Kerberos CCACHE into the system.
This again allows the use of the system ccache when no username is
specified, and brings more code in common between gensec_krb5 and
gensec_gssapi.
It also has a side-effect that may (or may not) be expected: If there
is a ccache, even if it is not used (perhaps the remote server didn't
want kerberos), it will change the default username.
Andrew Bartlett
{
struct gensec_gssapi_state *gensec_gssapi_state;
struct cli_credentials *creds = gensec_get_credentials(gensec_security);
+ struct ccache_container *ccache;
+ krb5_error_code ret;
NTSTATUS nt_status;
gss_buffer_desc name_token;
OM_uint32 maj_stat, min_stat;
return NT_STATUS_INVALID_PARAMETER;
}
+ ret = cli_credentials_get_ccache(creds,
+ &ccache);
+ if (ret) {
+ DEBUG(1, ("Failed to get CCACHE for gensec_gssapi: %s\n", error_message(ret)));
+ return NT_STATUS_UNSUCCESSFUL;
+ }
+
name_token.value = cli_credentials_get_principal(creds,
gensec_gssapi_state);
name_token.length = strlen(name_token.value);
return NT_STATUS_UNSUCCESSFUL;
}
- nt_status = kinit_to_ccache(gensec_gssapi_state,
- creds,
- gensec_gssapi_state->smb_krb5_context,
- &gensec_gssapi_state->ccache, &gensec_gssapi_state->ccache_name);
- if (!NT_STATUS_IS_OK(nt_status)) {
- return nt_status;
- }
-
maj_stat = gsskrb5_acquire_cred(&min_stat,
- NULL, gensec_gssapi_state->ccache,
+ NULL, ccache->ccache,
gensec_gssapi_state->client_name,
GSS_C_INDEFINITE,
GSS_C_NULL_OID_SET,
enum GENSEC_KRB5_STATE state_position;
struct smb_krb5_context *smb_krb5_context;
krb5_auth_context auth_context;
- krb5_ccache ccache;
krb5_data ticket;
krb5_keyblock *keyblock;
char *peer_principal;
static NTSTATUS gensec_krb5_start(struct gensec_security *gensec_security)
{
struct gensec_krb5_state *gensec_krb5_state;
- krb5_error_code ret = 0;
gensec_krb5_state = talloc(gensec_security, struct gensec_krb5_state);
if (!gensec_krb5_state) {
gensec_security->private_data = gensec_krb5_state;
gensec_krb5_state->auth_context = NULL;
- gensec_krb5_state->ccache = NULL;
ZERO_STRUCT(gensec_krb5_state->ticket);
ZERO_STRUCT(gensec_krb5_state->keyblock);
gensec_krb5_state->session_key = data_blob(NULL, 0);
talloc_set_destructor(gensec_krb5_state, gensec_krb5_destory);
- ret = smb_krb5_init_context(gensec_krb5_state,
- &gensec_krb5_state->smb_krb5_context);
- if (ret) {
- DEBUG(1,("gensec_krb5_start: krb5_init_context failed (%s)\n",
- error_message(ret)));
- return NT_STATUS_INTERNAL_ERROR;
- }
-
- ret = krb5_auth_con_init(gensec_krb5_state->smb_krb5_context->krb5_context, &gensec_krb5_state->auth_context);
- if (ret) {
- DEBUG(1,("gensec_krb5_start: krb5_auth_con_init failed (%s)\n",
- smb_get_krb5_error_message(gensec_krb5_state->smb_krb5_context->krb5_context,
- ret, gensec_krb5_state)));
- return NT_STATUS_INTERNAL_ERROR;
- }
-
return NT_STATUS_OK;
}
static NTSTATUS gensec_krb5_server_start(struct gensec_security *gensec_security)
{
NTSTATUS nt_status;
+ krb5_error_code ret = 0;
struct gensec_krb5_state *gensec_krb5_state;
nt_status = gensec_krb5_start(gensec_security);
if (!NT_STATUS_IS_OK(nt_status)) {
return nt_status;
}
+
+ gensec_krb5_state = gensec_security->private_data;
+
+ ret = smb_krb5_init_context(gensec_krb5_state,
+ &gensec_krb5_state->smb_krb5_context);
+ if (ret) {
+ DEBUG(1,("gensec_krb5_start: krb5_init_context failed (%s)\n",
+ error_message(ret)));
+ return NT_STATUS_INTERNAL_ERROR;
+ }
gensec_krb5_state = gensec_security->private_data;
gensec_krb5_state->state_position = GENSEC_KRB5_SERVER_START;
struct gensec_krb5_state *gensec_krb5_state;
krb5_error_code ret;
NTSTATUS nt_status;
- const char *ccache_name;
+ struct ccache_container *ccache_container;
const char *hostname = gensec_get_target_hostname(gensec_security);
if (!hostname) {
gensec_krb5_state = gensec_security->private_data;
gensec_krb5_state->state_position = GENSEC_KRB5_CLIENT_START;
- /* TODO: This is effecivly a static/global variable...
