/*
   samba -- Unix SMB/CIFS implementation.

   Client credentials structure

   Copyright (C) Jelmer Vernooij 2004-2006
   Copyright (C) Andrew Bartlett <abartlet@samba.org> 2005

   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
   the Free Software Foundation; either version 3 of the License, or
   (at your option) any later version.

   This program is distributed in the hope that it will be useful,
   but WITHOUT ANY WARRANTY; without even the implied warranty of
   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
   GNU General Public License for more details.

   You should have received a copy of the GNU General Public License
   along with this program.  If not, see <http://www.gnu.org/licenses/>.
*/
/* NOTE(review): identifiers beginning with a double underscore are reserved
 * for the implementation (C11 7.1.3); the guard name is kept as-is because
 * other translation units may test it. */
#ifndef __CREDENTIALS_H__
#define __CREDENTIALS_H__

/* Only DATA_BLOB and the gen_ndr types come from these two includes; the
 * TALLOC_CTX, NTSTATUS, bool and uint32_t names used below are expected to
 * already be in scope in the including file — confirm if this header is
 * ever included first. */
#include "../lib/util/data_blob.h"
#include "librpc/gen_ndr/misc.h"

struct ccache_container;
struct tevent_context;

/*
 * Origin of a credential value. Listed in order of priority: a value with a
 * higher enumerator was obtained from a more authoritative source, which is
 * what the per-field *_obtained members and the *_threshold members of
 * struct cli_credentials are compared against.
 */
enum credentials_obtained {
	CRED_UNINITIALISED = 0,  /* We don't even have a guess yet */
	CRED_CALLBACK,           /* Callback should be used to obtain value */
	CRED_GUESS_ENV,          /* Current value should be used, which was guessed */
	CRED_GUESS_FILE,         /* A guess from a file (or file pointed at in env variable) */
	CRED_CALLBACK_RESULT,    /* Value was obtained from a callback */
	CRED_SPECIFIED           /* Was explicitly specified on the command-line */
};

/* Policy for whether Kerberos may, must not, or must be used. */
enum credentials_use_kerberos {
	CRED_AUTO_USE_KERBEROS = 0, /* Default, we try kerberos if available */
	CRED_DONT_USE_KERBEROS,     /* Sometimes trying kerberos just does 'bad things', so don't */
	CRED_MUST_USE_KERBEROS      /* Sometimes administrators are paranoid, so always do kerberos */
};

/* Bit flags describing which NTLM-family authentication variants are in
 * play; presumably carried in the int *flags argument of
 * cli_credentials_get_ntlm_response() below — confirm in credentials.c. */
#define CLI_CRED_NTLM2       0x01
#define CLI_CRED_NTLMv2_AUTH 0x02
#define CLI_CRED_LANMAN_AUTH 0x04
#define CLI_CRED_NTLM_AUTH   0x08
#define CLI_CRED_CLEAR_AUTH  0x10 /* TODO:  Push cleartext auth with this flag */

/*
 * A client-side credential set.
 *
 * Each value that can be supplied from several sources has a matching
 * *_obtained member recording where the current value came from, so that a
 * later, lower-priority source does not silently replace a better one.
 *
 * NOTE(review): password, old_password, nt_hash, lm_response and
 * nt_response hold secret material. How the structure is released is not
 * visible from this header — confirm that the free path zeroises these
 * fields (e.g. via a talloc destructor) rather than relying on a plain free.
 */
struct cli_credentials {
	enum credentials_obtained workstation_obtained;
	enum credentials_obtained username_obtained;
	enum credentials_obtained password_obtained;
	enum credentials_obtained domain_obtained;
	enum credentials_obtained realm_obtained;
	enum credentials_obtained ccache_obtained;
	enum credentials_obtained client_gss_creds_obtained;
	enum credentials_obtained principal_obtained;
	enum credentials_obtained keytab_obtained;
	enum credentials_obtained server_gss_creds_obtained;

	/* Threshold values (essentially a MAX() over a number of the
	 * above) for the ccache and GSS credentials, to ensure we
	 * regenerate/pick correctly */

	enum credentials_obtained ccache_threshold;
	enum credentials_obtained client_gss_creds_threshold;

