This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
- the Free Software Foundation; either version 2 of the License, or
+ the Free Software Foundation; either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
- along with this program; if not, write to the Free Software
- Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
#include "includes.h"
#include "auth/credentials/credentials.h"
#include "auth/credentials/credentials_krb5.h"
#include "libcli/auth/libcli_auth.h"
+#include "lib/events/events.h"
+#include "param/param.h"
/**
* Create a new credentials structure
* @param mem_ctx TALLOC_CTX parent for credentials structure
*/
-struct cli_credentials *cli_credentials_init(TALLOC_CTX *mem_ctx)
+_PUBLIC_ struct cli_credentials *cli_credentials_init(TALLOC_CTX *mem_ctx)
{
struct cli_credentials *cred = talloc(mem_ctx, struct cli_credentials);
if (!cred) {
}
cred->netlogon_creds = NULL;
- cred->machine_account_pending = False;
+ cred->machine_account_pending = false;
cred->workstation_obtained = CRED_UNINITIALISED;
cred->username_obtained = CRED_UNINITIALISED;
cred->password_obtained = CRED_UNINITIALISED;
cred->keytab_obtained = CRED_UNINITIALISED;
cred->principal_obtained = CRED_UNINITIALISED;
+ cred->ccache_threshold = CRED_UNINITIALISED;
+ cred->client_gss_creds_threshold = CRED_UNINITIALISED;
+
cred->old_password = NULL;
cred->smb_krb5_context = NULL;
cred->salt_principal = NULL;
- cred->machine_account = False;
+ cred->machine_account = false;
cred->bind_dn = NULL;
cred->tries = 3;
- cred->callback_running = False;
+ cred->callback_running = false;
cli_credentials_set_kerberos_state(cred, CRED_AUTO_USE_KERBEROS);
cli_credentials_set_gensec_features(cred, 0);
return cred;
}
-void cli_credentials_set_kerberos_state(struct cli_credentials *creds,
+/**
+ * Create a new anonymous credential
+ * @param mem_ctx TALLOC_CTX parent for credentials structure
+ */
+_PUBLIC_ struct cli_credentials *cli_credentials_init_anon(TALLOC_CTX *mem_ctx)
+{
+ struct cli_credentials *anon_credentials;
+
+ anon_credentials = cli_credentials_init(mem_ctx);
+ cli_credentials_set_anonymous(anon_credentials);
+
+ return anon_credentials;
+}
+
+_PUBLIC_ void cli_credentials_set_kerberos_state(struct cli_credentials *creds,
enum credentials_use_kerberos use_kerberos)
{
creds->use_kerberos = use_kerberos;
}
-enum credentials_use_kerberos cli_credentials_get_kerberos_state(struct cli_credentials *creds)
+_PUBLIC_ enum credentials_use_kerberos cli_credentials_get_kerberos_state(struct cli_credentials *creds)
{
return creds->use_kerberos;
}
-void cli_credentials_set_gensec_features(struct cli_credentials *creds, uint32_t gensec_features)
+_PUBLIC_ void cli_credentials_set_gensec_features(struct cli_credentials *creds, uint32_t gensec_features)
{
creds->gensec_features = gensec_features;
}
-uint32_t cli_credentials_get_gensec_features(struct cli_credentials *creds)
+_PUBLIC_ uint32_t cli_credentials_get_gensec_features(struct cli_credentials *creds)
{
return creds->gensec_features;
}
* @retval The username set on this context.
* @note Return value will never be NULL except by programmer error.
