r9728: A *major* update to the credentials system, to incorporate the
authorAndrew Bartlett <abartlet@samba.org>
Mon, 29 Aug 2005 04:30:22 +0000 (04:30 +0000)
committerGerald (Jerry) Carter <jerry@samba.org>
Wed, 10 Oct 2007 18:34:54 +0000 (13:34 -0500)
Kerberos CCACHE into the system.

This again allows the use of the system ccache when no username is
specified, and brings more code in common between gensec_krb5 and
gensec_gssapi.

It also has a side-effect that may (or may not) be expected: If there
is a ccache, even if it is not used (perhaps the remote server didn't
want kerberos), it will change the default username.

Andrew Bartlett
(This used to be commit 6202267f6ec1446d6bd11d1d37d05a977bc8d315)

22 files changed:
source4/auth/gensec/gensec_gssapi.c
source4/auth/gensec/gensec_krb5.c
source4/auth/kerberos/kerberos.h
source4/auth/kerberos/kerberos_util.c
source4/auth/ntlmssp/ntlmssp_client.c
source4/client/client.c
source4/include/credentials.h
source4/include/includes.h
source4/lib/cmdline/credentials.c
source4/lib/cmdline/popt_common.c
source4/lib/credentials.c
source4/lib/ldb/ldb_ildap/ldb_ildap.c
source4/lib/samba3/samba3dump.c
source4/libcli/composite/sesssetup.c
source4/librpc/rpc/dcerpc_schannel.c
source4/scripting/ejs/smbcalls_auth.c
source4/scripting/ejs/smbcalls_creds.c
source4/torture/rpc/netlogon.c
source4/torture/rpc/samlogon.c
source4/torture/rpc/schannel.c
source4/utils/net/net_password.c
source4/utils/ntlm_auth.c

index 64a6f8be77cddb9df96233c9a99481ca6cc12d2c..26494f022284d3fc047719281145f966411e3573 100644 (file)
@@ -208,6 +208,8 @@ static NTSTATUS gensec_gssapi_client_start(struct gensec_security *gensec_securi
 {
        struct gensec_gssapi_state *gensec_gssapi_state;
        struct cli_credentials *creds = gensec_get_credentials(gensec_security);
+       struct ccache_container *ccache;
+       krb5_error_code ret;
        NTSTATUS nt_status;
        gss_buffer_desc name_token;
        OM_uint32 maj_stat, min_stat;
@@ -245,6 +247,13 @@ static NTSTATUS gensec_gssapi_client_start(struct gensec_security *gensec_securi
                return NT_STATUS_INVALID_PARAMETER;
        }
 
+       ret = cli_credentials_get_ccache(creds, 
+                                        &ccache);
+       if (ret) {
+               DEBUG(1, ("Failed to get CCACHE for gensec_gssapi: %s\n", error_message(ret)));
+               return NT_STATUS_UNSUCCESSFUL;
+       }
+
        name_token.value = cli_credentials_get_principal(creds, 
                                                         gensec_gssapi_state);
        name_token.length = strlen(name_token.value);
@@ -260,16 +269,8 @@ static NTSTATUS gensec_gssapi_client_start(struct gensec_security *gensec_securi
                return NT_STATUS_UNSUCCESSFUL;
        }
 
-       nt_status = kinit_to_ccache(gensec_gssapi_state, 
-                                   creds,
-                                   gensec_gssapi_state->smb_krb5_context, 
-                                   &gensec_gssapi_state->ccache, &gensec_gssapi_state->ccache_name);
-       if (!NT_STATUS_IS_OK(nt_status)) {
-               return nt_status;
-       }
-
        maj_stat = gsskrb5_acquire_cred(&min_stat, 
-                                       NULL, gensec_gssapi_state->ccache,
+                                       NULL, ccache->ccache,
                                        gensec_gssapi_state->client_name,
                                        GSS_C_INDEFINITE,
                                        GSS_C_NULL_OID_SET,
index a89f46a41107baf68fd69dcb15016601c35afa08..09722af10b7e39a8b0a1e39db4d3510fdd0a1d33 100644 (file)
@@ -45,7 +45,6 @@ struct gensec_krb5_state {
        enum GENSEC_KRB5_STATE state_position;
        struct smb_krb5_context *smb_krb5_context;
        krb5_auth_context auth_context;
-       krb5_ccache ccache;
        krb5_data ticket;
        krb5_keyblock *keyblock;
        char *peer_principal;
@@ -75,7 +74,6 @@ static int gensec_krb5_destory(void *ptr)
 static NTSTATUS gensec_krb5_start(struct gensec_security *gensec_security)
 {
        struct gensec_krb5_state *gensec_krb5_state;
-       krb5_error_code ret = 0;
 
        gensec_krb5_state = talloc(gensec_security, struct gensec_krb5_state);
        if (!gensec_krb5_state) {
@@ -85,7 +83,6 @@ static NTSTATUS gensec_krb5_start(struct gensec_security *gensec_security)
        gensec_security->private_data = gensec_krb5_state;
 
        gensec_krb5_state->auth_context = NULL;
-       gensec_krb5_state->ccache = NULL;
        ZERO_STRUCT(gensec_krb5_state->ticket);
        ZERO_STRUCT(gensec_krb5_state->keyblock);
        gensec_krb5_state->session_key = data_blob(NULL, 0);
@@ -93,34 +90,29 @@ static NTSTATUS gensec_krb5_start(struct gensec_security *gensec_security)
 
        talloc_set_destructor(gensec_krb5_state, gensec_krb5_destory); 
 
-       ret = smb_krb5_init_context(gensec_krb5_state,
-                                   &gensec_krb5_state->smb_krb5_context);
-       if (ret) {
-               DEBUG(1,("gensec_krb5_start: krb5_init_context failed (%s)\n", 
-                        error_message(ret)));
-               return NT_STATUS_INTERNAL_ERROR;
-       }
-
-       ret = krb5_auth_con_init(gensec_krb5_state->smb_krb5_context->krb5_context, &gensec_krb5_state->auth_context);
-       if (ret) {
-               DEBUG(1,("gensec_krb5_start: krb5_auth_con_init failed (%s)\n", 
-                        smb_get_krb5_error_message(gensec_krb5_state->smb_krb5_context->krb5_context, 
-                                                   ret, gensec_krb5_state)));
-               return NT_STATUS_INTERNAL_ERROR;
-       }
-
        return NT_STATUS_OK;
 }
 
 static NTSTATUS gensec_krb5_server_start(struct gensec_security *gensec_security)
 {
        NTSTATUS nt_status;
+       krb5_error_code ret = 0;
        struct gensec_krb5_state *gensec_krb5_state;
 
        nt_status = gensec_krb5_start(gensec_security);
        if (!NT_STATUS_IS_OK(nt_status)) {
                return nt_status;
        }
+       
+       gensec_krb5_state = gensec_security->private_data;
+
+       ret = smb_krb5_init_context(gensec_krb5_state,
+                                   &gensec_krb5_state->smb_krb5_context);
+       if (ret) {
+               DEBUG(1,("gensec_krb5_start: krb5_init_context failed (%s)\n", 
+                        error_message(ret)));
+               return NT_STATUS_INTERNAL_ERROR;
+       }
 
        gensec_krb5_state = gensec_security->private_data;
        gensec_krb5_state->state_position = GENSEC_KRB5_SERVER_START;
@@ -133,7 +125,7 @@ static NTSTATUS gensec_krb5_client_start(struct gensec_security *gensec_security
        struct gensec_krb5_state *gensec_krb5_state;
        krb5_error_code ret;
        NTSTATUS nt_status;
-       const char *ccache_name;
+       struct ccache_container *ccache_container;
 
        const char *hostname = gensec_get_target_hostname(gensec_security);
        if (!hostname) {
@@ -154,72 +146,68 @@ static NTSTATUS gensec_krb5_client_start(struct gensec_security *gensec_security
        gensec_krb5_state = gensec_security->private_data;
        gensec_krb5_state->state_position = GENSEC_KRB5_CLIENT_START;
 
