_credentials_get_krb5_context(struct cli_credentials *cred,
				     struct loadparm_context *lp_ctx,
				     struct smb_krb5_context **smb_krb5_context);
int cli_credentials_get_ccache(struct cli_credentials *cred,
			       struct tevent_context *event_ctx,
			       struct loadparm_context *lp_ctx,
			       struct ccache_container **ccc,
			       const char **error_string);
/* As get_ccache, but for a named cache.  NOTE(review): ccache_name is a
 * non-const char * unlike every other string argument in this header;
 * if the implementation does not modify it the parameter should be
 * const. */
int cli_credentials_get_named_ccache(struct cli_credentials *cred,
				     struct tevent_context *event_ctx,
				     struct loadparm_context *lp_ctx,
				     char *ccache_name,
				     struct ccache_container **ccc, const char **error_string);
int cli_credentials_get_keytab(struct cli_credentials *cred,
			       struct loadparm_context *lp_ctx,
			       struct keytab_container **_ktc);

/* Domain. */
const char *cli_credentials_get_domain(struct cli_credentials *cred);

/* Netlogon credential state (schannel). */
struct netlogon_creds_CredentialState *cli_credentials_get_netlogon_creds(struct cli_credentials *cred);

/* Machine account: defer loading the details from secrets.ldb until a
 * username or password is actually requested (see machine_account_pending). */
void cli_credentials_set_machine_account_pending(struct cli_credentials *cred,
						 struct loadparm_context *lp_ctx);
/* Populate defaults (workstation, realm, ...) from the loadparm context. */
void cli_credentials_set_conf(struct cli_credentials *cred,
			      struct loadparm_context *lp_ctx);
/* Kerberos principal; allocated under mem_ctx. */
const char *cli_credentials_get_principal(struct cli_credentials *cred, TALLOC_CTX *mem_ctx);

/* GSSAPI credentials for acting as a server / as a client. */
int cli_credentials_get_server_gss_creds(struct cli_credentials *cred,
					 struct loadparm_context *lp_ctx,
					 struct gssapi_creds_container **_gcc);
int cli_credentials_get_client_gss_creds(struct cli_credentials *cred,
					 struct tevent_context *event_ctx,
					 struct loadparm_context *lp_ctx,
					 struct gssapi_creds_container **_gcc,
					 const char **error_string);

/* Kerberos policy knobs (see the enums above). */
void cli_credentials_set_kerberos_state(struct cli_credentials *creds,
					enum credentials_use_kerberos use_kerberos);
void cli_credentials_set_krb_forwardable(struct cli_credentials *creds,
					 enum credentials_krb_forwardable krb_forwardable);

/* Setters for the identity strings, with optional callbacks that are
 * consulted when the value is CRED_CALLBACK. */
bool cli_credentials_set_domain(struct cli_credentials *cred,
				const char *val,
				enum credentials_obtained obtained);
bool cli_credentials_set_domain_callback(struct cli_credentials *cred,
					 const char *(*domain_cb) (struct cli_credentials *));
bool cli_credentials_set_username(struct cli_credentials *cred,
				  const char *val, enum credentials_obtained obtained);
bool cli_credentials_set_username_callback(struct cli_credentials *cred,
					   const char *(*username_cb) (struct cli_credentials *));
bool cli_credentials_set_principal(struct cli_credentials *cred,
				   const char *val,
				   enum credentials_obtained obtained);
bool cli_credentials_set_principal_callback(struct cli_credentials *cred,
					    const char *(*principal_cb) (struct cli_credentials *));
bool cli_credentials_set_password(struct cli_credentials *cred,
				  const char *val,
				  enum credentials_obtained obtained);

/* Allocates credentials already marked anonymous. */
struct cli_credentials *cli_credentials_init_anon(TALLOC_CTX *mem_ctx);

/* Parse a combined identity string into the credentials.  The accepted
 * format is not visible in this header.  NOTE(review): where data comes
 * from the command line and includes a password, it is visible to other
 * local users via the process list; prefer cli_credentials_parse_password_fd()
 * or _parse_password_file() for secrets. */
void cli_credentials_parse_string(struct cli_credentials *credentials, const char *data, enum credentials_obtained obtained);

/* NT hash of the password; allocated under mem_ctx.  Password-equivalent. */
const struct samr_Password *cli_credentials_get_nt_hash(struct cli_credentials *cred,
							TALLOC_CTX *mem_ctx);
bool cli_credentials_set_realm(struct cli_credentials *cred,
			       const char *val,
			       enum credentials_obtained obtained);

/* Schannel / netlogon related state. */
void cli_credentials_set_secure_channel_type(struct cli_credentials *cred,
					     enum netr_SchannelType secure_channel_type);
void cli_credentials_set_password_last_changed_time(struct cli_credentials *cred,
						    time_t last_change_time);
void cli_credentials_set_netlogon_creds(struct cli_credentials *cred,
					struct netlogon_creds_CredentialState *netlogon_creds);
NTSTATUS cli_credentials_set_krb5_context(struct cli_credentials *cred,
					  struct smb_krb5_context *smb_krb5_context);