*/
-const char *cli_credentials_get_username(struct cli_credentials *cred)
+_PUBLIC_ const char *cli_credentials_get_username(struct cli_credentials *cred)
{
if (cred->machine_account_pending) {
- cli_credentials_set_machine_account(cred);
+ cli_credentials_set_machine_account(cred,
+ cred->machine_account_pending_lp_ctx);
}
if (cred->username_obtained == CRED_CALLBACK &&
!cred->callback_running) {
- cred->callback_running = True;
+ cred->callback_running = true;
cred->username = cred->username_cb(cred);
- cred->callback_running = False;
+ cred->callback_running = false;
cred->username_obtained = CRED_SPECIFIED;
+ cli_credentials_invalidate_ccache(cred, cred->username_obtained);
}
return cred->username;
}
-BOOL cli_credentials_set_username(struct cli_credentials *cred,
+_PUBLIC_ bool cli_credentials_set_username(struct cli_credentials *cred,
const char *val, enum credentials_obtained obtained)
{
if (obtained >= cred->username_obtained) {
cred->username = talloc_strdup(cred, val);
cred->username_obtained = obtained;
- return True;
+ cli_credentials_invalidate_ccache(cred, cred->username_obtained);
+ return true;
}
- return False;
+ return false;
}
-BOOL cli_credentials_set_username_callback(struct cli_credentials *cred,
+bool cli_credentials_set_username_callback(struct cli_credentials *cred,
const char *(*username_cb) (struct cli_credentials *))
{
if (cred->username_obtained < CRED_CALLBACK) {
cred->username_cb = username_cb;
cred->username_obtained = CRED_CALLBACK;
- return True;
+ return true;
}
- return False;
+ return false;
}
-BOOL cli_credentials_set_bind_dn(struct cli_credentials *cred,
+_PUBLIC_ bool cli_credentials_set_bind_dn(struct cli_credentials *cred,
const char *bind_dn)
{
cred->bind_dn = talloc_strdup(cred, bind_dn);
- return True;
+ return true;
}
/**
* @retval The username set on this context.
* @note Return value will be NULL if not specified explictly
*/
-const char *cli_credentials_get_bind_dn(struct cli_credentials *cred)
+_PUBLIC_ const char *cli_credentials_get_bind_dn(struct cli_credentials *cred)
{
return cred->bind_dn;
}
* @retval The username set on this context.
* @note Return value will never be NULL except by programmer error.
*/
-const char *cli_credentials_get_principal(struct cli_credentials *cred, TALLOC_CTX *mem_ctx)
+_PUBLIC_ const char *cli_credentials_get_principal(struct cli_credentials *cred, TALLOC_CTX *mem_ctx)
{
if (cred->machine_account_pending) {
- cli_credentials_set_machine_account(cred);
+ cli_credentials_set_machine_account(cred,
+ cred->machine_account_pending_lp_ctx);
}
if (cred->principal_obtained == CRED_CALLBACK &&
!cred->callback_running) {
- cred->callback_running = True;
+ cred->callback_running = true;
cred->principal = cred->principal_cb(cred);
- cred->callback_running = False;
+ cred->callback_running = false;
cred->principal_obtained = CRED_SPECIFIED;
+ cli_credentials_invalidate_ccache(cred, cred->principal_obtained);
}
if (cred->principal_obtained < cred->username_obtained) {
return talloc_reference(mem_ctx, cred->principal);
}
-BOOL cli_credentials_set_principal(struct cli_credentials *cred,
+bool cli_credentials_set_principal(struct cli_credentials *cred,
const char *val,
enum credentials_obtained obtained)
{
if (obtained >= cred->principal_obtained) {
cred->principal = talloc_strdup(cred, val);
cred->principal_obtained = obtained;
- return True;
+ cli_credentials_invalidate_ccache(cred, cred->principal_obtained);
+ return true;
}
- return False;
+ return false;
}
/* Set a callback to get the principal. This could be a popup dialog,
* a terminal prompt or similar. */
-
-BOOL cli_credentials_set_principal_callback(struct cli_credentials *cred,
+bool cli_credentials_set_principal_callback(struct cli_credentials *cred,
const char *(*principal_cb) (struct cli_credentials *))
{
if (cred->principal_obtained < CRED_CALLBACK) {
cred->principal_cb = principal_cb;
cred->principal_obtained = CRED_CALLBACK;
