source4/auth/credentials/credentials.c

   1 /*
   2    Unix SMB/CIFS implementation.
   3
   4    User credentials handling
   5
   6    Copyright (C) Jelmer Vernooij 2005
   7    Copyright (C) Tim Potter 2001
   8    Copyright (C) Andrew Bartlett <abartlet@samba.org> 2005
   9
  10    This program is free software; you can redistribute it and/or modify
  11    it under the terms of the GNU General Public License as published by
  12    the Free Software Foundation; either version 2 of the License, or
  13    (at your option) any later version.
  14
  15    This program is distributed in the hope that it will be useful,
  16    but WITHOUT ANY WARRANTY; without even the implied warranty of
  17    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  18    GNU General Public License for more details.
  19
  20    You should have received a copy of the GNU General Public License
  21    along with this program; if not, write to the Free Software
  22    Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
  23 */
  24
  25 #include "includes.h"
  26 #include "lib/ldb/include/ldb.h"
  27 #include "librpc/gen_ndr/ndr_samr.h" /* for struct samrPassword */
  28
  29
  30 /**
  31  * Create a new credentials structure
  32  * @param mem_ctx TALLOC_CTX parent for credentials structure
  33  */
  34 struct cli_credentials *cli_credentials_init(TALLOC_CTX *mem_ctx)
  35 {
  36         struct cli_credentials *cred = talloc(mem_ctx, struct cli_credentials);
  37         if (!cred) {
  38                 return cred;
  39         }
  40
  41         cred->netlogon_creds = NULL;
  42         cred->machine_account_pending = False;
  43         cred->workstation_obtained = CRED_UNINITIALISED;
  44         cred->username_obtained = CRED_UNINITIALISED;
  45         cred->password_obtained = CRED_UNINITIALISED;
  46         cred->domain_obtained = CRED_UNINITIALISED;
  47         cred->realm_obtained = CRED_UNINITIALISED;
  48         cred->ccache_obtained = CRED_UNINITIALISED;
  49         cred->keytab_obtained = CRED_UNINITIALISED;
  50         cred->principal_obtained = CRED_UNINITIALISED;
  51
  52         cred->old_password = NULL;
  53         cred->smb_krb5_context = NULL;
  54         cred->salt_principal = NULL;
  55         cred->machine_account = False;
  56
  57         return cred;
  58 }
  59
  60 /**
  61  * Obtain the username for this credentials context.
  62  * @param cred credentials context
  63  * @retval The username set on this context.
  64  * @note Return value will never be NULL except by programmer error.
  65  */
  66 const char *cli_credentials_get_username(struct cli_credentials *cred)
  67 {
  68         if (cred->machine_account_pending) {
  69                 cli_credentials_set_machine_account(cred);
  70         }
  71
  72         if (cred->username_obtained == CRED_CALLBACK) {
  73                 cred->username = cred->username_cb(cred);
  74                 cred->username_obtained = CRED_SPECIFIED;
  75         }
  76
  77         return cred->username;
  78 }
  79
  80 BOOL cli_credentials_set_username(struct cli_credentials *cred,
  81                                   const char *val, enum credentials_obtained obtained)
  82 {
  83         if (obtained >= cred->username_obtained) {
  84                 cred->username = talloc_strdup(cred, val);
  85                 cred->username_obtained = obtained;
  86                 return True;
  87         }
  88
  89         return False;
  90 }
  91
  92 BOOL cli_credentials_set_username_callback(struct cli_credentials *cred,
  93                                   const char *(*username_cb) (struct cli_credentials *))
  94 {
  95         if (cred->username_obtained < CRED_CALLBACK) {
  96                 cred->username_cb = username_cb;
  97                 cred->username_obtained = CRED_CALLBACK;
  98                 return True;
  99         }
 100
 101         return False;
 102 }
 103
 104
 105
 106 /**
 107  * Obtain the client principal for this credentials context.
 108  * @param cred credentials context
 109  * @retval The username set on this context.
 110  * @note Return value will never be NULL except by programmer error.
