*/
#include "includes.h"
-#include "popt_common.h"
+#include "auth_info.h"
#include "secrets.h"
+#include "param/param.h"
+#include "librpc/gen_ndr/samr.h"
+#include "auth/credentials/credentials.h"
+#include "auth/gensec/gensec.h"
/**************************************************************************n
Code to cope with username/password auth options from the commandline.
Used mainly in client tools.
****************************************************************************/
+struct user_auth_info {
+ struct cli_credentials *creds;
+ struct loadparm_context *lp_ctx;
+ bool got_username;
+ bool got_pass;
+ int signing_state;
+ bool smb_encrypt;
+ bool use_machine_account;
+ bool use_pw_nt_hash;
+ char *pw_nt_hash;
+};
+
struct user_auth_info *user_auth_info_init(TALLOC_CTX *mem_ctx)
{
- struct user_auth_info *result;
+ struct user_auth_info *result = NULL;
result = talloc_zero(mem_ctx, struct user_auth_info);
if (result == NULL) {
return NULL;
}
- result->signing_state = Undefined;
+ result->lp_ctx = loadparm_init_s3(result, loadparm_s3_helpers());
+ if (result->lp_ctx == NULL) {
+ TALLOC_FREE(result);
+ return NULL;
+ }
+
+ result->creds = cli_credentials_init(result);
+ if (result->creds == NULL) {
+ TALLOC_FREE(result);
+ return NULL;
+ }
+
+ cli_credentials_set_conf(result->creds, result->lp_ctx);
+
+ result->signing_state = SMB_SIGNING_DEFAULT;
return result;
}
+void set_cmdline_auth_info_guess(struct user_auth_info *auth_info)
+{
+ /*
+ * Note that cli_credentials_guess() calls
+ * cli_credentials_set_conf() again, which will
+ * hopefully cope with a reloaded smb.conf.
+ */
+ cli_credentials_set_username(auth_info->creds, "GUEST", CRED_GUESS_ENV);
+ cli_credentials_guess(auth_info->creds, auth_info->lp_ctx);
+}
+
+void set_cmdline_auth_info_from_file(struct user_auth_info *auth_info,
+ const char *filename)
+{
+ bool ok;
+
+ ok = cli_credentials_parse_file(auth_info->creds, filename,
+ CRED_SPECIFIED);
+ if (!ok) {
+ exit(EIO);
+ }
+ auth_info->got_username = true;
+}
+
const char *get_cmdline_auth_info_username(const struct user_auth_info *auth_info)
{
- if (!auth_info->username) {
+ const char *username = NULL;
+
+ username = cli_credentials_get_username(auth_info->creds);
+ if (username == NULL) {
return "";
}
- return auth_info->username;
+
+ return username;
}
void set_cmdline_auth_info_username(struct user_auth_info *auth_info,
const char *username)
{
- TALLOC_FREE(auth_info->username);
- auth_info->username = talloc_strdup(auth_info, username);
- if (!auth_info->username) {
+ const char *new_val = NULL;
+
+ if (username == NULL) {
+ return;
+ }
+ cli_credentials_parse_string(auth_info->creds,
+ username,
+ CRED_SPECIFIED);
+ new_val = cli_credentials_get_username(auth_info->creds);
+ if (new_val == NULL) {
+ exit(ENOMEM);
+ }
+
+ auth_info->got_username = true;
+ if (strchr_m(username, '%') != NULL) {
+ auth_info->got_pass = true;
+ }
+}
+
+void reset_cmdline_auth_info_username(struct user_auth_info *auth_info)
+{
+ const char *username = NULL;
+ const char *new_val = NULL;
+
+ if (!auth_info->got_username) {
+ return;
+ }
+
+ username = cli_credentials_get_username(auth_info->creds);
+ if (username == NULL) {
+ return;
+ }
+ if (username[0] == '\0') {
+ return;
+ }
+
+ cli_credentials_parse_string(auth_info->creds,
+ username,
+ CRED_SPECIFIED);
+ new_val = cli_credentials_get_username(auth_info->creds);
+ if (new_val == NULL) {
exit(ENOMEM);
}
}
const char *get_cmdline_auth_info_domain(const struct user_auth_info *auth_info)
{
- if (!auth_info->domain) {
+ const char *domain = NULL;
+
+ domain = cli_credentials_get_domain(auth_info->creds);
+ if (domain == NULL) {
return "";
}
- return auth_info->domain;
+
+ return domain;
}
void set_cmdline_auth_info_domain(struct user_auth_info *auth_info,
const char *domain)
{
- TALLOC_FREE(auth_info->domain);
- auth_info->domain = talloc_strdup(auth_info, domain);
- if (!auth_info->domain) {
+ bool ok;
+
+ ok = cli_credentials_set_domain(auth_info->creds, domain, CRED_SPECIFIED);
+ if (!ok) {
exit(ENOMEM);
}
}
const char *get_cmdline_auth_info_password(const struct user_auth_info *auth_info)
{
- if (!auth_info->password) {
+ const char *password = NULL;
+
+ if (auth_info->pw_nt_hash != NULL) {
+ return auth_info->pw_nt_hash;
+ }
+
+ if (auth_info->use_pw_nt_hash) {
+ struct user_auth_info *ai =
+ discard_const_p(struct user_auth_info, auth_info);
+ struct samr_Password *nt_hash = NULL;
+
+ nt_hash = cli_credentials_get_nt_hash(ai->creds,
+ ai);
+ if (nt_hash == NULL) {
+ return "";
+ }
+
+ ai->pw_nt_hash = hex_encode_talloc(ai,
+ nt_hash->hash,
+ sizeof(nt_hash->hash));
+ TALLOC_FREE(nt_hash);
+ if (ai->pw_nt_hash == NULL) {
+ return "";
+ }
+
+ return auth_info->pw_nt_hash;
+ }
+
+ password = cli_credentials_get_password(auth_info->creds);
+ if (password == NULL) {
return "";
}
- return auth_info->password;
+
+ return password;
}
void set_cmdline_auth_info_password(struct user_auth_info *auth_info,
const char *password)
{
- TALLOC_FREE(auth_info->password);
- if (password == NULL) {
- password = "";
+ bool ok;
+
+ auth_info->got_pass = true;
+
+ if (password != NULL && strlen(password) == 0) {
+ password = NULL;
}
- auth_info->password = talloc_strdup(auth_info, password);
- if (!auth_info->password) {
+
+ ok = cli_credentials_set_password(auth_info->creds,
+ password,
+ CRED_SPECIFIED);
+ if (!ok) {
exit(ENOMEM);
}
- auth_info->got_pass = true;
}
bool set_cmdline_auth_info_signing_state(struct user_auth_info *auth_info,
const char *arg)
{
- auth_info->signing_state = -1;
+ auth_info->signing_state = SMB_SIGNING_DEFAULT;
if (strequal(arg, "off") || strequal(arg, "no") ||
strequal(arg, "false")) {
- auth_info->signing_state = false;
+ auth_info->signing_state = SMB_SIGNING_OFF;
} else if (strequal(arg, "on") || strequal(arg, "yes") ||
+ strequal(arg, "if_required") ||
strequal(arg, "true") || strequal(arg, "auto")) {
- auth_info->signing_state = true;
+ auth_info->signing_state = SMB_SIGNING_IF_REQUIRED;
} else if (strequal(arg, "force") || strequal(arg, "required") ||
strequal(arg, "forced")) {
- auth_info->signing_state = Required;
+ auth_info->signing_state = SMB_SIGNING_REQUIRED;
} else {
return false;
}
return true;
}
+void set_cmdline_auth_info_signing_state_raw(struct user_auth_info *auth_info,
+ int signing_state)
+{
+ auth_info->signing_state = signing_state;
+}
+
int get_cmdline_auth_info_signing_state(const struct user_auth_info *auth_info)
{
+ if (auth_info->smb_encrypt) {
+ return SMB_SIGNING_REQUIRED;
+ }
return auth_info->signing_state;
}
void set_cmdline_auth_info_use_ccache(struct user_auth_info *auth_info, bool b)
{
- auth_info->use_ccache = b;
+ uint32_t gensec_features;
+
+ gensec_features = cli_credentials_get_gensec_features(auth_info->creds);
+ gensec_features |= GENSEC_FEATURE_NTLM_CCACHE;
+ cli_credentials_set_gensec_features(auth_info->creds, gensec_features);
}
bool get_cmdline_auth_info_use_ccache(const struct user_auth_info *auth_info)
{
- return auth_info->use_ccache;
+ uint32_t gensec_features;
+
+ gensec_features = cli_credentials_get_gensec_features(auth_info->creds);
+ if (gensec_features & GENSEC_FEATURE_NTLM_CCACHE) {
+ return true;
+ }
+
+ return false;
+}
+
+void set_cmdline_auth_info_use_pw_nt_hash(struct user_auth_info *auth_info,
+ bool b)
+{
+ TALLOC_FREE(auth_info->pw_nt_hash);
+ auth_info->use_pw_nt_hash = b;
+ cli_credentials_set_password_will_be_nt_hash(auth_info->creds, b);
+}
+
+bool get_cmdline_auth_info_use_pw_nt_hash(
+ const struct user_auth_info *auth_info)
+{
+ return auth_info->use_pw_nt_hash;
}
void set_cmdline_auth_info_use_kerberos(struct user_auth_info *auth_info,
bool b)
{
- auth_info->use_kerberos = b;
+ enum credentials_use_kerberos krb5_state;
+
+ if (b) {
+ krb5_state = CRED_MUST_USE_KERBEROS;
+ } else {
+ krb5_state = CRED_DONT_USE_KERBEROS;
+ }
+
+ cli_credentials_set_kerberos_state(auth_info->creds, krb5_state);
}
bool get_cmdline_auth_info_use_kerberos(const struct user_auth_info *auth_info)
{
- return auth_info->use_kerberos;
+ enum credentials_use_kerberos krb5_state;
+
+ krb5_state = cli_credentials_get_kerberos_state(auth_info->creds);
+
+ if (krb5_state == CRED_MUST_USE_KERBEROS) {
+ return true;
+ }
+
+ return false;
}
void set_cmdline_auth_info_fallback_after_kerberos(struct user_auth_info *auth_info,
bool b)
{
- auth_info->fallback_after_kerberos = b;
+ enum credentials_use_kerberos krb5_state;
+
+ krb5_state = cli_credentials_get_kerberos_state(auth_info->creds);
+
+ switch (krb5_state) {
+ case CRED_MUST_USE_KERBEROS:
+ if (b) {
+ krb5_state = CRED_AUTO_USE_KERBEROS;
+ }
+ break;
+ case CRED_AUTO_USE_KERBEROS:
+ if (!b) {
+ krb5_state = CRED_MUST_USE_KERBEROS;
+ }
+ break;
+ case CRED_DONT_USE_KERBEROS:
+ /* nothing to do */
+ break;
+ }
+
+ cli_credentials_set_kerberos_state(auth_info->creds, krb5_state);
}
bool get_cmdline_auth_info_fallback_after_kerberos(const struct user_auth_info *auth_info)
{
- return auth_info->fallback_after_kerberos;
+ enum credentials_use_kerberos krb5_state;
+
+ krb5_state = cli_credentials_get_kerberos_state(auth_info->creds);
+
+ if (krb5_state == CRED_AUTO_USE_KERBEROS) {
+ return true;
+ }
+
+ return false;
}
/* This should only be used by lib/popt_common.c JRA */
void set_cmdline_auth_info_use_krb5_ticket(struct user_auth_info *auth_info)
{
- auth_info->use_kerberos = true;
+ set_cmdline_auth_info_use_kerberos(auth_info, true);
auth_info->got_pass = true;
}
void set_cmdline_auth_info_use_machine_account(struct user_auth_info *auth_info)
{
+ cli_credentials_set_machine_account_pending(auth_info->creds,
+ auth_info->lp_ctx);
auth_info->use_machine_account = true;
}
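Review bot: `set_cmdline_auth_info_use_ccache` ignores its `b` argument — the body always ORs `GENSEC_FEATURE_NTLM_CCACHE` into the feature mask, so a call with `false` can no longer clear the flag the way the removed `auth_info->use_ccache = b` did; replace the OR with `if (b) { gensec_features |= GENSEC_FEATURE_NTLM_CCACHE; } else { gensec_features &= ~GENSEC_FEATURE_NTLM_CCACHE; }`. Separately, the hex-encoded hash that `get_cmdline_auth_info_password` caches in `auth_info->pw_nt_hash` is only dropped by `set_cmdline_auth_info_use_pw_nt_hash`; `set_cmdline_auth_info_password`, `set_cmdline_auth_info_username` (with an embedded `%`) and `set_cmdline_auth_info_from_file` replace the credential without clearing it, and since the getter returns a non-NULL cache before looking at anything else, a later call hands back the hash of the previous password — add `TALLOC_FREE(auth_info->pw_nt_hash);` at the top of each of those setters. That cache and the `struct samr_Password` freed right after `hex_encode_talloc` hold secret material in ordinary talloc memory that is not wiped on release; if the tree has a secret-aware free, prefer it there. The getter also mutates the object behind a `const` pointer via `discard_const_p`, which deserves a one-line comment explaining that this is a lazily filled cache.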
return auth_info->use_machine_account;
}
-struct user_auth_info *get_cmdline_auth_info_copy(TALLOC_CTX *mem_ctx,
- const struct user_auth_info *src)
-{
- struct user_auth_info *result;
-
- result = user_auth_info_init(mem_ctx);
- if (result == NULL) {
- return NULL;
- }
-
- *result = *src;
-
- result->username = talloc_strdup(
- result, get_cmdline_auth_info_username(src));
- result->password = talloc_strdup(
- result, get_cmdline_auth_info_password(src));
- if ((result->username == NULL) || (result->password == NULL)) {
- TALLOC_FREE(result);
- return NULL;
- }
-
- return result;
-}
-
bool set_cmdline_auth_info_machine_account_creds(struct user_auth_info *auth_info)
{
- char *pass = NULL;
- char *account = NULL;
+ struct db_context *db_ctx = NULL;
+ NTSTATUS status;
if (!get_cmdline_auth_info_use_machine_account(auth_info)) {
return false;
}
- if (!secrets_init()) {
+ db_ctx = secrets_db_ctx();
+ if (db_ctx == NULL) {
d_printf("ERROR: Unable to open secrets database\n");
return false;
}
- if (asprintf(&account, "%s$@%s", lp_netbios_name(), lp_realm()) < 0) {
- return false;
- }
+ cli_credentials_set_domain(auth_info->creds, lpcfg_workgroup(auth_info->lp_ctx),
+ CRED_SPECIFIED);
- pass = secrets_fetch_machine_password(lp_workgroup(), NULL, NULL);
- if (!pass) {
+ status = cli_credentials_set_machine_account_db_ctx(auth_info->creds,
+ auth_info->lp_ctx,
+ db_ctx);
+ if (!NT_STATUS_IS_OK(status)) {
d_printf("ERROR: Unable to fetch machine password for "
- "%s in domain %s\n",
- account, lp_workgroup());
- SAFE_FREE(account);
+ "%s in domain %s - %s\n",
+ lpcfg_netbios_name(auth_info->lp_ctx),
+ lpcfg_workgroup(auth_info->lp_ctx),
+ nt_errstr(status));
return false;
}
- set_cmdline_auth_info_username(auth_info, account);
- set_cmdline_auth_info_password(auth_info, pass);
+ return true;
+}
- SAFE_FREE(account);
- SAFE_FREE(pass);
+static const char *cmdline_auth_info_pw_callback(struct cli_credentials *creds)
+{
+ TALLOC_CTX *frame = talloc_stackframe();
+ const char *name = NULL;
+ char *label = NULL;
+ char *ret = NULL;
+ char pwd[256] = {0};
+ int rc;
- return true;
+ name = cli_credentials_get_unparsed_name(creds, frame);
+ if (name == NULL) {
+ goto fail;
+ }
+ label = talloc_asprintf(frame, "Enter %s's password: ", name);
+ if (label == NULL) {
+ goto fail;
+ }
+ rc = samba_getpass(label, pwd, sizeof(pwd), false, false);
+ if (rc != 0) {
+ goto fail;
+ }
+ ret = talloc_strdup(creds, pwd);
+ if (ret == NULL) {
+ goto fail;
+ }
+ talloc_set_name_const(ret, __location__);
+fail:
+ ZERO_STRUCT(pwd);
+ TALLOC_FREE(frame);
+ return ret;
}
/****************************************************************************
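Review bot: In `cmdline_auth_info_pw_callback` the `ZERO_STRUCT(pwd)` at the `fail:` label is the last access to the stack buffer, so if `ZERO_STRUCT` expands to a plain `memset` the compiler may drop it as a dead store and the typed password remains on the stack; use a zeroing primitive that cannot be elided there (`explicit_bzero` where available, or whatever secure-wipe helper the tree provides). The copy made by `talloc_strdup(creds, pwd)` is likewise released without wiping whenever `creds` is freed — presumably acceptable for a command-line tool, but worth a comment. In `set_cmdline_auth_info_machine_account_creds` the return value of `cli_credentials_set_domain(...)` is ignored, although the same call is checked in `set_cmdline_auth_info_domain`; check it before calling `cli_credentials_set_machine_account_db_ctx`. As a style point, `fail:` is also the success path's exit, so `out:` or `done:` would describe the label better. `get_cmdline_auth_info_use_machine_account`, whose last two lines open this hunk, starts outside it.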
void set_cmdline_auth_info_getpass(struct user_auth_info *auth_info)
{
- char *label = NULL;
- char *pass;
- TALLOC_CTX *frame;
-
if (get_cmdline_auth_info_got_pass(auth_info) ||
- get_cmdline_auth_info_use_kerberos(auth_info)) {
+ get_cmdline_auth_info_use_ccache(auth_info) ||
+ get_cmdline_auth_info_use_kerberos(auth_info)) {
/* Already got one... */
return;
}
- frame = talloc_stackframe();
- label = talloc_asprintf(frame, "Enter %s's password: ",
- get_cmdline_auth_info_username(auth_info));
- pass = getpass(label);
- if (pass) {
- set_cmdline_auth_info_password(auth_info, pass);
- }
- TALLOC_FREE(frame);
+ cli_credentials_set_password_callback(auth_info->creds,
+ cmdline_auth_info_pw_callback);
+}
+
+struct cli_credentials *get_cmdline_auth_info_creds(
+ const struct user_auth_info *auth_info)
+{
+ return auth_info->creds;
}
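Review bot: `set_cmdline_auth_info_getpass` no longer prompts — it only installs `cmdline_auth_info_pw_callback`, and the prompt happens later when cli_credentials first needs the password — yet the name and the comment block preceding it (cut off before this hunk) still describe an immediate prompt, so add a comment above the registration such as `/* Defer the prompt: the callback runs when the password is first needed. */`. Because the callback receives only `creds` and never touches `auth_info`, `got_pass` stays false after a password has been typed, so `get_cmdline_auth_info_got_pass` keeps reporting that no password was supplied; callers that branch on it should be checked. The machine-account path is affected too: `set_cmdline_auth_info_machine_account_creds` in this commit no longer sets `got_pass`, so the callback is installed even after a machine password was loaded — presumably cli_credentials skips the callback once a password is already specified, but confirm. `set_cmdline_auth_info_getpass` begins on the first line of this hunk, so its header comment is not visible here.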