source4/lib/cmdline/popt_credentials.c

   1 /*
   2    Unix SMB/CIFS implementation.
   3    Credentials popt routines
   4
   5    Copyright (C) Jelmer Vernooij 2002,2003,2005
   6
   7    This program is free software; you can redistribute it and/or modify
   8    it under the terms of the GNU General Public License as published by
   9    the Free Software Foundation; either version 3 of the License, or
  10    (at your option) any later version.
  11
  12    This program is distributed in the hope that it will be useful,
  13    but WITHOUT ANY WARRANTY; without even the implied warranty of
  14    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  15    GNU General Public License for more details.
  16
  17    You should have received a copy of the GNU General Public License
  18    along with this program.  If not, see <http://www.gnu.org/licenses/>.
  19 */
  20
  21 #include "includes.h"
  22 #include "lib/cmdline/popt_common.h"
  23 #include "lib/cmdline/credentials.h"
  24 #include "auth/credentials/credentials.h"
  25 #include "auth/gensec/gensec.h"
  26 #include "param/param.h"
  27
  28 /* Handle command line options:
  29  *              -U,--user
  30  *              -A,--authentication-file
  31  *              -k,--use-kerberos
  32  *              -N,--no-pass
  33  *              -S,--signing
  34  *              -P,--machine-pass
  35  *              --simple-bind-dn
  36  *              --password
  37  *              --krb5-ccache
  38  */
  39
  40 static bool dont_ask;
  41 static bool machine_account_pending;
  42
  43 enum opt { OPT_SIMPLE_BIND_DN, OPT_PASSWORD, OPT_KERBEROS, OPT_SIGN, OPT_ENCRYPT, OPT_KRB5_CCACHE };
  44
  45 static void popt_common_credentials_callback(poptContext con,
  46                                                 enum poptCallbackReason reason,
  47                                                 const struct poptOption *opt,
  48                                                 const char *arg, const void *data)
  49 {
  50         if (reason == POPT_CALLBACK_REASON_PRE) {
  51                 popt_set_cmdline_credentials(cli_credentials_init(NULL));
  52                 return;
  53         }
  54
  55         if (reason == POPT_CALLBACK_REASON_POST) {
  56                 cli_credentials_guess(popt_get_cmdline_credentials(),
  57                                 cmdline_lp_ctx);
  58
  59                 if (!dont_ask) {
  60                         s4_cli_credentials_set_cmdline_callbacks(
  61                                 popt_get_cmdline_credentials());
  62                 }
  63
  64                 if (machine_account_pending) {
  65                         cli_credentials_set_machine_account(
  66                                 popt_get_cmdline_credentials(), cmdline_lp_ctx);
  67                 }
  68
  69                 return;
  70
  71         }
  72
  73         switch(opt->val) {
  74         case 'U':
  75         {
  76                 char *lp;
  77
  78                 cli_credentials_parse_string(
  79                         popt_get_cmdline_credentials(), arg, CRED_SPECIFIED);
  80                 /* This breaks the abstraction, including the const above */
  81                 if ((lp=strchr_m(arg,'%'))) {
  82                         lp[0]='\0';
  83                         lp++;
  84                         /* Try to prevent this showing up in ps */
  85                         memset(lp,0,strlen(lp));
  86                 }
  87         }
  88         break;
  89
  90         case OPT_PASSWORD:
  91                 cli_credentials_set_password(popt_get_cmdline_credentials(),
  92                         arg, CRED_SPECIFIED);
  93                 /* Try to prevent this showing up in ps */
  94                 memset(discard_const(arg),0,strlen(arg));
  95                 break;
  96
  97         case 'A':
  98                 cli_credentials_parse_file(popt_get_cmdline_credentials(),
  99                         arg, CRED_SPECIFIED);
 100                 break;
 101
 102         case 'P':
 103                 /* Later, after this is all over, get the machine account details from the secrets.ldb */
 104                 machine_account_pending = true;
 105                 break;
 106
 107         case OPT_KERBEROS:
 108         {
 109                 bool use_kerberos = true;
 110                 /* Force us to only use kerberos */
 111                 if (arg) {
 112                         if (!set_boolean(arg, &use_kerberos)) {
 113                                 fprintf(stderr, "Error parsing -k %s. Should be "
 114                                         "-k [yes|no]\n", arg);
 115                                 exit(1);
 116                                 break;
 117                         }
 118                 }
 119
 120                 cli_credentials_set_kerberos_state(
 121                         popt_get_cmdline_credentials(),
 122                                                    use_kerberos
 123                                                    ? CRED_USE_KERBEROS_REQUIRED
 124                                                    : CRED_USE_KERBEROS_DISABLED,
 125                         CRED_SPECIFIED);
 126                 break;
 127         }
 128