 111  */
 112 const char *cli_credentials_get_principal(struct cli_credentials *cred, TALLOC_CTX *mem_ctx)
 113 {
 114         if (cred->machine_account_pending) {
 115                 cli_credentials_set_machine_account(cred);
 116         }
 117
 118         if (cred->principal_obtained == CRED_CALLBACK) {
 119                 cred->principal = cred->principal_cb(cred);
 120                 cred->principal_obtained = CRED_SPECIFIED;
 121         }
 122
 123         if (cred->principal_obtained < cred->username_obtained) {
 124                 if (cred->domain_obtained > cred->realm_obtained) {
 125                         return talloc_asprintf(mem_ctx, "%s@%s",
 126                                                cli_credentials_get_username(cred),
 127                                                cli_credentials_get_domain(cred));
 128                 } else {
 129                         return talloc_asprintf(mem_ctx, "%s@%s",
 130                                                cli_credentials_get_username(cred),
 131                                                cli_credentials_get_realm(cred));
 132                 }
 133         }
 134         return talloc_reference(mem_ctx, cred->principal);
 135 }
 136
 137 BOOL cli_credentials_set_principal(struct cli_credentials *cred,
 138                                    const char *val,
 139                                    enum credentials_obtained obtained)
 140 {
 141         if (obtained >= cred->principal_obtained) {
 142                 cred->principal = talloc_strdup(cred, val);
 143                 cred->principal_obtained = obtained;
 144                 return True;
 145         }
 146
 147         return False;
 148 }
 149
 150 BOOL cli_credentials_set_principal_callback(struct cli_credentials *cred,
 151                                   const char *(*principal_cb) (struct cli_credentials *))
 152 {
 153         if (cred->principal_obtained < CRED_CALLBACK) {
 154                 cred->principal_cb = principal_cb;
 155                 cred->principal_obtained = CRED_CALLBACK;
 156                 return True;
 157         }
 158
 159         return False;
 160 }
 161
 162 BOOL cli_credentials_authentication_requested(struct cli_credentials *cred)
 163 {
 164         if (cred->principal_obtained >= CRED_SPECIFIED) {
 165                 return True;
 166         }
 167         if (cred->username_obtained >= CRED_SPECIFIED) {
 168                 return True;
 169         }
 170         return False;
 171 }
 172
 173 /**
 174  * Obtain the password for this credentials context.
 175  * @param cred credentials context
 176  * @retval If set, the cleartext password, otherwise NULL
 177  */
 178 const char *cli_credentials_get_password(struct cli_credentials *cred)
 179 {
 180         if (cred->machine_account_pending) {
 181                 cli_credentials_set_machine_account(cred);
 182         }
 183
 184         if (cred->password_obtained == CRED_CALLBACK) {
 185                 cred->password = cred->password_cb(cred);
 186                 cred->password_obtained = CRED_SPECIFIED;
 187         }
 188
 189         return cred->password;
 190 }
 191
 192 BOOL cli_credentials_set_password(struct cli_credentials *cred,
 193                                   const char *val,
 194                                   enum credentials_obtained obtained)
 195 {
 196         if (obtained >= cred->password_obtained) {
 197                 cred->password = talloc_strdup(cred, val);
 198                 cred->password_obtained = obtained;
 199
 200                 cred->nt_hash = NULL;
 201                 return True;
 202         }
 203
 204         return False;
 205 }
 206
 207 BOOL cli_credentials_set_password_callback(struct cli_credentials *cred,
 208                                            const char *(*password_cb) (struct cli_credentials *))
 209 {
 210         if (cred->password_obtained < CRED_CALLBACK) {
 211                 cred->password_cb = password_cb;
 212                 cred->password_obtained = CRED_CALLBACK;
 213                 return True;
 214         }
 215
 216         return False;
 217 }
 218
 219 /**
 220  * Obtain the 'old' password for this credentials context (used for join accounts).
 221  * @param cred credentials context
 222  * @retval If set, the cleartext password, otherwise NULL
 223  */
 224 const char *cli_credentials_get_old_password(struct cli_credentials *cred)
 225 {
 226         if (cred->machine_account_pending) {
 227                 cli_credentials_set_machine_account(cred);
 228         }
 229
 230         return cred->old_password;
 231 }
 232
 233 BOOL cli_credentials_set_old_password(struct cli_credentials *cred,
 234                                       const char *val,
 235                                       enum credentials_obtained obtained)
 236 {
 237         cred->old_password = talloc_strdup(cred, val);
 238         return True;
 239 }
 240
 241 /**
 242  * Obtain the password for this credentials context.
