r13206: This patch finally re-adds a -k option that works reasonably.

author Andrew Bartlett <abartlet@samba.org>

Sat, 28 Jan 2006 12:15:24 +0000 (12:15 +0000)

committer Gerald (Jerry) Carter <jerry@samba.org>

Wed, 10 Oct 2007 18:51:33 +0000 (13:51 -0500)
author Andrew Bartlett <abartlet@samba.org>
Sat, 28 Jan 2006 12:15:24 +0000 (12:15 +0000)
committer Gerald (Jerry) Carter <jerry@samba.org>
Wed, 10 Oct 2007 18:51:33 +0000 (13:51 -0500)
diff --git a/source4/auth/credentials/config.mk b/source4/auth/credentials/config.mk

index 5c72630d5adb1611c2a1e66489184ce6fb8c3c67..96c48f757422ec444627b84f9320ea53aeeaec0e 100644 (file)
--- a/source4/auth/credentials/config.mk
+++ b/source4/auth/credentials/config.mk
@@ -5,10 +5,9 @@ PRIVATE_PROTO_HEADER = credentials_proto.h
  OBJ_FILES = credentials.o \
                 credentials_files.o \
                 credentials_krb5.o \
-               credentials_ntlm.o \
-               credentials_gensec.o 
+               credentials_ntlm.o
  REQUIRED_SUBSYSTEMS = \
-               HEIMDAL GENSEC LIBCLI_AUTH LIBLDB SECRETS
+               HEIMDAL LIBCLI_AUTH LIBLDB SECRETS
  # End SUBSYSTEM CREDENTIALS
  #################################
  
diff --git a/source4/auth/credentials/credentials.c b/source4/auth/credentials/credentials.c

index a6bfb15decc96a3dda3f321e63c3b1007371cb9c..b1554cc9efb1dcbe14c43a1216114e1545f71d2e 100644 (file)
--- a/source4/auth/credentials/credentials.c
+++ b/source4/auth/credentials/credentials.c
@@ -24,7 +24,7 @@
  
  #include "includes.h"
  #include "librpc/gen_ndr/ndr_samr.h" /* for struct samrPassword */
-
+#include "auth/gensec/gensec.h"
  
  /**
   * Create a new credentials structure
@@ -54,13 +54,26 @@ struct cli_credentials *cli_credentials_init(TALLOC_CTX *mem_ctx)
         cred->smb_krb5_context = NULL;
         cred->salt_principal = NULL;
         cred->machine_account = False;
-       cred->gensec_list = NULL;
  
         cred->bind_dn = NULL;
  
+       cli_credentials_set_kerberos_state(cred, CRED_AUTO_USE_KERBEROS);
+
         return cred;
  }
  
+void cli_credentials_set_kerberos_state(struct cli_credentials *creds, 
+                                       enum credentials_use_kerberos use_kerberos)
+{
+       creds->use_kerberos = use_kerberos;
+}
+
+enum credentials_use_kerberos cli_credentials_get_kerberos_state(struct cli_credentials *creds)
+{
+       return creds->use_kerberos;
+}
+
+
  /**
   * Obtain the username for this credentials context.
   * @param cred credentials context
diff --git a/source4/auth/credentials/credentials.h b/source4/auth/credentials/credentials.h

index 8402676acd440c6daa0d9665f436d19c0b98170f..eb4e5c96d090c27fc6457246f6a81d4be6fa5145 100644 (file)
--- a/source4/auth/credentials/credentials.h
+++ b/source4/auth/credentials/credentials.h
@@ -32,15 +32,19 @@ enum credentials_obtained {
         CRED_SPECIFIED           /* Was explicitly specified on the command-line */
  };
  
+enum credentials_use_kerberos {
+       CRED_AUTO_USE_KERBEROS = 0, /* Default, we try kerberos if available */
+       CRED_DONT_USE_KERBEROS,     /* Sometimes trying kerberos just does 'bad things', so don't */
+       CRED_MUST_USE_KERBEROS      /* Sometimes administrators are parinoid, so always do kerberos */
+};
+
  #define CLI_CRED_NTLM2       0x01
  #define CLI_CRED_NTLMv2_AUTH 0x02
  #define CLI_CRED_LANMAN_AUTH 0x04
  #define CLI_CRED_NTLM_AUTH   0x08
+#define CLI_CRED_CLEAR_AUTH  0x10   /* TODO:  Push cleartext auth with this flag */
  
  struct cli_credentials {
-       /* Preferred methods, NULL means default */
-       const char **preferred_methods;
-
         enum credentials_obtained workstation_obtained;
         enum credentials_obtained username_obtained;
         enum credentials_obtained password_obtained;
@@ -94,8 +98,8 @@ struct cli_credentials {
         /* Is this a machine account? */
         BOOL machine_account;
  
