search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
s3:idmap_ad: add support for ADS_AUTH_SASL_{STARTTLS,LDAPS}
[Samba.git] / source3 / libsmb / auth_generic.c
blob527b51900d8cf644620fc22c9f4e29db33a2b2d1
1 /*
2 NLTMSSP wrappers
3
4 Copyright (C) Andrew Tridgell 2001
5 Copyright (C) Andrew Bartlett 2001-2003,2011
6
7 This program is free software; you can redistribute it and/or modify
8 it under the terms of the GNU General Public License as published by
9 the Free Software Foundation; either version 3 of the License, or
10 (at your option) any later version.
11
12 This program is distributed in the hope that it will be useful,
13 but WITHOUT ANY WARRANTY; without even the implied warranty of
14 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 GNU General Public License for more details.
16
17 You should have received a copy of the GNU General Public License
18 along with this program. If not, see <http://www.gnu.org/licenses/>.
19 */
20
21 #include "includes.h"
22 #include "auth/ntlmssp/ntlmssp.h"
23 #include "auth_generic.h"
24 #include "auth/gensec/gensec.h"
25 #include "auth/credentials/credentials.h"
26 #include "librpc/rpc/dcerpc.h"
27 #include "lib/param/param.h"
28 #include "librpc/crypto/gse.h"
29
30 NTSTATUS auth_generic_set_username(struct auth_generic_state *ans,
31 const char *user)
32 {
33 cli_credentials_set_username(ans->credentials, user, CRED_SPECIFIED);
34 return NT_STATUS_OK;
35 }
36
37 NTSTATUS auth_generic_set_domain(struct auth_generic_state *ans,
38 const char *domain)
39 {
40 cli_credentials_set_domain(ans->credentials, domain, CRED_SPECIFIED);
41 return NT_STATUS_OK;
42 }
43
44 NTSTATUS auth_generic_set_password(struct auth_generic_state *ans,
45 const char *password)
46 {
47 cli_credentials_set_password(ans->credentials, password, CRED_SPECIFIED);
48 return NT_STATUS_OK;
49 }
50
51 NTSTATUS auth_generic_set_creds(struct auth_generic_state *ans,
52 struct cli_credentials *creds)
53 {
54 talloc_unlink(ans, ans->credentials);
55 ans->credentials = creds;
56 return NT_STATUS_OK;
57 }
58
59 NTSTATUS auth_generic_client_prepare(TALLOC_CTX *mem_ctx, struct auth_generic_state **auth_generic_state)
60 {
61 struct auth_generic_state *ans;
62 NTSTATUS nt_status;
63 size_t idx = 0;
64 struct gensec_settings *gensec_settings;
65 const struct gensec_security_ops **backends = NULL;
66 struct loadparm_context *lp_ctx;
67 bool ok;
68
69 ans = talloc_zero(mem_ctx, struct auth_generic_state);
70 if (!ans) {
71 DEBUG(0,("auth_generic_start: talloc failed!\n"));
72 return NT_STATUS_NO_MEMORY;
73 }
74
75 lp_ctx = loadparm_init_s3(ans, loadparm_s3_helpers());
76 if (lp_ctx == NULL) {
77 DEBUG(10, ("loadparm_init_s3 failed\n"));
78 TALLOC_FREE(ans);
79 return NT_STATUS_INVALID_SERVER_STATE;
80 }
81
82 gensec_settings = lpcfg_gensec_settings(ans, lp_ctx);
83 if (lp_ctx == NULL) {
84 DEBUG(10, ("lpcfg_gensec_settings failed\n"));
85 TALLOC_FREE(ans);
86 return NT_STATUS_NO_MEMORY;
87 }
88
89 backends = talloc_zero_array(gensec_settings,
90 const struct gensec_security_ops *, 7);
91 if (backends == NULL) {
92 TALLOC_FREE(ans);
93 return NT_STATUS_NO_MEMORY;
94 }
95 gensec_settings->backends = backends;
96
97 gensec_init();
98
99 /* These need to be in priority order, krb5 before NTLMSSP */
100 #if defined(HAVE_KRB5)
101 backends[idx++] = &gensec_gse_krb5_security_ops;
102 #endif
103
104 backends[idx++] = gensec_security_by_oid(NULL, GENSEC_OID_NTLMSSP);
105 backends[idx++] = gensec_security_by_name(NULL, "ntlmssp_resume_ccache");