-       /* TODO: This is effecivly a static/global variable... 
-        
-          TODO: If the user set a username, we should use an in-memory CCACHE (see below)
-       */ 
-       ret = krb5_cc_default(gensec_krb5_state->smb_krb5_context->krb5_context, &gensec_krb5_state->ccache);
+       ret = cli_credentials_get_ccache(gensec_security->credentials, &ccache_container);
        if (ret) {
-               DEBUG(1,("krb5_cc_default failed (%s)\n",
-                        smb_get_krb5_error_message(gensec_krb5_state->smb_krb5_context->krb5_context, ret, gensec_krb5_state)));
-               return NT_STATUS_INTERNAL_ERROR;
+               DEBUG(1,("gensec_krb5_start: cli_credentials_get_ccache failed: %s\n", 
+                        error_message(ret)));
+               return NT_STATUS_UNSUCCESSFUL;
        }
-       
-       while (1) {
-               {
-                       krb5_data in_data;
-                       in_data.length = 0;
-
-                       ret = krb5_mk_req(gensec_krb5_state->smb_krb5_context->krb5_context, 
-                                         &gensec_krb5_state->auth_context,
-                                         AP_OPTS_USE_SUBKEY | AP_OPTS_MUTUAL_REQUIRED,
-                                         gensec_get_target_service(gensec_security),
-                                         hostname,
-                                         &in_data, gensec_krb5_state->ccache, 
-                                         &gensec_krb5_state->ticket);
-                       
-               }
-               switch (ret) {
-               case 0:
-                       return NT_STATUS_OK;
-               case KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN:
-                       DEBUG(3, ("Server [%s] is not registered with our KDC: %s\n", 
-                                 hostname, smb_get_krb5_error_message(gensec_krb5_state->smb_krb5_context->krb5_context, ret, gensec_krb5_state)));
-                       return NT_STATUS_ACCESS_DENIED;
-               case KRB5KDC_ERR_PREAUTH_FAILED:
-               case KRB5KRB_AP_ERR_TKT_EXPIRED:
-               case KRB5_CC_END:
-                       /* Too much clock skew - we will need to kinit to re-skew the clock */
-               case KRB5KRB_AP_ERR_SKEW:
-               case KRB5_KDCREP_SKEW:
-               {
-                       DEBUG(3, ("kerberos (mk_req) failed: %s\n", 
-                                 smb_get_krb5_error_message(gensec_krb5_state->smb_krb5_context->krb5_context, ret, gensec_krb5_state)));
-                       /* fall down to remaining code */
-               }
 
+       gensec_krb5_state->smb_krb5_context = talloc_reference(gensec_krb5_state, ccache_container->smb_krb5_context);
 
-               /* just don't print a message for these really ordinary messages */
-               case KRB5_FCC_NOFILE:
-               case KRB5_CC_NOTFOUND:
-               case ENOENT:
-                       
-               nt_status = kinit_to_ccache(gensec_krb5_state,  
-                                           gensec_security->credentials,
-                                           gensec_krb5_state->smb_krb5_context, 
-                                           &gensec_krb5_state->ccache, 
-                                           &ccache_name);
+       ret = krb5_auth_con_init(gensec_krb5_state->smb_krb5_context->krb5_context, &gensec_krb5_state->auth_context);
+       if (ret) {
+               DEBUG(1,("gensec_krb5_start: krb5_auth_con_init failed (%s)\n", 
+                        smb_get_krb5_error_message(gensec_krb5_state->smb_krb5_context->krb5_context, 
+                                                   ret, gensec_krb5_state)));
+               return NT_STATUS_INTERNAL_ERROR;
+       }
+
+       if (!ret) {
+               krb5_data in_data;
+               in_data.length = 0;
                
-               if (!NT_STATUS_IS_OK(nt_status)) {
-                       return nt_status;
-               }
+               ret = krb5_mk_req(gensec_krb5_state->smb_krb5_context->krb5_context, 
+                                 &gensec_krb5_state->auth_context,
+                                 AP_OPTS_USE_SUBKEY | AP_OPTS_MUTUAL_REQUIRED,
+                                 gensec_get_target_service(gensec_security),
+                                 hostname,
+                                 &in_data, ccache_container->ccache, 
+                                 &gensec_krb5_state->ticket);
+               
+       }
+       switch (ret) {
+       case 0:
+               return NT_STATUS_OK;
+       case KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN:
+               DEBUG(3, ("Server [%s] is not registered with our KDC: %s\n", 
+                         hostname, smb_get_krb5_error_message(gensec_krb5_state->smb_krb5_context->krb5_context, ret, gensec_krb5_state)));
+               return NT_STATUS_ACCESS_DENIED;
+       case KRB5KDC_ERR_PREAUTH_FAILED:
+       case KRB5KRB_AP_ERR_TKT_EXPIRED:
+       case KRB5_CC_END:
+               /* Too much clock skew - we will need to kinit to re-skew the clock */
+       case KRB5KRB_AP_ERR_SKEW:
+       case KRB5_KDCREP_SKEW:
+       {
+               DEBUG(3, ("kerberos (mk_req) failed: %s\n", 
+                         smb_get_krb5_error_message(gensec_krb5_state->smb_krb5_context->krb5_context, ret, gensec_krb5_state)));
+               /* fall down to remaining code */
+       }
+       
+       
+       /* just don't print a message for these really ordinary messages */
+       case KRB5_FCC_NOFILE:
+       case KRB5_CC_NOTFOUND:
+       case ENOENT:
+               
+               return NT_STATUS_UNSUCCESSFUL;
                break;
-
-               default:
-                       DEBUG(0, ("kerberos: %s\n", 
-                                 smb_get_krb5_error_message(gensec_krb5_state->smb_krb5_context->krb5_context, ret, gensec_krb5_state)));
-                       return NT_STATUS_UNSUCCESSFUL;
-               }
+               
+       default:
+               DEBUG(0, ("kerberos: %s\n", 
+                         smb_get_krb5_error_message(gensec_krb5_state->smb_krb5_context->krb5_context, ret, gensec_krb5_state)));
+               return NT_STATUS_UNSUCCESSFUL;
        }
 }
 
index 954ac7dc57bbc83b736d60d206e95e73c70e3745..8cc8e561accf5aebbdc331116622eb2570161cc5 100644 (file)
@@ -34,6 +34,10 @@ struct smb_krb5_context {
 #endif
 };
        
+struct ccache_container {
+       struct smb_krb5_context *smb_krb5_context;
+       krb5_ccache ccache;
+};
 