-       /* A list of valid GENSEC mechanisms for use on this account */
-       const struct gensec_security_ops **gensec_list;
+       /* Should we be trying to use kerberos? */
+       enum credentials_use_kerberos use_kerberos;
  };
  
  #include "auth/credentials/credentials_proto.h"
diff --git a/source4/auth/credentials/credentials_gensec.c b/source4/auth/credentials/credentials_gensec.c

deleted file mode 100644 (file)

index 7ea15e7..0000000
--- a/source4/auth/credentials/credentials_gensec.c
+++ /dev/null
@@ -1,77 +0,0 @@
-/* 
-   Unix SMB/CIFS implementation.
-
-   User credentials handling
-
-   Copyright (C) Andrew Bartlett <abartlet@samba.org> 2005
-   
-   This program is free software; you can redistribute it and/or modify
-   it under the terms of the GNU General Public License as published by
-   the Free Software Foundation; either version 2 of the License, or
-   (at your option) any later version.
-   
-   This program is distributed in the hope that it will be useful,
-   but WITHOUT ANY WARRANTY; without even the implied warranty of
-   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-   GNU General Public License for more details.
-   
-   You should have received a copy of the GNU General Public License
-   along with this program; if not, write to the Free Software
-   Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
-*/
-
-#include "includes.h"
-#include "auth/gensec/gensec.h"
-
-const struct gensec_security_ops **cli_credentials_gensec_list(struct cli_credentials *creds) 
-{
-       if (!creds || !creds->gensec_list) {
-               return gensec_security_all();
-       }
-       return creds->gensec_list;
-}
-
-static NTSTATUS cli_credentials_gensec_remove_mech(struct cli_credentials *creds,
-                                                  const struct gensec_security_ops *remove_mech) 
-{
-       const struct gensec_security_ops **gensec_list;
-       const struct gensec_security_ops **new_gensec_list;
-       int i, j;
-
-       gensec_list = cli_credentials_gensec_list(creds);
-
-       for (i=0; gensec_list && gensec_list[i]; i++) {
-               /* noop */
-       }
-
-       new_gensec_list = talloc_array(creds, const struct gensec_security_ops *, i + 1);
-       if (!new_gensec_list) {
-               return NT_STATUS_NO_MEMORY;
-       }
-
-       j = 0;
-       for (i=0; gensec_list && gensec_list[i]; i++) {
-               if (gensec_list[i] != remove_mech) {
-                       new_gensec_list[j] = gensec_list[i];
-                       j++;
-               }
-       }
-       new_gensec_list[j] = NULL; 
-       
-       creds->gensec_list = new_gensec_list;
-
-       return NT_STATUS_OK;
-}
-
-NTSTATUS cli_credentials_gensec_remove_oid(struct cli_credentials *creds,
-                                          const char *oid) 
-{
-       const struct gensec_security_ops *gensec_by_oid;
-
-       gensec_by_oid = gensec_security_by_oid(NULL, oid);
-       if (!gensec_by_oid) {
-               return NT_STATUS_OK;
-       }
-
-       return cli_credentials_gensec_remove_mech(creds, gensec_by_oid);
-}
diff --git a/source4/auth/credentials/credentials_ntlm.c b/source4/auth/credentials/credentials_ntlm.c

index c7932e6f1a9d4b4237d009f09a5f45f7727fa83c..5068540a3274ca848926acffc751c49b8b7c1b3a 100644 (file)
--- a/source4/auth/credentials/credentials_ntlm.c
+++ b/source4/auth/credentials/credentials_ntlm.c
@@ -66,6 +66,10 @@ NTSTATUS cli_credentials_get_ntlm_response(struct cli_credentials *cred, TALLOC_
         if (cred->machine_account) {
                 *flags = *flags & ~CLI_CRED_LANMAN_AUTH;
         }
+       
+       if (cred->use_kerberos == CRED_MUST_USE_KERBEROS) {
+               return NT_STATUS_ACCESS_DENIED;
+       }
  
         if (!nt_hash) {
                 static const uint8_t zeros[16];
diff --git a/source4/auth/gensec/gensec.c b/source4/auth/gensec/gensec.c

index fa5c877363504155374f848fa8f26e44375a2cc0..4853b53e406e5d2fe4086a96cf916fcae9fcb9ab 100644 (file)
--- a/source4/auth/gensec/gensec.c
+++ b/source4/auth/gensec/gensec.c
@@ -27,29 +27,110 @@
  #include "smb_build.h"
  
