This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
- the Free Software Foundation; either version 2 of the License, or
+ the Free Software Foundation; either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
- along with this program; if not, write to the Free Software
- Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
#include "includes.h"
-#include "lib/ldb/include/ldb.h"
-#include "librpc/gen_ndr/ndr_samr.h" /* for struct samrPassword */
-
+#include "librpc/gen_ndr/samr.h" /* for struct samrPassword */
+#include "auth/credentials/credentials.h"
+#include "auth/credentials/credentials_krb5.h"
+#include "libcli/auth/libcli_auth.h"
+#include "lib/events/events.h"
/**
* Create a new credentials structure
cred->keytab_obtained = CRED_UNINITIALISED;
cred->principal_obtained = CRED_UNINITIALISED;
+ cred->ccache_threshold = CRED_UNINITIALISED;
+ cred->client_gss_creds_threshold = CRED_UNINITIALISED;
+
cred->old_password = NULL;
cred->smb_krb5_context = NULL;
cred->salt_principal = NULL;
cred->machine_account = False;
- cred->gensec_list = NULL;
cred->bind_dn = NULL;
+ cred->tries = 3;
+ cred->callback_running = False;
+ cred->ev = NULL;
+
+ cli_credentials_set_kerberos_state(cred, CRED_AUTO_USE_KERBEROS);
+ cli_credentials_set_gensec_features(cred, 0);
+
return cred;
}
+/**
+ * Create a new anonymous credential
+ * @param mem_ctx TALLOC_CTX parent for credentials structure
+ */
+struct cli_credentials *cli_credentials_init_anon(TALLOC_CTX *mem_ctx)
+{
+ struct cli_credentials *anon_credentials;
+
+ anon_credentials = cli_credentials_init(mem_ctx);
+ cli_credentials_set_conf(anon_credentials);
+ cli_credentials_set_anonymous(anon_credentials);
+
+ return anon_credentials;
+}
+
+void cli_credentials_set_kerberos_state(struct cli_credentials *creds,
+ enum credentials_use_kerberos use_kerberos)
+{
+ creds->use_kerberos = use_kerberos;
+}
+
+enum credentials_use_kerberos cli_credentials_get_kerberos_state(struct cli_credentials *creds)
+{
+ return creds->use_kerberos;
+}
+
+void cli_credentials_set_gensec_features(struct cli_credentials *creds, uint32_t gensec_features)
+{
+ creds->gensec_features = gensec_features;
+}
+
+uint32_t cli_credentials_get_gensec_features(struct cli_credentials *creds)
+{
+ return creds->gensec_features;
+}
+
+
/**
* Obtain the username for this credentials context.
* @param cred credentials context
cli_credentials_set_machine_account(cred);
}
- if (cred->username_obtained == CRED_CALLBACK) {
+ if (cred->username_obtained == CRED_CALLBACK &&
+ !cred->callback_running) {
+ cred->callback_running = True;
cred->username = cred->username_cb(cred);
+ cred->callback_running = False;
cred->username_obtained = CRED_SPECIFIED;
+ cli_credentials_invalidate_ccache(cred, cred->username_obtained);
}
return cred->username;
if (obtained >= cred->username_obtained) {
cred->username = talloc_strdup(cred, val);
cred->username_obtained = obtained;
+ cli_credentials_invalidate_ccache(cred, cred->username_obtained);
return True;
}
cli_credentials_set_machine_account(cred);
}
- if (cred->principal_obtained == CRED_CALLBACK) {
+ if (cred->principal_obtained == CRED_CALLBACK &&
+ !cred->callback_running) {
+ cred->callback_running = True;
cred->principal = cred->principal_cb(cred);
+ cred->callback_running = False;
cred->principal_obtained = CRED_SPECIFIED;
+ cli_credentials_invalidate_ccache(cred, cred->principal_obtained);
}
if (cred->principal_obtained < cred->username_obtained) {
if (obtained >= cred->principal_obtained) {
cred->principal = talloc_strdup(cred, val);
cred->principal_obtained = obtained;
+ cli_credentials_invalidate_ccache(cred, cred->principal_obtained);
return True;
}
return True;
}
- if (cred->machine_account_pending) {
- cli_credentials_set_machine_account(cred);
+ if (cli_credentials_is_anonymous(cred)){
+ return False;
}
if (cred->principal_obtained >= CRED_SPECIFIED) {
if (cred->username_obtained >= CRED_SPECIFIED) {
return True;
}
+
+ if (cli_credentials_get_kerberos_state(cred) == CRED_MUST_USE_KERBEROS) {
+ return True;
+ }
+
return False;
}
cli_credentials_set_machine_account(cred);
}
- if (cred->password_obtained == CRED_CALLBACK) {
+ if (cred->password_obtained == CRED_CALLBACK &&
+ !cred->callback_running) {
+ cred->callback_running = True;
cred->password = cred->password_cb(cred);
- cred->password_obtained = CRED_SPECIFIED;
+ cred->callback_running = False;
+ cred->password_obtained = CRED_CALLBACK_RESULT;
+ cli_credentials_invalidate_ccache(cred, cred->password_obtained);
}
return cred->password;
if (obtained >= cred->password_obtained) {
cred->password = talloc_strdup(cred, val);
cred->password_obtained = obtained;
+ cli_credentials_invalidate_ccache(cred, cred->password_obtained);
cred->nt_hash = NULL;
return True;
if (cred->password_obtained < CRED_CALLBACK) {
cred->password_cb = password_cb;