 /* not really ASN.1, but RFC 1964 */
 #define TOK_ID_KRB_AP_REQ      "\x01\x00"
@@ -111,11 +115,10 @@ BOOL kerberos_compatible_enctypes(krb5_context context, krb5_enctype enctype1, k
 void kerberos_free_data_contents(krb5_context context, krb5_data *pdata);
 krb5_error_code smb_krb5_kt_free_entry(krb5_context context, krb5_keytab_entry *kt_entry);
 char *smb_get_krb5_error_message(krb5_context context, krb5_error_code code, TALLOC_CTX *mem_ctx);
-NTSTATUS kinit_to_ccache(TALLOC_CTX *parent_ctx,
+ krb5_error_code kinit_to_ccache(TALLOC_CTX *parent_ctx,
                          struct cli_credentials *credentials,
                          struct smb_krb5_context *smb_krb5_context,
-                         krb5_ccache *ccache,
-                         const char **ccache_name);
+                                krb5_ccache ccache);
 krb5_error_code smb_krb5_init_context(TALLOC_CTX *parent_ctx, 
                                      struct smb_krb5_context **smb_krb5_context); 
 krb5_error_code salt_principal_from_credentials(TALLOC_CTX *parent_ctx, 
index d455dac572a99d2a8cab3069e3e110f240b79334..9dc8621b0ea52ed133b00cfc6bd3f9cacd8b0c73 100644 (file)
@@ -33,11 +33,6 @@ struct principal_container {
        krb5_principal principal;
 };
 
-struct ccache_container {
-       struct smb_krb5_context *smb_krb5_context;
-       krb5_ccache ccache;
-};
-
 struct keytab_container {
        struct smb_krb5_context *smb_krb5_context;
        krb5_keytab keytab;
@@ -65,7 +60,7 @@ krb5_error_code salt_principal_from_credentials(TALLOC_CTX *parent_ctx,
                return ENOMEM;
        }
        
-       machine_username = talloc_strdup(mem_ctx, cli_credentials_get_username(machine_account));
+       machine_username = talloc_strdup(mem_ctx, cli_credentials_get_username(machine_account, mem_ctx));
 
        if (!machine_username) {
                talloc_free(mem_ctx);
@@ -100,58 +95,30 @@ krb5_error_code salt_principal_from_credentials(TALLOC_CTX *parent_ctx,
        return ret;
 }
 
-static int free_ccache(void *ptr) {
-       struct ccache_container *ccc = ptr;
-       /* current heimdal - 0.6.3, which we need anyway, fixes segfaults here */
-       krb5_cc_close(ccc->smb_krb5_context->krb5_context, ccc->ccache);
-
-       return 0;
-}
-
 /**
  * Return a freshly allocated ccache (destroyed by destructor on child
  * of parent_ctx), for a given set of client credentials 
  */
 
NTSTATUS kinit_to_ccache(TALLOC_CTX *parent_ctx,
krb5_error_code kinit_to_ccache(TALLOC_CTX *parent_ctx,
                          struct cli_credentials *credentials,
                          struct smb_krb5_context *smb_krb5_context,
-                         krb5_ccache *ccache,
-                         const char **ccache_name) 
+                         krb5_ccache ccache) 
 {
        krb5_error_code ret;
        const char *password;
-       char *ccache_string;
        time_t kdc_time = 0;
-       struct ccache_container *mem_ctx = talloc(parent_ctx, struct ccache_container);
+
+       TALLOC_CTX *mem_ctx = talloc_new(parent_ctx);
 
        if (!mem_ctx) {
-               return NT_STATUS_NO_MEMORY;
+               return ENOMEM;
        }
 
        password = cli_credentials_get_password(credentials);
        
-       /* this string should be unique */
-       ccache_string = talloc_asprintf(mem_ctx, "MEMORY:%s_%s", 
-                                       cli_credentials_get_principal(credentials, mem_ctx), 
-                                       generate_random_str(mem_ctx, 16));
-       
-       ret = krb5_cc_resolve(smb_krb5_context->krb5_context, ccache_string, ccache);
-       if (ret) {
-               DEBUG(1,("failed to generate a new krb5 ccache (%s): %s\n", 
-                        ccache_string,
-                        error_message(ret)));
-               talloc_free(mem_ctx);
-               return NT_STATUS_INTERNAL_ERROR;
-       }
-
-       mem_ctx->smb_krb5_context = talloc_reference(mem_ctx, smb_krb5_context);
-       mem_ctx->ccache = *ccache;
-
-       talloc_set_destructor(mem_ctx, free_ccache);
-
        if (password) {
-               ret = kerberos_kinit_password_cc(smb_krb5_context->krb5_context, *ccache, 
+               ret = kerberos_kinit_password_cc(smb_krb5_context->krb5_context, ccache, 
                                                 cli_credentials_get_principal(credentials, mem_ctx), 
                                                 password, NULL, &kdc_time);
        } else {
@@ -163,7 +130,7 @@ static int free_ccache(void *ptr) {
                if (!mach_pwd) {
                        talloc_free(mem_ctx);
                        DEBUG(1, ("kinit_to_ccache: No password available for kinit\n"));
-                       return NT_STATUS_WRONG_PASSWORD;
+                       return EINVAL;
                }
                ret = krb5_keyblock_init(smb_krb5_context->krb5_context,
                                         ENCTYPE_ARCFOUR_HMAC,
@@ -171,7 +138,7 @@ static int free_ccache(void *ptr) {
                                         &keyblock);
                
                if (ret == 0) {
-                       ret = kerberos_kinit_keyblock_cc(smb_krb5_context->krb5_context, *ccache, 
+                       ret = kerberos_kinit_keyblock_cc(smb_krb5_context->krb5_context, ccache, 
                                                         cli_credentials_get_principal(credentials, mem_ctx), 
                                                         &keyblock, NULL, &kdc_time);
                        krb5_free_keyblock_contents(smb_krb5_context->krb5_context, &keyblock);
@@ -192,7 +159,7 @@ static int free_ccache(void *ptr) {
                         smb_get_krb5_error_message(smb_krb5_context->krb5_context, 
                                                    ret, mem_ctx)));
                talloc_free(mem_ctx);
-               return NT_STATUS_TIME_DIFFERENCE_AT_DC;
+               return ret;
        }
        if (ret) {
                DEBUG(1,("kinit for %s failed (%s)\n", 
@@ -200,11 +167,9 @@ static int free_ccache(void *ptr) {
                         smb_get_krb5_error_message(smb_krb5_context->krb5_context, 
                                                    ret, mem_ctx)));
                talloc_free(mem_ctx);
-               return NT_STATUS_WRONG_PASSWORD;
+               return ret;
        } 
-       *ccache_name = ccache_string;
-
-       return NT_STATUS_OK;
+       return 0;
 }
 
 static int free_keytab(void *ptr) {
index add774f84ebda972b9dbb763da92fca25c5afe3c..feee14a8573dddb6f27d23209f18666a8749eb0a 100644 (file)
@@ -164,20 +164,10 @@ NTSTATUS ntlmssp_client_challenge(struct gensec_security *gensec_security,
                return NT_STATUS_INVALID_PARAMETER;
        }
 
