source/auth/credentials/credentials.c

   1 /*
   2    Unix SMB/CIFS implementation.
   3
   4    User credentials handling
   5
   6    Copyright (C) Jelmer Vernooij 2005
   7    Copyright (C) Tim Potter 2001
   8    Copyright (C) Andrew Bartlett <abartlet@samba.org> 2005
   9
  10    This program is free software; you can redistribute it and/or modify
  11    it under the terms of the GNU General Public License as published by
  12    the Free Software Foundation; either version 3 of the License, or
  13    (at your option) any later version.
  14
  15    This program is distributed in the hope that it will be useful,
  16    but WITHOUT ANY WARRANTY; without even the implied warranty of
  17    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  18    GNU General Public License for more details.
  19
  20    You should have received a copy of the GNU General Public License
  21    along with this program.  If not, see <http://www.gnu.org/licenses/>.
  22 */
  23
  24 #include "includes.h"
  25 #include "librpc/gen_ndr/samr.h" /* for struct samrPassword */
  26 #include "auth/credentials/credentials.h"
  27 #include "auth/credentials/credentials_krb5.h"
  28 #include "libcli/auth/libcli_auth.h"
  29 #include "lib/events/events.h"
  30 #include "param/param.h"
  31
  32 /**
  33  * Create a new credentials structure
  34  * @param mem_ctx TALLOC_CTX parent for credentials structure
  35  */
  36 struct cli_credentials *cli_credentials_init(TALLOC_CTX *mem_ctx)
  37 {
  38         struct cli_credentials *cred = talloc(mem_ctx, struct cli_credentials);
  39         if (!cred) {
  40                 return cred;
  41         }
  42
  43         cred->netlogon_creds = NULL;
  44         cred->machine_account_pending = false;
  45         cred->workstation_obtained = CRED_UNINITIALISED;
  46         cred->username_obtained = CRED_UNINITIALISED;
  47         cred->password_obtained = CRED_UNINITIALISED;
  48         cred->domain_obtained = CRED_UNINITIALISED;
  49         cred->realm_obtained = CRED_UNINITIALISED;
  50         cred->ccache_obtained = CRED_UNINITIALISED;
  51         cred->client_gss_creds_obtained = CRED_UNINITIALISED;
  52         cred->server_gss_creds_obtained = CRED_UNINITIALISED;
  53         cred->keytab_obtained = CRED_UNINITIALISED;
  54         cred->principal_obtained = CRED_UNINITIALISED;
  55
  56         cred->ccache_threshold = CRED_UNINITIALISED;
  57         cred->client_gss_creds_threshold = CRED_UNINITIALISED;
  58
  59         cred->old_password = NULL;
  60         cred->smb_krb5_context = NULL;
  61         cred->salt_principal = NULL;
  62         cred->machine_account = false;
  63
  64         cred->bind_dn = NULL;
  65
  66         cred->tries = 3;
  67         cred->callback_running = false;
  68         cred->ev = NULL;
  69
  70         cli_credentials_set_kerberos_state(cred, CRED_AUTO_USE_KERBEROS);
  71         cli_credentials_set_gensec_features(cred, 0);
  72
  73         return cred;
  74 }
  75
  76 /**
  77  * Create a new anonymous credential
  78  * @param mem_ctx TALLOC_CTX parent for credentials structure
  79  */
  80 struct cli_credentials *cli_credentials_init_anon(TALLOC_CTX *mem_ctx)
  81 {
  82         struct cli_credentials *anon_credentials;
  83
  84         anon_credentials = cli_credentials_init(mem_ctx);
  85         cli_credentials_set_conf(anon_credentials, global_loadparm);
  86         cli_credentials_set_anonymous(anon_credentials);
  87
  88         return anon_credentials;
  89 }
  90
  91 void cli_credentials_set_kerberos_state(struct cli_credentials *creds,
  92                                         enum credentials_use_kerberos use_kerberos)
  93 {
  94         creds->use_kerberos = use_kerberos;
  95 }
  96
  97 enum credentials_use_kerberos cli_credentials_get_kerberos_state(struct cli_credentials *creds)
  98 {
  99         return creds->use_kerberos;
 100 }
 101
 102 void cli_credentials_set_gensec_features(struct cli_credentials *creds, uint32_t gensec_features)
 103 {
 104         creds->gensec_features = gensec_features;
 105 }
 106
 107 uint32_t cli_credentials_get_gensec_features(struct cli_credentials *creds)
 108 {
 109         return creds->gensec_features;
 110 }
 111
 112
 113 /**
 114  * Obtain the username for this credentials context.