-
- TODO: If the user set a username, we should use an in-memory CCACHE (see below)
- */
- ret = krb5_cc_default(gensec_krb5_state->smb_krb5_context->krb5_context, &gensec_krb5_state->ccache);
+ ret = cli_credentials_get_ccache(gensec_security->credentials, &ccache_container);
if (ret) {
- DEBUG(1,("krb5_cc_default failed (%s)\n",
- smb_get_krb5_error_message(gensec_krb5_state->smb_krb5_context->krb5_context, ret, gensec_krb5_state)));
- return NT_STATUS_INTERNAL_ERROR;
+ DEBUG(1,("gensec_krb5_start: cli_credentials_get_ccache failed: %s\n",
+ error_message(ret)));
+ return NT_STATUS_UNSUCCESSFUL;
}
-
- while (1) {
- {
- krb5_data in_data;
- in_data.length = 0;
-
- ret = krb5_mk_req(gensec_krb5_state->smb_krb5_context->krb5_context,
- &gensec_krb5_state->auth_context,
- AP_OPTS_USE_SUBKEY | AP_OPTS_MUTUAL_REQUIRED,
- gensec_get_target_service(gensec_security),
- hostname,
- &in_data, gensec_krb5_state->ccache,
- &gensec_krb5_state->ticket);
-
- }
- switch (ret) {
- case 0:
- return NT_STATUS_OK;
- case KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN:
- DEBUG(3, ("Server [%s] is not registered with our KDC: %s\n",
- hostname, smb_get_krb5_error_message(gensec_krb5_state->smb_krb5_context->krb5_context, ret, gensec_krb5_state)));
- return NT_STATUS_ACCESS_DENIED;
- case KRB5KDC_ERR_PREAUTH_FAILED:
- case KRB5KRB_AP_ERR_TKT_EXPIRED:
- case KRB5_CC_END:
- /* Too much clock skew - we will need to kinit to re-skew the clock */
- case KRB5KRB_AP_ERR_SKEW:
- case KRB5_KDCREP_SKEW:
- {
- DEBUG(3, ("kerberos (mk_req) failed: %s\n",
- smb_get_krb5_error_message(gensec_krb5_state->smb_krb5_context->krb5_context, ret, gensec_krb5_state)));
- /* fall down to remaining code */
- }
+ gensec_krb5_state->smb_krb5_context = talloc_reference(gensec_krb5_state, ccache_container->smb_krb5_context);
- /* just don't print a message for these really ordinary messages */
- case KRB5_FCC_NOFILE:
- case KRB5_CC_NOTFOUND:
- case ENOENT:
-
- nt_status = kinit_to_ccache(gensec_krb5_state,
- gensec_security->credentials,
- gensec_krb5_state->smb_krb5_context,
- &gensec_krb5_state->ccache,
- &ccache_name);
+ ret = krb5_auth_con_init(gensec_krb5_state->smb_krb5_context->krb5_context, &gensec_krb5_state->auth_context);
+ if (ret) {
+ DEBUG(1,("gensec_krb5_start: krb5_auth_con_init failed (%s)\n",
+ smb_get_krb5_error_message(gensec_krb5_state->smb_krb5_context->krb5_context,
+ ret, gensec_krb5_state)));
+ return NT_STATUS_INTERNAL_ERROR;
+ }
+
+ if (!ret) {
+ krb5_data in_data;
+ in_data.length = 0;
- if (!NT_STATUS_IS_OK(nt_status)) {
- return nt_status;
- }
+ ret = krb5_mk_req(gensec_krb5_state->smb_krb5_context->krb5_context,
+ &gensec_krb5_state->auth_context,
+ AP_OPTS_USE_SUBKEY | AP_OPTS_MUTUAL_REQUIRED,
+ gensec_get_target_service(gensec_security),
+ hostname,
+ &in_data, ccache_container->ccache,
+ &gensec_krb5_state->ticket);
+
+ }
+ switch (ret) {
+ case 0:
+ return NT_STATUS_OK;
+ case KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN:
+ DEBUG(3, ("Server [%s] is not registered with our KDC: %s\n",
+ hostname, smb_get_krb5_error_message(gensec_krb5_state->smb_krb5_context->krb5_context, ret, gensec_krb5_state)));
+ return NT_STATUS_ACCESS_DENIED;
+ case KRB5KDC_ERR_PREAUTH_FAILED:
+ case KRB5KRB_AP_ERR_TKT_EXPIRED:
+ case KRB5_CC_END:
+ /* Too much clock skew - we will need to kinit to re-skew the clock */
+ case KRB5KRB_AP_ERR_SKEW:
+ case KRB5_KDCREP_SKEW:
+ {
+ DEBUG(3, ("kerberos (mk_req) failed: %s\n",
+ smb_get_krb5_error_message(gensec_krb5_state->smb_krb5_context->krb5_context, ret, gensec_krb5_state)));
+ /* fall down to remaining code */
+ }
+
+
+ /* just don't print a message for these really ordinary messages */
+ case KRB5_FCC_NOFILE:
+ case KRB5_CC_NOTFOUND:
+ case ENOENT:
+
+ return NT_STATUS_UNSUCCESSFUL;
break;
-
- default:
- DEBUG(0, ("kerberos: %s\n",
- smb_get_krb5_error_message(gensec_krb5_state->smb_krb5_context->krb5_context, ret, gensec_krb5_state)));
- return NT_STATUS_UNSUCCESSFUL;
- }
+
+ default:
+ DEBUG(0, ("kerberos: %s\n",
+ smb_get_krb5_error_message(gensec_krb5_state->smb_krb5_context->krb5_context, ret, gensec_krb5_state)));
+ return NT_STATUS_UNSUCCESSFUL;
}
}
#endif
};
+struct ccache_container {
+ struct smb_krb5_context *smb_krb5_context;
+ krb5_ccache ccache;
+};
/* not really ASN.1, but RFC 1964 */
#define TOK_ID_KRB_AP_REQ "\x01\x00"
void kerberos_free_data_contents(krb5_context context, krb5_data *pdata);
krb5_error_code smb_krb5_kt_free_entry(krb5_context context, krb5_keytab_entry *kt_entry);
char *smb_get_krb5_error_message(krb5_context context, krb5_error_code code, TALLOC_CTX *mem_ctx);
-NTSTATUS kinit_to_ccache(TALLOC_CTX *parent_ctx,
+ krb5_error_code kinit_to_ccache(TALLOC_CTX *parent_ctx,
struct cli_credentials *credentials,
struct smb_krb5_context *smb_krb5_context,
- krb5_ccache *ccache,
- const char **ccache_name);
+ krb5_ccache ccache);
krb5_error_code smb_krb5_init_context(TALLOC_CTX *parent_ctx,
