auth/credentials: add cli_credentials_[set_]callback_data*
1 /* 
2    samba -- Unix SMB/CIFS implementation.
3
4    Client credentials structure
5
6    Copyright (C) Jelmer Vernooij 2004-2006
7    Copyright (C) Andrew Bartlett <abartlet@samba.org> 2005
8
9    This program is free software; you can redistribute it and/or modify
10    it under the terms of the GNU General Public License as published by
11    the Free Software Foundation; either version 3 of the License, or
12    (at your option) any later version.
13    
14    This program is distributed in the hope that it will be useful,
15    but WITHOUT ANY WARRANTY; without even the implied warranty of
16    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
17    GNU General Public License for more details.
18    
19    You should have received a copy of the GNU General Public License
20    along with this program.  If not, see <http://www.gnu.org/licenses/>.
21 */
22 #ifndef __CREDENTIALS_H__
23 #define __CREDENTIALS_H__
24
25 #include "../lib/util/data_blob.h"
26 #include "librpc/gen_ndr/misc.h"
27
/* Opaque types this header only ever refers to through pointers; their
 * definitions live elsewhere in the tree and no header is pulled in for
 * them here. */
struct ccache_container;
struct tevent_context;
struct netlogon_creds_CredentialState;
31
/* In order of priority: later (numerically higher) values outrank earlier
 * ones, so an explicitly specified value beats a callback result, which
 * beats anything guessed from a file or the environment.  This is the
 * ordering the *_obtained and *_threshold members of struct cli_credentials
 * are compared by; presumably a setter only replaces an existing value when
 * the new level is at least as high -- confirm in credentials.c. */
enum credentials_obtained {
        CRED_UNINITIALISED = 0,  /* We don't even have a guess yet */
        CRED_CALLBACK,           /* Callback should be used to obtain value */
        CRED_GUESS_ENV,          /* Current value should be used, which was guessed */
        CRED_GUESS_FILE,         /* A guess from a file (or file pointed at in env variable) */
        CRED_CALLBACK_RESULT,    /* Value was obtained from a callback */
        CRED_SPECIFIED           /* Was explicitly specified on the command-line */
};
41
/* Policy for whether Kerberos is attempted; see
 * cli_credentials_{set,get}_kerberos_state() below.  MUST_USE is the
 * fail-closed setting to prefer where Kerberos is mandated, since it
 * presumably rules out a silent fallback to NTLM -- confirm in the
 * implementation. */
enum credentials_use_kerberos {
        CRED_AUTO_USE_KERBEROS = 0, /* Default, we try kerberos if available */
        CRED_DONT_USE_KERBEROS,     /* Sometimes trying kerberos just does 'bad things', so don't */
        CRED_MUST_USE_KERBEROS      /* Sometimes administrators are paranoid, so always do kerberos */
};
47
/* Whether to request a forwardable Kerberos ticket; see
 * cli_credentials_{set,get}_krb_forwardable() below.  A forwardable ticket
 * lets the remote service act with the client's identity, which widens the
 * impact of a compromised service, so FORCE should only be used where
 * delegation is actually required. */
enum credentials_krb_forwardable {
        CRED_AUTO_KRB_FORWARDABLE = 0, /* Default, follow library defaults */
        CRED_NO_KRB_FORWARDABLE,       /* not forwardable */
        CRED_FORCE_KRB_FORWARDABLE     /* forwardable */
};
53
/* Bit flags naming the NTLM response flavours in play.  Presumably these
 * are the bits carried in the `flags` argument of
 * cli_credentials_get_ntlm_response() -- confirm against the
 * implementation.  LANMAN_AUTH selects the legacy LM response, the weakest
 * of the set; NTLMv2_AUTH is the one to want.  Kept as #defines rather
 * than an enum because other code may test them with #ifdef. */
#define CLI_CRED_NTLM2       0x01
#define CLI_CRED_NTLMv2_AUTH 0x02
#define CLI_CRED_LANMAN_AUTH 0x04
#define CLI_CRED_NTLM_AUTH   0x08
#define CLI_CRED_CLEAR_AUTH  0x10   /* TODO:  Push cleartext auth with this flag */
59
/*
 * Client credentials context.
 *
 * The definition is public, but the cli_credentials_* functions declared
 * below are the intended interface: every value is paired with a
 * *_obtained level (enum credentials_obtained) and the *_threshold members
 * are derived from those, so writing members directly can leave that
 * bookkeeping inconsistent.  cli_credentials_init() takes a TALLOC_CTX, so
 * the context is presumably talloc-allocated with its string members as
 * talloc children -- confirm in credentials.c before assuming lifetimes.
 *
 * Several members are secret material (password, old_password, nt_hash,
 * lm_response/nt_response and whatever the Kerberos containers hold):
 * never log them and do not copy them into longer-lived buffers.
 */
struct cli_credentials {
        /* How each value below was obtained; see enum credentials_obtained
         * for the priority ordering these are compared by. */
        enum credentials_obtained workstation_obtained;
        enum credentials_obtained username_obtained;
        enum credentials_obtained password_obtained;
        enum credentials_obtained domain_obtained;
        enum credentials_obtained realm_obtained;
        enum credentials_obtained ccache_obtained;
        enum credentials_obtained client_gss_creds_obtained;
        enum credentials_obtained principal_obtained;
        enum credentials_obtained keytab_obtained;
        enum credentials_obtained server_gss_creds_obtained;

        /* Threshold values (essentially a MAX() over a number of the
         * above) for the ccache and GSS credentials, to ensure we
         * regenerate/pick correctly */

        enum credentials_obtained ccache_threshold;
        enum credentials_obtained client_gss_creds_threshold;

        /* Identity values.  Read them through the matching
         * cli_credentials_get_* accessors, which presumably resolve the
         * callbacks and pending machine-account lookups noted below before
         * returning -- confirm in credentials.c. */
        const char *workstation;
        const char *username;
        /* Cleartext password and, for join accounts, the previous one (see
         * cli_credentials_get_old_password() below).  Secret material. */
        const char *password;
        const char *old_password;
        const char *domain;
        const char *realm;
        const char *principal;
        /* Kerberos principal/service names installed through the
         * cli_credentials_set_{salt,impersonate,target}_* setters below.
         * Note these are non-const, unlike the strings above. */
        char *salt_principal;
        char *impersonate_principal;
        char *self_service;
        char *target_service;

        /* DN used for an LDAP bind; cli_credentials_{set,get}_bind_dn(). */
        const char *bind_dn;

        /* Allows authentication from a keytab or similar.
         * An NT hash is password-equivalent; treat it as a secret. */
        struct samr_Password *nt_hash;

        /* Allows NTLM pass-through authentication: precomputed responses
         * supplied with cli_credentials_set_ntlm_response(). */
        DATA_BLOB lm_response;
        DATA_BLOB nt_response;

        /* Kerberos credential cache, GSSAPI credentials and keytab handles.
         * Presumably populated lazily by the cli_credentials_get_* functions
         * below and dropped by cli_credentials_invalidate_ccache() --
         * confirm in the implementation. */
        struct ccache_container *ccache;
        struct gssapi_creds_container *client_gss_creds;
        struct keytab_container *keytab;
        struct gssapi_creds_container *server_gss_creds;

        /* Per-value callbacks, installed with the
         * cli_credentials_set_*_callback() functions below; each receives
         * this context.  Presumably consulted when the matching *_obtained
         * is CRED_CALLBACK -- confirm. */
        const char *(*workstation_cb) (struct cli_credentials *);
        const char *(*password_cb) (struct cli_credentials *);
        const char *(*username_cb) (struct cli_credentials *);
        const char *(*domain_cb) (struct cli_credentials *);
        const char *(*realm_cb) (struct cli_credentials *);
        const char *(*principal_cb) (struct cli_credentials *);

        /* Private handle for the callback routines to use.
         * NOTE(review): looks like the storage behind
         * cli_credentials_set_callback_data() / cli_credentials_callback_data()
         * declared below -- confirm in credentials.c. */
        void *priv_data;

        /* Machine-account / schannel state; see the corresponding
         * cli_credentials_{set,get}_* functions below. */
        struct netlogon_creds_CredentialState *netlogon_creds;
        enum netr_SchannelType secure_channel_type;
        int kvno;
        time_t password_last_changed_time;

        /* Shared krb5 context; cli_credentials_{get,set}_krb5_context(). */
        struct smb_krb5_context *smb_krb5_context;

        /* We are flagged to get machine account details from the
         * secrets.ldb when we are asked for a username or password */
        bool machine_account_pending;
        struct loadparm_context *machine_account_pending_lp_ctx;

        /* Is this a machine account? */
        bool machine_account;

        /* Should we be trying to use kerberos? */
        enum credentials_use_kerberos use_kerberos;

        /* Should we get a forwardable ticket? */
        enum credentials_krb_forwardable krb_forwardable;

        /* gensec features which should be used for connections */
        uint32_t gensec_features;

        /* Number of retries left before bailing out.
         * Presumably counted down by cli_credentials_wrong_password() --
         * confirm. */
        int tries;

        /* Whether any callback is currently running (a re-entrancy guard,
         * presumably, so a callback cannot recursively trigger itself). */
        bool callback_running;
};
145
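/* Further opaque types used by the prototypes below.  ccache_container is
 * already declared near the top of this header, so it is not repeated. */
struct ldb_context;
struct ldb_message;
struct loadparm_context;

struct gssapi_creds_container;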
152
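/*
 * Accessors and mutators for struct cli_credentials.
 *
 * Setters that take an `enum credentials_obtained obtained` record the
 * priority the new value arrives with; those returning bool presumably
 * report whether the value was accepted, i.e. an existing value is not
 * replaced by one of lower priority -- confirm in credentials.c.  Getters
 * returning const char * presumably hand back pointers owned by the
 * context (or by the mem_ctx passed in); callers must not free them.
 */
const char *cli_credentials_get_workstation(struct cli_credentials *cred);
bool cli_credentials_set_workstation(struct cli_credentials *cred,
                                     const char *val,
                                     enum credentials_obtained obtained);
bool cli_credentials_is_anonymous(struct cli_credentials *cred);

/* Allocate a fresh context on mem_ctx (talloc). */
struct cli_credentials *cli_credentials_init(TALLOC_CTX *mem_ctx);
void cli_credentials_set_anonymous(struct cli_credentials *cred);

/* Called after an authentication failure; returns whether another attempt
 * should be made, presumably driven by the `tries` member -- confirm. */
bool cli_credentials_wrong_password(struct cli_credentials *cred);

/* Returns the cleartext password: secret material, never log it. */
const char *cli_credentials_get_password(struct cli_credentials *cred);
void cli_credentials_get_ntlm_username_domain(struct cli_credentials *cred, TALLOC_CTX *mem_ctx,
                                              const char **username,
                                              const char **domain);

/* Compute the NTLM responses for `challenge` and `target_info`.  The
 * _lm_response/_nt_response blobs and both session keys are authentication
 * secrets derived from the password: allocate them on a mem_ctx with a
 * suitably short lifetime.  `flags` is passed by pointer and is presumably
 * in/out in terms of the CLI_CRED_* bits above -- confirm. */
NTSTATUS cli_credentials_get_ntlm_response(struct cli_credentials *cred, TALLOC_CTX *mem_ctx,
                                           int *flags,
                                           DATA_BLOB challenge, DATA_BLOB target_info,
                                           DATA_BLOB *_lm_response, DATA_BLOB *_nt_response,
                                           DATA_BLOB *_lm_session_key, DATA_BLOB *_session_key);
const char *cli_credentials_get_realm(struct cli_credentials *cred);
const char *cli_credentials_get_username(struct cli_credentials *cred);
int cli_credentials_get_krb5_context(struct cli_credentials *cred,
                                     struct loadparm_context *lp_ctx,
                                     struct smb_krb5_context **smb_krb5_context);

/* Kerberos credential cache access.  A non-zero return signals failure and
 * *error_string presumably describes why; its ownership is not visible
 * here.  `ccache_name` is non-const -- confirm the implementation does not
 * modify it before tightening the prototype to const char *. */
int cli_credentials_get_ccache(struct cli_credentials *cred,
                               struct tevent_context *event_ctx,
                               struct loadparm_context *lp_ctx,
                               struct ccache_container **ccc,
                               const char **error_string);
int cli_credentials_get_named_ccache(struct cli_credentials *cred,
                                     struct tevent_context *event_ctx,
                                     struct loadparm_context *lp_ctx,
                                     char *ccache_name,
                                     struct ccache_container **ccc, const char **error_string);
bool cli_credentials_failed_kerberos_login(struct cli_credentials *cred,
                                           const char *principal,
                                           unsigned int *count);
int cli_credentials_get_keytab(struct cli_credentials *cred,
                               struct loadparm_context *lp_ctx,
                               struct keytab_container **_ktc);
const char *cli_credentials_get_domain(struct cli_credentials *cred);
/* cli_credentials_get_netlogon_creds() is declared, with its
 * documentation, at the end of this header. */
void cli_credentials_set_machine_account_pending(struct cli_credentials *cred,
                                                 struct loadparm_context *lp_ctx);
void cli_credentials_set_conf(struct cli_credentials *cred,
                              struct loadparm_context *lp_ctx);
const char *cli_credentials_get_principal(struct cli_credentials *cred, TALLOC_CTX *mem_ctx);
int cli_credentials_get_server_gss_creds(struct cli_credentials *cred,
                                         struct loadparm_context *lp_ctx,
                                         struct gssapi_creds_container **_gcc);
int cli_credentials_get_client_gss_creds(struct cli_credentials *cred,
                                         struct tevent_context *event_ctx,
                                         struct loadparm_context *lp_ctx,
                                         struct gssapi_creds_container **_gcc,
                                         const char **error_string);
void cli_credentials_set_kerberos_state(struct cli_credentials *creds,
                                        enum credentials_use_kerberos use_kerberos);
void cli_credentials_set_krb_forwardable(struct cli_credentials *creds,
                                         enum credentials_krb_forwardable krb_forwardable);
bool cli_credentials_set_domain(struct cli_credentials *cred,
                                const char *val,
                                enum credentials_obtained obtained);
bool cli_credentials_set_username(struct cli_credentials *cred,
                                  const char *val, enum credentials_obtained obtained);
bool cli_credentials_set_principal(struct cli_credentials *cred,
                                   const char *val,
                                   enum credentials_obtained obtained);
/* The *_callback setters for domain, username, principal, realm and
 * workstation are declared together further down in this header. */
bool cli_credentials_set_password(struct cli_credentials *cred,
                                  const char *val,
                                  enum credentials_obtained obtained);
struct cli_credentials *cli_credentials_init_anon(TALLOC_CTX *mem_ctx);

/* Parse a combined credential string and record its parts at priority
 * `obtained`.  The accepted syntax is defined by the implementation, not
 * by this header. */
void cli_credentials_parse_string(struct cli_credentials *credentials, const char *data, enum credentials_obtained obtained);
const struct samr_Password *cli_credentials_get_nt_hash(struct cli_credentials *cred,
                                                        TALLOC_CTX *mem_ctx);
bool cli_credentials_set_realm(struct cli_credentials *cred,
                               const char *val,
                               enum credentials_obtained obtained);
void cli_credentials_set_secure_channel_type(struct cli_credentials *cred,
                                             enum netr_SchannelType secure_channel_type);
void cli_credentials_set_password_last_changed_time(struct cli_credentials *cred,
                                                    time_t last_change_time);
void cli_credentials_set_netlogon_creds(struct cli_credentials *cred,
                                        struct netlogon_creds_CredentialState *netlogon_creds);
NTSTATUS cli_credentials_set_krb5_context(struct cli_credentials *cred,
                                          struct smb_krb5_context *smb_krb5_context);
NTSTATUS cli_credentials_set_stored_principal(struct cli_credentials *cred,
                                              struct loadparm_context *lp_ctx,
                                              const char *serviceprincipal);
NTSTATUS cli_credentials_set_machine_account(struct cli_credentials *cred,
                                             struct loadparm_context *lp_ctx);
bool cli_credentials_authentication_requested(struct cli_credentials *cred);
void cli_credentials_guess(struct cli_credentials *cred,
                           struct loadparm_context *lp_ctx);
bool cli_credentials_set_bind_dn(struct cli_credentials *cred,
                                 const char *bind_dn);
const char *cli_credentials_get_bind_dn(struct cli_credentials *cred);

/* Load credentials from a file.  The file contents are untrusted input as
 * far as parsing is concerned, and the file should not live somewhere
 * other users can write to. */
bool cli_credentials_parse_file(struct cli_credentials *cred, const char *file, enum credentials_obtained obtained);
const char *cli_credentials_get_unparsed_name(struct cli_credentials *credentials, TALLOC_CTX *mem_ctx);
bool cli_credentials_set_password_callback(struct cli_credentials *cred,
                                           const char *(*password_cb) (struct cli_credentials *));
enum netr_SchannelType cli_credentials_get_secure_channel_type(struct cli_credentials *cred);
time_t cli_credentials_get_password_last_changed_time(struct cli_credentials *cred);
void cli_credentials_set_kvno(struct cli_credentials *cred,
                              int kvno);

/* Supply the NT hash or precomputed NTLM responses directly instead of a
 * password.  Both stand in for the password and are secrets in their own
 * right. */
bool cli_credentials_set_nt_hash(struct cli_credentials *cred,
                                 const struct samr_Password *nt_hash,
                                 enum credentials_obtained obtained);
bool cli_credentials_set_ntlm_response(struct cli_credentials *cred,
                                       const DATA_BLOB *lm_response,
                                       const DATA_BLOB *nt_response,
                                       enum credentials_obtained obtained);
int cli_credentials_set_keytab_name(struct cli_credentials *cred,
                                    struct loadparm_context *lp_ctx,
                                    const char *keytab_name,
                                    enum credentials_obtained obtained);
void cli_credentials_set_gensec_features(struct cli_credentials *creds, uint32_t gensec_features);
uint32_t cli_credentials_get_gensec_features(struct cli_credentials *creds);
int cli_credentials_set_ccache(struct cli_credentials *cred,
                               struct loadparm_context *lp_ctx,
                               const char *name,
                               enum credentials_obtained obtained,
                               const char **error_string);

/* Read just the password from a file or from an already-open fd; the same
 * caution as for cli_credentials_parse_file() applies. */
bool cli_credentials_parse_password_file(struct cli_credentials *credentials, const char *file, enum credentials_obtained obtained);
bool cli_credentials_parse_password_fd(struct cli_credentials *credentials,
                                       int fd, enum credentials_obtained obtained);
void cli_credentials_invalidate_ccache(struct cli_credentials *cred,
                                       enum credentials_obtained obtained);
void cli_credentials_set_salt_principal(struct cli_credentials *cred, const char *principal);
void cli_credentials_set_impersonate_principal(struct cli_credentials *cred,
                                               const char *principal,
                                               const char *self_service);
void cli_credentials_set_target_service(struct cli_credentials *cred, const char *principal);
const char *cli_credentials_get_salt_principal(struct cli_credentials *cred);
const char *cli_credentials_get_impersonate_principal(struct cli_credentials *cred);
const char *cli_credentials_get_self_service(struct cli_credentials *cred);
const char *cli_credentials_get_target_service(struct cli_credentials *cred);
enum credentials_use_kerberos cli_credentials_get_kerberos_state(struct cli_credentials *creds);
enum credentials_krb_forwardable cli_credentials_get_krb_forwardable(struct cli_credentials *creds);

/* Load machine-account secrets from `ldb`.  Note `error_string` is
 * `char **` here while the other error_string out-parameters in this
 * header are `const char **`; left as-is so existing callers compile. */
NTSTATUS cli_credentials_set_secrets(struct cli_credentials *cred,
                                     struct loadparm_context *lp_ctx,
                                     struct ldb_context *ldb,
                                     const char *base,
                                     const char *filter,
                                     char **error_string);
int cli_credentials_get_kvno(struct cli_credentials *cred);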
302
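/*
 * Callback installers.  Each *_callback setter registers a function that
 * receives the credentials context and returns the value on demand;
 * presumably it is invoked when the matching *_obtained level is
 * CRED_CALLBACK, and it can reach caller state through
 * cli_credentials_callback_data() -- confirm in credentials.c.
 */
bool cli_credentials_set_username_callback(struct cli_credentials *cred,
                                           const char *(*username_cb) (struct cli_credentials *));

/**
 * Obtain the client principal for this credentials context.
 * @param cred credentials context
 * @param mem_ctx talloc context, presumably the one the returned string is
 *        allocated on -- confirm against the implementation
 * @param obtained out: the credentials_obtained level the principal was
 *        obtained at (whether NULL is accepted is not visible here)
 * @retval The principal set on this context.
 * @note Return value will never be NULL except by programmer error.
 */
const char *cli_credentials_get_principal_and_obtained(struct cli_credentials *cred, TALLOC_CTX *mem_ctx, enum credentials_obtained *obtained);
bool cli_credentials_set_principal_callback(struct cli_credentials *cred,
                                            const char *(*principal_cb) (struct cli_credentials *));

/**
 * Obtain the 'old' password for this credentials context (used for join accounts).
 * @param cred credentials context
 * @retval If set, the cleartext password, otherwise NULL
 * @note Secret material: never log the returned string.
 */
const char *cli_credentials_get_old_password(struct cli_credentials *cred);
bool cli_credentials_set_old_password(struct cli_credentials *cred,
                                      const char *val,
                                      enum credentials_obtained obtained);
bool cli_credentials_set_domain_callback(struct cli_credentials *cred,
                                         const char *(*domain_cb) (struct cli_credentials *));
bool cli_credentials_set_realm_callback(struct cli_credentials *cred,
                                        const char *(*realm_cb) (struct cli_credentials *));
bool cli_credentials_set_workstation_callback(struct cli_credentials *cred,
                                              const char *(*workstation_cb) (struct cli_credentials *));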
334
/*
 * Private data for the *_cb callbacks installed above.
 *
 * cli_credentials_callback_data() goes through talloc_get_type_abort(), so
 * the stored pointer must be a talloc object created as _type: a type
 * mismatch (and, as far as I recall, a NULL pointer) aborts the process
 * rather than handing back a mis-typed pointer, which is the safer
 * failure mode.  cli_credentials_callback_data_void() returns the raw
 * pointer without that check, for callers whose data is not a talloc
 * object.  Ownership of callback_data stays with the caller as far as this
 * header shows -- confirm in credentials.c.  The leading-underscore
 * backend name follows the project's macro convention.
 */
void cli_credentials_set_callback_data(struct cli_credentials *cred,
                                       void *callback_data);
void *_cli_credentials_callback_data(struct cli_credentials *cred);
#define cli_credentials_callback_data(_cred, _type) \
        talloc_get_type_abort(_cli_credentials_callback_data(_cred), _type)
#define cli_credentials_callback_data_void(_cred) \
        _cli_credentials_callback_data(_cred)
342
/**
 * Return attached NETLOGON credentials
 * @param cred credentials context
 * @retval The netlogon_creds_CredentialState attached with
 *         cli_credentials_set_netlogon_creds(); presumably NULL when none
 *         has been attached -- confirm in credentials.c.
 */
struct netlogon_creds_CredentialState *cli_credentials_get_netlogon_creds(struct cli_credentials *cred);
347
348 #endif /* __CREDENTIALS_H__ */