  /* the list of currently registered GENSEC backends */
-const static struct gensec_security_ops **generic_security_ops;
+static struct gensec_security_ops **generic_security_ops;
  static int gensec_num_backends;
  
-const struct gensec_security_ops **gensec_security_all(void)
+/* Return all the registered mechs.  Don't modify the return pointer,
+ * but you may talloc_reference it if convient */
+struct gensec_security_ops **gensec_security_all(void)
  {
         return generic_security_ops;
  }
  
+/* Sometimes we want to force only kerberos, sometimes we want to
+ * force it's avoidance.  The old list could be either
+ * gensec_security_all(), or from cli_credentials_gensec_list() (ie,
+ * an existing list we have trimmed down) */
+
+struct gensec_security_ops **gensec_use_kerberos_mechs(TALLOC_CTX *mem_ctx, 
+                                                      struct gensec_security_ops **old_gensec_list, 
+                                                      enum credentials_use_kerberos use_kerberos) 
+{
+       struct gensec_security_ops **new_gensec_list;
+       int i, j, num_mechs_in;
+
+       if (use_kerberos == CRED_AUTO_USE_KERBEROS) {
+               talloc_reference(mem_ctx, old_gensec_list);
+               return old_gensec_list;
+       }
+
+       for (num_mechs_in=0; old_gensec_list && old_gensec_list[num_mechs_in]; num_mechs_in++) {
+               /* noop */
+       }
+
+       new_gensec_list = talloc_array(mem_ctx, struct gensec_security_ops *, num_mechs_in + 1);
+       if (!new_gensec_list) {
+               return NULL;
+       }
+
+       j = 0;
+       for (i=0; old_gensec_list && old_gensec_list[i]; i++) {
+               int oid_idx;
+               for (oid_idx = 0; old_gensec_list[i]->oid && old_gensec_list[i]->oid[oid_idx]; oid_idx++) {
+                       if (strcmp(old_gensec_list[i]->oid[oid_idx], GENSEC_OID_SPNEGO) == 0) {
+                               new_gensec_list[j] = old_gensec_list[i];
+                               j++;
+                               break;
+                       }
+               }
+               switch (use_kerberos) {
+               case CRED_DONT_USE_KERBEROS:
+                       if (old_gensec_list[i]->kerberos == False) {
+                               new_gensec_list[j] = old_gensec_list[i];
+                               j++;
+                       }
+                       break;
+               case CRED_MUST_USE_KERBEROS:
+                       if (old_gensec_list[i]->kerberos == True) {
+                               new_gensec_list[j] = old_gensec_list[i];
+                               j++;
+                       }
+                       break;
+               case CRED_AUTO_USE_KERBEROS:
+                       break;
+               }
+       }
+       new_gensec_list[j] = NULL; 
+       
+       return new_gensec_list;
+}
+
+struct gensec_security_ops **gensec_security_mechs(struct gensec_security *gensec_security,
+                                                  TALLOC_CTX *mem_ctx) 
+{
+       struct gensec_security_ops **backends;
+       backends = gensec_security_all();
+       if (!gensec_security) {
+               talloc_reference(mem_ctx, backends);
+               return backends;
+       } else {
+               struct cli_credentials *creds = gensec_get_credentials(gensec_security);
+               enum credentials_use_kerberos use_kerberos
+                       = cli_credentials_get_kerberos_state(creds);
+               return gensec_use_kerberos_mechs(mem_ctx, backends, use_kerberos);
+       }
+
+}
+
  static const struct gensec_security_ops *gensec_security_by_authtype(struct gensec_security *gensec_security,
                                                                      uint8_t auth_type)
  {
         int i;
-       const struct gensec_security_ops **backends;
-       if (!gensec_security) {
-               backends = gensec_security_all();
-       } else {
-               backends = cli_credentials_gensec_list(gensec_get_credentials(gensec_security));
+       struct gensec_security_ops **backends;
+       const struct gensec_security_ops *backend;
+       TALLOC_CTX *mem_ctx = talloc_new(gensec_security);
+       if (!mem_ctx) {
+               return NULL;
         }
+       backends = gensec_security_mechs(gensec_security, mem_ctx);
         for (i=0; backends && backends[i]; i++) {
                 if (backends[i]->auth_type == auth_type) {
-                       return backends[i];
+                       backend = backends[i];
+                       talloc_free(mem_ctx);
+                       return backend;
                 }
         }
+       talloc_free(mem_ctx);
  
