#ifndef __CREDENTIALS_H__
#define __CREDENTIALS_H__
+#include "../lib/util/time.h"
#include "../lib/util/data_blob.h"
#include "librpc/gen_ndr/misc.h"
+struct cli_credentials;
struct ccache_container;
struct tevent_context;
+struct netlogon_creds_CredentialState;
+struct ldb_context;
+struct ldb_message;
+struct loadparm_context;
+struct ccache_container;
+struct gssapi_creds_container;
+struct smb_krb5_context;
+struct keytab_container;
+struct db_context;
/* In order of priority */
enum credentials_obtained {
#define CLI_CRED_NTLM_AUTH 0x08
#define CLI_CRED_CLEAR_AUTH 0x10 /* TODO: Push cleartext auth with this flag */
-struct cli_credentials {
- enum credentials_obtained workstation_obtained;
- enum credentials_obtained username_obtained;
- enum credentials_obtained password_obtained;
- enum credentials_obtained domain_obtained;
- enum credentials_obtained realm_obtained;
- enum credentials_obtained ccache_obtained;
- enum credentials_obtained client_gss_creds_obtained;
- enum credentials_obtained principal_obtained;
- enum credentials_obtained keytab_obtained;
- enum credentials_obtained server_gss_creds_obtained;
-
- /* Threshold values (essentially a MAX() over a number of the
- * above) for the ccache and GSS credentials, to ensure we
- * regenerate/pick correctly */
-
- enum credentials_obtained ccache_threshold;
- enum credentials_obtained client_gss_creds_threshold;
-
- const char *workstation;
- const char *username;
- const char *password;
- const char *old_password;
- const char *domain;
- const char *realm;
- const char *principal;
- char *salt_principal;
- char *impersonate_principal;
- char *self_service;
- char *target_service;
-
- const char *bind_dn;
-
- /* Allows authentication from a keytab or similar */
- struct samr_Password *nt_hash;
-
- /* Allows NTLM pass-though authentication */
- DATA_BLOB lm_response;
- DATA_BLOB nt_response;
-
- struct ccache_container *ccache;
- struct gssapi_creds_container *client_gss_creds;
- struct keytab_container *keytab;
- struct gssapi_creds_container *server_gss_creds;
-
- const char *(*workstation_cb) (struct cli_credentials *);
- const char *(*password_cb) (struct cli_credentials *);
- const char *(*username_cb) (struct cli_credentials *);
- const char *(*domain_cb) (struct cli_credentials *);
- const char *(*realm_cb) (struct cli_credentials *);
- const char *(*principal_cb) (struct cli_credentials *);
-
- /* Private handle for the callback routines to use */
- void *priv_data;
-
- struct netlogon_creds_CredentialState *netlogon_creds;
- enum netr_SchannelType secure_channel_type;
- int kvno;
- time_t password_last_changed_time;
-
- struct smb_krb5_context *smb_krb5_context;
-
- /* We are flagged to get machine account details from the
- * secrets.ldb when we are asked for a username or password */
- bool machine_account_pending;
- struct loadparm_context *machine_account_pending_lp_ctx;
-
- /* Is this a machine account? */
- bool machine_account;
-
- /* Should we be trying to use kerberos? */
- enum credentials_use_kerberos use_kerberos;
-
- /* Should we get a forwardable ticket? */
- enum credentials_krb_forwardable krb_forwardable;
-
- /* gensec features which should be used for connections */
- uint32_t gensec_features;
-
- /* Number of retries left before bailing out */
- int tries;
-
- /* Whether any callback is currently running */
- bool callback_running;
-};
-
-struct ldb_context;
-struct ldb_message;
-struct loadparm_context;
-struct ccache_container;
-
-struct gssapi_creds_container;