 115  * @param cred credentials context
 116  * @retval The username set on this context.
 117  * @note Return value will never be NULL except by programmer error.
 118  */
 119 const char *cli_credentials_get_username(struct cli_credentials *cred)
 120 {
 121         if (cred->machine_account_pending) {
 122                 cli_credentials_set_machine_account(cred);
 123         }
 124
 125         if (cred->username_obtained == CRED_CALLBACK &&
 126             !cred->callback_running) {
 127                 cred->callback_running = true;
 128                 cred->username = cred->username_cb(cred);
 129                 cred->callback_running = false;
 130                 cred->username_obtained = CRED_SPECIFIED;
 131                 cli_credentials_invalidate_ccache(cred, cred->username_obtained);
 132         }
 133
 134         return cred->username;
 135 }
 136
 137 bool cli_credentials_set_username(struct cli_credentials *cred,
 138                                   const char *val, enum credentials_obtained obtained)
 139 {
 140         if (obtained >= cred->username_obtained) {
 141                 cred->username = talloc_strdup(cred, val);
 142                 cred->username_obtained = obtained;
 143                 cli_credentials_invalidate_ccache(cred, cred->username_obtained);
 144                 return true;
 145         }
 146
 147         return false;
 148 }
 149
 150 bool cli_credentials_set_username_callback(struct cli_credentials *cred,
 151                                   const char *(*username_cb) (struct cli_credentials *))
 152 {
 153         if (cred->username_obtained < CRED_CALLBACK) {
 154                 cred->username_cb = username_cb;
 155                 cred->username_obtained = CRED_CALLBACK;
 156                 return true;
 157         }
 158
 159         return false;
 160 }
 161
 162 bool cli_credentials_set_bind_dn(struct cli_credentials *cred,
 163                                  const char *bind_dn)
 164 {
 165         cred->bind_dn = talloc_strdup(cred, bind_dn);
 166         return true;
 167 }
 168
 169 /**
 170  * Obtain the BIND DN for this credentials context.
 171  * @param cred credentials context
 172  * @retval The username set on this context.
 173  * @note Return value will be NULL if not specified explictly
 174  */
 175 const char *cli_credentials_get_bind_dn(struct cli_credentials *cred)
 176 {
 177         return cred->bind_dn;
 178 }
 179
 180
 181 /**
 182  * Obtain the client principal for this credentials context.
 183  * @param cred credentials context
 184  * @retval The username set on this context.
 185  * @note Return value will never be NULL except by programmer error.