         return NULL;
  }
@@ -58,22 +139,26 @@ const struct gensec_security_ops *gensec_security_by_oid(struct gensec_security
                                                          const char *oid_string)
  {
         int i, j;
-       const struct gensec_security_ops **backends;
-       if (!gensec_security) {
-               backends = gensec_security_all();
-       } else {
-               backends = cli_credentials_gensec_list(gensec_get_credentials(gensec_security));
+       struct gensec_security_ops **backends;
+       const struct gensec_security_ops *backend;
+       TALLOC_CTX *mem_ctx = talloc_new(gensec_security);
+       if (!mem_ctx) {
+               return NULL;
         }
+       backends = gensec_security_mechs(gensec_security, mem_ctx);
         for (i=0; backends && backends[i]; i++) {
                 if (backends[i]->oid) {
                         for (j=0; backends[i]->oid[j]; j++) { 
                                 if (backends[i]->oid[j] &&
                                     (strcmp(backends[i]->oid[j], oid_string) == 0)) {
-                                       return backends[i];
+                                       backend = backends[i];
+                                       talloc_free(mem_ctx);
+                                       return backend;
                                 }
                         }
                 }
         }
+       talloc_free(mem_ctx);
  
         return NULL;
  }
@@ -82,18 +167,22 @@ static const struct gensec_security_ops *gensec_security_by_sasl_name(struct gen
                                                                       const char *sasl_name)
  {
         int i;
-       const struct gensec_security_ops **backends;
-       if (!gensec_security) {
-               backends = gensec_security_all();
-       } else {
-               backends = cli_credentials_gensec_list(gensec_get_credentials(gensec_security));
+       struct gensec_security_ops **backends;
+       const struct gensec_security_ops *backend;
+       TALLOC_CTX *mem_ctx = talloc_new(gensec_security);
+       if (!mem_ctx) {
+               return NULL;
         }
+       backends = gensec_security_mechs(gensec_security, mem_ctx);
         for (i=0; backends && backends[i]; i++) {
                 if (backends[i]->sasl_name 
                     && (strcmp(backends[i]->sasl_name, sasl_name) == 0)) {
-                       return backends[i];
+                       backend = backends[i];
+                       talloc_free(mem_ctx);
+                       return backend;
                 }
         }
+       talloc_free(mem_ctx);
  
         return NULL;
  }
@@ -102,19 +191,22 @@ static const struct gensec_security_ops *gensec_security_by_name(struct gensec_s
                                                                  const char *name)
  {
         int i;
-       const struct gensec_security_ops **backends;
-       if (!gensec_security) {
-               backends = gensec_security_all();
-       } else {
-               backends = cli_credentials_gensec_list(gensec_get_credentials(gensec_security));
+       struct gensec_security_ops **backends;
+       const struct gensec_security_ops *backend;
+       TALLOC_CTX *mem_ctx = talloc_new(gensec_security);
+       if (!mem_ctx) {
+               return NULL;
         }
+       backends = gensec_security_mechs(gensec_security, mem_ctx);
         for (i=0; backends && backends[i]; i++) {
                 if (backends[i]->name 
                     && (strcmp(backends[i]->name, name) == 0)) {
-                       return backends[i];
+                       backend = backends[i];
+                       talloc_free(mem_ctx);
+                       return backend;
                 }
         }
-
+       talloc_free(mem_ctx);
         return NULL;
  }
  
@@ -131,7 +223,7 @@ const struct gensec_security_ops **gensec_security_by_sasl(struct gensec_securit
                                                            const char **sasl_names)
  {
         const struct gensec_security_ops **backends_out;
-       const struct gensec_security_ops **backends;
+       struct gensec_security_ops **backends;
         int i, k, sasl_idx;
         int num_backends_out = 0;
  
@@ -139,7 +231,7 @@ const struct gensec_security_ops **gensec_security_by_sasl(struct gensec_securit
                 return NULL;
         }
  
-       backends = cli_credentials_gensec_list(gensec_get_credentials(gensec_security));
+       backends = gensec_security_mechs(gensec_security, mem_ctx);
  
         backends_out = talloc_array(mem_ctx, const struct gensec_security_ops *, 1);
         if (!backends_out) {
@@ -198,7 +290,7 @@ const struct gensec_security_ops_wrapper *gensec_security_by_oid_list(struct gen
                                                                       const char *skip)
  {
         struct gensec_security_ops_wrapper *backends_out;
-       const struct gensec_security_ops **backends;
+       struct gensec_security_ops **backends;
         int i, j, k, oid_idx;
         int num_backends_out = 0;
  