struct smb_krb5_context **smb_krb5_context);
krb5_error_code salt_principal_from_credentials(TALLOC_CTX *parent_ctx,
krb5_principal principal;
};
-struct ccache_container {
- struct smb_krb5_context *smb_krb5_context;
- krb5_ccache ccache;
-};
-
struct keytab_container {
struct smb_krb5_context *smb_krb5_context;
krb5_keytab keytab;
return ENOMEM;
}
- machine_username = talloc_strdup(mem_ctx, cli_credentials_get_username(machine_account));
+ machine_username = talloc_strdup(mem_ctx, cli_credentials_get_username(machine_account, mem_ctx));
if (!machine_username) {
talloc_free(mem_ctx);
return ret;
}
-static int free_ccache(void *ptr) {
- struct ccache_container *ccc = ptr;
- /* current heimdal - 0.6.3, which we need anyway, fixes segfaults here */
- krb5_cc_close(ccc->smb_krb5_context->krb5_context, ccc->ccache);
-
- return 0;
-}
-
/**
* Return a freshly allocated ccache (destroyed by destructor on child
* of parent_ctx), for a given set of client credentials
*/
- NTSTATUS kinit_to_ccache(TALLOC_CTX *parent_ctx,
+ krb5_error_code kinit_to_ccache(TALLOC_CTX *parent_ctx,
struct cli_credentials *credentials,
struct smb_krb5_context *smb_krb5_context,
- krb5_ccache *ccache,
- const char **ccache_name)
+ krb5_ccache ccache)
{
krb5_error_code ret;
const char *password;
- char *ccache_string;
time_t kdc_time = 0;
- struct ccache_container *mem_ctx = talloc(parent_ctx, struct ccache_container);
+
+ TALLOC_CTX *mem_ctx = talloc_new(parent_ctx);
if (!mem_ctx) {
- return NT_STATUS_NO_MEMORY;
+ return ENOMEM;
}
password = cli_credentials_get_password(credentials);
- /* this string should be unique */
- ccache_string = talloc_asprintf(mem_ctx, "MEMORY:%s_%s",
- cli_credentials_get_principal(credentials, mem_ctx),
- generate_random_str(mem_ctx, 16));
-
- ret = krb5_cc_resolve(smb_krb5_context->krb5_context, ccache_string, ccache);
- if (ret) {
- DEBUG(1,("failed to generate a new krb5 ccache (%s): %s\n",
- ccache_string,
- error_message(ret)));
- talloc_free(mem_ctx);
- return NT_STATUS_INTERNAL_ERROR;
- }
-
- mem_ctx->smb_krb5_context = talloc_reference(mem_ctx, smb_krb5_context);
- mem_ctx->ccache = *ccache;
-
- talloc_set_destructor(mem_ctx, free_ccache);
-
if (password) {
- ret = kerberos_kinit_password_cc(smb_krb5_context->krb5_context, *ccache,
+ ret = kerberos_kinit_password_cc(smb_krb5_context->krb5_context, ccache,
cli_credentials_get_principal(credentials, mem_ctx),
password, NULL, &kdc_time);
} else {
if (!mach_pwd) {
talloc_free(mem_ctx);
DEBUG(1, ("kinit_to_ccache: No password available for kinit\n"));
- return NT_STATUS_WRONG_PASSWORD;
+ return EINVAL;
}
ret = krb5_keyblock_init(smb_krb5_context->krb5_context,
ENCTYPE_ARCFOUR_HMAC,
&keyblock);
if (ret == 0) {
- ret = kerberos_kinit_keyblock_cc(smb_krb5_context->krb5_context, *ccache,
+ ret = kerberos_kinit_keyblock_cc(smb_krb5_context->krb5_context, ccache,
cli_credentials_get_principal(credentials, mem_ctx),
&keyblock, NULL, &kdc_time);
krb5_free_keyblock_contents(smb_krb5_context->krb5_context, &keyblock);
smb_get_krb5_error_message(smb_krb5_context->krb5_context,
ret, mem_ctx)));
talloc_free(mem_ctx);
- return NT_STATUS_TIME_DIFFERENCE_AT_DC;
+ return ret;
}
if (ret) {
DEBUG(1,("kinit for %s failed (%s)\n",
smb_get_krb5_error_message(smb_krb5_context->krb5_context,
ret, mem_ctx)));
talloc_free(mem_ctx);
- return NT_STATUS_WRONG_PASSWORD;
+ return ret;
}
- *ccache_name = ccache_string;
-
- return NT_STATUS_OK;
+ return 0;
}
static int free_keytab(void *ptr) {
return NT_STATUS_INVALID_PARAMETER;
}
- /* Correctly handle username in the original form of user@REALM, which is valid */
- if (gensec_security->credentials->realm_obtained
- > gensec_security->credentials->domain_obtained) {
- user = talloc_asprintf(out_mem_ctx, "%s@%s",
- cli_credentials_get_username(gensec_security->credentials),
- cli_credentials_get_realm(gensec_security->credentials));
- domain = NULL;
- } else {
- user = cli_credentials_get_username(gensec_security->credentials);
- domain = cli_credentials_get_domain(gensec_security->credentials);
- }
+ user = cli_credentials_get_username(gensec_security->credentials, out_mem_ctx);
+ domain = cli_credentials_get_domain(gensec_security->credentials);
nt_hash = cli_credentials_get_nt_hash(gensec_security->credentials, out_mem_ctx);
- password = cli_credentials_get_password(gensec_security->credentials);
if (!nt_hash) {
static const uint8_t zeros[16];
}
/* lanman auth is insecure, it may be disabled. We may also not have a password */
- if (lp_client_lanman_auth() && password) {
- lm_response = data_blob_talloc(gensec_ntlmssp_state, NULL, 24);
- if (!SMBencrypt(password,challenge_blob.data,
- lm_response.data)) {
- /* If the LM password was too long (and therefore the LM hash being
- of the first 14 chars only), don't send it */
- data_blob_free(&lm_response);
-
- /* LM Key is incompatible with 'long' passwords */
- gensec_ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_LM_KEY;