 186  */
 187 const char *cli_credentials_get_principal(struct cli_credentials *cred, TALLOC_CTX *mem_ctx)
 188 {
 189         if (cred->machine_account_pending) {
 190                 cli_credentials_set_machine_account(cred);
 191         }
 192
 193         if (cred->principal_obtained == CRED_CALLBACK &&
 194             !cred->callback_running) {
 195                 cred->callback_running = true;
 196                 cred->principal = cred->principal_cb(cred);
 197                 cred->callback_running = false;
 198                 cred->principal_obtained = CRED_SPECIFIED;
 199                 cli_credentials_invalidate_ccache(cred, cred->principal_obtained);
 200         }
 201
 202         if (cred->principal_obtained < cred->username_obtained) {
 203                 if (cred->domain_obtained > cred->realm_obtained) {
 204                         return talloc_asprintf(mem_ctx, "%s@%s",
 205                                                cli_credentials_get_username(cred),
 206                                                cli_credentials_get_domain(cred));
 207                 } else {
 208                         return talloc_asprintf(mem_ctx, "%s@%s",
 209                                                cli_credentials_get_username(cred),
 210                                                cli_credentials_get_realm(cred));
 211                 }
 212         }
 213         return talloc_reference(mem_ctx, cred->principal);
 214 }
 215
 216 bool cli_credentials_set_principal(struct cli_credentials *cred,
 217                                    const char *val,
 218                                    enum credentials_obtained obtained)
 219 {
 220         if (obtained >= cred->principal_obtained) {
 221                 cred->principal = talloc_strdup(cred, val);
 222                 cred->principal_obtained = obtained;
 223                 cli_credentials_invalidate_ccache(cred, cred->principal_obtained);
 224                 return true;
 225         }
 226
 227         return false;
 228 }
 229
 230 /* Set a callback to get the principal.  This could be a popup dialog,
 231  * a terminal prompt or similar.  */
 232 bool cli_credentials_set_principal_callback(struct cli_credentials *cred,
 233                                   const char *(*principal_cb) (struct cli_credentials *))
 234 {
 235         if (cred->principal_obtained < CRED_CALLBACK) {
 236                 cred->principal_cb = principal_cb;
 237                 cred->principal_obtained = CRED_CALLBACK;
 238                 return true;
 239         }
 240
 241         return false;
 242 }
 243
 244 /* Some of our tools are 'anonymous by default'.  This is a single
 245  * function to determine if authentication has been explicitly
 246  * requested */
 247
 248 bool cli_credentials_authentication_requested(struct cli_credentials *cred)
 249 {
 250         if (cred->bind_dn) {
 251                 return true;
 252         }
 253
 254         if (cli_credentials_is_anonymous(cred)){
 255                 return false;
 256         }
 257
 258         if (cred->principal_obtained >= CRED_SPECIFIED) {
 259                 return true;
 260         }
 261         if (cred->username_obtained >= CRED_SPECIFIED) {
 262                 return true;
 263         }
 264
 265         if (cli_credentials_get_kerberos_state(cred) == CRED_MUST_USE_KERBEROS) {
 266                 return true;
 267         }
 268
 269         return false;
 270 }
 271
 272 /**
 273  * Obtain the password for this credentials context.
 274  * @param cred credentials context
 275  * @retval If set, the cleartext password, otherwise NULL
 276  */
 277 const char *cli_credentials_get_password(struct cli_credentials *cred)
 278 {
 279         if (cred->machine_account_pending) {
 280                 cli_credentials_set_machine_account(cred);
 281         }
 282
 283         if (cred->password_obtained == CRED_CALLBACK &&
 284             !cred->callback_running) {
 285                 cred->callback_running = true;
 286                 cred->password = cred->password_cb(cred);
 287                 cred->callback_running = false;
 288                 cred->password_obtained = CRED_CALLBACK_RESULT;
 289                 cli_credentials_invalidate_ccache(cred, cred->password_obtained);
 290         }
 291
 292         return cred->password;
 293 }
 294
 295 /* Set a password on the credentials context, including an indication
 296  * of 'how' the password was obtained */
 297
 298 bool cli_credentials_set_password(struct cli_credentials *cred,
 299                                   const char *val,
 300                                   enum credentials_obtained obtained)
 301 {
 302         if (obtained >= cred->password_obtained) {
 303                 cred->password = talloc_strdup(cred, val);
 304                 cred->password_obtained = obtained;
 305                 cli_credentials_invalidate_ccache(cred, cred->password_obtained);
 306
 307                 cred->nt_hash = NULL;
 308                 return true;
 309         }
 310
 311         return false;
 312 }
 313
 314 bool cli_credentials_set_password_callback(struct cli_credentials *cred,
 315                                            const char *(*password_cb) (struct cli_credentials *))
 316 {
 317         if (cred->password_obtained < CRED_CALLBACK) {
 318                 cred->password_cb = password_cb;
 319                 cred->password_obtained = CRED_CALLBACK;
 320                 cli_credentials_invalidate_ccache(cred, cred->password_obtained);
 321                 return true;
 322         }
 323
 324         return false;
 325 }
 326
 327 /**
 328  * Obtain the 'old' password for this credentials context (used for join accounts).