/* Load a stored principal (serviceprincipal) from the local secrets. */
NTSTATUS cli_credentials_set_stored_principal(struct cli_credentials *cred,
					      struct loadparm_context *lp_ctx,
					      const char *serviceprincipal);
/* Load the local machine account from secrets.ldb immediately. */
NTSTATUS cli_credentials_set_machine_account(struct cli_credentials *cred,
					     struct loadparm_context *lp_ctx);

/* True if the caller has asked for something other than anonymous access
 * -- the exact condition is in the implementation. */
bool cli_credentials_authentication_requested(struct cli_credentials *cred);
/* Fill in any still-unset values from the environment and configuration. */
void cli_credentials_guess(struct cli_credentials *cred,
			   struct loadparm_context *lp_ctx);

/* LDAP bind DN. */
bool cli_credentials_set_bind_dn(struct cli_credentials *cred,
				 const char *bind_dn);
const char *cli_credentials_get_bind_dn(struct cli_credentials *cred);

/* Read credentials from a file (format not visible here).  Such files
 * hold secrets and should be readable only by the owning user. */
bool cli_credentials_parse_file(struct cli_credentials *cred, const char *file, enum credentials_obtained obtained);
/* Human-readable identity for display, allocated under mem_ctx. */
const char *cli_credentials_get_unparsed_name(struct cli_credentials *credentials, TALLOC_CTX *mem_ctx);
bool cli_credentials_set_password_callback(struct cli_credentials *cred,
					   const char *(*password_cb) (struct cli_credentials *));
enum netr_SchannelType cli_credentials_get_secure_channel_type(struct cli_credentials *cred);
time_t cli_credentials_get_password_last_changed_time(struct cli_credentials *cred);
void cli_credentials_set_kvno(struct cli_credentials *cred,
			      int kvno);

/* Supply secret material directly rather than a cleartext password. */
bool cli_credentials_set_nt_hash(struct cli_credentials *cred,
				 const struct samr_Password *nt_hash,
				 enum credentials_obtained obtained);
bool cli_credentials_set_ntlm_response(struct cli_credentials *cred,
				       const DATA_BLOB *lm_response,
				       const DATA_BLOB *nt_response,
				       enum credentials_obtained obtained);
int cli_credentials_set_keytab_name(struct cli_credentials *cred,
				    struct loadparm_context *lp_ctx,
				    const char *keytab_name,
				    enum credentials_obtained obtained);

/* GENSEC feature bits requested for connections (see gensec_features). */
void cli_credentials_set_gensec_features(struct cli_credentials *creds, uint32_t gensec_features);
uint32_t cli_credentials_get_gensec_features(struct cli_credentials *creds);

/* Select a Kerberos credential cache by name. */
int cli_credentials_set_ccache(struct cli_credentials *cred,
			       struct loadparm_context *lp_ctx,
			       const char *name,
			       enum credentials_obtained obtained,
			       const char **error_string);

/* Read only the password from a file or an already-open descriptor.
 * These keep the secret off the command line. */
bool cli_credentials_parse_password_file(struct cli_credentials *credentials, const char *file, enum credentials_obtained obtained);
bool cli_credentials_parse_password_fd(struct cli_credentials *credentials,
				       int fd, enum credentials_obtained obtained);

/* Drop a cached ccache so it is regenerated (see ccache_threshold). */
void cli_credentials_invalidate_ccache(struct cli_credentials *cred,
				       enum credentials_obtained obtained);

/* Additional Kerberos principals: the salt used for key derivation, a
 * principal to impersonate (S4U-style), and the target service name. */
void cli_credentials_set_salt_principal(struct cli_credentials *cred, const char *principal);
void cli_credentials_set_impersonate_principal(struct cli_credentials *cred, const char *principal);
void cli_credentials_set_target_service(struct cli_credentials *cred, const char *principal);
const char *cli_credentials_get_salt_principal(struct cli_credentials *cred);
const char *cli_credentials_get_impersonate_principal(struct cli_credentials *cred);
const char *cli_credentials_get_target_service(struct cli_credentials *cred);
enum credentials_use_kerberos cli_credentials_get_kerberos_state(struct cli_credentials *creds);
enum credentials_krb_forwardable cli_credentials_get_krb_forwardable(struct cli_credentials *creds);

/* Load credentials from an LDB database: search under "base" with the
 * LDAP search "filter".
 * NOTE(review): the filter is passed as a raw string, so any component
 * that derives from untrusted input must be LDAP-escaped by the caller
 * before this call; nothing in the prototype indicates the implementation
 * does it.  Also note error_string is char ** here but const char **
 * everywhere else in this header -- an inconsistency worth aligning. */
NTSTATUS cli_credentials_set_secrets(struct cli_credentials *cred,
				     struct loadparm_context *lp_ctx,
				     struct ldb_context *ldb,
				     const char *base,
				     const char *filter,
				     char **error_string);
/* Kerberos key version number (the stray leading whitespace is in the
 * original). */
 int cli_credentials_get_kvno(struct cli_credentials *cred);
294
295
296#endif /* __CREDENTIALS_H__ */