+ if (lp_client_lanman_auth()) {
+ password = cli_credentials_get_password(gensec_security->credentials);
+ if (!password) {
+ lm_response = nt_response;
} else {
- E_deshash(password, lm_hash);
- lm_session_key = data_blob_talloc(gensec_ntlmssp_state, NULL, 16);
- memcpy(lm_session_key.data, lm_hash, 8);
- memset(&lm_session_key.data[8], '\0', 8);
-
- if (!gensec_ntlmssp_state->use_nt_response) {
+ lm_response = data_blob_talloc(gensec_ntlmssp_state, NULL, 24);
+ if (!SMBencrypt(password,challenge_blob.data,
+ lm_response.data)) {
+ /* If the LM password was too long (and therefore the LM hash being
+ of the first 14 chars only), don't send it */
+ data_blob_free(&lm_response);
+
+ /* LM Key is incompatible with 'long' passwords */
+ gensec_ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_LM_KEY;
+ } else {
+ E_deshash(password, lm_hash);
+ lm_session_key = data_blob_talloc(gensec_ntlmssp_state, NULL, 16);
+ memcpy(lm_session_key.data, lm_hash, 8);
+ memset(&lm_session_key.data[8], '\0', 8);
+
+ if (!gensec_ntlmssp_state->use_nt_response) {
session_key = lm_session_key;
+ }
}
}
} else {
gensec_ntlmssp_state->expected_state = NTLMSSP_DONE;
- if (gensec_security->want_features & GENSEC_FEATURE_SIGN|GENSEC_FEATURE_SEAL) {
+ if (gensec_security->want_features & (GENSEC_FEATURE_SIGN|GENSEC_FEATURE_SEAL)) {
nt_status = ntlmssp_sign_init(gensec_ntlmssp_state);
if (!NT_STATUS_IS_OK(nt_status)) {
DEBUG(1, ("Could not setup NTLMSSP signing/sealing system (error was: %s)\n",
}
}
- return nt_status;
+ return NT_STATUS_OK;
}
NTSTATUS gensec_ntlmssp_client_start(struct gensec_security *gensec_security)
int total_len = 0;
int grp_id;
- if (!smbcli_message_start(cli->tree, desthost, cli_credentials_get_username(cmdline_credentials), &grp_id)) {
+ if (!smbcli_message_start(cli->tree, desthost, cli_credentials_get_username(cmdline_credentials, cmdline_credentials), &grp_id)) {
d_printf("message start: %s\n", smbcli_errstr(cli->tree));
return;
}
/* In order of priority */
enum credentials_obtained {
CRED_UNINITIALISED = 0, /* We don't even have a guess yet */
- CRED_GUESSED, /* Current value should be used, which was guessed */
+ CRED_GUESS_ENV, /* Current value should be used, which was guessed */
CRED_CALLBACK, /* Callback should be used to obtain value */
+ CRED_GUESS_FILE, /* A guess from a file (or file pointed at in env variable) */
CRED_SPECIFIED /* Was explicitly specified on the command-line */
};
enum credentials_obtained password_obtained;
enum credentials_obtained domain_obtained;
enum credentials_obtained realm_obtained;
+ enum credentials_obtained ccache_obtained;
+ enum credentials_obtained principal_obtained;
const char *workstation;
const char *username;
const char *password;
const char *domain;
const char *realm;
+ const char *principal;
struct samr_Password *nt_hash;
+ struct ccache_container *ccache;
+
const char *(*workstation_cb) (struct cli_credentials *);
const char *(*password_cb) (struct cli_credentials *);
const char *(*username_cb) (struct cli_credentials *);
const char *(*domain_cb) (struct cli_credentials *);
const char *(*realm_cb) (struct cli_credentials *);
+ const char *(*principal_cb) (struct cli_credentials *);
/* Private handle for the callback routines to use */
void *priv_data;
BOOL machine_account_pending;
};
-
extern int errno;
#endif
+
#include "lib/replace/replace.h"
/* Lists, trees, caching, database... */
{
char *prompt;
char *ret;
-
- prompt = talloc_asprintf(NULL, "Password for [%s\\%s]:",
- cli_credentials_get_domain(credentials),
- cli_credentials_get_username(credentials));
+ char *domain;
+ char *username;
+ TALLOC_CTX *mem_ctx = talloc_new(NULL);
+
+ domain = cli_credentials_get_domain(credentials);
+ username = cli_credentials_get_username(credentials, mem_ctx);
+ if (domain && domain[0]) {
+ prompt = talloc_asprintf(mem_ctx, "Password for [%s\\%s]:",
+ domain, username);
+ } else {
+ prompt = talloc_asprintf(mem_ctx, "Password for [%s]:",
+ username);
+ }
ret = getpass(prompt);
- talloc_free(prompt);
+ talloc_free(mem_ctx);
return ret;
}
char *lp;
cli_credentials_parse_string(cmdline_credentials, arg, CRED_SPECIFIED);
-
- if (cmdline_credentials->password && (lp=strchr_m(arg,'%'))) {
- memset(lp,0,strlen(cmdline_credentials->password));
+ /* This breaks the abstraction, including the const above */
+ if (lp=strchr_m(arg,'%')) {
+ lp[0]='\0';
+ lp++;
+ memset(lp,0,strlen(lp));
}
}
break;
#include "include/secrets.h"
#include "lib/ldb/include/ldb.h"
#include "librpc/gen_ndr/ndr_samr.h" /* for struct samrPassword */
+#include "system/kerberos.h"
+#include "auth/kerberos/kerberos.h"
+
/**
* Create a new credentials structure
cred->password_obtained = CRED_UNINITIALISED;
cred->domain_obtained = CRED_UNINITIALISED;
cred->realm_obtained = CRED_UNINITIALISED;
+ cred->ccache_obtained = CRED_UNINITIALISED;
+ cred->principal_obtained = CRED_UNINITIALISED;
return cred;
}
* @retval The username set on this context.