 329  * @param cred credentials context
 330  * @retval If set, the cleartext password, otherwise NULL
 331  */
 332 const char *cli_credentials_get_old_password(struct cli_credentials *cred)
 333 {
 334         if (cred->machine_account_pending) {
 335                 cli_credentials_set_machine_account(cred);
 336         }
 337
 338         return cred->old_password;
 339 }
 340
 341 bool cli_credentials_set_old_password(struct cli_credentials *cred,
 342                                       const char *val,
 343                                       enum credentials_obtained obtained)
 344 {
 345         cred->old_password = talloc_strdup(cred, val);
 346         return true;
 347 }
 348
 349 /**
 350  * Obtain the password, in the form MD4(unicode(password)) for this credentials context.
 351  *
 352  * Sometimes we only have this much of the password, while the rest of
 353  * the time this call avoids calling E_md4hash themselves.
 354  *
 355  * @param cred credentials context
 356  * @retval If set, the cleartext password, otherwise NULL
 357  */
 358 const struct samr_Password *cli_credentials_get_nt_hash(struct cli_credentials *cred,
 359                                                         TALLOC_CTX *mem_ctx)
 360 {
 361         const char *password = cli_credentials_get_password(cred);
 362
 363         if (password) {
 364                 struct samr_Password *nt_hash = talloc(mem_ctx, struct samr_Password);
 365                 if (!nt_hash) {
 366                         return NULL;
 367                 }
 368
 369                 E_md4hash(password, nt_hash->hash);
 370
 371                 return nt_hash;
 372         } else {
 373                 return cred->nt_hash;
 374         }
 375 }
 376
 377 bool cli_credentials_set_nt_hash(struct cli_credentials *cred,
 378                                  const struct samr_Password *nt_hash,
 379                                  enum credentials_obtained obtained)
 380 {
 381         if (obtained >= cred->password_obtained) {
 382                 cli_credentials_set_password(cred, NULL, obtained);
 383                 if (nt_hash) {
 384                         cred->nt_hash = talloc(cred, struct samr_Password);
 385                         *cred->nt_hash = *nt_hash;
 386                 } else {
 387                         cred->nt_hash = NULL;
 388                 }
 389                 return true;
 390         }
 391
 392         return false;
 393 }
 394
 395 /**
 396  * Obtain the 'short' or 'NetBIOS' domain for this credentials context.
 397  * @param cred credentials context
 398  * @retval The domain set on this context.
 399  * @note Return value will never be NULL except by programmer error.
 400  */
 401 const char *cli_credentials_get_domain(struct cli_credentials *cred)
 402 {
 403         if (cred->machine_account_pending) {
 404                 cli_credentials_set_machine_account(cred);
 405         }
 406
 407         if (cred->domain_obtained == CRED_CALLBACK &&
 408             !cred->callback_running) {
 409                 cred->callback_running = true;
 410                 cred->domain = cred->domain_cb(cred);
 411                 cred->callback_running = false;
 412                 cred->domain_obtained = CRED_SPECIFIED;
 413                 cli_credentials_invalidate_ccache(cred, cred->domain_obtained);
 414         }
 415
 416         return cred->domain;
 417 }
 418
 419
 420 bool cli_credentials_set_domain(struct cli_credentials *cred,
 421                                 const char *val,
 422                                 enum credentials_obtained obtained)
 423 {
 424         if (obtained >= cred->domain_obtained) {
 425                 /* it is important that the domain be in upper case,
 426                  * particularly for the sensitive NTLMv2
 427                  * calculations */
 428                 cred->domain = strupper_talloc(cred, val);
 429                 cred->domain_obtained = obtained;
 430                 cli_credentials_invalidate_ccache(cred, cred->domain_obtained);
 431                 return true;
 432         }
 433
 434         return false;
 435 }
 436
 437 bool cli_credentials_set_domain_callback(struct cli_credentials *cred,
 438                                          const char *(*domain_cb) (struct cli_credentials *))
 439 {
 440         if (cred->domain_obtained < CRED_CALLBACK) {
 441                 cred->domain_cb = domain_cb;
 442                 cred->domain_obtained = CRED_CALLBACK;
 443                 return true;
 444         }
 445
 446         return false;
 447 }
 448
 449 /**
 450  * Obtain the Kerberos realm for this credentials context.