 129         case OPT_SIMPLE_BIND_DN:
 130         {
 131                 cli_credentials_set_bind_dn(popt_get_cmdline_credentials(),
 132                                 arg);
 133                 break;
 134         }
 135         case OPT_KRB5_CCACHE:
 136         {
 137                 const char *error_string;
 138                 if (cli_credentials_set_ccache(
 139                         popt_get_cmdline_credentials(), cmdline_lp_ctx,
 140                         arg, CRED_SPECIFIED,
 141                                                &error_string) != 0) {
 142                         fprintf(stderr, "Error reading krb5 credentials cache: '%s' %s", arg, error_string);
 143                         exit(1);
 144                 }
 145                 break;
 146         }
 147         case OPT_SIGN:
 148         {
 149                 uint32_t gensec_features;
 150
 151                 gensec_features = cli_credentials_get_gensec_features(
 152                                         popt_get_cmdline_credentials());
 153
 154                 gensec_features |= GENSEC_FEATURE_SIGN;
 155                 cli_credentials_set_gensec_features(
 156                                         popt_get_cmdline_credentials(),
 157                                                     gensec_features,
 158                                                     CRED_SPECIFIED);
 159                 break;
 160         }
 161         case OPT_ENCRYPT:
 162         {
 163                 uint32_t gensec_features;
 164
 165                 gensec_features = cli_credentials_get_gensec_features(
 166                                         popt_get_cmdline_credentials());
 167
 168                 gensec_features |= GENSEC_FEATURE_SEAL;
 169                 cli_credentials_set_gensec_features(
 170                                         popt_get_cmdline_credentials(),
 171                                                     gensec_features,
 172                                                     CRED_SPECIFIED);
 173                 break;
 174         }
 175         }
 176 }
 177
 178
 179
 180 struct poptOption popt_common_credentials4[] = {
 181         {
 182                 .argInfo    = POPT_ARG_CALLBACK|POPT_CBFLAG_PRE|POPT_CBFLAG_POST,
 183                 .arg        = (void *)popt_common_credentials_callback,
 184         },
 185         {
 186                 .longName   = "user",
 187                 .shortName  = 'U',
 188                 .argInfo    = POPT_ARG_STRING,
 189                 .val        = 'U',
 190                 .descrip    = "Set the network username",
 191                 .argDescrip = "[DOMAIN/]USERNAME[%PASSWORD]",
 192         },
 193         {
 194                 .longName   = "no-pass",
 195                 .shortName  = 'N',
 196                 .argInfo    = POPT_ARG_NONE,
 197                 .arg        = &dont_ask,
 198                 .val        = 'N',
 199                 .descrip    = "Don't ask for a password",
 200         },
 201         {
 202                 .longName   = "password",
 203                 .argInfo    = POPT_ARG_STRING,
 204                 .val        = OPT_PASSWORD,
 205                 .descrip    = "Password",
 206         },
 207         {
 208                 .longName   = "authentication-file",
 209                 .shortName  = 'A',
 210                 .argInfo    = POPT_ARG_STRING,
 211                 .val        = 'A',
 212                 .descrip    = "Get the credentials from a file",
 213                 .argDescrip = "FILE",
 214         },
 215         {
 216                 .longName   = "machine-pass",
 217                 .shortName  = 'P',
 218                 .argInfo    = POPT_ARG_NONE,
 219                 .val        = 'P',
 220                 .descrip    = "Use stored machine account password",
 221         },
 222         {
 223                 .longName   = "simple-bind-dn",
 224                 .argInfo    = POPT_ARG_STRING,
 225                 .val        = OPT_SIMPLE_BIND_DN,
 226                 .descrip    = "DN to use for a simple bind",
 227         },
 228         {
 229                 .longName   = "kerberos",
 230                 .shortName  = 'k',
 231                 .argInfo    = POPT_ARG_STRING,
 232                 .val        = OPT_KERBEROS,
 233                 .descrip    = "Use Kerberos, -k [yes|no]",
 234         },
 235         {
 236                 .longName   = "krb5-ccache",
 237                 .argInfo    = POPT_ARG_STRING,
 238                 .val        = OPT_KRB5_CCACHE,
 239                 .descrip    = "Credentials cache location for Kerberos",
 240         },
 241         {
 242                 .longName   = "sign",
 243                 .shortName  = 'S',
 244                 .argInfo    = POPT_ARG_NONE,
 245                 .val        = OPT_SIGN,
 246                 .descrip    = "Sign connection to prevent modification in transit",
 247         },
 248         {
 249                 .longName   = "encrypt",
 250                 .shortName  = 'e',
 251                 .argInfo    = POPT_ARG_NONE,
 252                 .val        = OPT_ENCRYPT,
 253                 .descrip    = "Encrypt connection for privacy",
 254         },
 255         POPT_TABLEEND
 256 };