* @note Return value will never be NULL except by programmer error.
*/
-const char *cli_credentials_get_username(struct cli_credentials *cred)
+const char *cli_credentials_get_username(struct cli_credentials *cred, TALLOC_CTX *mem_ctx)
{
if (cred->machine_account_pending) {
cli_credentials_set_machine_account(cred);
}
+ /* If we have a principal set on this, we want to login with "" domain and user@realm */
+ if (cred->username_obtained < cred->principal_obtained) {
+ return cli_credentials_get_principal(cred, mem_ctx);
+ }
+
if (cred->username_obtained == CRED_CALLBACK) {
cred->username = cred->username_cb(cred);
cred->username_obtained = CRED_SPECIFIED;
}
- return cred->username;
+ return talloc_reference(mem_ctx, cred->username);
}
BOOL cli_credentials_set_username(struct cli_credentials *cred, const char *val, enum credentials_obtained obtained)
return False;
}
+/**
+ * Obtain the client principal for this credentials context.
+ * @param cred credentials context
+ * @retval The username set on this context.
+ * @note Return value will never be NULL except by programmer error.
+ */
+const char *cli_credentials_get_principal(struct cli_credentials *cred, TALLOC_CTX *mem_ctx)
+{
+ if (cred->machine_account_pending) {
+ cli_credentials_set_machine_account(cred);
+ }
+
+ if (cred->principal_obtained == CRED_CALLBACK) {
+ cred->principal = cred->principal_cb(cred);
+ cred->principal_obtained = CRED_SPECIFIED;
+ }
+
+ if (cred->principal_obtained < cred->username_obtained) {
+ return talloc_asprintf(mem_ctx, "%s@%s",
+ cli_credentials_get_username(cred, mem_ctx),
+ cli_credentials_get_realm(cred));
+ }
+ return talloc_reference(mem_ctx, cred->principal);
+}
+
+BOOL cli_credentials_set_principal(struct cli_credentials *cred, const char *val, enum credentials_obtained obtained)
+{
+ if (obtained >= cred->principal_obtained) {
+ cred->principal = talloc_strdup(cred, val);
+ cred->principal_obtained = obtained;
+ return True;
+ }
+
+ return False;
+}
+
+BOOL cli_credentials_authentication_requested(struct cli_credentials *cred)
+{
+ if (cred->principal_obtained == CRED_SPECIFIED) {
+ return True;
+ }
+ if (cred->username_obtained >= CRED_SPECIFIED) {
+ return True;
+ }
+ return False;
+}
+
/**
* Obtain the password for this credentials context.
* @param cred credentials context
return False;
}
+int cli_credentials_set_from_ccache(struct cli_credentials *cred,
+ enum credentials_obtained obtained)
+{
+
+ krb5_principal princ;
+ krb5_error_code ret;
+ char *name;
+ char **realm;
+
+ ret = krb5_cc_get_principal(cred->ccache->smb_krb5_context->krb5_context,
+ cred->ccache->ccache, &princ);
+
+ if (ret) {
+ char *err_mess = smb_get_krb5_error_message(cred->ccache->smb_krb5_context->krb5_context, ret, cred);
+ DEBUG(1,("failed to get principal from ccache: %s\n",
+ err_mess));
+ talloc_free(err_mess);
+ return ret;
+ }
+
+ ret = krb5_unparse_name(cred->ccache->smb_krb5_context->krb5_context, princ, &name);
+ if (ret) {
+ char *err_mess = smb_get_krb5_error_message(cred->ccache->smb_krb5_context->krb5_context, ret, cred);
+ DEBUG(1,("failed to unparse principal from ccache: %s\n",
+ err_mess));
+ talloc_free(err_mess);
+ return ret;
+ }
+
+ realm = krb5_princ_realm(cred->ccache->smb_krb5_context->krb5_context, princ);
+
+ cli_credentials_set_realm(cred, *realm, obtained);
+ cli_credentials_set_principal(cred, name, obtained);
+
+ free(name);
+
+ krb5_free_principal(cred->ccache->smb_krb5_context->krb5_context, princ);
+
+ cred->ccache_obtained = obtained;
+
+ return 0;
+}
+
+
+static int free_mccache(void *ptr) {
+ struct ccache_container *ccc = ptr;
+ krb5_cc_destroy(ccc->smb_krb5_context->krb5_context, ccc->ccache);
+
+ return 0;
+}
+
+static int free_dccache(void *ptr) {
+ struct ccache_container *ccc = ptr;
+ krb5_cc_close(ccc->smb_krb5_context->krb5_context, ccc->ccache);
+
+ return 0;
+}
+
+static int cli_credentials_set_ccache(struct cli_credentials *cred,