@@ -206,7 +298,7 @@ const struct gensec_security_ops_wrapper *gensec_security_by_oid_list(struct gen
                 return NULL;
         }
  
-       backends = cli_credentials_gensec_list(gensec_get_credentials(gensec_security));
+       backends = gensec_security_mechs(gensec_security, gensec_security);
  
         backends_out = talloc_array(mem_ctx, struct gensec_security_ops_wrapper, 1);
         if (!backends_out) {
@@ -267,7 +359,7 @@ const struct gensec_security_ops_wrapper *gensec_security_by_oid_list(struct gen
   */
  
  const char **gensec_security_oids_from_ops(TALLOC_CTX *mem_ctx, 
-                                          const struct gensec_security_ops **ops,                                 
+                                          struct gensec_security_ops **ops,                               
                                            const char *skip) 
  {
         int i;
@@ -354,8 +446,8 @@ const char **gensec_security_oids(struct gensec_security *gensec_security,
                                   TALLOC_CTX *mem_ctx, 
                                   const char *skip) 
  {
-       const struct gensec_security_ops **ops
-               = cli_credentials_gensec_list(gensec_get_credentials(gensec_security));
+       struct gensec_security_ops **ops
+               = gensec_security_mechs(gensec_security, mem_ctx);
         return gensec_security_oids_from_ops(mem_ctx, ops, skip);
  }
  
@@ -944,10 +1036,8 @@ const char *gensec_get_target_principal(struct gensec_security *gensec_security)
    The 'name' can be later used by other backends to find the operations
    structure for this backend.
  */
-NTSTATUS gensec_register(const void *_ops)
+NTSTATUS gensec_register(const struct gensec_security_ops *ops)
  {
-       const struct gensec_security_ops *ops = _ops;
-       
         if (!lp_parm_bool(-1, "gensec", ops->name, ops->enabled)) {
                 DEBUG(2,("gensec subsystem %s is disabled\n", ops->name));
                 return NT_STATUS_OK;
@@ -960,11 +1050,12 @@ NTSTATUS gensec_register(const void *_ops)
                 return NT_STATUS_OBJECT_NAME_COLLISION;
         }
  
-       generic_security_ops = realloc_p(generic_security_ops, 
-                                        const struct gensec_security_ops *, 
-                                        gensec_num_backends+2);
+       generic_security_ops = talloc_realloc(talloc_autofree_context(), 
+                                             generic_security_ops, 
+                                             struct gensec_security_ops *, 
+                                             gensec_num_backends+2);
         if (!generic_security_ops) {
-               smb_panic("out of memory in gensec_register");
+               smb_panic("out of memory (or failed to realloc referenced memory) in gensec_register");
         }
  
         generic_security_ops[gensec_num_backends] = ops;
diff --git a/source4/auth/gensec/gensec.h b/source4/auth/gensec/gensec.h

index 6821d7f2dbf809c302d3328a55255725a28b9dc2..2084ebb97aaa69aeeacfa0740ecf4647dd39facd 100644 (file)
--- a/source4/auth/gensec/gensec.h
+++ b/source4/auth/gensec/gensec.h
@@ -95,6 +95,7 @@ struct gensec_security_ops {
         BOOL (*have_feature)(struct gensec_security *gensec_security,
                                     uint32_t feature); 
         BOOL enabled;
+       BOOL kerberos;
  };
         
  struct gensec_security_ops_wrapper {
diff --git a/source4/auth/gensec/gensec_gssapi.c b/source4/auth/gensec/gensec_gssapi.c

index 4eb7b95d6d37ccb6a050c145b3bff9e6e6166213..f9650ee6cc24e65bd5d6ac9972705a988bb15964 100644 (file)
--- a/source4/auth/gensec/gensec_gssapi.c
+++ b/source4/auth/gensec/gensec_gssapi.c
@@ -174,7 +174,7 @@ static NTSTATUS gensec_gssapi_server_start(struct gensec_security *gensec_securi
         
         if (!machine_account) {
                 DEBUG(3, ("No machine account credentials specified\n"));
-               return NT_STATUS_INVALID_PARAMETER;
+               return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
         } else {
                 ret = cli_credentials_get_server_gss_creds(machine_account, &gcc);
                 if (ret) {
@@ -933,7 +933,8 @@ static const struct gensec_security_ops gensec_gssapi_krb5_security_ops = {
         .wrap           = gensec_gssapi_wrap,
         .unwrap         = gensec_gssapi_unwrap,
         .have_feature   = gensec_gssapi_have_feature,
-       .enabled        = True
+       .enabled        = True,
+       .kerberos       = True
  };
  