- return True;
+ return true;
}
- return False;
+ return false;
}
/* Some of our tools are 'anonymous by default'. This is a single
* function to determine if authentication has been explicitly
* requested */
-BOOL cli_credentials_authentication_requested(struct cli_credentials *cred)
+_PUBLIC_ bool cli_credentials_authentication_requested(struct cli_credentials *cred)
{
if (cred->bind_dn) {
- return True;
+ return true;
}
if (cli_credentials_is_anonymous(cred)){
- return False;
+ return false;
}
if (cred->principal_obtained >= CRED_SPECIFIED) {
- return True;
+ return true;
}
if (cred->username_obtained >= CRED_SPECIFIED) {
- return True;
+ return true;
}
if (cli_credentials_get_kerberos_state(cred) == CRED_MUST_USE_KERBEROS) {
- return True;
+ return true;
}
- return False;
+ return false;
}
/**
* @param cred credentials context
* @retval If set, the cleartext password, otherwise NULL
*/
-const char *cli_credentials_get_password(struct cli_credentials *cred)
+_PUBLIC_ const char *cli_credentials_get_password(struct cli_credentials *cred)
{
if (cred->machine_account_pending) {
- cli_credentials_set_machine_account(cred);
+ cli_credentials_set_machine_account(cred,
+ cred->machine_account_pending_lp_ctx);
}
if (cred->password_obtained == CRED_CALLBACK &&
!cred->callback_running) {
- cred->callback_running = True;
+ cred->callback_running = true;
cred->password = cred->password_cb(cred);
- cred->callback_running = False;
+ cred->callback_running = false;
cred->password_obtained = CRED_CALLBACK_RESULT;
+ cli_credentials_invalidate_ccache(cred, cred->password_obtained);
}
return cred->password;
/* Set a password on the credentials context, including an indication
* of 'how' the password was obtained */
-BOOL cli_credentials_set_password(struct cli_credentials *cred,
+_PUBLIC_ bool cli_credentials_set_password(struct cli_credentials *cred,
const char *val,
enum credentials_obtained obtained)
{
if (obtained >= cred->password_obtained) {
cred->password = talloc_strdup(cred, val);
cred->password_obtained = obtained;
+ cli_credentials_invalidate_ccache(cred, cred->password_obtained);
cred->nt_hash = NULL;
- return True;
+ return true;
}
- return False;
+ return false;
}
-BOOL cli_credentials_set_password_callback(struct cli_credentials *cred,
+_PUBLIC_ bool cli_credentials_set_password_callback(struct cli_credentials *cred,
const char *(*password_cb) (struct cli_credentials *))
{
if (cred->password_obtained < CRED_CALLBACK) {
cred->password_cb = password_cb;
cred->password_obtained = CRED_CALLBACK;
- return True;
+ cli_credentials_invalidate_ccache(cred, cred->password_obtained);
+ return true;
}
- return False;
+ return false;
}
/**
const char *cli_credentials_get_old_password(struct cli_credentials *cred)
{
if (cred->machine_account_pending) {
- cli_credentials_set_machine_account(cred);
+ cli_credentials_set_machine_account(cred,
+ cred->machine_account_pending_lp_ctx);
}
return cred->old_password;
}
-BOOL cli_credentials_set_old_password(struct cli_credentials *cred,
+bool cli_credentials_set_old_password(struct cli_credentials *cred,
const char *val,
enum credentials_obtained obtained)
{
cred->old_password = talloc_strdup(cred, val);
- return True;
+ return true;
}
/**
* @param cred credentials context
* @retval If set, the cleartext password, otherwise NULL
*/
-const struct samr_Password *cli_credentials_get_nt_hash(struct cli_credentials *cred,
+_PUBLIC_ const struct samr_Password *cli_credentials_get_nt_hash(struct cli_credentials *cred,
TALLOC_CTX *mem_ctx)
{
const char *password = cli_credentials_get_password(cred);
}
}
-BOOL cli_credentials_set_nt_hash(struct cli_credentials *cred,
+_PUBLIC_ bool cli_credentials_set_nt_hash(struct cli_credentials *cred,
const struct samr_Password *nt_hash,
enum credentials_obtained obtained)
{
} else {
cred->nt_hash = NULL;
}
- return True;
+ return true;
}
- return False;
+ return false;
}
/**
* @retval The domain set on this context.