+ const char *name,
+ enum credentials_obtained obtained)
+{
+ krb5_error_code ret;
+ krb5_principal princ;
+ struct ccache_container *ccc = talloc(cred, struct ccache_container);
+ if (!ccc) {
+ return ENOMEM;
+ }
+
+ ret = smb_krb5_init_context(ccc, &ccc->smb_krb5_context);
+ if (ret) {
+ talloc_free(ccc);
+ return ret;
+ }
+ if (name) {
+ ret = krb5_cc_resolve(ccc->smb_krb5_context->krb5_context, name, &ccc->ccache);
+ if (ret) {
+ DEBUG(1,("failed to read krb5 ccache: %s: %s\n",
+ name,
+ smb_get_krb5_error_message(ccc->smb_krb5_context->krb5_context, ret, ccc)));
+ talloc_free(ccc);
+ return ret;
+ }
+ } else {
+ ret = krb5_cc_default(ccc->smb_krb5_context->krb5_context, &ccc->ccache);
+ if (ret) {
+ DEBUG(1,("failed to read default krb5 ccache: %s\n",
+ smb_get_krb5_error_message(ccc->smb_krb5_context->krb5_context, ret, ccc)));
+ talloc_free(ccc);
+ return ret;
+ }
+ }
+
+ talloc_set_destructor(ccc, free_dccache);
+
+ ret = krb5_cc_get_principal(ccc->smb_krb5_context->krb5_context, ccc->ccache, &princ);
+
+ if (ret) {
+ DEBUG(1,("failed to get principal from default ccache: %s\n",
+ smb_get_krb5_error_message(ccc->smb_krb5_context->krb5_context, ret, ccc)));
+ talloc_free(ccc);
+ return ret;
+ }
+
+ krb5_free_principal(ccc->smb_krb5_context->krb5_context, princ);
+
+ cred->ccache = ccc;
+ talloc_steal(cred, ccc);
+
+ ret = cli_credentials_set_from_ccache(cred, obtained);
+
+ if (ret) {
+ return ret;
+ }
+
+ return 0;
+}
+
+
+int cli_credentials_new_ccache(struct cli_credentials *cred)
+{
+ krb5_error_code ret;
+ char *rand_string;
+ struct ccache_container *ccc = talloc(cred, struct ccache_container);
+ char *ccache_name;
+ if (!ccc) {
+ return ENOMEM;
+ }
+
+ rand_string = generate_random_str(NULL, 16);
+ if (!rand_string) {
+ talloc_free(ccc);
+ return ENOMEM;
+ }
+
+ ccache_name = talloc_asprintf(ccc, "MEMORY:%s",
+ rand_string);
+ talloc_free(rand_string);
+
+ if (!ccache_name) {
+ talloc_free(ccc);
+ return ENOMEM;
+ }
+
+ ret = smb_krb5_init_context(ccc, &ccc->smb_krb5_context);
+ if (ret) {
+ talloc_free(ccache_name);
+ talloc_free(ccc);
+ return ret;
+ }
+
+ ret = krb5_cc_resolve(ccc->smb_krb5_context->krb5_context, ccache_name, &ccc->ccache);
+ if (ret) {
+ DEBUG(1,("failed to generate a new krb5 ccache (%s): %s\n",
+ ccache_name,
+ smb_get_krb5_error_message(ccc->smb_krb5_context->krb5_context, ret, ccc)));
+ talloc_free(ccache_name);
+ talloc_free(ccc);
+ return ret;
+ }
+
+ talloc_set_destructor(ccc, free_mccache);
+
+ cred->ccache = ccc;
+ talloc_steal(cred, ccc);
+ talloc_free(ccache_name);
+
+ return ret;
+}
+
+int cli_credentials_get_ccache(struct cli_credentials *cred, struct ccache_container **ccc)
+{
+ krb5_error_code ret;
+
+ if (cred->ccache_obtained >= (MAX(cred->principal_obtained,
+ cred->username_obtained))) {
+ *ccc = cred->ccache;
+ return 0;
+ }
+ if (cli_credentials_is_anonymous(cred)) {
+ return EINVAL;
+ }
+
+ ret = cli_credentials_new_ccache(cred);
+ if (ret) {
+ return ret;
+ }
+ ret = kinit_to_ccache(cred, cred, cred->ccache->smb_krb5_context, cred->ccache->ccache);
+ if (ret) {
+ return ret;
+ }
+ ret = cli_credentials_set_from_ccache(cred, cred->principal_obtained);
+
+ if (ret) {
+ return ret;
+ }
+ *ccc = cred->ccache;
+ return ret;
+}
+
+
/**
* Obtain the 'short' or 'NetBIOS' domain for this credentials context.
* @param cred credentials context
cli_credentials_set_machine_account(cred);
}
+ /* If we have a principal set on this, we want to login with "" domain and user@realm */
+ if (cred->domain_obtained < cred->principal_obtained) {
+ return "";
+ }
+
if (cred->domain_obtained == CRED_CALLBACK) {
cred->domain = cred->domain_cb(cred);
cred->domain_obtained = CRED_SPECIFIED;
return cred->realm;
}
-/**
- * Obtain the user's Kerberos principal for this credentials context.
- * @param cred credentials context
- * @param mem_ctx A talloc context to return the prinipal name on.