 451  * @param cred credentials context
 452  * @retval The realm set on this context.
 453  * @note Return value will never be NULL except by programmer error.
 454  */
 455 const char *cli_credentials_get_realm(struct cli_credentials *cred)
 456 {
 457         if (cred->machine_account_pending) {
 458                 cli_credentials_set_machine_account(cred);
 459         }
 460
 461         if (cred->realm_obtained == CRED_CALLBACK &&
 462             !cred->callback_running) {
 463                 cred->callback_running = true;
 464                 cred->realm = cred->realm_cb(cred);
 465                 cred->callback_running = false;
 466                 cred->realm_obtained = CRED_SPECIFIED;
 467                 cli_credentials_invalidate_ccache(cred, cred->realm_obtained);
 468         }
 469
 470         return cred->realm;
 471 }
 472
 473 /**
 474  * Set the realm for this credentials context, and force it to
 475  * uppercase for the sainity of our local kerberos libraries
 476  */
 477 bool cli_credentials_set_realm(struct cli_credentials *cred,
 478                                const char *val,
 479                                enum credentials_obtained obtained)
 480 {
 481         if (obtained >= cred->realm_obtained) {
 482                 cred->realm = strupper_talloc(cred, val);
 483                 cred->realm_obtained = obtained;
 484                 cli_credentials_invalidate_ccache(cred, cred->realm_obtained);
 485                 return true;
 486         }
 487
 488         return false;
 489 }
 490
 491 bool cli_credentials_set_realm_callback(struct cli_credentials *cred,
 492                                         const char *(*realm_cb) (struct cli_credentials *))
 493 {
 494         if (cred->realm_obtained < CRED_CALLBACK) {
 495                 cred->realm_cb = realm_cb;
 496                 cred->realm_obtained = CRED_CALLBACK;
 497                 return true;
 498         }
 499
 500         return false;
 501 }
 502
 503 /**
 504  * Obtain the 'short' or 'NetBIOS' workstation name for this credentials context.
 505  *
 506  * @param cred credentials context
 507  * @retval The workstation name set on this context.
 508  * @note Return value will never be NULL except by programmer error.
 509  */
 510 const char *cli_credentials_get_workstation(struct cli_credentials *cred)
 511 {
 512         if (cred->workstation_obtained == CRED_CALLBACK &&
 513             !cred->callback_running) {
 514                 cred->callback_running = true;
 515                 cred->workstation = cred->workstation_cb(cred);
 516                 cred->callback_running = false;
 517                 cred->workstation_obtained = CRED_SPECIFIED;
 518         }
 519
 520         return cred->workstation;
 521 }
 522
 523 bool cli_credentials_set_workstation(struct cli_credentials *cred,
 524                                      const char *val,
 525                                      enum credentials_obtained obtained)
 526 {
 527         if (obtained >= cred->workstation_obtained) {
 528                 cred->workstation = talloc_strdup(cred, val);
 529                 cred->workstation_obtained = obtained;
 530                 return true;
 531         }
 532
 533         return false;
 534 }
 535
 536 bool cli_credentials_set_workstation_callback(struct cli_credentials *cred,
 537                                               const char *(*workstation_cb) (struct cli_credentials *))
 538 {
 539         if (cred->workstation_obtained < CRED_CALLBACK) {
 540                 cred->workstation_cb = workstation_cb;
 541                 cred->workstation_obtained = CRED_CALLBACK;
 542                 return true;
 543         }
 544
 545         return false;
 546 }
 547
 548 /**
 549  * Given a string, typically obtained from a -U argument, parse it into domain, username, realm and password fields
 550  *
 551  * The format accepted is [domain\\]user[%password] or user[@realm][%password]
 552  *
 553  * @param credentials Credentials structure on which to set the password
 554  * @param data the string containing the username, password etc
