search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
pylibsmb: Fix a typo
[Samba.git] / auth / credentials / credentials.h
blob4a39899e751053e0687ca3db7c439a02f686f0af
1 /*
2 samba -- Unix SMB/CIFS implementation.
3
4 Client credentials structure
5
6 Copyright (C) Jelmer Vernooij 2004-2006
7 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2005
8
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License as published by
11 the Free Software Foundation; either version 3 of the License, or
12 (at your option) any later version.
13
14 This program is distributed in the hope that it will be useful,
15 but WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 GNU General Public License for more details.
18
19 You should have received a copy of the GNU General Public License
20 along with this program. If not, see <http://www.gnu.org/licenses/>.
21 */
22 #ifndef __CREDENTIALS_H__
23 #define __CREDENTIALS_H__
24
25 #include "../lib/util/time.h"
26 #include "../lib/util/data_blob.h"
27 #include "librpc/gen_ndr/misc.h"
28 #include "libcli/util/ntstatus.h"
29
30 struct cli_credentials;
31 struct ccache_container;
32 struct tevent_context;
33 struct netlogon_creds_CredentialState;
34 struct ldb_context;
35 struct ldb_message;
36 struct loadparm_context;
37 struct ccache_container;
38 struct gssapi_creds_container;
39 struct smb_krb5_context;
40 struct keytab_container;
41 struct db_context;
42 enum smb_signing_setting;
43 enum smb_encryption_setting;
44
45 /* In order of priority */
46 enum credentials_obtained {
47 CRED_UNINITIALISED = 0, /* We don't even have a guess yet */
48 CRED_SMB_CONF, /* Current value should be used, which comes from smb.conf */
49 CRED_CALLBACK, /* Callback should be used to obtain value */
50 CRED_GUESS_ENV, /* Current value should be used, which was guessed */
51 CRED_GUESS_FILE, /* A guess from a file (or file pointed at in env variable) */
52 CRED_CALLBACK_RESULT, /* Value was obtained from a callback */
53 CRED_SPECIFIED /* Was explicitly specified on the command-line */
54 };
55
56 enum credentials_use_kerberos {
57 /** Sometimes trying kerberos just does 'bad things', so don't */
58 CRED_USE_KERBEROS_DISABLED = 0,
59 /** Default, we try kerberos if available */
60 CRED_USE_KERBEROS_DESIRED,
61 /** Sometimes administrators are paranoid, so always do kerberos */
62 CRED_USE_KERBEROS_REQUIRED,
63 };
64
65 enum credentials_client_protection {
66 CRED_CLIENT_PROTECTION_DEFAULT = -1,
67 CRED_CLIENT_PROTECTION_PLAIN = 0,
68 CRED_CLIENT_PROTECTION_SIGN,
69 CRED_CLIENT_PROTECTION_ENCRYPT,
70 };
71
72 enum credentials_krb_forwardable {
73 CRED_AUTO_KRB_FORWARDABLE = 0, /* Default, follow library defaults */
74 CRED_NO_KRB_FORWARDABLE, /* not forwardable */
75 CRED_FORCE_KRB_FORWARDABLE /* forwardable */
76 };
77
78 #define CLI_CRED_NTLM2 0x01
79 #define CLI_CRED_NTLMv2_AUTH 0x02
80 #define CLI_CRED_LANMAN_AUTH 0x04
81 #define CLI_CRED_NTLM_AUTH 0x08
82 #define CLI_CRED_CLEAR_AUTH 0x10 /* TODO: Push cleartext auth with this flag */
83
84 const char *cli_credentials_get_workstation(struct cli_credentials *cred);
85 bool cli_credentials_set_workstation(struct cli_credentials *cred,
86 const char *val,
87 enum credentials_obtained obtained);
88 bool cli_credentials_is_anonymous(struct cli_credentials *cred);
89 struct cli_credentials *cli_credentials_init(TALLOC_CTX *mem_ctx);
90 struct cli_credentials *cli_credentials_init_server(TALLOC_CTX *mem_ctx,
91 struct loadparm_context *lp_ctx);