- * @retval The user's Kerberos principal
- * @note Return value may be NULL due to out-of memeory or invalid mem_ctx
- */
-char *cli_credentials_get_principal(struct cli_credentials *cred,
- TALLOC_CTX *mem_ctx)
-{
- return talloc_asprintf(mem_ctx, "%s@%s",
- cli_credentials_get_username(cred),
- cli_credentials_get_realm(cred));
-}
-
/**
* Set the realm for this credentials context, and force it to
* uppercase for the sainity of our local kerberos libraries
}
if ((p = strchr_m(uname,'@'))) {
+ cli_credentials_set_principal(credentials, uname, obtained);
*p = 0;
cli_credentials_set_realm(credentials, p+1, obtained);
+ return;
} else if ((p = strchr_m(uname,'\\')) || (p = strchr_m(uname, '/'))) {
*p = 0;
cli_credentials_set_domain(credentials, uname, obtained);
*/
void cli_credentials_set_conf(struct cli_credentials *cred)
{
- cli_credentials_set_domain(cred, lp_workgroup(), CRED_GUESSED);
- cli_credentials_set_workstation(cred, lp_netbios_name(), CRED_GUESSED);
- cli_credentials_set_realm(cred, lp_realm(), CRED_GUESSED);
+ cli_credentials_set_username(cred, "", CRED_UNINITIALISED);
+ cli_credentials_set_domain(cred, lp_workgroup(), CRED_UNINITIALISED);
+ cli_credentials_set_workstation(cred, lp_netbios_name(), CRED_UNINITIALISED);
+ cli_credentials_set_realm(cred, lp_realm(), CRED_UNINITIALISED);
}
/**
{
char *p;
- cli_credentials_set_username(cred, "", CRED_GUESSED);
cli_credentials_set_conf(cred);
if (getenv("LOGNAME")) {
- cli_credentials_set_username(cred, getenv("LOGNAME"), CRED_GUESSED);
+ cli_credentials_set_username(cred, getenv("LOGNAME"), CRED_GUESS_ENV);
}
if (getenv("USER")) {
- cli_credentials_parse_string(cred, getenv("USER"), CRED_GUESSED);
+ cli_credentials_parse_string(cred, getenv("USER"), CRED_GUESS_ENV);
if ((p = strchr_m(getenv("USER"),'%'))) {
memset(p,0,strlen(cred->password));
}
}
if (getenv("DOMAIN")) {
- cli_credentials_set_domain(cred, getenv("DOMAIN"), CRED_GUESSED);
+ cli_credentials_set_domain(cred, getenv("DOMAIN"), CRED_GUESS_ENV);
}
if (getenv("PASSWD")) {
- cli_credentials_set_password(cred, getenv("PASSWD"), CRED_GUESSED);
+ cli_credentials_set_password(cred, getenv("PASSWD"), CRED_GUESS_ENV);
}
if (getenv("PASSWD_FD")) {
- cli_credentials_parse_password_fd(cred, atoi(getenv("PASSWD_FD")), CRED_GUESSED);
+ cli_credentials_parse_password_fd(cred, atoi(getenv("PASSWD_FD")), CRED_GUESS_FILE);
}
if (getenv("PASSWD_FILE")) {
- cli_credentials_parse_password_file(cred, getenv("PASSWD_FILE"), CRED_GUESSED);
+ cli_credentials_parse_password_file(cred, getenv("PASSWD_FILE"), CRED_GUESS_FILE);
}
+
+ cli_credentials_set_ccache(cred, NULL, CRED_GUESS_FILE);
}
/**
BOOL cli_credentials_is_anonymous(struct cli_credentials *cred)
{
- const char *username = cli_credentials_get_username(cred);
-
+ TALLOC_CTX *tmp_ctx = talloc_new(cred);
+ const char *username = cli_credentials_get_username(cred, tmp_ctx);
+
/* Yes, it is deliberate that we die if we have a NULL pointer
* here - anonymous is "", not NULL, which is 'never specified,
* never guessed', ie programmer bug */
- if (!username[0])
+ if (!username[0]) {
+ talloc_free(tmp_ctx);
return True;
-
+ }
+
+ talloc_free(tmp_ctx);
return False;
}
ldb->modules->private_data = ildb;
ldb->modules->ops = &ildb_ops;
- if (cmdline_credentials != NULL &&
- cmdline_credentials->username_obtained > CRED_GUESSED) {
+ if (cmdline_credentials != NULL && cli_credentials_authentication_requested(cmdline_credentials)) {
status = ldap_bind_sasl(ildb->ldap, cmdline_credentials);
if (!NT_STATUS_IS_OK(status)) {
ldb_debug(ldb, LDB_DEBUG_ERROR, "Failed to bind - %s\n",
print_header("Secrets");
printf("IPC Credentials:\n");
- if (secrets->ipc_cred->username_obtained)
- printf(" User: %s\n", cli_credentials_get_username(secrets->ipc_cred));
+ if (secrets->ipc_cred->username_obtained) {
+ TALLOC_CTX *mem_ctx = talloc_new(NULL);
+ printf(" User: %s\n", cli_credentials_get_username(secrets->ipc_cred, mem_ctx));
+ talloc_free(mem_ctx);
+ }
if (secrets->ipc_cred->password_obtained)
printf(" Password: %s\n", cli_credentials_get_password(secrets->ipc_cred));
state->setup.nt1.in.capabilities = io->in.capabilities;
state->setup.nt1.in.os = "Unix";
state->setup.nt1.in.lanman = talloc_asprintf(state, "Samba %s", SAMBA_VERSION_STRING);
- state->setup.nt1.in.user = cli_credentials_get_username(io->in.credentials);
+ state->setup.nt1.in.user = cli_credentials_get_username(io->in.credentials, state);
state->setup.nt1.in.domain = cli_credentials_get_domain(io->in.credentials);
if (!password) {
state->setup.old.in.vc_num = 1;
state->setup.old.in.sesskey = io->in.sesskey;
state->setup.old.in.domain = cli_credentials_get_domain(io->in.credentials);
- state->setup.old.in.user = cli_credentials_get_username(io->in.credentials);