-       /* Correctly handle username in the original form of user@REALM, which is valid */
-       if (gensec_security->credentials->realm_obtained
-           > gensec_security->credentials->domain_obtained) {
-               user = talloc_asprintf(out_mem_ctx, "%s@%s", 
-                                      cli_credentials_get_username(gensec_security->credentials), 
-                                      cli_credentials_get_realm(gensec_security->credentials));
-               domain = NULL;
-       } else {
-               user = cli_credentials_get_username(gensec_security->credentials);
-               domain = cli_credentials_get_domain(gensec_security->credentials);
-       }
+       user = cli_credentials_get_username(gensec_security->credentials, out_mem_ctx);
+       domain = cli_credentials_get_domain(gensec_security->credentials);
 
        nt_hash = cli_credentials_get_nt_hash(gensec_security->credentials, out_mem_ctx);
-       password = cli_credentials_get_password(gensec_security->credentials);
 
        if (!nt_hash) {
                static const uint8_t zeros[16];
@@ -265,24 +255,29 @@ NTSTATUS ntlmssp_client_challenge(struct gensec_security *gensec_security,
                }
 
                /* lanman auth is insecure, it may be disabled.  We may also not have a password */
-               if (lp_client_lanman_auth() && password) {
-                       lm_response = data_blob_talloc(gensec_ntlmssp_state, NULL, 24);
-                       if (!SMBencrypt(password,challenge_blob.data,
-                                       lm_response.data)) {
-                               /* If the LM password was too long (and therefore the LM hash being
-                                  of the first 14 chars only), don't send it */
-                               data_blob_free(&lm_response);
-
-                               /* LM Key is incompatible with 'long' passwords */
-                               gensec_ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_LM_KEY;
+               if (lp_client_lanman_auth()) {
+                       password = cli_credentials_get_password(gensec_security->credentials);
+                       if (!password) {
+                               lm_response = nt_response;
                        } else {
-                               E_deshash(password, lm_hash);
-                               lm_session_key = data_blob_talloc(gensec_ntlmssp_state, NULL, 16);
-                               memcpy(lm_session_key.data, lm_hash, 8);
-                               memset(&lm_session_key.data[8], '\0', 8);
-
-                               if (!gensec_ntlmssp_state->use_nt_response) {
+                               lm_response = data_blob_talloc(gensec_ntlmssp_state, NULL, 24);
+                               if (!SMBencrypt(password,challenge_blob.data,
+                                               lm_response.data)) {
+                                       /* If the LM password was too long (and therefore the LM hash being
+                                          of the first 14 chars only), don't send it */
+                                       data_blob_free(&lm_response);
+                                       
+                                       /* LM Key is incompatible with 'long' passwords */
+                                       gensec_ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_LM_KEY;
+                               } else {
+                                       E_deshash(password, lm_hash);
+                                       lm_session_key = data_blob_talloc(gensec_ntlmssp_state, NULL, 16);
+                                       memcpy(lm_session_key.data, lm_hash, 8);
+                                       memset(&lm_session_key.data[8], '\0', 8);
+                                       
+                                       if (!gensec_ntlmssp_state->use_nt_response) {
                                        session_key = lm_session_key;
+                                       }
                                }
                        }
                } else {
@@ -353,7 +348,7 @@ NTSTATUS ntlmssp_client_challenge(struct gensec_security *gensec_security,
 
        gensec_ntlmssp_state->expected_state = NTLMSSP_DONE;
 
-       if (gensec_security->want_features & GENSEC_FEATURE_SIGN|GENSEC_FEATURE_SEAL) {
+       if (gensec_security->want_features & (GENSEC_FEATURE_SIGN|GENSEC_FEATURE_SEAL)) {
                nt_status = ntlmssp_sign_init(gensec_ntlmssp_state);
                if (!NT_STATUS_IS_OK(nt_status)) {
                        DEBUG(1, ("Could not setup NTLMSSP signing/sealing system (error was: %s)\n", 
@@ -362,7 +357,7 @@ NTSTATUS ntlmssp_client_challenge(struct gensec_security *gensec_security,
                }
        }
 
-       return nt_status;
+       return NT_STATUS_OK;
 }
 
 NTSTATUS gensec_ntlmssp_client_start(struct gensec_security *gensec_security)
index 3e6609e68e4ee5033f5bdfddc75a337975d1ed0f..eb090aea74e7a80c62a1e434efbb4bbeb8fa7287 100644 (file)
@@ -198,7 +198,7 @@ static void send_message(void)
        int total_len = 0;
        int grp_id;
 
-       if (!smbcli_message_start(cli->tree, desthost, cli_credentials_get_username(cmdline_credentials), &grp_id)) {
+       if (!smbcli_message_start(cli->tree, desthost, cli_credentials_get_username(cmdline_credentials, cmdline_credentials), &grp_id)) {
                d_printf("message start: %s\n", smbcli_errstr(cli->tree));
                return;
        }
index 58cc4767ad4e9bdb693395c283d1e01fe9dfcd4f..5dadbbd1c51a8d2c27911aaff3c3684f76d7a88b 100644 (file)
@@ -24,8 +24,9 @@
 /* In order of priority */
 enum credentials_obtained { 
        CRED_UNINITIALISED = 0,  /* We don't even have a guess yet */
-       CRED_GUESSED,            /* Current value should be used, which was guessed */
+       CRED_GUESS_ENV,          /* Current value should be used, which was guessed */
        CRED_CALLBACK,           /* Callback should be used to obtain value */
+       CRED_GUESS_FILE,         /* A guess from a file (or file pointed at in env variable) */
        CRED_SPECIFIED           /* Was explicitly specified on the command-line */
 };
 
@@ -38,20 +39,26 @@ struct cli_credentials {
        enum credentials_obtained password_obtained;
        enum credentials_obtained domain_obtained;
        enum credentials_obtained realm_obtained;
+       enum credentials_obtained ccache_obtained;
+       enum credentials_obtained principal_obtained;
 
        const char *workstation;
        const char *username;
        const char *password;
        const char *domain;
        const char *realm;
+       const char *principal;
 
        struct samr_Password *nt_hash;
 
+       struct ccache_container *ccache;
+
        const char *(*workstation_cb) (struct cli_credentials *);
        const char *(*password_cb) (struct cli_credentials *);
        const char *(*username_cb) (struct cli_credentials *);
        const char *(*domain_cb) (struct cli_credentials *);
        const char *(*realm_cb) (struct cli_credentials *);
+       const char *(*principal_cb) (struct cli_credentials *);
 
        /* Private handle for the callback routines to use */
        void *priv_data;
@@ -65,4 +72,3 @@ struct cli_credentials {
 
        BOOL machine_account_pending;
 };
-
index ea7abb0c9ba9de2e81a2e38809293305a2458cbc..94b88d37b2162774257674aac827ad484800ae1d 100644 (file)
@@ -115,6 +115,7 @@ extern char *sys_errlist[];
 extern int errno;
 #endif
 
+
 #include "lib/replace/replace.h"
 
 /* Lists, trees, caching, database... */
index d827baed76a02254c2b82d136e411a956bc48f2d..7832e01e4bb94016efa8f9b843748b3ac31a1a25 100644 (file)
@@ -29,14 +29,23 @@ static const char *cmdline_get_userpassword(struct cli_credentials *credentials)
 {
        char *prompt;
        char *ret;
-
-       prompt = talloc_asprintf(NULL, "Password for [%s\\%s]:", 
-                                cli_credentials_get_domain(credentials),
-                                cli_credentials_get_username(credentials));
+       char *domain;
+       char *username;
+       TALLOC_CTX *mem_ctx = talloc_new(NULL);
+
+       domain = cli_credentials_get_domain(credentials);
+       username = cli_credentials_get_username(credentials, mem_ctx);
+       if (domain && domain[0]) {
+               prompt = talloc_asprintf(mem_ctx, "Password for [%s\\%s]:", 
+                                        domain, username);
+       } else {
+               prompt = talloc_asprintf(mem_ctx, "Password for [%s]:", 
+                                        username);
+       }
 
        ret = getpass(prompt);
 