 243  * @param cred credentials context
 244  * @retval If set, the cleartext password, otherwise NULL
 245  */
 246 const struct samr_Password *cli_credentials_get_nt_hash(struct cli_credentials *cred,
 247                                                         TALLOC_CTX *mem_ctx)
 248 {
 249         const char *password = cli_credentials_get_password(cred);
 250
 251         if (password) {
 252                 struct samr_Password *nt_hash = talloc(mem_ctx, struct samr_Password);
 253                 if (!nt_hash) {
 254                         return NULL;
 255                 }
 256
 257                 E_md4hash(password, nt_hash->hash);
 258
 259                 return nt_hash;
 260         } else {
 261                 return cred->nt_hash;
 262         }
 263 }
 264
 265 BOOL cli_credentials_set_nt_hash(struct cli_credentials *cred,
 266                                  const struct samr_Password *nt_hash,
 267                                  enum credentials_obtained obtained)
 268 {
 269         if (obtained >= cred->password_obtained) {
 270                 cli_credentials_set_password(cred, NULL, obtained);
 271                 cred->nt_hash = talloc(cred, struct samr_Password);
 272                 *cred->nt_hash = *nt_hash;
 273                 return True;
 274         }
 275
 276         return False;
 277 }
 278
 279 /**
 280  * Obtain the 'short' or 'NetBIOS' domain for this credentials context.
 281  * @param cred credentials context
 282  * @retval The domain set on this context.
 283  * @note Return value will never be NULL except by programmer error.
 284  */
 285 const char *cli_credentials_get_domain(struct cli_credentials *cred)
 286 {
 287         if (cred->machine_account_pending) {
 288                 cli_credentials_set_machine_account(cred);
 289         }
 290
 291         if (cred->domain_obtained == CRED_CALLBACK) {
 292                 cred->domain = cred->domain_cb(cred);
 293                 cred->domain_obtained = CRED_SPECIFIED;
 294         }
 295
 296         return cred->domain;
 297 }
 298
 299
 300 BOOL cli_credentials_set_domain(struct cli_credentials *cred,
 301                                 const char *val,
 302                                 enum credentials_obtained obtained)
 303 {
 304         if (obtained >= cred->domain_obtained) {
 305                 /* it is important that the domain be in upper case,
 306                  * particularly for the sensitive NTLMv2
 307                  * calculations */
 308                 cred->domain = strupper_talloc(cred, val);
 309                 cred->domain_obtained = obtained;
 310                 return True;
 311         }
 312
 313         return False;
 314 }
 315
 316 BOOL cli_credentials_set_domain_callback(struct cli_credentials *cred,
 317                                          const char *(*domain_cb) (struct cli_credentials *))
 318 {
 319         if (cred->domain_obtained < CRED_CALLBACK) {
 320                 cred->domain_cb = domain_cb;
 321                 cred->domain_obtained = CRED_CALLBACK;
 322                 return True;
 323         }
 324
 325         return False;
 326 }
 327
 328 /**
 329  * Obtain the Kerberos realm for this credentials context.
 330  * @param cred credentials context
 331  * @retval The realm set on this context.
 332  * @note Return value will never be NULL except by programmer error.