-
const char *cli_credentials_get_workstation(struct cli_credentials *cred);
bool cli_credentials_set_workstation(struct cli_credentials *cred,
const char *val,
const char **domain);
NTSTATUS cli_credentials_get_ntlm_response(struct cli_credentials *cred, TALLOC_CTX *mem_ctx,
int *flags,
- DATA_BLOB challenge, DATA_BLOB target_info,
+ DATA_BLOB challenge,
+ const NTTIME *server_timestamp,
+ DATA_BLOB target_info,
DATA_BLOB *_lm_response, DATA_BLOB *_nt_response,
DATA_BLOB *_lm_session_key, DATA_BLOB *_session_key);
const char *cli_credentials_get_realm(struct cli_credentials *cred);
struct loadparm_context *lp_ctx,
char *ccache_name,
struct ccache_container **ccc, const char **error_string);
+bool cli_credentials_failed_kerberos_login(struct cli_credentials *cred,
+ const char *principal,
+ unsigned int *count);
int cli_credentials_get_keytab(struct cli_credentials *cred,
struct loadparm_context *lp_ctx,
struct keytab_container **_ktc);
struct loadparm_context *lp_ctx);
void cli_credentials_set_conf(struct cli_credentials *cred,
struct loadparm_context *lp_ctx);
-const char *cli_credentials_get_principal(struct cli_credentials *cred, TALLOC_CTX *mem_ctx);
+char *cli_credentials_get_principal(struct cli_credentials *cred, TALLOC_CTX *mem_ctx);
int cli_credentials_get_server_gss_creds(struct cli_credentials *cred,
struct loadparm_context *lp_ctx,
struct gssapi_creds_container **_gcc);
struct loadparm_context *lp_ctx,
struct gssapi_creds_container **_gcc,
const char **error_string);
+void cli_credentials_set_forced_sasl_mech(struct cli_credentials *creds,
+ const char *sasl_mech);
void cli_credentials_set_kerberos_state(struct cli_credentials *creds,
enum credentials_use_kerberos use_kerberos);
void cli_credentials_set_krb_forwardable(struct cli_credentials *creds,
enum credentials_obtained obtained);
struct cli_credentials *cli_credentials_init_anon(TALLOC_CTX *mem_ctx);
void cli_credentials_parse_string(struct cli_credentials *credentials, const char *data, enum credentials_obtained obtained);
-const struct samr_Password *cli_credentials_get_nt_hash(struct cli_credentials *cred,
- TALLOC_CTX *mem_ctx);
+struct samr_Password *cli_credentials_get_nt_hash(struct cli_credentials *cred,
+ TALLOC_CTX *mem_ctx);
+struct samr_Password *cli_credentials_get_old_nt_hash(struct cli_credentials *cred,
+ TALLOC_CTX *mem_ctx);
bool cli_credentials_set_realm(struct cli_credentials *cred,
const char *val,
enum credentials_obtained obtained);
enum netr_SchannelType secure_channel_type);
void cli_credentials_set_password_last_changed_time(struct cli_credentials *cred,
time_t last_change_time);
-void cli_credentials_set_netlogon_creds(struct cli_credentials *cred,
- struct netlogon_creds_CredentialState *netlogon_creds);
+void cli_credentials_set_netlogon_creds(
+ struct cli_credentials *cred,
+ const struct netlogon_creds_CredentialState *netlogon_creds);
NTSTATUS cli_credentials_set_krb5_context(struct cli_credentials *cred,
struct smb_krb5_context *smb_krb5_context);
NTSTATUS cli_credentials_set_stored_principal(struct cli_credentials *cred,
const char *serviceprincipal);
NTSTATUS cli_credentials_set_machine_account(struct cli_credentials *cred,
struct loadparm_context *lp_ctx);
+/**
+ * Fill in credentials for the machine trust account, from the
+ * secrets.ldb or passed in handle to secrets.tdb (perhaps in CTDB).
+ *
+ * This version is used in parts of the code that can link in the
+ * CTDB dbwrap backend, by passing down the already open handle.