-       talloc_free(prompt);
+       talloc_free(mem_ctx);
        return ret;
 }
 
index 4e808652f7bfc80f89543215ef1575ed0223f593..d3bd0a35a4b18285716cd7f1d171ff2638fcdcf0 100644 (file)
@@ -220,9 +220,11 @@ static void popt_common_credentials_callback(poptContext con,
                        char *lp;
 
                        cli_credentials_parse_string(cmdline_credentials, arg, CRED_SPECIFIED);
-
-                       if (cmdline_credentials->password && (lp=strchr_m(arg,'%'))) {
-                               memset(lp,0,strlen(cmdline_credentials->password));
+                       /* This breaks the abstraction, including the const above */
+                       if (lp=strchr_m(arg,'%')) {
+                               lp[0]='\0';
+                               lp++;
+                               memset(lp,0,strlen(lp));
                        }
                }
                break;
index aae55be800c07c5b105f227c35633be9ae540c14..69e237428cf30b22eac5ee57e0d187cebb539d2d 100644 (file)
@@ -25,6 +25,9 @@
 #include "include/secrets.h"
 #include "lib/ldb/include/ldb.h"
 #include "librpc/gen_ndr/ndr_samr.h" /* for struct samrPassword */
+#include "system/kerberos.h"
+#include "auth/kerberos/kerberos.h"
+
 
 /**
  * Create a new credentials structure
@@ -44,6 +47,8 @@ struct cli_credentials *cli_credentials_init(TALLOC_CTX *mem_ctx)
        cred->password_obtained = CRED_UNINITIALISED;
        cred->domain_obtained = CRED_UNINITIALISED;
        cred->realm_obtained = CRED_UNINITIALISED;
+       cred->ccache_obtained = CRED_UNINITIALISED;
+       cred->principal_obtained = CRED_UNINITIALISED;
        return cred;
 }
 
@@ -53,18 +58,23 @@ struct cli_credentials *cli_credentials_init(TALLOC_CTX *mem_ctx)
  * @retval The username set on this context.
  * @note Return value will never be NULL except by programmer error.
  */
-const char *cli_credentials_get_username(struct cli_credentials *cred)
+const char *cli_credentials_get_username(struct cli_credentials *cred, TALLOC_CTX *mem_ctx)
 {
        if (cred->machine_account_pending) {
                cli_credentials_set_machine_account(cred);
        }
 
+       /* If we have a principal set on this, we want to login with "" domain and user@realm */
+       if (cred->username_obtained < cred->principal_obtained) {
+               return cli_credentials_get_principal(cred, mem_ctx);
+       }
+
        if (cred->username_obtained == CRED_CALLBACK) {
                cred->username = cred->username_cb(cred);
                cred->username_obtained = CRED_SPECIFIED;
        }
 
-       return cred->username;
+       return talloc_reference(mem_ctx, cred->username);
 }
 
 BOOL cli_credentials_set_username(struct cli_credentials *cred, const char *val, enum credentials_obtained obtained)
@@ -78,6 +88,53 @@ BOOL cli_credentials_set_username(struct cli_credentials *cred, const char *val,
        return False;
 }
 
+/**
+ * Obtain the client principal for this credentials context.
+ * @param cred credentials context
+ * @retval The username set on this context.
+ * @note Return value will never be NULL except by programmer error.
+ */
+const char *cli_credentials_get_principal(struct cli_credentials *cred, TALLOC_CTX *mem_ctx)
+{
+       if (cred->machine_account_pending) {
+               cli_credentials_set_machine_account(cred);
+       }
+
+       if (cred->principal_obtained == CRED_CALLBACK) {
+               cred->principal = cred->principal_cb(cred);
+               cred->principal_obtained = CRED_SPECIFIED;
+       }
+
+       if (cred->principal_obtained < cred->username_obtained) {
+               return talloc_asprintf(mem_ctx, "%s@%s", 
+                                      cli_credentials_get_username(cred, mem_ctx),
+                                      cli_credentials_get_realm(cred));
+       }
+       return talloc_reference(mem_ctx, cred->principal);
+}
+
+BOOL cli_credentials_set_principal(struct cli_credentials *cred, const char *val, enum credentials_obtained obtained)
+{
+       if (obtained >= cred->principal_obtained) {
+               cred->principal = talloc_strdup(cred, val);
+               cred->principal_obtained = obtained;
+               return True;
+       }
+
+       return False;
+}
+
+BOOL cli_credentials_authentication_requested(struct cli_credentials *cred) 
+{
+       if (cred->principal_obtained == CRED_SPECIFIED) {
+               return True;
+       }
+       if (cred->username_obtained >= CRED_SPECIFIED) {
+               return True;
+       }
+       return False;
+}
+
 /**
  * Obtain the password for this credentials context.
  * @param cred credentials context
@@ -148,6 +205,207 @@ BOOL cli_credentials_set_nt_hash(struct cli_credentials *cred,
        return False;
 }
 