 555  * @param obtained This enum describes how 'specified' this password is
 556  */
 557
 558 void cli_credentials_parse_string(struct cli_credentials *credentials, const char *data, enum credentials_obtained obtained)
 559 {
 560         char *uname, *p;
 561
 562         if (strcmp("%",data) == 0) {
 563                 cli_credentials_set_anonymous(credentials);
 564                 return;
 565         }
 566
 567         uname = talloc_strdup(credentials, data);
 568         if ((p = strchr_m(uname,'%'))) {
 569                 *p = 0;
 570                 cli_credentials_set_password(credentials, p+1, obtained);
 571         }
 572
 573         if ((p = strchr_m(uname,'@'))) {
 574                 cli_credentials_set_principal(credentials, uname, obtained);
 575                 *p = 0;
 576                 cli_credentials_set_realm(credentials, p+1, obtained);
 577                 return;
 578         } else if ((p = strchr_m(uname,'\\')) || (p = strchr_m(uname, '/'))) {
 579                 *p = 0;
 580                 cli_credentials_set_domain(credentials, uname, obtained);
 581                 uname = p+1;
 582         }
 583         cli_credentials_set_username(credentials, uname, obtained);
 584 }
 585
 586 /**
 587  * Given a a credentials structure, print it as a string
 588  *
 589  * The format output is [domain\\]user[%password] or user[@realm][%password]
 590  *
 591  * @param credentials Credentials structure on which to set the password
 592  * @param mem_ctx The memory context to place the result on
 593  */
 594
 595 const char *cli_credentials_get_unparsed_name(struct cli_credentials *credentials, TALLOC_CTX *mem_ctx)
 596 {
 597         const char *bind_dn = cli_credentials_get_bind_dn(credentials);
 598         const char *domain;
 599         const char *username;
 600         const char *name;
 601
 602         if (bind_dn) {
 603                 name = talloc_reference(mem_ctx, bind_dn);
 604         } else {
 605                 cli_credentials_get_ntlm_username_domain(credentials, mem_ctx, &username, &domain);
 606                 if (domain && domain[0]) {
 607                         name = talloc_asprintf(mem_ctx, "%s\\%s",
 608                                                domain, username);
 609                 } else {
 610                         name = talloc_asprintf(mem_ctx, "%s",
 611                                                username);
 612                 }
 613         }
 614         return name;
 615 }
 616
 617 /**
 618  * Specifies default values for domain, workstation and realm
 619  * from the smb.conf configuration file
 620  *
 621  * @param cred Credentials structure to fill in
 622  */
 623 void cli_credentials_set_conf(struct cli_credentials *cred,
 624                               struct loadparm_context *lp_ctx)
 625 {
 626         cli_credentials_set_username(cred, "", CRED_UNINITIALISED);
 627         cli_credentials_set_domain(cred, lp_workgroup(lp_ctx), CRED_UNINITIALISED);
 628         cli_credentials_set_workstation(cred, lp_netbios_name(lp_ctx), CRED_UNINITIALISED);
 629         cli_credentials_set_realm(cred, lp_realm(lp_ctx), CRED_UNINITIALISED);
 630 }
 631
 632 /**
 633  * Guess defaults for credentials from environment variables,
 634  * and from the configuration file
 635  *
 636  * @param cred Credentials structure to fill in
 637  */
 638 void cli_credentials_guess(struct cli_credentials *cred)
 639 {
 640         char *p;
 641
 642         cli_credentials_set_conf(cred, global_loadparm);
 643
 644         if (getenv("LOGNAME")) {
 645                 cli_credentials_set_username(cred, getenv("LOGNAME"), CRED_GUESS_ENV);
 646         }
 647
 648         if (getenv("USER")) {
 649                 cli_credentials_parse_string(cred, getenv("USER"), CRED_GUESS_ENV);
 650                 if ((p = strchr_m(getenv("USER"),'%'))) {
 651                         memset(p,0,strlen(cred->password));
 652                 }
 653         }
 654
 655         if (getenv("PASSWD")) {
 656                 cli_credentials_set_password(cred, getenv("PASSWD"), CRED_GUESS_ENV);