  NTSTATUS gensec_gssapi_init(void)
diff --git a/source4/auth/gensec/gensec_krb5.c b/source4/auth/gensec/gensec_krb5.c

index 98f7e726cc8e959e7809a654ec81449c7a6879dd..de93c5bd0cd5bfedfbe0ec17f92fe9d5ab8caa9d 100644 (file)
--- a/source4/auth/gensec/gensec_krb5.c
+++ b/source4/auth/gensec/gensec_krb5.c
@@ -718,7 +718,8 @@ static const struct gensec_security_ops gensec_fake_gssapi_krb5_security_ops = {
         .session_key    = gensec_krb5_session_key,
         .session_info   = gensec_krb5_session_info,
         .have_feature   = gensec_krb5_have_feature,
-       .enabled        = False
+       .enabled        = False,
+       .kerberos       = True
  };
  
  static const struct gensec_security_ops gensec_krb5_security_ops = {
@@ -731,7 +732,8 @@ static const struct gensec_security_ops gensec_krb5_security_ops = {
         .have_feature   = gensec_krb5_have_feature,
         .wrap           = gensec_krb5_wrap,
         .unwrap         = gensec_krb5_unwrap,
-       .enabled        = True
+       .enabled        = True,
+       .kerberos       = True
  };
  
  NTSTATUS gensec_krb5_init(void)
diff --git a/source4/auth/gensec/spnego.c b/source4/auth/gensec/spnego.c

index 57853c9c61305cbe5a100927f521dedd0c51eb86..6f38576a3f0c7e0975d4c1b940c4488f83de82eb 100644 (file)
--- a/source4/auth/gensec/spnego.c
+++ b/source4/auth/gensec/spnego.c
@@ -246,8 +246,8 @@ static NTSTATUS gensec_spnego_server_try_fallback(struct gensec_security *gensec
                                                   const DATA_BLOB in, DATA_BLOB *out) 
  {
         int i,j;
-       const struct gensec_security_ops **all_ops
-               = cli_credentials_gensec_list(gensec_get_credentials(gensec_security));
+       struct gensec_security_ops **all_ops
+               = gensec_security_mechs(gensec_security, out_mem_ctx);
         for (i=0; all_ops[i]; i++) {
                 BOOL is_spnego;
                 NTSTATUS nt_status;
@@ -341,7 +341,8 @@ static NTSTATUS gensec_spnego_parse_negTokenInit(struct gensec_security *gensec_
                                                           out_mem_ctx, 
                                                           unwrapped_in,
                                                           unwrapped_out);
-                               if (NT_STATUS_EQUAL(nt_status, NT_STATUS_INVALID_PARAMETER)) {
+                               if (NT_STATUS_EQUAL(nt_status, NT_STATUS_INVALID_PARAMETER) || 
+                                   NT_STATUS_EQUAL(nt_status, NT_STATUS_CANT_ACCESS_DOMAIN_INFO)) {
                                         /* Pretend we never started it (lets the first run find some incompatible demand) */
                                         
                                         DEBUG(1, ("SPNEGO(%s) NEG_TOKEN_INIT failed to parse: %s\n", 
@@ -929,7 +930,7 @@ static const struct gensec_security_ops gensec_spnego_security_ops = {
         .session_key    = gensec_spnego_session_key,
         .session_info   = gensec_spnego_session_info,
         .have_feature   = gensec_spnego_have_feature,
-       .enabled        = True
+       .enabled        = True,
  };
  
  NTSTATUS gensec_spnego_init(void)
diff --git a/source4/lib/cmdline/popt_credentials.c b/source4/lib/cmdline/popt_credentials.c

index 49916d0ff34cb8ad888a0053dbb6deb850d21dd1..d037cfd7c4a2a5a45542a908ede3b0ef84c7f0d3 100644 (file)
--- a/source4/lib/cmdline/popt_credentials.c
+++ b/source4/lib/cmdline/popt_credentials.c
@@ -21,6 +21,7 @@
  
  #include "includes.h"
  #include "lib/cmdline/popt_common.h"
+#include "auth/gensec/gensec.h"
  
  /* Handle command line options:
   *             -U,--user
@@ -28,13 +29,16 @@
   *             -k,--use-kerberos
   *             -N,--no-pass
   *             -S,--signing
- *      -P --machine-pass
+ *              -P --machine-pass
+ *                 --simple-bind-dn
+ *                 --password
+ *                 --use-security-mechanisms
   */
  
  
  static BOOL dont_ask;
  