+int cli_credentials_set_from_ccache(struct cli_credentials *cred, 
+                                   enum credentials_obtained obtained)
+{
+       
+       krb5_principal princ;
+       krb5_error_code ret;
+       char *name;
+       char **realm;
+
+       ret = krb5_cc_get_principal(cred->ccache->smb_krb5_context->krb5_context, 
+                                   cred->ccache->ccache, &princ);
+
+       if (ret) {
+               char *err_mess = smb_get_krb5_error_message(cred->ccache->smb_krb5_context->krb5_context, ret, cred);
+               DEBUG(1,("failed to get principal from ccache: %s\n", 
+                        err_mess));
+               talloc_free(err_mess);
+               return ret;
+       }
+       
+       ret = krb5_unparse_name(cred->ccache->smb_krb5_context->krb5_context, princ, &name);
+       if (ret) {
+               char *err_mess = smb_get_krb5_error_message(cred->ccache->smb_krb5_context->krb5_context, ret, cred);
+               DEBUG(1,("failed to unparse principal from ccache: %s\n", 
+                        err_mess));
+               talloc_free(err_mess);
+               return ret;
+       }
+
+       realm = krb5_princ_realm(cred->ccache->smb_krb5_context->krb5_context, princ);
+
+       cli_credentials_set_realm(cred, *realm, obtained);
+       cli_credentials_set_principal(cred, name, obtained);
+
+       free(name);
+
+       krb5_free_principal(cred->ccache->smb_krb5_context->krb5_context, princ);
+
+       cred->ccache_obtained = obtained;
+
+       return 0;
+}
+
+
+static int free_mccache(void *ptr) {
+       struct ccache_container *ccc = ptr;
+       krb5_cc_destroy(ccc->smb_krb5_context->krb5_context, ccc->ccache);
+
+       return 0;
+}
+
+static int free_dccache(void *ptr) {
+       struct ccache_container *ccc = ptr;
+       krb5_cc_close(ccc->smb_krb5_context->krb5_context, ccc->ccache);
+
+       return 0;
+}
+
+static int cli_credentials_set_ccache(struct cli_credentials *cred, 
+                                     const char *name, 
+                                     enum credentials_obtained obtained)
+{
+       krb5_error_code ret;
+       krb5_principal princ;
+       struct ccache_container *ccc = talloc(cred, struct ccache_container);
+       if (!ccc) {
+               return ENOMEM;
+       }
+
+       ret = smb_krb5_init_context(ccc, &ccc->smb_krb5_context);
+       if (ret) {
+               talloc_free(ccc);
+               return ret;
+       }
+       if (name) {
+               ret = krb5_cc_resolve(ccc->smb_krb5_context->krb5_context, name, &ccc->ccache);
+               if (ret) {
+                       DEBUG(1,("failed to read krb5 ccache: %s: %s\n", 
+                                name, 
+                                smb_get_krb5_error_message(ccc->smb_krb5_context->krb5_context, ret, ccc)));
+                       talloc_free(ccc);
+                       return ret;
+               }
+       } else {
+               ret = krb5_cc_default(ccc->smb_krb5_context->krb5_context, &ccc->ccache);
+               if (ret) {
+                       DEBUG(1,("failed to read default krb5 ccache: %s\n", 
+                                smb_get_krb5_error_message(ccc->smb_krb5_context->krb5_context, ret, ccc)));
+                       talloc_free(ccc);
+                       return ret;
+               }
+       }
+
+       talloc_set_destructor(ccc, free_dccache);
+
+       ret = krb5_cc_get_principal(ccc->smb_krb5_context->krb5_context, ccc->ccache, &princ);
+
+       if (ret) {
+               DEBUG(1,("failed to get principal from default ccache: %s\n", 
+                        smb_get_krb5_error_message(ccc->smb_krb5_context->krb5_context, ret, ccc)));
+               talloc_free(ccc);               
+               return ret;
+       }
+
+       krb5_free_principal(ccc->smb_krb5_context->krb5_context, princ);
+
+       cred->ccache = ccc;
+       talloc_steal(cred, ccc);
+
+       ret = cli_credentials_set_from_ccache(cred, obtained);
+
+       if (ret) {
+               return ret;
+       }
+
+       return 0;
+}
+
+
+int cli_credentials_new_ccache(struct cli_credentials *cred)
+{
+       krb5_error_code ret;
+       char *rand_string;
+       struct ccache_container *ccc = talloc(cred, struct ccache_container);
+       char *ccache_name;
+       if (!ccc) {
+               return ENOMEM;
+       }
+
+       rand_string = generate_random_str(NULL, 16);
+       if (!rand_string) {
+               talloc_free(ccc);
+               return ENOMEM;
+       }
+
+       ccache_name = talloc_asprintf(ccc, "MEMORY:%s", 
+                             rand_string);
+       talloc_free(rand_string);
+
+       if (!ccache_name) {
+               talloc_free(ccc);
+               return ENOMEM;
+       }
+
+       ret = smb_krb5_init_context(ccc, &ccc->smb_krb5_context);
+       if (ret) {
+               talloc_free(ccache_name);
+               talloc_free(ccc);
+               return ret;
+       }
+
+       ret = krb5_cc_resolve(ccc->smb_krb5_context->krb5_context, ccache_name, &ccc->ccache);
+       if (ret) {
+               DEBUG(1,("failed to generate a new krb5 ccache (%s): %s\n", 
+                        ccache_name,
+                        smb_get_krb5_error_message(ccc->smb_krb5_context->krb5_context, ret, ccc)));
+               talloc_free(ccache_name);
+               talloc_free(ccc);
+               return ret;
+       }
+
+       talloc_set_destructor(ccc, free_mccache);
+
+       cred->ccache = ccc;
+       talloc_steal(cred, ccc);
+       talloc_free(ccache_name);
+
+       return ret;
+}
+
+int cli_credentials_get_ccache(struct cli_credentials *cred, struct ccache_container **ccc)
+{
+       krb5_error_code ret;
+       
+       if (cred->ccache_obtained >= (MAX(cred->principal_obtained, 
+                                         cred->username_obtained))) {
+               *ccc = cred->ccache;
+               return 0;
+       }
+       if (cli_credentials_is_anonymous(cred)) {
+               return EINVAL;
+       }
+
+       ret = cli_credentials_new_ccache(cred);
+       if (ret) {
+               return ret;
+       }
+       ret = kinit_to_ccache(cred, cred, cred->ccache->smb_krb5_context, cred->ccache->ccache);
+       if (ret) {
+               return ret;
+       }
+       ret = cli_credentials_set_from_ccache(cred, cred->principal_obtained);
+
+       if (ret) {
+               return ret;
+       }
+       *ccc = cred->ccache;
+       return ret;
+}
+
+
 /**
  * Obtain the 'short' or 'NetBIOS' domain for this credentials context.
  * @param cred credentials context
@@ -160,6 +418,11 @@ const char *cli_credentials_get_domain(struct cli_credentials *cred)
                cli_credentials_set_machine_account(cred);
        }
 
+       /* If we have a principal set on this, we want to login with "" domain and user@realm */
+       if (cred->domain_obtained < cred->principal_obtained) {
+               return "";
+       }
+
        if (cred->domain_obtained == CRED_CALLBACK) {
                cred->domain = cred->domain_cb(cred);
                cred->domain_obtained = CRED_SPECIFIED;
@@ -200,21 +463,6 @@ const char *cli_credentials_get_realm(struct cli_credentials *cred)
        return cred->realm;
 }
 
-/**
- * Obtain the user's Kerberos principal for this credentials context.
- * @param cred credentials context
- * @param mem_ctx A talloc context to return the prinipal name on.
- * @retval The user's Kerberos principal
- * @note Return value may be NULL due to out-of memeory or invalid mem_ctx
- */
-char *cli_credentials_get_principal(struct cli_credentials *cred,
-                                   TALLOC_CTX *mem_ctx)
-{
-       return talloc_asprintf(mem_ctx, "%s@%s", 
-                              cli_credentials_get_username(cred),
-                              cli_credentials_get_realm(cred));
-}
-
 /**
  * Set the realm for this credentials context, and force it to
  * uppercase for the sainity of our local kerberos libraries 
@@ -419,8 +667,10 @@ void cli_credentials_parse_string(struct cli_credentials *credentials, const cha
        }
 
        if ((p = strchr_m(uname,'@'))) {
+               cli_credentials_set_principal(credentials, uname, obtained);
                *p = 0;
                cli_credentials_set_realm(credentials, p+1, obtained);
+               return;
        } else if ((p = strchr_m(uname,'\\')) || (p = strchr_m(uname, '/'))) {
                *p = 0;
                cli_credentials_set_domain(credentials, uname, obtained);
@@ -437,9 +687,10 @@ void cli_credentials_parse_string(struct cli_credentials *credentials, const cha
  */
 void cli_credentials_set_conf(struct cli_credentials *cred)
 {
-       cli_credentials_set_domain(cred, lp_workgroup(), CRED_GUESSED);
-       cli_credentials_set_workstation(cred, lp_netbios_name(), CRED_GUESSED);
-       cli_credentials_set_realm(cred, lp_realm(), CRED_GUESSED);
+       cli_credentials_set_username(cred, "", CRED_UNINITIALISED);
+       cli_credentials_set_domain(cred, lp_workgroup(), CRED_UNINITIALISED);
+       cli_credentials_set_workstation(cred, lp_netbios_name(), CRED_UNINITIALISED);
+       cli_credentials_set_realm(cred, lp_realm(), CRED_UNINITIALISED);
 }
 