106
107 backends[idx++] = gensec_security_by_oid(NULL, GENSEC_OID_SPNEGO);
108 backends[idx++] = gensec_security_by_auth_type(NULL, DCERPC_AUTH_TYPE_SCHANNEL);
109 backends[idx++] = gensec_security_by_auth_type(NULL, DCERPC_AUTH_TYPE_NCALRPC_AS_SYSTEM);
110
111 nt_status = gensec_client_start(ans, &ans->gensec_security, gensec_settings);
112
113 if (!NT_STATUS_IS_OK(nt_status)) {
114 TALLOC_FREE(ans);
115 return nt_status;
116 }
117
118 ans->credentials = cli_credentials_init(ans);
119 if (!ans->credentials) {
120 TALLOC_FREE(ans);
121 return NT_STATUS_NO_MEMORY;
122 }
123
124 ok = cli_credentials_guess(ans->credentials, lp_ctx);
125 if (!ok) {
126 TALLOC_FREE(ans);
127 return NT_STATUS_INTERNAL_ERROR;
128 }
129
130 talloc_unlink(ans, lp_ctx);
131 talloc_unlink(ans, gensec_settings);
132
133 *auth_generic_state = ans;
134 return NT_STATUS_OK;
135 }
136
137 NTSTATUS auth_generic_client_start(struct auth_generic_state *ans, const char *oid)
138 {
139 NTSTATUS status;
140
141 /* Transfer the credentials to gensec */
142 status = gensec_set_credentials(ans->gensec_security, ans->credentials);
143 if (!NT_STATUS_IS_OK(status)) {
144 DEBUG(1, ("Failed to set GENSEC credentials: %s\n",
145 nt_errstr(status)));
146 return status;
147 }
148 talloc_unlink(ans, ans->credentials);
149 ans->credentials = NULL;
150
151 status = gensec_start_mech_by_oid(ans->gensec_security,
152 oid);
153 if (!NT_STATUS_IS_OK(status)) {
154 return status;
155 }
156
157 return NT_STATUS_OK;
158 }
159
160 NTSTATUS auth_generic_client_start_by_name(struct auth_generic_state *ans,
161 const char *name)
162 {
163 NTSTATUS status;
164
165 /* Transfer the credentials to gensec */
166 status = gensec_set_credentials(ans->gensec_security, ans->credentials);
167 if (!NT_STATUS_IS_OK(status)) {
168 DEBUG(1, ("Failed to set GENSEC credentials: %s\n",
169 nt_errstr(status)));
170 return status;
171 }
172 talloc_unlink(ans, ans->credentials);
173 ans->credentials = NULL;
174
175 status = gensec_start_mech_by_name(ans->gensec_security, name);
176 if (!NT_STATUS_IS_OK(status)) {
177 return status;
178 }
179
180 return NT_STATUS_OK;
181 }
182
183 NTSTATUS auth_generic_client_start_by_authtype(struct auth_generic_state *ans,
184 uint8_t auth_type,
185 uint8_t auth_level)
186 {
187 NTSTATUS status;
188
189 /* Transfer the credentials to gensec */
190 status = gensec_set_credentials(ans->gensec_security, ans->credentials);
191 if (!NT_STATUS_IS_OK(status)) {
192 DEBUG(1, ("Failed to set GENSEC credentials: %s\n",
193 nt_errstr(status)));
194 return status;
195 }
196 talloc_unlink(ans, ans->credentials);
197 ans->credentials = NULL;
198
199 status = gensec_start_mech_by_authtype(ans->gensec_security,
200 auth_type, auth_level);
201 if (!NT_STATUS_IS_OK(status)) {
202 return status;
203 }
204
205 return NT_STATUS_OK;
206 }
207
208 NTSTATUS auth_generic_client_start_by_sasl(struct auth_generic_state *ans,
209 const char **sasl_list)
210 {
211 NTSTATUS status;
212
213 /* Transfer the credentials to gensec */
214 status = gensec_set_credentials(ans->gensec_security, ans->credentials);
215 if (!NT_STATUS_IS_OK(status)) {
216 DEBUG(1, ("Failed to set GENSEC credentials: %s\n",
217 nt_errstr(status)));
218 return status;
219 }
220 talloc_unlink(ans, ans->credentials);
221 ans->credentials = NULL;
222
223 status = gensec_start_mech_by_sasl_list(ans->gensec_security, sasl_list);
224 if (!NT_STATUS_IS_OK(status)) {
225 return status;
226 }
227
228 return NT_STATUS_OK;
229 }
Samba GIT mirror