r5989: Display authentication information (list of available auth protocols
[samba.git] / source4 / lib / credentials.c
1 /* 
2    Unix SMB/CIFS implementation.
3
4    Copyright (C) Jelmer Vernooij 2005
5    Copyright (C) Tim Potter 2001
6    Copyright (C) Andrew Bartlett <abartlet@samba.org> 2005
7    
8    This program is free software; you can redistribute it and/or modify
9    it under the terms of the GNU General Public License as published by
10    the Free Software Foundation; either version 2 of the License, or
11    (at your option) any later version.
12    
13    This program is distributed in the hope that it will be useful,
14    but WITHOUT ANY WARRANTY; without even the implied warranty of
15    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
16    GNU General Public License for more details.
17    
18    You should have received a copy of the GNU General Public License
19    along with this program; if not, write to the Free Software
20    Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
21 */
22
23 #include "includes.h"
24 #include "system/filesys.h"
25 #include "lib/cmdline/popt_common.h"
26 #include "include/secrets.h"
27 #include "lib/ldb/include/ldb.h"
28
29 /* Create a new credentials structure, on the specified TALLOC_CTX */
30 struct cli_credentials *cli_credentials_init(TALLOC_CTX *mem_ctx) 
31 {
32         struct cli_credentails *cred = talloc_zero(mem_ctx, struct cli_credentials);
33         if (!cred) {
34                 return cred;
35         }
36
37         cli_credentials_set_domain(cred, lp_workgroup(), CRED_GUESSED);
38         cli_credentials_set_workstation(cred, lp_netbios_name(), CRED_GUESSED);
39         cli_credentials_set_realm(cred, lp_realm(), CRED_GUESSED);
40         
41         return cred;
42 }
43
44 const char *cli_credentials_get_username(struct cli_credentials *cred)
45 {
46         if (cred->username_obtained == CRED_CALLBACK) {
47                 cred->username = cred->username_cb(cred);
48                 cred->username_obtained = CRED_SPECIFIED;
49         }
50
51         return cred->username;
52 }
53
54 BOOL cli_credentials_set_username(struct cli_credentials *cred, const char *val, enum credentials_obtained obtained)
55 {
56         if (obtained >= cred->username_obtained) {
57                 cred->username = talloc_strdup(cred, val);
58                 cred->username_obtained = obtained;
59                 return True;
60         }
61
62         return False;
63 }
64
65 const char *cli_credentials_get_password(struct cli_credentials *cred)
66 {
67         if (cred->password_obtained == CRED_CALLBACK) {
68                 cred->password = cred->password_cb(cred);
69                 cred->password_obtained = CRED_SPECIFIED;
70         }
71
72         return cred->password;
73 }
74
75 BOOL cli_credentials_set_password(struct cli_credentials *cred, const char *val, enum credentials_obtained obtained)
76 {
77         if (obtained >= cred->password_obtained) {
78                 cred->password = talloc_strdup(cred, val);
79                 cred->password_obtained = obtained;
80                 return True;
81         }
82
83         return False;
84 }
85
86 const char *cli_credentials_get_domain(struct cli_credentials *cred)
87 {
88         if (cred->domain_obtained == CRED_CALLBACK) {
89                 cred->domain = cred->domain_cb(cred);
90                 cred->domain_obtained = CRED_SPECIFIED;
91         }
92
93         return cred->domain;
94 }
95
96
97 BOOL cli_credentials_set_domain(struct cli_credentials *cred, const char *val, enum credentials_obtained obtained)
98 {
99         if (obtained >= cred->domain_obtained) {
100                 cred->domain = talloc_strdup(cred, val);
101                 cred->domain_obtained = obtained;
102                 return True;
103         }
104
105         return False;
106 }
107
108 const char *cli_credentials_get_realm(struct cli_credentials *cred)
109 {       
110         if (cred == NULL) {
111                 return NULL;
112         }
113
114         if (cred->realm_obtained == CRED_CALLBACK) {
115                 cred->realm = cred->realm_cb(cred);
116                 cred->realm_obtained = CRED_SPECIFIED;
117         }
118
119         return cred->realm;
120 }
121
122 BOOL cli_credentials_set_realm(struct cli_credentials *cred, const char *val, enum credentials_obtained obtained)