* @note Return value will never be NULL except by programmer error.
*/
-const char *cli_credentials_get_domain(struct cli_credentials *cred)
+_PUBLIC_ const char *cli_credentials_get_domain(struct cli_credentials *cred)
{
if (cred->machine_account_pending) {
- cli_credentials_set_machine_account(cred);
+ cli_credentials_set_machine_account(cred,
+ cred->machine_account_pending_lp_ctx);
}
if (cred->domain_obtained == CRED_CALLBACK &&
!cred->callback_running) {
- cred->callback_running = True;
+ cred->callback_running = true;
cred->domain = cred->domain_cb(cred);
- cred->callback_running = False;
+ cred->callback_running = false;
cred->domain_obtained = CRED_SPECIFIED;
+ cli_credentials_invalidate_ccache(cred, cred->domain_obtained);
}
return cred->domain;
}
-BOOL cli_credentials_set_domain(struct cli_credentials *cred,
+_PUBLIC_ bool cli_credentials_set_domain(struct cli_credentials *cred,
const char *val,
enum credentials_obtained obtained)
{
* calculations */
cred->domain = strupper_talloc(cred, val);
cred->domain_obtained = obtained;
- return True;
+ cli_credentials_invalidate_ccache(cred, cred->domain_obtained);
+ return true;
}
- return False;
+ return false;
}
-BOOL cli_credentials_set_domain_callback(struct cli_credentials *cred,
+bool cli_credentials_set_domain_callback(struct cli_credentials *cred,
const char *(*domain_cb) (struct cli_credentials *))
{
if (cred->domain_obtained < CRED_CALLBACK) {
cred->domain_cb = domain_cb;
cred->domain_obtained = CRED_CALLBACK;
- return True;
+ return true;
}
- return False;
+ return false;
}
/**
* @retval The realm set on this context.
* @note Return value will never be NULL except by programmer error.
*/
-const char *cli_credentials_get_realm(struct cli_credentials *cred)
+_PUBLIC_ const char *cli_credentials_get_realm(struct cli_credentials *cred)
{
if (cred->machine_account_pending) {
- cli_credentials_set_machine_account(cred);
+ cli_credentials_set_machine_account(cred,
+ cred->machine_account_pending_lp_ctx);
}
if (cred->realm_obtained == CRED_CALLBACK &&
!cred->callback_running) {
- cred->callback_running = True;
+ cred->callback_running = true;
cred->realm = cred->realm_cb(cred);
- cred->callback_running = False;
+ cred->callback_running = false;
cred->realm_obtained = CRED_SPECIFIED;
+ cli_credentials_invalidate_ccache(cred, cred->realm_obtained);
}
return cred->realm;
* Set the realm for this credentials context, and force it to
* uppercase for the sainity of our local kerberos libraries
*/
-BOOL cli_credentials_set_realm(struct cli_credentials *cred,
+_PUBLIC_ bool cli_credentials_set_realm(struct cli_credentials *cred,
const char *val,
enum credentials_obtained obtained)
{
if (obtained >= cred->realm_obtained) {
cred->realm = strupper_talloc(cred, val);
cred->realm_obtained = obtained;
- return True;
+ cli_credentials_invalidate_ccache(cred, cred->realm_obtained);
+ return true;
}
- return False;
+ return false;
}
-BOOL cli_credentials_set_realm_callback(struct cli_credentials *cred,
+bool cli_credentials_set_realm_callback(struct cli_credentials *cred,
const char *(*realm_cb) (struct cli_credentials *))
{
if (cred->realm_obtained < CRED_CALLBACK) {
cred->realm_cb = realm_cb;
cred->realm_obtained = CRED_CALLBACK;
- return True;
+ return true;
}
- return False;
+ return false;
}
/**
* @retval The workstation name set on this context.
* @note Return value will never be NULL except by programmer error.