 333  */
 334 const char *cli_credentials_get_realm(struct cli_credentials *cred)
 335 {
 336         if (cred->machine_account_pending) {
 337                 cli_credentials_set_machine_account(cred);
 338         }
 339
 340         if (cred->realm_obtained == CRED_CALLBACK) {
 341                 cred->realm = cred->realm_cb(cred);
 342                 cred->realm_obtained = CRED_SPECIFIED;
 343         }
 344
 345         return cred->realm;
 346 }
 347
 348 /**
 349  * Set the realm for this credentials context, and force it to
 350  * uppercase for the sainity of our local kerberos libraries
 351  */
 352 BOOL cli_credentials_set_realm(struct cli_credentials *cred,
 353                                const char *val,
 354                                enum credentials_obtained obtained)
 355 {
 356         if (obtained >= cred->realm_obtained) {
 357                 cred->realm = strupper_talloc(cred, val);
 358                 cred->realm_obtained = obtained;
 359                 return True;
 360         }
 361
 362         return False;
 363 }
 364
 365 BOOL cli_credentials_set_realm_callback(struct cli_credentials *cred,
 366                                         const char *(*realm_cb) (struct cli_credentials *))
 367 {
 368         if (cred->realm_obtained < CRED_CALLBACK) {
 369                 cred->realm_cb = realm_cb;
 370                 cred->realm_obtained = CRED_CALLBACK;
 371                 return True;
 372         }
 373
 374         return False;
 375 }
 376
 377 /**
 378  * Obtain the 'short' or 'NetBIOS' workstation name for this credentials context.
 379  *
 380  * @param cred credentials context
 381  * @retval The workstation name set on this context.
 382  * @note Return value will never be NULL except by programmer error.
 383  */
 384 const char *cli_credentials_get_workstation(struct cli_credentials *cred)
 385 {
 386         if (cred->workstation_obtained == CRED_CALLBACK) {
 387                 cred->workstation = cred->workstation_cb(cred);
 388                 cred->workstation_obtained = CRED_SPECIFIED;
 389         }
 390
 391         return cred->workstation;
 392 }
 393
 394 BOOL cli_credentials_set_workstation(struct cli_credentials *cred,
 395                                      const char *val,
 396                                      enum credentials_obtained obtained)
 397 {
 398         if (obtained >= cred->workstation_obtained) {
 399                 cred->workstation = talloc_strdup(cred, val);
 400                 cred->workstation_obtained = obtained;
 401                 return True;
 402         }
 403
 404         return False;
 405 }
 406
 407 BOOL cli_credentials_set_workstation_callback(struct cli_credentials *cred,
 408                                               const char *(*workstation_cb) (struct cli_credentials *))
 409 {
 410         if (cred->workstation_obtained < CRED_CALLBACK) {
 411                 cred->workstation_cb = workstation_cb;
 412                 cred->workstation_obtained = CRED_CALLBACK;
 413                 return True;
 414         }
 415
 416         return False;
 417 }
 418
 419 /**
 420  * Given a string, typically obtained from a -U argument, parse it into domain, username, realm and password fields
 421  *
 422  * The format accepted is [domain\\]user[%password] or user[@realm][%password]
 423  *
 424  * @param credentials Credentials structure on which to set the password
 425  * @param data the string containing the username, password etc
 426  * @param obtained This enum describes how 'specified' this password is
 427  */
 428
 429 void cli_credentials_parse_string(struct cli_credentials *credentials, const char *data, enum credentials_obtained obtained)
 430 {
 431         char *uname, *p;
 432
 433         if (strcmp("%",data) == 0) {
 434                 cli_credentials_set_anonymous(credentials);
 435                 return;
 436         }
 437
 438         uname = talloc_strdup(credentials, data);
 439         if ((p = strchr_m(uname,'%'))) {
 440                 *p = 0;
 441                 cli_credentials_set_password(credentials, p+1, obtained);
 442         }
 443
 444         if ((p = strchr_m(uname,'@'))) {
 445                 cli_credentials_set_principal(credentials, uname, obtained);
 446                 *p = 0;
 447                 cli_credentials_set_realm(credentials, p+1, obtained);
 448                 return;
 449         } else if ((p = strchr_m(uname,'\\')) || (p = strchr_m(uname, '/'))) {