+ state->setup.old.in.user = cli_credentials_get_username(io->in.credentials, state);
state->setup.old.in.os = "Unix";
state->setup.old.in.lanman = talloc_asprintf(state, "Samba %s", SAMBA_VERSION_STRING);
negotiate_flags);
a.in.server_name = r.in.server_name;
- a.in.account_name = cli_credentials_get_username(credentials);
+ a.in.account_name = cli_credentials_get_username(credentials, tmp_ctx);
a.in.secure_channel_type =
cli_credentials_get_secure_channel_type(credentials);
a.in.computer_name = cli_credentials_get_workstation(credentials);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(1, ("Failed to setup credentials for account %s: %s\n",
- cli_credentials_get_username(credentials),
+ cli_credentials_get_username(credentials, tmp_ctx),
nt_errstr(status)));
return status;
}
ejsSetErrorMsg(eid, "userAuth requires a 'creds' element");
return -1;
}
- username = cli_credentials_get_username(creds);
+ username = cli_credentials_get_username(creds, tmp_ctx);
password = cli_credentials_get_password(creds);
domain = cli_credentials_get_domain(creds);
remote_host = cli_credentials_get_workstation(creds);
{
struct cli_credentials *creds = ejs_creds_get_credentials(eid);
- mpr_Return(eid, mprString(cli_credentials_get_username(creds)));
+ mpr_Return(eid, mprString(cli_credentials_get_username(creds, mprMemCtx())));
return 0;
}
struct netr_LogonUasLogon r;
r.in.server_name = NULL;
- r.in.account_name = cli_credentials_get_username(cmdline_credentials),
+ r.in.account_name = cli_credentials_get_username(cmdline_credentials, mem_ctx);
r.in.workstation = TEST_MACHINE_NAME;
printf("Testing LogonUasLogon\n");
struct netr_LogonUasLogoff r;
r.in.server_name = NULL;
- r.in.account_name = cli_credentials_get_username(cmdline_credentials),
+ r.in.account_name = cli_credentials_get_username(cmdline_credentials, mem_ctx);
r.in.workstation = TEST_MACHINE_NAME;
printf("Testing LogonUasLogoff\n");
struct netr_LogonSamLogon r;
struct netr_Authenticator auth, auth2;
struct netr_NetworkInfo ninfo;
- const char *username = cli_credentials_get_username(cmdline_credentials);
+ const char *username = cli_credentials_get_username(cmdline_credentials, mem_ctx);
const char *password = cli_credentials_get_password(cmdline_credentials);
struct creds_CredentialState *creds;
} usercreds[] = {
{
cli_credentials_get_domain(cmdline_credentials),
- cli_credentials_get_username(cmdline_credentials),
+ cli_credentials_get_username(cmdline_credentials, mem_ctx),
cli_credentials_get_password(cmdline_credentials),
True
},
{
cli_credentials_get_realm(cmdline_credentials),
- cli_credentials_get_username(cmdline_credentials),
+ cli_credentials_get_username(cmdline_credentials, mem_ctx),
cli_credentials_get_password(cmdline_credentials),
True
},
NULL,
talloc_asprintf(mem_ctx,
"%s@%s",
- cli_credentials_get_username(cmdline_credentials),
+ cli_credentials_get_username(cmdline_credentials, mem_ctx),
cli_credentials_get_domain(cmdline_credentials)
),
cli_credentials_get_password(cmdline_credentials),
NULL,
talloc_asprintf(mem_ctx,
"%s@%s",
- cli_credentials_get_username(cmdline_credentials),
+ cli_credentials_get_username(cmdline_credentials, mem_ctx),
cli_credentials_get_realm(cmdline_credentials)
),
cli_credentials_get_password(cmdline_credentials),
struct netr_LogonSamLogon r;
struct netr_Authenticator auth, auth2;
struct netr_NetworkInfo ninfo;
- const char *username = cli_credentials_get_username(cmdline_credentials);
+ const char *username = cli_credentials_get_username(cmdline_credentials, mem_ctx);
const char *password = cli_credentials_get_password(cmdline_credentials);
int i;
BOOL ret = True;
} else {
password_prompt = talloc_asprintf(ctx->mem_ctx, "Enter new password for account [%s\\%s]:",
cli_credentials_get_domain(ctx->credentials),
- cli_credentials_get_username(ctx->credentials));
+ cli_credentials_get_username(ctx->credentials, ctx->mem_ctx));
new_password = getpass(password_prompt);
}
/* prepare password change */
r.generic.level = LIBNET_CHANGE_PASSWORD_GENERIC;
- r.generic.in.account_name = cli_credentials_get_username(ctx->credentials);
+ r.generic.in.account_name = cli_credentials_get_username(ctx->credentials, ctx->mem_ctx);
r.generic.in.domain_name = cli_credentials_get_domain(ctx->credentials);
r.generic.in.oldpassword = cli_credentials_get_password(ctx->credentials);
r.generic.in.newpassword = new_password;
cli_credentials_set_conf(creds);
if (opt_username) {
cli_credentials_set_username(creds, opt_username, CRED_SPECIFIED);
- } else {
- cli_credentials_set_username(creds, "", CRED_GUESSED);
}
if (opt_domain) {
cli_credentials_set_domain(creds, opt_domain, CRED_SPECIFIED);
git.samba.org / jelmer / samba4-debian.git / commitdiff