	/* String-valued credential components. Ownership is not stated
	 * here; assumed to be talloc children of the structure — TODO confirm. */
	const char *workstation;
	const char *username;
	const char *password;
	const char *old_password;
	const char *domain;
	const char *realm;
	const char *principal;
	const char *salt_principal;

	/* LDAP bind DN used instead of a username for LDAP binds (see
	 * cli_credentials_set_bind_dn / cli_credentials_get_bind_dn). */
	const char *bind_dn;

	/* Allows authentication from a keytab or similar */
	struct samr_Password *nt_hash;

	/* Allows NTLM pass-through authentication */
	DATA_BLOB lm_response;
	DATA_BLOB nt_response;

	/* Kerberos state: credential cache, GSSAPI credentials and keytab.
	 * All are opaque containers declared elsewhere. */
	struct ccache_container *ccache;
	struct gssapi_creds_container *client_gss_creds;
	struct keytab_container *keytab;
	struct gssapi_creds_container *server_gss_creds;

	/* Optional callbacks that supply a value on demand; installed by the
	 * cli_credentials_set_*_callback() functions below. Each receives the
	 * credentials structure and returns the value as a string. */
	const char *(*workstation_cb) (struct cli_credentials *);
	const char *(*password_cb) (struct cli_credentials *);
	const char *(*username_cb) (struct cli_credentials *);
	const char *(*domain_cb) (struct cli_credentials *);
	const char *(*realm_cb) (struct cli_credentials *);
	const char *(*principal_cb) (struct cli_credentials *);

	/* Private handle for the callback routines to use */
	void *priv_data;

	/* Netlogon (schannel) state; see the set/get functions below. */
	struct netlogon_creds_CredentialState *netlogon_creds;
	enum netr_SchannelType secure_channel_type;
	/* Kerberos key version number */
	int kvno;

	struct smb_krb5_context *smb_krb5_context;

	/* We are flagged to get machine account details from the
	 * secrets.ldb when we are asked for a username or password */
	bool machine_account_pending;
	struct loadparm_context *machine_account_pending_lp_ctx;

	/* Is this a machine account? */
	bool machine_account;

	/* Should we be trying to use kerberos? */
	enum credentials_use_kerberos use_kerberos;

	/* gensec features which should be used for connections */
	uint32_t gensec_features;

	/* Number of retries left before bailing out */
	int tries;

	/* Whether any callback is currently running */
	bool callback_running;
};

struct ldb_context;
struct loadparm_context;
struct ccache_container;

struct gssapi_creds_container;