cred->password_obtained = CRED_CALLBACK;
+ cli_credentials_invalidate_ccache(cred, cred->password_obtained);
return True;
}
{
if (obtained >= cred->password_obtained) {
cli_credentials_set_password(cred, NULL, obtained);
- cred->nt_hash = talloc(cred, struct samr_Password);
- *cred->nt_hash = *nt_hash;
+ if (nt_hash) {
+ cred->nt_hash = talloc(cred, struct samr_Password);
+ *cred->nt_hash = *nt_hash;
+ } else {
+ cred->nt_hash = NULL;
+ }
return True;
}
cli_credentials_set_machine_account(cred);
}
- if (cred->domain_obtained == CRED_CALLBACK) {
+ if (cred->domain_obtained == CRED_CALLBACK &&
+ !cred->callback_running) {
+ cred->callback_running = True;
cred->domain = cred->domain_cb(cred);
+ cred->callback_running = False;
cred->domain_obtained = CRED_SPECIFIED;
+ cli_credentials_invalidate_ccache(cred, cred->domain_obtained);
}
return cred->domain;
* calculations */
cred->domain = strupper_talloc(cred, val);
cred->domain_obtained = obtained;
+ cli_credentials_invalidate_ccache(cred, cred->domain_obtained);
return True;
}
cli_credentials_set_machine_account(cred);
}
- if (cred->realm_obtained == CRED_CALLBACK) {
+ if (cred->realm_obtained == CRED_CALLBACK &&
+ !cred->callback_running) {
+ cred->callback_running = True;
cred->realm = cred->realm_cb(cred);
+ cred->callback_running = False;
cred->realm_obtained = CRED_SPECIFIED;
+ cli_credentials_invalidate_ccache(cred, cred->realm_obtained);
}
return cred->realm;
if (obtained >= cred->realm_obtained) {
cred->realm = strupper_talloc(cred, val);
cred->realm_obtained = obtained;
+ cli_credentials_invalidate_ccache(cred, cred->realm_obtained);
return True;
}
*/
const char *cli_credentials_get_workstation(struct cli_credentials *cred)
{
- if (cred->workstation_obtained == CRED_CALLBACK) {
+ if (cred->workstation_obtained == CRED_CALLBACK &&
+ !cred->callback_running) {
+ cred->callback_running = True;
cred->workstation = cred->workstation_cb(cred);
+ cred->callback_running = False;
cred->workstation_obtained = CRED_SPECIFIED;
}
cli_credentials_set_username(credentials, uname, obtained);
}
+/**
+ * Given a a credentials structure, print it as a string
+ *
+ * The format output is [domain\\]user[%password] or user[@realm][%password]
+ *
+ * @param credentials Credentials structure on which to set the password
+ * @param mem_ctx The memory context to place the result on
+ */
+
+const char *cli_credentials_get_unparsed_name(struct cli_credentials *credentials, TALLOC_CTX *mem_ctx)
+{
+ const char *bind_dn = cli_credentials_get_bind_dn(credentials);
+ const char *domain;
+ const char *username;
+ const char *name;
+
+ if (bind_dn) {
+ name = talloc_reference(mem_ctx, bind_dn);
+ } else {
+ cli_credentials_get_ntlm_username_domain(credentials, mem_ctx, &username, &domain);
+ if (domain && domain[0]) {
+ name = talloc_asprintf(mem_ctx, "%s\\%s",
+ domain, username);
+ } else {
+ name = talloc_asprintf(mem_ctx, "%s",
+ username);
+ }
+ }
+ return name;
+}
+
/**
* Specifies default values for domain, workstation and realm
* from the smb.conf configuration file
}
}
- if (getenv("DOMAIN")) {
- cli_credentials_set_domain(cred, getenv("DOMAIN"), CRED_GUESS_ENV);
- }
-
if (getenv("PASSWD")) {
cli_credentials_set_password(cred, getenv("PASSWD"), CRED_GUESS_ENV);
}
cli_credentials_parse_password_fd(cred, atoi(getenv("PASSWD_FD")), CRED_GUESS_FILE);
}
- if (getenv("PASSWD_FILE")) {
- cli_credentials_parse_password_file(cred, getenv("PASSWD_FILE"), CRED_GUESS_FILE);
+ p = getenv("PASSWD_FILE");
+ if (p && p[0]) {
+ cli_credentials_parse_password_file(cred, p, CRED_GUESS_FILE);
+ }
+
+ if (cli_credentials_get_kerberos_state(cred) != CRED_DONT_USE_KERBEROS) {
+ cli_credentials_set_ccache(cred, NULL, CRED_GUESS_FILE);
}
-
- cli_credentials_set_ccache(cred, NULL, CRED_GUESS_FILE);
}
/**
return False;
}
+
+/**
+ * Mark the current password for a credentials struct as wrong. This will
+ * cause the password to be prompted again (if a callback is set).
+ *
+ * This will decrement the number of times the password can be tried.
+ *
+ * @retval whether the credentials struct is finished
+ */
+BOOL cli_credentials_wrong_password(struct cli_credentials *cred)
+{
+ if (cred->password_obtained != CRED_CALLBACK_RESULT) {
+ return False;
+ }
+
+ cred->password_obtained = CRED_CALLBACK;
+
+ cred->tries--;
+
+ return (cred->tries > 0);
+}
+
+/*
+ set the common event context for this set of credentials
+ */
+void cli_credentials_set_event_context(struct cli_credentials *cred, struct event_context *ev)
+{
+ cred->ev = ev;
+}
+
+/*
+ set the common event context for this set of credentials
+ */
+struct event_context *cli_credentials_get_event_context(struct cli_credentials *cred)
+{
+ if (cred->ev == NULL) {
+ cred->ev = event_context_find(cred);
+ }
+ return cred->ev;
+}
git.samba.org / sfrench / samba-autobuild / .git / blobdiff