 /**
@@ -452,35 +703,36 @@ void cli_credentials_guess(struct cli_credentials *cred)
 {
        char *p;
 
-       cli_credentials_set_username(cred, "", CRED_GUESSED);
        cli_credentials_set_conf(cred);
        
        if (getenv("LOGNAME")) {
-               cli_credentials_set_username(cred, getenv("LOGNAME"), CRED_GUESSED);
+               cli_credentials_set_username(cred, getenv("LOGNAME"), CRED_GUESS_ENV);
        }
 
        if (getenv("USER")) {
-               cli_credentials_parse_string(cred, getenv("USER"), CRED_GUESSED);
+               cli_credentials_parse_string(cred, getenv("USER"), CRED_GUESS_ENV);
                if ((p = strchr_m(getenv("USER"),'%'))) {
                        memset(p,0,strlen(cred->password));
                }
        }
 
        if (getenv("DOMAIN")) {
-               cli_credentials_set_domain(cred, getenv("DOMAIN"), CRED_GUESSED);
+               cli_credentials_set_domain(cred, getenv("DOMAIN"), CRED_GUESS_ENV);
        }
 
        if (getenv("PASSWD")) {
-               cli_credentials_set_password(cred, getenv("PASSWD"), CRED_GUESSED);
+               cli_credentials_set_password(cred, getenv("PASSWD"), CRED_GUESS_ENV);
        }
 
        if (getenv("PASSWD_FD")) {
-               cli_credentials_parse_password_fd(cred, atoi(getenv("PASSWD_FD")), CRED_GUESSED);
+               cli_credentials_parse_password_fd(cred, atoi(getenv("PASSWD_FD")), CRED_GUESS_FILE);
        }
        
        if (getenv("PASSWD_FILE")) {
-               cli_credentials_parse_password_file(cred, getenv("PASSWD_FILE"), CRED_GUESSED);
+               cli_credentials_parse_password_file(cred, getenv("PASSWD_FILE"), CRED_GUESS_FILE);
        }
+
+       cli_credentials_set_ccache(cred, NULL, CRED_GUESS_FILE);
 }
 
 /**
@@ -690,13 +942,17 @@ void cli_credentials_set_anonymous(struct cli_credentials *cred)
 
 BOOL cli_credentials_is_anonymous(struct cli_credentials *cred)
 {
-       const char *username = cli_credentials_get_username(cred);
-
+       TALLOC_CTX *tmp_ctx = talloc_new(cred);
+       const char *username = cli_credentials_get_username(cred, tmp_ctx);
+       
        /* Yes, it is deliberate that we die if we have a NULL pointer
         * here - anonymous is "", not NULL, which is 'never specified,
         * never guessed', ie programmer bug */
-       if (!username[0]) 
+       if (!username[0]) {
+               talloc_free(tmp_ctx);
                return True;
-
+       }
+       
+       talloc_free(tmp_ctx);
        return False;
 }
index bb89fc910e79762ebfa3eb24822dd6503b95922e..3d47863067179abf858a88373f8a91731c0cdc61 100644 (file)
@@ -474,8 +474,7 @@ int ildb_connect(struct ldb_context *ldb, const char *url,
        ldb->modules->private_data = ildb;
        ldb->modules->ops = &ildb_ops;
 
-       if (cmdline_credentials != NULL &&
-           cmdline_credentials->username_obtained > CRED_GUESSED) {
+       if (cmdline_credentials != NULL && cli_credentials_authentication_requested(cmdline_credentials)) {
                status = ldap_bind_sasl(ildb->ldap, cmdline_credentials);
                if (!NT_STATUS_IS_OK(status)) {
                        ldb_debug(ldb, LDB_DEBUG_ERROR, "Failed to bind - %s\n",
index b95fc0d4b204d7e372fe509539661dfb55845530..6be91c0db2bd3949ec434306788a13947b9526ab 100644 (file)
@@ -86,8 +86,11 @@ static NTSTATUS print_samba3_secrets(struct samba3_secrets *secrets)
        print_header("Secrets");
 
        printf("IPC Credentials:\n");
-       if (secrets->ipc_cred->username_obtained) 
-               printf("        User: %s\n", cli_credentials_get_username(secrets->ipc_cred));
+       if (secrets->ipc_cred->username_obtained) {
+               TALLOC_CTX *mem_ctx = talloc_new(NULL);
+               printf("        User: %s\n", cli_credentials_get_username(secrets->ipc_cred, mem_ctx));
+               talloc_free(mem_ctx);
+       }
        if (secrets->ipc_cred->password_obtained)
                printf("        Password: %s\n", cli_credentials_get_password(secrets->ipc_cred));
 
index b27290d5e4c1a3c3233c77b12ae8be70def35e71..b925f99bed2f8fe017dd55787a6da88b041533ee 100644 (file)
@@ -174,7 +174,7 @@ static NTSTATUS session_setup_nt1(struct composite_context *c,
        state->setup.nt1.in.capabilities = io->in.capabilities;
        state->setup.nt1.in.os           = "Unix";
        state->setup.nt1.in.lanman       = talloc_asprintf(state, "Samba %s", SAMBA_VERSION_STRING);
-       state->setup.nt1.in.user         = cli_credentials_get_username(io->in.credentials);
+       state->setup.nt1.in.user         = cli_credentials_get_username(io->in.credentials, state);
        state->setup.nt1.in.domain       = cli_credentials_get_domain(io->in.credentials);
 
        if (!password) {
@@ -260,7 +260,7 @@ static NTSTATUS session_setup_old(struct composite_context *c,
        state->setup.old.in.vc_num  = 1;
        state->setup.old.in.sesskey = io->in.sesskey;
        state->setup.old.in.domain  = cli_credentials_get_domain(io->in.credentials);
-       state->setup.old.in.user    = cli_credentials_get_username(io->in.credentials);
+       state->setup.old.in.user    = cli_credentials_get_username(io->in.credentials, state);
        state->setup.old.in.os      = "Unix";
        state->setup.old.in.lanman  = talloc_asprintf(state, "Samba %s", SAMBA_VERSION_STRING);
        
index ae4ce9426923319bce86ec5ba0e76c36a5fd22fa..77c8c028af4d0683cbcb204840c0188c9372436d 100644 (file)
@@ -110,7 +110,7 @@ static NTSTATUS dcerpc_schannel_key(TALLOC_CTX *tmp_ctx,
                          negotiate_flags);
 
        a.in.server_name = r.in.server_name;
-       a.in.account_name = cli_credentials_get_username(credentials);
+       a.in.account_name = cli_credentials_get_username(credentials, tmp_ctx);
        a.in.secure_channel_type = 
                cli_credentials_get_secure_channel_type(credentials);
        a.in.computer_name = cli_credentials_get_workstation(credentials);
@@ -153,7 +153,7 @@ NTSTATUS dcerpc_bind_auth_schannel(TALLOC_CTX *tmp_ctx,
 