*/
-const char *cli_credentials_get_workstation(struct cli_credentials *cred)
+_PUBLIC_ const char *cli_credentials_get_workstation(struct cli_credentials *cred)
{
if (cred->workstation_obtained == CRED_CALLBACK &&
!cred->callback_running) {
- cred->callback_running = True;
+ cred->callback_running = true;
cred->workstation = cred->workstation_cb(cred);
- cred->callback_running = False;
+ cred->callback_running = false;
cred->workstation_obtained = CRED_SPECIFIED;
}
return cred->workstation;
}
-BOOL cli_credentials_set_workstation(struct cli_credentials *cred,
+_PUBLIC_ bool cli_credentials_set_workstation(struct cli_credentials *cred,
const char *val,
enum credentials_obtained obtained)
{
if (obtained >= cred->workstation_obtained) {
cred->workstation = talloc_strdup(cred, val);
cred->workstation_obtained = obtained;
- return True;
+ return true;
}
- return False;
+ return false;
}
-BOOL cli_credentials_set_workstation_callback(struct cli_credentials *cred,
+bool cli_credentials_set_workstation_callback(struct cli_credentials *cred,
const char *(*workstation_cb) (struct cli_credentials *))
{
if (cred->workstation_obtained < CRED_CALLBACK) {
cred->workstation_cb = workstation_cb;
cred->workstation_obtained = CRED_CALLBACK;
- return True;
+ return true;
}
- return False;
+ return false;
}
/**
* @param obtained This enum describes how 'specified' this password is
*/
-void cli_credentials_parse_string(struct cli_credentials *credentials, const char *data, enum credentials_obtained obtained)
+_PUBLIC_ void cli_credentials_parse_string(struct cli_credentials *credentials, const char *data, enum credentials_obtained obtained)
{
char *uname, *p;
* @param mem_ctx The memory context to place the result on
*/
-const char *cli_credentials_get_unparsed_name(struct cli_credentials *credentials, TALLOC_CTX *mem_ctx)
+_PUBLIC_ const char *cli_credentials_get_unparsed_name(struct cli_credentials *credentials, TALLOC_CTX *mem_ctx)
{
const char *bind_dn = cli_credentials_get_bind_dn(credentials);
const char *domain;
*
* @param cred Credentials structure to fill in
*/
-void cli_credentials_set_conf(struct cli_credentials *cred)
+_PUBLIC_ void cli_credentials_set_conf(struct cli_credentials *cred,
+ struct loadparm_context *lp_ctx)
{
cli_credentials_set_username(cred, "", CRED_UNINITIALISED);
- cli_credentials_set_domain(cred, lp_workgroup(), CRED_UNINITIALISED);
- cli_credentials_set_workstation(cred, lp_netbios_name(), CRED_UNINITIALISED);
- cli_credentials_set_realm(cred, lp_realm(), CRED_UNINITIALISED);
+ cli_credentials_set_domain(cred, lp_workgroup(lp_ctx), CRED_UNINITIALISED);
+ cli_credentials_set_workstation(cred, lp_netbios_name(lp_ctx), CRED_UNINITIALISED);
+ cli_credentials_set_realm(cred, lp_realm(lp_ctx), CRED_UNINITIALISED);
}
/**
*
* @param cred Credentials structure to fill in
*/
-void cli_credentials_guess(struct cli_credentials *cred)
+_PUBLIC_ void cli_credentials_guess(struct cli_credentials *cred,
+ struct loadparm_context *lp_ctx)
{
char *p;
- cli_credentials_set_conf(cred);
+ if (lp_ctx != NULL) {
+ cli_credentials_set_conf(cred, lp_ctx);
+ }
if (getenv("LOGNAME")) {
cli_credentials_set_username(cred, getenv("LOGNAME"), CRED_GUESS_ENV);
}
}
- if (getenv("DOMAIN")) {
- cli_credentials_set_domain(cred, getenv("DOMAIN"), CRED_GUESS_ENV);