-enum opt { OPT_SIMPLE_BIND_DN };
+enum opt { OPT_SIMPLE_BIND_DN, OPT_PASSWORD, OPT_KERBEROS, OPT_GENSEC_MECHS };
  
  /*
    disable asking for a password
@@ -73,11 +77,18 @@ static void popt_common_credentials_callback(poptContext con,
                         if ((lp=strchr_m(arg,'%'))) {
                                 lp[0]='\0';
                                 lp++;
+                               /* Try to prevent this showing up in ps */
                                 memset(lp,0,strlen(lp));
                         }
                 }
                 break;
  
+       case OPT_PASSWORD:
+               cli_credentials_set_password(cmdline_credentials, arg, CRED_SPECIFIED);
+               /* Try to prevent this showing up in ps */
+               memset(arg,0,strlen(arg));
+               break;
+
         case 'A':
                 cli_credentials_parse_file(cmdline_credentials, arg, CRED_SPECIFIED);
                 break;
@@ -89,9 +100,31 @@ static void popt_common_credentials_callback(poptContext con,
         case 'P':
                 /* Later, after this is all over, get the machine account details from the secrets.ldb */
                 cli_credentials_set_machine_account_pending(cmdline_credentials);
+               break;
+
+       case OPT_KERBEROS:
+       {
+               BOOL use_kerberos = True;
+               /* Force us to only use kerberos */
+               if (arg) {
+                       if (!set_boolean(arg, &use_kerberos)) {
+                               fprintf(stderr, "Error parsing -k %s\n", arg);
+                               exit(1);
+                               break;
+                       }
+               }
                 
-               /* machine accounts only work with kerberos (fall though)*/
+               cli_credentials_set_kerberos_state(cmdline_credentials, 
+                                                  use_kerberos 
+                                                  ? CRED_MUST_USE_KERBEROS
+                                                  : CRED_DONT_USE_KERBEROS);
                 break;
+       }
+       case OPT_GENSEC_MECHS:
+               /* Convert a list of strings into a list of available authentication standards */
+               
+               break;
+               
         case OPT_SIMPLE_BIND_DN:
                 cli_credentials_set_bind_dn(cmdline_credentials, arg);
                 break;
@@ -104,9 +137,12 @@ struct poptOption popt_common_credentials[] = {
         { NULL, 0, POPT_ARG_CALLBACK|POPT_CBFLAG_PRE|POPT_CBFLAG_POST, popt_common_credentials_callback },
         { "user", 'U', POPT_ARG_STRING, NULL, 'U', "Set the network username", "[DOMAIN\\]USERNAME[%PASSWORD]" },
         { "no-pass", 'N', POPT_ARG_NONE, &dont_ask, True, "Don't ask for a password" },
+       { "password", 0, POPT_ARG_STRING, NULL, OPT_PASSWORD, "Password" },
         { "authentication-file", 'A', POPT_ARG_STRING, NULL, 'A', "Get the credentials from a file", "FILE" },
         { "signing", 'S', POPT_ARG_STRING, NULL, 'S', "Set the client signing state", "on|off|required" },
         { "machine-pass", 'P', POPT_ARG_NONE, NULL, 'P', "Use stored machine account password (implies -k)" },
         { "simple-bind-dn", 0, POPT_ARG_STRING, NULL, OPT_SIMPLE_BIND_DN, "DN to use for a simple bind" },
+       { "kerberos", 'k', POPT_ARG_STRING, NULL, OPT_KERBEROS, "Use Kerberos" },
+       { "use-security-mechanisms", 0, POPT_ARG_STRING, NULL, OPT_GENSEC_MECHS, "Restricted list of authentication mechanisms available for use with this authentication"},
         POPT_TABLEEND
  };
diff --git a/source4/lib/util_str.c b/source4/lib/util_str.c

index eebddf65a56d58928a9c823ce16b5a9a9c46ae06..311f81eaf3bd277edfc0bde32491e5f52f4a43e6 100644 (file)
--- a/source4/lib/util_str.c
+++ b/source4/lib/util_str.c
@@ -1111,3 +1111,28 @@ char *attrib_string(TALLOC_CTX *mem_ctx, uint32_t attrib)
  