123 {
124         if (obtained >= cred->realm_obtained) {
125                 cred->realm = talloc_strdup(cred, val);
126                 cred->realm_obtained = obtained;
127                 return True;
128         }
129
130         return False;
131 }
132
133 const char *cli_credentials_get_workstation(struct cli_credentials *cred)
134 {
135         if (cred == NULL) {
136                 return NULL;
137         }
138
139         if (cred->workstation_obtained == CRED_CALLBACK) {
140                 cred->workstation = cred->workstation_cb(cred);
141                 cred->workstation_obtained = CRED_SPECIFIED;
142         }
143
144         return cred->workstation;
145 }
146
147 BOOL cli_credentials_set_workstation(struct cli_credentials *cred, const char *val, enum credentials_obtained obtained)
148 {
149         if (obtained >= cred->workstation_obtained) {
150                 cred->workstation = talloc_strdup(cred, val);
151                 cred->workstation_obtained = obtained;
152                 return True;
153         }
154
155         return False;
156 }
157
158 BOOL cli_credentials_parse_password_fd(struct cli_credentials *credentials, int fd, enum credentials_obtained obtained)
159 {
160         char *p;
161         char pass[128];
162
163         for(p = pass, *p = '\0'; /* ensure that pass is null-terminated */
164                 p && p - pass < sizeof(pass);) {
165                 switch (read(fd, p, 1)) {
166                 case 1:
167                         if (*p != '\n' && *p != '\0') {
168                                 *++p = '\0'; /* advance p, and null-terminate pass */
169                                 break;
170                         }
171                 case 0:
172                         if (p - pass) {
173                                 *p = '\0'; /* null-terminate it, just in case... */
174                                 p = NULL; /* then force the loop condition to become false */
175                                 break;
176                         } else {
177                                 fprintf(stderr, "Error reading password from file descriptor %d: %s\n", fd, "empty password\n");
178                                 return False;
179                         }
180
181                 default:
182                         fprintf(stderr, "Error reading password from file descriptor %d: %s\n",
183                                         fd, strerror(errno));
184                         return False;
185                 }
186         }
187
188         cli_credentials_set_password(credentials, pass, obtained);
189         return True;
190 }
191
192 BOOL cli_credentials_parse_password_file(struct cli_credentials *credentials, const char *file, enum credentials_obtained obtained)
193 {
194         int fd = open(file, O_RDONLY, 0);
195         BOOL ret;
196
197         if (fd < 0) {
198                 fprintf(stderr, "Error opening PASSWD_FILE %s: %s\n",
199                                 file, strerror(errno));
200                 return False;
201         }
202
203         ret = cli_credentials_parse_password_fd(credentials, fd, obtained);
204
205         close(fd);
206         
207         return ret;
208 }
209
210 BOOL cli_credentials_parse_file(struct cli_credentials *cred, const char *file, enum credentials_obtained obtained) 
211 {
212         XFILE *auth;
213         char buf[128];
214         uint16_t len = 0;
215         char *ptr, *val, *param;
216
217         if ((auth=x_fopen(file, O_RDONLY, 0)) == NULL)
218         {
219                 /* fail if we can't open the credentials file */
220                 d_printf("ERROR: Unable to open credentials file!\n");
221                 return False;
222         }
223
224         while (!x_feof(auth))
225         {
226                 /* get a line from the file */
227                 if (!x_fgets(buf, sizeof(buf), auth))
228                         continue;
229                 len = strlen(buf);
230
231                 if ((len) && (buf[len-1]=='\n'))
232                 {
233                         buf[len-1] = '\0';
234                         len--;
235                 }
236                 if (len == 0)
237                         continue;
238
239                 /* break up the line into parameter & value.