- }
-
if (getenv("PASSWD")) {
cli_credentials_set_password(cred, getenv("PASSWD"), CRED_GUESS_ENV);
}
if (getenv("PASSWD_FD")) {
- cli_credentials_parse_password_fd(cred, atoi(getenv("PASSWD_FD")), CRED_GUESS_FILE);
+ cli_credentials_parse_password_fd(cred, atoi(getenv("PASSWD_FD")),
+ CRED_GUESS_FILE);
}
- if (getenv("PASSWD_FILE")) {
- cli_credentials_parse_password_file(cred, getenv("PASSWD_FILE"), CRED_GUESS_FILE);
+ p = getenv("PASSWD_FILE");
+ if (p && p[0]) {
+ cli_credentials_parse_password_file(cred, p, CRED_GUESS_FILE);
}
if (cli_credentials_get_kerberos_state(cred) != CRED_DONT_USE_KERBEROS) {
- cli_credentials_set_ccache(cred, NULL, CRED_GUESS_FILE);
+ cli_credentials_set_ccache(cred, event_context_find(cred), lp_ctx, NULL, CRED_GUESS_FILE);
}
}
* Attach NETLOGON credentials for use with SCHANNEL
*/
-void cli_credentials_set_netlogon_creds(struct cli_credentials *cred,
+_PUBLIC_ void cli_credentials_set_netlogon_creds(struct cli_credentials *cred,
struct creds_CredentialState *netlogon_creds)
{
cred->netlogon_creds = talloc_reference(cred, netlogon_creds);
* Set NETLOGON secure channel type
*/
-void cli_credentials_set_secure_channel_type(struct cli_credentials *cred,
+_PUBLIC_ void cli_credentials_set_secure_channel_type(struct cli_credentials *cred,
enum netr_SchannelType secure_channel_type)
{
cred->secure_channel_type = secure_channel_type;
* Return NETLOGON secure chanel type
*/
-enum netr_SchannelType cli_credentials_get_secure_channel_type(struct cli_credentials *cred)
+_PUBLIC_ enum netr_SchannelType cli_credentials_get_secure_channel_type(struct cli_credentials *cred)
{
return cred->secure_channel_type;
}
/**
* Fill in a credentials structure as the anonymous user
*/
-void cli_credentials_set_anonymous(struct cli_credentials *cred)
+_PUBLIC_ void cli_credentials_set_anonymous(struct cli_credentials *cred)
{
cli_credentials_set_username(cred, "", CRED_SPECIFIED);
cli_credentials_set_domain(cred, "", CRED_SPECIFIED);
cli_credentials_set_password(cred, NULL, CRED_SPECIFIED);
+ cli_credentials_set_realm(cred, NULL, CRED_SPECIFIED);
+ cli_credentials_set_workstation(cred, "", CRED_UNINITIALISED);
}
/**
* Describe a credentials context as anonymous or authenticated
- * @retval True if anonymous, False if a username is specified
+ * @retval true if anonymous, false if a username is specified
*/
-BOOL cli_credentials_is_anonymous(struct cli_credentials *cred)
+_PUBLIC_ bool cli_credentials_is_anonymous(struct cli_credentials *cred)
{
const char *username;
if (cred->machine_account_pending) {
- cli_credentials_set_machine_account(cred);
+ cli_credentials_set_machine_account(cred,
+ cred->machine_account_pending_lp_ctx);
}
username = cli_credentials_get_username(cred);
* here - anonymous is "", not NULL, which is 'never specified,
* never guessed', ie programmer bug */
if (!username[0]) {
- return True;
+ return true;
}
- return False;
+ return false;
}
/**
*
* @retval whether the credentials struct is finished
*/
-BOOL cli_credentials_wrong_password(struct cli_credentials *cred)
+_PUBLIC_ bool cli_credentials_wrong_password(struct cli_credentials *cred)
{
if (cred->password_obtained != CRED_CALLBACK_RESULT) {
- return False;
+ return false;
}
cred->password_obtained = CRED_CALLBACK;
git.samba.org / ira / wip.git / blobdiff