         return ret;
  }
+
+/***************************************************************************
+ Set a boolean variable from the text value stored in the passed string.
+ Returns True in success, False if the passed string does not correctly 
+ represent a boolean.
+***************************************************************************/
+
+BOOL set_boolean(const char *boolean_string, BOOL *boolean)
+{
+       if (strwicmp(boolean_string, "yes") == 0 ||
+           strwicmp(boolean_string, "true") == 0 ||
+           strwicmp(boolean_string, "on") == 0 ||
+           strwicmp(boolean_string, "1") == 0) {
+               *boolean = True;
+               return True;
+       } else if (strwicmp(boolean_string, "no") == 0 ||
+                  strwicmp(boolean_string, "false") == 0 ||
+                  strwicmp(boolean_string, "off") == 0 ||
+                  strwicmp(boolean_string, "0") == 0) {
+               *boolean = False;
+               return True;
+       }
+       return False;
+}
+
diff --git a/source4/param/loadparm.c b/source4/param/loadparm.c

index a92bc68371c21f9115af694edec2fcc788887eb8..bd01581eae2f2e24b498e3714d4c4ed1efcf0c99 100644 (file)
--- a/source4/param/loadparm.c
+++ b/source4/param/loadparm.c
@@ -912,7 +912,6 @@ FN_GLOBAL_INTEGER(lp_client_signing, &Globals.client_signing)
  /* local prototypes */
  
  static int map_parameter(const char *pszParmName);
-static BOOL set_boolean(BOOL *pb, const char *pszParmValue);
  static int getservicebyname(const char *pszServiceName,
                             service * pserviceDest);
  static void copy_service(service * pserviceDest,
@@ -1004,7 +1003,7 @@ static BOOL lp_bool(const char *s)
                 return False;
         }
         
-       if (!set_boolean(&ret,s)) {
+       if (!set_boolean(s, &ret)) {
                 DEBUG(0,("lp_bool(%s): value is not boolean!\n",s));
                 return False;
         }
@@ -1373,34 +1372,6 @@ void *lp_parm_ptr(int snum, struct parm_struct *parm)
         return ((char *)ServicePtrs[snum]) + PTR_DIFF(parm->ptr, &sDefault);
  }
  
-/***************************************************************************
- Set a boolean variable from the text value stored in the passed string.
- Returns True in success, False if the passed string does not correctly 
- represent a boolean.
-***************************************************************************/
-
-static BOOL set_boolean(BOOL *pb, const char *pszParmValue)
-{
-       BOOL bRetval;
-
-       bRetval = True;
-       if (strwicmp(pszParmValue, "yes") == 0 ||
-           strwicmp(pszParmValue, "true") == 0 ||
-           strwicmp(pszParmValue, "1") == 0)
-               *pb = True;
-       else if (strwicmp(pszParmValue, "no") == 0 ||
-                   strwicmp(pszParmValue, "False") == 0 ||
-                   strwicmp(pszParmValue, "0") == 0)
-               *pb = False;
-       else {
-               DEBUG(0,
-                     ("ERROR: Badly formed boolean in configuration file: \"%s\".\n",
-                      pszParmValue));
-               bRetval = False;
-       }
-       return (bRetval);
-}
-
  /***************************************************************************
  Find a service by name. Otherwise works like get_service.
  ***************************************************************************/
@@ -1841,7 +1812,10 @@ BOOL lp_do_parameter(int snum, const char *pszParmName, const char *pszParmValue
         switch (parm_table[parmnum].type)
         {
                 case P_BOOL:
-                       set_boolean(parm_ptr, pszParmValue);
+                       if (!set_boolean(pszParmValue, parm_ptr)) {
+                               DEBUG(0,("lp_do_parameter(%s): value is not boolean!\n", pszParmValue));
+                               return False;
+                       }
                         break;
  
                 case P_INTEGER:
author	Andrew Bartlett <abartlet@samba.org>
	Sat, 28 Jan 2006 12:15:24 +0000 (12:15 +0000)
committer	Gerald (Jerry) Carter <jerry@samba.org>
	Wed, 10 Oct 2007 18:51:33 +0000 (13:51 -0500)
source4/auth/credentials/config.mk		patch \| blob \| history
source4/auth/credentials/credentials.c		patch \| blob \| history
source4/auth/credentials/credentials.h		patch \| blob \| history
source4/auth/credentials/credentials_gensec.c	[deleted file]	patch \| blob \| history
source4/auth/credentials/credentials_ntlm.c		patch \| blob \| history
source4/auth/gensec/gensec.c		patch \| blob \| history
source4/auth/gensec/gensec.h		patch \| blob \| history
source4/auth/gensec/gensec_gssapi.c		patch \| blob \| history
source4/auth/gensec/gensec_krb5.c		patch \| blob \| history
source4/auth/gensec/spnego.c		patch \| blob \| history
source4/lib/cmdline/popt_credentials.c		patch \| blob \| history
source4/lib/util_str.c		patch \| blob \| history
source4/param/loadparm.c		patch \| blob \| history