+ *
+ * @param cred Credentials structure to fill in
+ * @param db_ctx dbwrap context for secrets.tdb
+ * @retval NTSTATUS error detailing any failure
+ */
+NTSTATUS cli_credentials_set_machine_account_db_ctx(struct cli_credentials *cred,
+ struct loadparm_context *lp_ctx,
+ struct db_context *db_ctx);
+
bool cli_credentials_authentication_requested(struct cli_credentials *cred);
void cli_credentials_guess(struct cli_credentials *cred,
struct loadparm_context *lp_ctx);
const char *bind_dn);
const char *cli_credentials_get_bind_dn(struct cli_credentials *cred);
bool cli_credentials_parse_file(struct cli_credentials *cred, const char *file, enum credentials_obtained obtained);
-const char *cli_credentials_get_unparsed_name(struct cli_credentials *credentials, TALLOC_CTX *mem_ctx);
+char *cli_credentials_get_unparsed_name(struct cli_credentials *credentials, TALLOC_CTX *mem_ctx);
bool cli_credentials_set_password_callback(struct cli_credentials *cred,
const char *(*password_cb) (struct cli_credentials *));
enum netr_SchannelType cli_credentials_get_secure_channel_type(struct cli_credentials *cred);
time_t cli_credentials_get_password_last_changed_time(struct cli_credentials *cred);
void cli_credentials_set_kvno(struct cli_credentials *cred,
int kvno);
+bool cli_credentials_set_utf16_password(struct cli_credentials *cred,
+ const DATA_BLOB *password_utf16,
+ enum credentials_obtained obtained);
+bool cli_credentials_set_old_utf16_password(struct cli_credentials *cred,
+ const DATA_BLOB *password_utf16);
+void cli_credentials_set_password_will_be_nt_hash(struct cli_credentials *cred,
+ bool val);
bool cli_credentials_set_nt_hash(struct cli_credentials *cred,
const struct samr_Password *nt_hash,
enum credentials_obtained obtained);
+bool cli_credentials_set_old_nt_hash(struct cli_credentials *cred,
+ const struct samr_Password *nt_hash);
bool cli_credentials_set_ntlm_response(struct cli_credentials *cred,
const DATA_BLOB *lm_response,
const DATA_BLOB *nt_response,
const char *cli_credentials_get_self_service(struct cli_credentials *cred);
const char *cli_credentials_get_target_service(struct cli_credentials *cred);
enum credentials_use_kerberos cli_credentials_get_kerberos_state(struct cli_credentials *creds);
+const char *cli_credentials_get_forced_sasl_mech(struct cli_credentials *cred);
enum credentials_krb_forwardable cli_credentials_get_krb_forwardable(struct cli_credentials *creds);
NTSTATUS cli_credentials_set_secrets(struct cli_credentials *cred,
struct loadparm_context *lp_ctx,
char **error_string);
int cli_credentials_get_kvno(struct cli_credentials *cred);
+bool cli_credentials_set_username_callback(struct cli_credentials *cred,
+ const char *(*username_cb) (struct cli_credentials *));
+
+/**
+ * Obtain the client principal for this credentials context.
+ * @param cred credentials context
+ * @retval The username set on this context.
+ * @note Return value will never be NULL except by programmer error.
+ */
+char *cli_credentials_get_principal_and_obtained(struct cli_credentials *cred, TALLOC_CTX *mem_ctx, enum credentials_obtained *obtained);
+bool cli_credentials_set_principal(struct cli_credentials *cred,
+ const char *val,
+ enum credentials_obtained obtained);
+bool cli_credentials_set_principal_callback(struct cli_credentials *cred,
+ const char *(*principal_cb) (struct cli_credentials *));
+
+/**
+ * Obtain the 'old' password for this credentials context (used for join accounts).
+ * @param cred credentials context
+ * @retval If set, the cleartext password, otherwise NULL
+ */
+const char *cli_credentials_get_old_password(struct cli_credentials *cred);
+bool cli_credentials_set_old_password(struct cli_credentials *cred,
+ const char *val,
+ enum credentials_obtained obtained);
+bool cli_credentials_set_domain_callback(struct cli_credentials *cred,
+ const char *(*domain_cb) (struct cli_credentials *));
+bool cli_credentials_set_realm_callback(struct cli_credentials *cred,
+ const char *(*realm_cb) (struct cli_credentials *));
+bool cli_credentials_set_workstation_callback(struct cli_credentials *cred,
+ const char *(*workstation_cb) (struct cli_credentials *));
+
+void cli_credentials_set_callback_data(struct cli_credentials *cred,
+ void *callback_data);
+void *_cli_credentials_callback_data(struct cli_credentials *cred);
+#define cli_credentials_callback_data(_cred, _type) \
+ talloc_get_type_abort(_cli_credentials_callback_data(_cred), _type)
+#define cli_credentials_callback_data_void(_cred) \
+ _cli_credentials_callback_data(_cred)
+
+/**
+ * Return attached NETLOGON credentials
+ */
+struct netlogon_creds_CredentialState *cli_credentials_get_netlogon_creds(struct cli_credentials *cred);
+
+NTSTATUS netlogon_creds_session_encrypt(
+ struct netlogon_creds_CredentialState *state,
+ DATA_BLOB data);
#endif /* __CREDENTIALS_H__ */