        if (!NT_STATUS_IS_OK(status)) {
                DEBUG(1, ("Failed to setup credentials for account %s: %s\n",
-                         cli_credentials_get_username(credentials), 
+                         cli_credentials_get_username(credentials, tmp_ctx), 
                          nt_errstr(status)));
                return status;
        }
index ef3b86a8b4818631fd31e15187c4db8159edc4bc..8df69cf087318a882a536019b42d439cba4733c9 100644 (file)
@@ -119,7 +119,7 @@ static int ejs_userAuth(MprVarHandle eid, int argc, struct MprVar **argv)
                ejsSetErrorMsg(eid, "userAuth requires a 'creds' element");
                return -1;
        }
-       username    = cli_credentials_get_username(creds);
+       username    = cli_credentials_get_username(creds, tmp_ctx);
        password    = cli_credentials_get_password(creds);
        domain      = cli_credentials_get_domain(creds);
        remote_host = cli_credentials_get_workstation(creds);
index cc2ccf8c47455c9aa67519b01e635e6e89e1d8de..f9d231293ae9be24a6b064436e7573fd024e29a3 100644 (file)
@@ -73,7 +73,7 @@ static int ejs_creds_get_username(MprVarHandle eid, int argc, struct MprVar **ar
 {
        struct cli_credentials *creds = ejs_creds_get_credentials(eid);
 
-       mpr_Return(eid, mprString(cli_credentials_get_username(creds)));
+       mpr_Return(eid, mprString(cli_credentials_get_username(creds, mprMemCtx())));
        return 0;
 }
 
index 14353ff590e67cdffe0a9994b08672e11525c905..10ac1cbba3b3afd295c7e5284bb8bb757e6969f3 100644 (file)
@@ -38,7 +38,7 @@ static BOOL test_LogonUasLogon(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx)
        struct netr_LogonUasLogon r;
 
        r.in.server_name = NULL;
-       r.in.account_name = cli_credentials_get_username(cmdline_credentials),
+       r.in.account_name = cli_credentials_get_username(cmdline_credentials, mem_ctx);
        r.in.workstation = TEST_MACHINE_NAME;
 
        printf("Testing LogonUasLogon\n");
@@ -59,7 +59,7 @@ static BOOL test_LogonUasLogoff(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx)
        struct netr_LogonUasLogoff r;
 
        r.in.server_name = NULL;
-       r.in.account_name = cli_credentials_get_username(cmdline_credentials),
+       r.in.account_name = cli_credentials_get_username(cmdline_credentials, mem_ctx);
        r.in.workstation = TEST_MACHINE_NAME;
 
        printf("Testing LogonUasLogoff\n");
@@ -487,7 +487,7 @@ static BOOL test_SamLogon(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx)
        struct netr_LogonSamLogon r;
        struct netr_Authenticator auth, auth2;
        struct netr_NetworkInfo ninfo;
-       const char *username = cli_credentials_get_username(cmdline_credentials);
+       const char *username = cli_credentials_get_username(cmdline_credentials, mem_ctx);
        const char *password = cli_credentials_get_password(cmdline_credentials);
        struct creds_CredentialState *creds;
 
index 607dbaec8a32e53a7711792a6383596a841c88f8..42051795c8359642d6101ef4316bd31ac105d11e 100644 (file)
@@ -1366,13 +1366,13 @@ BOOL torture_rpc_samlogon(void)
        } usercreds[] = {
                {
                        cli_credentials_get_domain(cmdline_credentials),
-                       cli_credentials_get_username(cmdline_credentials),
+                       cli_credentials_get_username(cmdline_credentials, mem_ctx),
                        cli_credentials_get_password(cmdline_credentials),
                        True
                },
                {
                        cli_credentials_get_realm(cmdline_credentials),
-                       cli_credentials_get_username(cmdline_credentials),
+                       cli_credentials_get_username(cmdline_credentials, mem_ctx),
                        cli_credentials_get_password(cmdline_credentials),
                        True
                },
@@ -1380,7 +1380,7 @@ BOOL torture_rpc_samlogon(void)
                        NULL,
                        talloc_asprintf(mem_ctx, 
                                        "%s@%s", 
-                                       cli_credentials_get_username(cmdline_credentials),
+                                       cli_credentials_get_username(cmdline_credentials, mem_ctx),
                                        cli_credentials_get_domain(cmdline_credentials)
                                ),
                        cli_credentials_get_password(cmdline_credentials),
@@ -1390,7 +1390,7 @@ BOOL torture_rpc_samlogon(void)
                        NULL,
                        talloc_asprintf(mem_ctx, 
                                        "%s@%s", 
-                                       cli_credentials_get_username(cmdline_credentials),
+                                       cli_credentials_get_username(cmdline_credentials, mem_ctx),
                                        cli_credentials_get_realm(cmdline_credentials)
                                ),
                        cli_credentials_get_password(cmdline_credentials),
index 580c6f57eb1588ef3b54714a2c94d02fcc3c4a28..3f02622e1c9234ab97b0df885819fe35a5098549 100644 (file)
@@ -92,7 +92,7 @@ static BOOL test_netlogon_ops(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx,
        struct netr_LogonSamLogon r;
        struct netr_Authenticator auth, auth2;
        struct netr_NetworkInfo ninfo;
-       const char *username = cli_credentials_get_username(cmdline_credentials);
+       const char *username = cli_credentials_get_username(cmdline_credentials, mem_ctx);
        const char *password = cli_credentials_get_password(cmdline_credentials);
        int i;
        BOOL ret = True;
index 1912beeb41b3b03479a13fc3bf0b532961e464fb..0bfb8a5be8003b75d6dfdbb05eabb58bf7b135b3 100644 (file)
@@ -49,7 +49,7 @@ static int net_password_change(struct net_context *ctx, int argc, const char **a
        } else {
                password_prompt = talloc_asprintf(ctx->mem_ctx, "Enter new password for account [%s\\%s]:", 
                                                        cli_credentials_get_domain(ctx->credentials), 
-                                                       cli_credentials_get_username(ctx->credentials));
+                                                       cli_credentials_get_username(ctx->credentials, ctx->mem_ctx));
                new_password = getpass(password_prompt);
        }
 
@@ -61,7 +61,7 @@ static int net_password_change(struct net_context *ctx, int argc, const char **a
 
        /* prepare password change */
        r.generic.level                 = LIBNET_CHANGE_PASSWORD_GENERIC;
-       r.generic.in.account_name       = cli_credentials_get_username(ctx->credentials);
+       r.generic.in.account_name       = cli_credentials_get_username(ctx->credentials, ctx->mem_ctx);
        r.generic.in.domain_name        = cli_credentials_get_domain(ctx->credentials);
        r.generic.in.oldpassword        = cli_credentials_get_password(ctx->credentials);
        r.generic.in.newpassword        = new_password;
index 7e1ca011e4914c0cba14783584d881c25ed14f73..b10d4af6ce6229a35f673616d4cd50cb4dcd2268 100644 (file)
@@ -349,8 +349,6 @@ static void manage_gensec_request(enum stdio_helper_mode stdio_helper_mode,
                        cli_credentials_set_conf(creds);
                        if (opt_username) {
                                cli_credentials_set_username(creds, opt_username, CRED_SPECIFIED);
-                       } else {
-                               cli_credentials_set_username(creds, "", CRED_GUESSED);
                        }
                        if (opt_domain) {
                                cli_credentials_set_domain(creds, opt_domain, CRED_SPECIFIED);