/*
 * Accessors and mutators.
 *
 * For the bool-returning cli_credentials_set_*() functions that take an
 * "obtained" argument, the argument is the priority of the new value (see
 * enum credentials_obtained); the bool result presumably reports whether the
 * value was accepted over the one already held — confirm in credentials.c.
 *
 * The int-returning Kerberos helpers (get_krb5_context, get_ccache,
 * get_keytab, get_*_gss_creds, set_keytab_name, update_keytab, set_ccache)
 * do not document their error convention here; check the implementation
 * before treating a non-zero result as an errno or krb5 error code.
 */
const char *cli_credentials_get_workstation(struct cli_credentials *cred);
bool cli_credentials_set_workstation(struct cli_credentials *cred,
				     const char *val,
				     enum credentials_obtained obtained);
bool cli_credentials_is_anonymous(struct cli_credentials *cred);
/* Allocates a new, empty credential set as a talloc child of mem_ctx. */
struct cli_credentials *cli_credentials_init(TALLOC_CTX *mem_ctx);
void cli_credentials_set_anonymous(struct cli_credentials *cred);
bool cli_credentials_wrong_password(struct cli_credentials *cred);
/* Returns the cleartext password; callers must not log or persist it. */
const char *cli_credentials_get_password(struct cli_credentials *cred);
void cli_credentials_get_ntlm_username_domain(struct cli_credentials *cred, TALLOC_CTX *mem_ctx,
					      const char **username,
					      const char **domain);
/* Computes the LM/NT responses and session keys for the given server
 * challenge and target info. flags: NOTE(review) presumably an in/out
 * bitmask of the CLI_CRED_* values above — confirm against the
 * implementation. Output blobs are allocated on mem_ctx. */
NTSTATUS cli_credentials_get_ntlm_response(struct cli_credentials *cred, TALLOC_CTX *mem_ctx,
					   int *flags,
					   DATA_BLOB challenge, DATA_BLOB target_info,
					   DATA_BLOB *_lm_response, DATA_BLOB *_nt_response,
					   DATA_BLOB *_lm_session_key, DATA_BLOB *_session_key);
const char *cli_credentials_get_realm(struct cli_credentials *cred);
const char *cli_credentials_get_username(struct cli_credentials *cred);
int cli_credentials_get_krb5_context(struct cli_credentials *cred,
				     struct tevent_context *event_ctx,
				     struct loadparm_context *lp_ctx,
				     struct smb_krb5_context **smb_krb5_context);
int cli_credentials_get_ccache(struct cli_credentials *cred,
			       struct tevent_context *event_ctx,
			       struct loadparm_context *lp_ctx,
			       struct ccache_container **ccc);
int cli_credentials_get_keytab(struct cli_credentials *cred,
			       struct tevent_context *event_ctx,
			       struct loadparm_context *lp_ctx,
			       struct keytab_container **_ktc);
const char *cli_credentials_get_domain(struct cli_credentials *cred);
struct netlogon_creds_CredentialState *cli_credentials_get_netlogon_creds(struct cli_credentials *cred);
/* Defers loading of the machine account (see machine_account_pending). */
void cli_credentials_set_machine_account_pending(struct cli_credentials *cred,
						 struct loadparm_context *lp_ctx);
void cli_credentials_set_conf(struct cli_credentials *cred,
			      struct loadparm_context *lp_ctx);
const char *cli_credentials_get_principal(struct cli_credentials *cred, TALLOC_CTX *mem_ctx);
int cli_credentials_get_server_gss_creds(struct cli_credentials *cred,
					 struct tevent_context *event_ctx,
					 struct loadparm_context *lp_ctx,
					 struct gssapi_creds_container **_gcc);
int cli_credentials_get_client_gss_creds(struct cli_credentials *cred,
					 struct tevent_context *event_ctx,
					 struct loadparm_context *lp_ctx,
					 struct gssapi_creds_container **_gcc);
void cli_credentials_set_kerberos_state(struct cli_credentials *creds,
					enum credentials_use_kerberos use_kerberos);
bool cli_credentials_set_domain(struct cli_credentials *cred,
				const char *val,
				enum credentials_obtained obtained);
bool cli_credentials_set_domain_callback(struct cli_credentials *cred,
					 const char *(*domain_cb) (struct cli_credentials *));
bool cli_credentials_set_username(struct cli_credentials *cred,
				  const char *val, enum credentials_obtained obtained);
bool cli_credentials_set_username_callback(struct cli_credentials *cred,
					   const char *(*username_cb) (struct cli_credentials *));
bool cli_credentials_set_principal(struct cli_credentials *cred,
				   const char *val,
				   enum credentials_obtained obtained);
bool cli_credentials_set_principal_callback(struct cli_credentials *cred,
					    const char *(*principal_cb) (struct cli_credentials *));