 450                 *p = 0;
 451                 cli_credentials_set_domain(credentials, uname, obtained);
 452                 uname = p+1;
 453         }
 454         cli_credentials_set_username(credentials, uname, obtained);
 455 }
 456
 457 /**
 458  * Specifies default values for domain, workstation and realm
 459  * from the smb.conf configuration file
 460  *
 461  * @param cred Credentials structure to fill in
 462  */
 463 void cli_credentials_set_conf(struct cli_credentials *cred)
 464 {
 465         cli_credentials_set_username(cred, "", CRED_UNINITIALISED);
 466         cli_credentials_set_domain(cred, lp_workgroup(), CRED_UNINITIALISED);
 467         cli_credentials_set_workstation(cred, lp_netbios_name(), CRED_UNINITIALISED);
 468         cli_credentials_set_realm(cred, lp_realm(), CRED_UNINITIALISED);
 469 }
 470
 471 /**
 472  * Guess defaults for credentials from environment variables,
 473  * and from the configuration file
 474  *
 475  * @param cred Credentials structure to fill in
 476  */
 477 void cli_credentials_guess(struct cli_credentials *cred)
 478 {
 479         char *p;
 480
 481         cli_credentials_set_conf(cred);
 482
 483         if (getenv("LOGNAME")) {
 484                 cli_credentials_set_username(cred, getenv("LOGNAME"), CRED_GUESS_ENV);
 485         }
 486
 487         if (getenv("USER")) {
 488                 cli_credentials_parse_string(cred, getenv("USER"), CRED_GUESS_ENV);
 489                 if ((p = strchr_m(getenv("USER"),'%'))) {
 490                         memset(p,0,strlen(cred->password));
 491                 }
 492         }
 493
 494         if (getenv("DOMAIN")) {
 495                 cli_credentials_set_domain(cred, getenv("DOMAIN"), CRED_GUESS_ENV);
 496         }
 497
 498         if (getenv("PASSWD")) {
 499                 cli_credentials_set_password(cred, getenv("PASSWD"), CRED_GUESS_ENV);
 500         }
 501
 502         if (getenv("PASSWD_FD")) {
 503                 cli_credentials_parse_password_fd(cred, atoi(getenv("PASSWD_FD")), CRED_GUESS_FILE);
 504         }
 505
 506         if (getenv("PASSWD_FILE")) {
 507                 cli_credentials_parse_password_file(cred, getenv("PASSWD_FILE"), CRED_GUESS_FILE);
 508         }
 509
 510         cli_credentials_set_ccache(cred, NULL, CRED_GUESS_FILE);
 511 }
 512
 513 /**
 514  * Attach NETLOGON credentials for use with SCHANNEL
 515  */
 516
 517 void cli_credentials_set_netlogon_creds(struct cli_credentials *cred,
 518                                         struct creds_CredentialState *netlogon_creds)
 519 {
 520         cred->netlogon_creds = talloc_reference(cred, netlogon_creds);
 521 }
 522
 523 /**
 524  * Return attached NETLOGON credentials
 525  */
 526
 527 struct creds_CredentialState *cli_credentials_get_netlogon_creds(struct cli_credentials *cred)
 528 {
 529         return cred->netlogon_creds;
 530 }
 531
 532 /**
 533  * Set NETLOGON secure channel type
 534  */
 535
 536 void cli_credentials_set_secure_channel_type(struct cli_credentials *cred,
 537                                              enum netr_SchannelType secure_channel_type)
 538 {
 539         cred->secure_channel_type = secure_channel_type;
 540 }
 541
 542 /**
 543  * Return NETLOGON secure chanel type
 544  */
 545
 546 enum netr_SchannelType cli_credentials_get_secure_channel_type(struct cli_credentials *cred)
 547 {
 548         return cred->secure_channel_type;
 549 }
 550
 551 /**
 552  * Fill in a credentials structure as the anonymous user
 553  */
 554 void cli_credentials_set_anonymous(struct cli_credentials *cred)
 555 {
 556         cli_credentials_set_username(cred, "", CRED_SPECIFIED);
 557         cli_credentials_set_domain(cred, "", CRED_SPECIFIED);
 558         cli_credentials_set_password(cred, NULL, CRED_SPECIFIED);
 559 }
 560
 561 /**
 562  * Describe a credentials context as anonymous or authenticated
 563  * @retval True if anonymous, False if a username is specified
 564  */
 565
 566 BOOL cli_credentials_is_anonymous(struct cli_credentials *cred)
 567 {
 568         const char *username = cli_credentials_get_username(cred);
 569
 570         /* Yes, it is deliberate that we die if we have a NULL pointer
 571          * here - anonymous is "", not NULL, which is 'never specified,
 572          * never guessed', ie programmer bug */
 573         if (!username[0]) {
 574                 return True;
 575         }
 576
 577         return False;
 578 }