 657         }
 658
 659         if (getenv("PASSWD_FD")) {
 660                 cli_credentials_parse_password_fd(cred, atoi(getenv("PASSWD_FD")),
 661                                                   CRED_GUESS_FILE);
 662         }
 663
 664         p = getenv("PASSWD_FILE");
 665         if (p && p[0]) {
 666                 cli_credentials_parse_password_file(cred, p, CRED_GUESS_FILE);
 667         }
 668
 669         if (cli_credentials_get_kerberos_state(cred) != CRED_DONT_USE_KERBEROS) {
 670                 cli_credentials_set_ccache(cred, NULL, CRED_GUESS_FILE);
 671         }
 672 }
 673
 674 /**
 675  * Attach NETLOGON credentials for use with SCHANNEL
 676  */
 677
 678 void cli_credentials_set_netlogon_creds(struct cli_credentials *cred,
 679                                         struct creds_CredentialState *netlogon_creds)
 680 {
 681         cred->netlogon_creds = talloc_reference(cred, netlogon_creds);
 682 }
 683
 684 /**
 685  * Return attached NETLOGON credentials
 686  */
 687
 688 struct creds_CredentialState *cli_credentials_get_netlogon_creds(struct cli_credentials *cred)
 689 {
 690         return cred->netlogon_creds;
 691 }
 692
 693 /**
 694  * Set NETLOGON secure channel type
 695  */
 696
 697 void cli_credentials_set_secure_channel_type(struct cli_credentials *cred,
 698                                              enum netr_SchannelType secure_channel_type)
 699 {
 700         cred->secure_channel_type = secure_channel_type;
 701 }
 702
 703 /**
 704  * Return NETLOGON secure chanel type
 705  */
 706
 707 enum netr_SchannelType cli_credentials_get_secure_channel_type(struct cli_credentials *cred)
 708 {
 709         return cred->secure_channel_type;
 710 }
 711
 712 /**
 713  * Fill in a credentials structure as the anonymous user
 714  */
 715 void cli_credentials_set_anonymous(struct cli_credentials *cred)
 716 {
 717         cli_credentials_set_username(cred, "", CRED_SPECIFIED);
 718         cli_credentials_set_domain(cred, "", CRED_SPECIFIED);
 719         cli_credentials_set_password(cred, NULL, CRED_SPECIFIED);
 720 }
 721
 722 /**
 723  * Describe a credentials context as anonymous or authenticated
 724  * @retval true if anonymous, false if a username is specified
 725  */
 726
 727 bool cli_credentials_is_anonymous(struct cli_credentials *cred)
 728 {
 729         const char *username;
 730
 731         if (cred->machine_account_pending) {
 732                 cli_credentials_set_machine_account(cred);
 733         }
 734
 735         username = cli_credentials_get_username(cred);
 736
 737         /* Yes, it is deliberate that we die if we have a NULL pointer
 738          * here - anonymous is "", not NULL, which is 'never specified,
 739          * never guessed', ie programmer bug */
 740         if (!username[0]) {
 741                 return true;
 742         }
 743
 744         return false;
 745 }
 746
 747 /**
 748  * Mark the current password for a credentials struct as wrong. This will
 749  * cause the password to be prompted again (if a callback is set).
 750  *
 751  * This will decrement the number of times the password can be tried.
 752  *
 753  * @retval whether the credentials struct is finished
 754  */
 755 bool cli_credentials_wrong_password(struct cli_credentials *cred)
 756 {
 757         if (cred->password_obtained != CRED_CALLBACK_RESULT) {
 758                 return false;
 759         }
 760
 761         cred->password_obtained = CRED_CALLBACK;
 762
 763         cred->tries--;
 764
 765         return (cred->tries > 0);
 766 }
 767
 768 /*
 769   set the common event context for this set of credentials
 770  */
 771 void cli_credentials_set_event_context(struct cli_credentials *cred, struct event_context *ev)
 772 {
 773         cred->ev = ev;
 774 }
 775
 776 /*
 777   set the common event context for this set of credentials
 778  */
 779 struct event_context *cli_credentials_get_event_context(struct cli_credentials *cred)
 780 {
 781         if (cred->ev == NULL) {
 782                 cred->ev = event_context_find(cred);
 783         }
 784         return cred->ev;
 785 }