240                  * will need to eat a little whitespace possibly */
241                 param = buf;
242                 if (!(ptr = strchr_m (buf, '=')))
243                         continue;
244
245                 val = ptr+1;
246                 *ptr = '\0';
247
248                 /* eat leading white space */
249                 while ((*val!='\0') && ((*val==' ') || (*val=='\t')))
250                         val++;
251
252                 if (strwicmp("password", param) == 0) {
253                         cli_credentials_set_password(cred, val, obtained);
254                 } else if (strwicmp("username", param) == 0) {
255                         cli_credentials_set_username(cred, val, obtained);
256                 } else if (strwicmp("domain", param) == 0) {
257                         cli_credentials_set_domain(cred, val, obtained);
258                 } else if (strwicmp("realm", param) == 0) {
259                         cli_credentials_set_realm(cred, val, obtained);
260                 }
261                 memset(buf, 0, sizeof(buf));
262         }
263
264         x_fclose(auth);
265         return True;
266 }
267
268
269 void cli_credentials_parse_string(struct cli_credentials *credentials, const char *data, enum credentials_obtained obtained)
270 {
271         char *uname, *p;
272
273         uname = talloc_strdup(credentials, data); 
274         if ((p = strchr_m(uname,'%'))) {
275                 *p = 0;
276                 cli_credentials_set_password(credentials, p+1, obtained);
277         }
278
279         if ((p = strchr_m(uname,'@'))) {
280                 *p = 0;
281                 cli_credentials_set_realm(credentials, p+1, obtained);
282         } else if ((p = strchr_m(uname,'\\')) || (p = strchr_m(uname, '/'))) {
283                 *p = 0;
284                 cli_credentials_set_domain(credentials, uname, obtained);
285                 uname = p+1;
286         }
287         cli_credentials_set_username(credentials, uname, obtained);
288 }
289
290 void cli_credentials_guess(struct cli_credentials *cred)
291 {
292         char *p;
293
294         if (getenv("LOGNAME")) {
295                 cli_credentials_set_username(cred, getenv("LOGNAME"), CRED_GUESSED);
296         }
297
298         if (getenv("USER")) {
299                 cli_credentials_parse_string(cred, getenv("USER"), CRED_GUESSED);
300                 if ((p = strchr_m(getenv("USER"),'%'))) {
301                         memset(p,0,strlen(cred->password));
302                 }
303         }
304
305         if (getenv("DOMAIN")) {
306                 cli_credentials_set_domain(cred, getenv("DOMAIN"), CRED_GUESSED);
307         }
308
309         if (getenv("PASSWD")) {
310                 cli_credentials_set_password(cred, getenv("PASSWD"), CRED_GUESSED);
311         }
312
313         if (getenv("PASSWD_FD")) {
314                 cli_credentials_parse_password_fd(cred, atoi(getenv("PASSWD_FD")), CRED_GUESSED);
315         }
316         
317         if (getenv("PASSWD_FILE")) {
318                 cli_credentials_parse_password_file(cred, getenv("PASSWD_FILE"), CRED_GUESSED);
319         }
320 }
321
322 NTSTATUS cli_credentials_set_machine_account(struct cli_credentials *creds)
323 {
324         TALLOC_CTX *mem_ctx = talloc_named(creds, 0, "cli_credentials fetch machine password");
325         
326         struct ldb_context *ldb;
327         int ldb_ret;
328         struct ldb_message **msgs;
329         const char *base_dn = SECRETS_PRIMARY_DOMAIN_DN;
330         const char *attrs[] = {
331                 "secret",
332                 "samAccountName",
333                 NULL
334         };
335         
336         const char *machine_account;
337         const char *password;
338         
339         /* Local secrets are stored in secrets.ldb */
340         ldb = secrets_db_connect(mem_ctx);
341         if (!ldb) {
342                 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
343         }
344
345         /* search for the secret record */
346         ldb_ret = gendb_search(ldb,
347                                mem_ctx, base_dn, &msgs, attrs,
348                                SECRETS_PRIMARY_DOMAIN_FILTER, 
349                                cli_credentials_get_domain(creds));
350         if (ldb_ret == 0) {
351                 DEBUG(1, ("Could not find join record to domain: %s\n",
352                           lp_workgroup()));
353                 talloc_free(mem_ctx);
354                 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
355         } else if (ldb_ret != 1) {
356                 talloc_free(mem_ctx);
357                 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
358         }
359         
360         password = ldb_msg_find_string(msgs[0], "secret", NULL);
361         if (!password) {
362                 DEBUG(1, ("Could not find 'secret' in join record to domain: %s\n",
363                           cli_credentials_get_domain(creds)));
364                 talloc_free(mem_ctx);
365                 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
366         }
367         
368         machine_account = ldb_msg_find_string(msgs[0], "samAccountName", NULL);
369         if (!machine_account) {
370                 DEBUG(1, ("Could not find 'samAccountName' in join record to domain: %s\n",
371                           cli_credentials_get_domain(creds)));
372                 talloc_free(mem_ctx);
373                 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
374         }
375         
376         cli_credentials_set_username(creds, machine_account, CRED_SPECIFIED);
377         cli_credentials_set_password(creds, password, CRED_SPECIFIED);
378         talloc_free(mem_ctx);
379         
380         return NT_STATUS_OK;
381 }
382
383 /* Fill in a credentails structure as anonymous */
384 void cli_credentials_set_anonymous(struct cli_credentials *cred) 
385 {
386         cli_credentials_set_username(cred, "", CRED_SPECIFIED);
387         cli_credentials_set_domain(cred, "", CRED_SPECIFIED);
388         cli_credentials_set_password(cred, NULL, CRED_SPECIFIED);
389 }
390
391 BOOL cli_credentials_is_anonymous(struct cli_credentials *credentials)
392 {
393         const char *username = cli_credentials_get_username(credentials);
394
395         if (!username || !username[0]) 
396                 return True;
397
398         return False;
399 }