bool cli_credentials_set_password(struct cli_credentials *cred,
				  const char *val,
				  enum credentials_obtained obtained);
struct cli_credentials *cli_credentials_init_anon(TALLOC_CTX *mem_ctx);
/* Parses a combined user/domain/password specification string; the accepted
 * syntax is not visible from this header. */
void cli_credentials_parse_string(struct cli_credentials *credentials, const char *data, enum credentials_obtained obtained);
const struct samr_Password *cli_credentials_get_nt_hash(struct cli_credentials *cred,
							TALLOC_CTX *mem_ctx);
bool cli_credentials_set_realm(struct cli_credentials *cred,
			       const char *val,
			       enum credentials_obtained obtained);
void cli_credentials_set_secure_channel_type(struct cli_credentials *cred,
					     enum netr_SchannelType secure_channel_type);
void cli_credentials_set_netlogon_creds(struct cli_credentials *cred,
					struct netlogon_creds_CredentialState *netlogon_creds);
NTSTATUS cli_credentials_set_krb5_context(struct cli_credentials *cred,
					  struct smb_krb5_context *smb_krb5_context);
NTSTATUS cli_credentials_set_stored_principal(struct cli_credentials *cred,
					      struct tevent_context *event_ctx,
					      struct loadparm_context *lp_ctx,
					      const char *serviceprincipal);
NTSTATUS cli_credentials_set_machine_account(struct cli_credentials *cred,
					     struct loadparm_context *lp_ctx);
bool cli_credentials_authentication_requested(struct cli_credentials *cred);
/* Fills in values from the environment and configuration (CRED_GUESS_*). */
void cli_credentials_guess(struct cli_credentials *cred,
			   struct loadparm_context *lp_ctx);
bool cli_credentials_set_bind_dn(struct cli_credentials *cred,
				 const char *bind_dn);
const char *cli_credentials_get_bind_dn(struct cli_credentials *cred);
/* Reads credentials from a file; file contents are untrusted input and the
 * format/permission checks applied are not visible from this header. */
bool cli_credentials_parse_file(struct cli_credentials *cred, const char *file, enum credentials_obtained obtained);
const char *cli_credentials_get_unparsed_name(struct cli_credentials *credentials, TALLOC_CTX *mem_ctx);
bool cli_credentials_set_password_callback(struct cli_credentials *cred,
					   const char *(*password_cb) (struct cli_credentials *));
enum netr_SchannelType cli_credentials_get_secure_channel_type(struct cli_credentials *cred);
void cli_credentials_set_kvno(struct cli_credentials *cred,
			      int kvno);
bool cli_credentials_set_nt_hash(struct cli_credentials *cred,
				 const struct samr_Password *nt_hash,
				 enum credentials_obtained obtained);
bool cli_credentials_set_ntlm_response(struct cli_credentials *cred,
				       const DATA_BLOB *lm_response,
				       const DATA_BLOB *nt_response,
				       enum credentials_obtained obtained);
int cli_credentials_set_keytab_name(struct cli_credentials *cred,
				    struct tevent_context *event_ctx,
				    struct loadparm_context *lp_ctx,
				    const char *keytab_name,
				    enum credentials_obtained obtained);
int cli_credentials_update_keytab(struct cli_credentials *cred,
				  struct tevent_context *event_ctx,
				  struct loadparm_context *lp_ctx);
void cli_credentials_set_gensec_features(struct cli_credentials *creds, uint32_t gensec_features);
uint32_t cli_credentials_get_gensec_features(struct cli_credentials *creds);
int cli_credentials_set_ccache(struct cli_credentials *cred,
			       struct tevent_context *event_ctx,
			       struct loadparm_context *lp_ctx,
			       const char *name,
			       enum credentials_obtained obtained);
/* Password-only inputs: a file path, or an already-open descriptor. */
bool cli_credentials_parse_password_file(struct cli_credentials *credentials, const char *file, enum credentials_obtained obtained);
bool cli_credentials_parse_password_fd(struct cli_credentials *credentials,
				       int fd, enum credentials_obtained obtained);
void cli_credentials_invalidate_ccache(struct cli_credentials *cred,
				       enum credentials_obtained obtained);
void cli_credentials_set_salt_principal(struct cli_credentials *cred, const char *principal);
enum credentials_use_kerberos cli_credentials_get_kerberos_state(struct cli_credentials *creds);
/* Loads credentials from an ldb (e.g. secrets.ldb) using base/filter. */
NTSTATUS cli_credentials_set_secrets(struct cli_credentials *cred,
				     struct tevent_context *event_ctx,
				     struct loadparm_context *lp_ctx,
				     struct ldb_context *ldb,
				     const char *base,
				     const char *filter);
int cli_credentials_get_kvno(struct cli_credentials *cred);

#endif /* __CREDENTIALS_H__ */