92 void cli_credentials_set_anonymous(struct cli_credentials *cred);
93 bool cli_credentials_wrong_password(struct cli_credentials *cred);
94 const char *cli_credentials_get_password(struct cli_credentials *cred);
95 enum credentials_obtained cli_credentials_get_password_obtained(struct cli_credentials *cred);
96 const char *cli_credentials_get_password_and_obtained(struct cli_credentials *cred,
97 enum credentials_obtained *obtained);
98 void cli_credentials_get_ntlm_username_domain(struct cli_credentials *cred, TALLOC_CTX *mem_ctx,
99 const char **username,
100 const char **domain);
101 NTSTATUS cli_credentials_get_ntlm_response(struct cli_credentials *cred, TALLOC_CTX *mem_ctx,
102 int *flags,
103 DATA_BLOB challenge,
104 const NTTIME *server_timestamp,
105 DATA_BLOB target_info,
106 DATA_BLOB *_lm_response, DATA_BLOB *_nt_response,
107 DATA_BLOB *_lm_session_key, DATA_BLOB *_session_key);
108 const char *cli_credentials_get_realm(struct cli_credentials *cred);
109 const char *cli_credentials_get_username(struct cli_credentials *cred);
110 enum credentials_obtained cli_credentials_get_username_obtained(struct cli_credentials *cred);
111 const char *cli_credentials_get_username_and_obtained(struct cli_credentials *cred,
112 enum credentials_obtained *obtained);
113 int cli_credentials_get_krb5_context(struct cli_credentials *cred,
114 struct loadparm_context *lp_ctx,
115 struct smb_krb5_context **smb_krb5_context);
116 int cli_credentials_get_ccache(struct cli_credentials *cred,
117 struct tevent_context *event_ctx,
118 struct loadparm_context *lp_ctx,
119 struct ccache_container **ccc,
120 const char **error_string);
121 int cli_credentials_get_named_ccache(struct cli_credentials *cred,
122 struct tevent_context *event_ctx,
123 struct loadparm_context *lp_ctx,
124 char *ccache_name,
125 struct ccache_container **ccc, const char **error_string);
126 bool cli_credentials_get_ccache_name_obtained(struct cli_credentials *cred,
127 TALLOC_CTX *mem_ctx,
128 char **ccache_name,
129 enum credentials_obtained *obtained);
130 bool cli_credentials_failed_kerberos_login(struct cli_credentials *cred,
131 const char *principal,
132 unsigned int *count);
133 int cli_credentials_get_keytab(struct cli_credentials *cred,
134 struct loadparm_context *lp_ctx,
135 struct keytab_container **_ktc);
136 const char *cli_credentials_get_domain(struct cli_credentials *cred);
137 const char *cli_credentials_get_domain_and_obtained(
138 struct cli_credentials *cred,
139 enum credentials_obtained *obtained);
140 struct netlogon_creds_CredentialState *cli_credentials_get_netlogon_creds(struct cli_credentials *cred);
141 void cli_credentials_set_machine_account_pending(struct cli_credentials *cred,
142 struct loadparm_context *lp_ctx);
143 bool cli_credentials_set_conf(struct cli_credentials *cred,
144 struct loadparm_context *lp_ctx);
145 char *cli_credentials_get_principal(struct cli_credentials *cred, TALLOC_CTX *mem_ctx);
146 int cli_credentials_get_server_gss_creds(struct cli_credentials *cred,
147 struct loadparm_context *lp_ctx,
148 struct gssapi_creds_container **_gcc);
149 int cli_credentials_get_client_gss_creds(struct cli_credentials *cred,
150 struct tevent_context *event_ctx,
151 struct loadparm_context *lp_ctx,
152 struct gssapi_creds_container **_gcc,
153 const char **error_string);
154 void cli_credentials_set_forced_sasl_mech(struct cli_credentials *creds,
155 const char *sasl_mech);
156 bool cli_credentials_set_kerberos_state(struct cli_credentials *creds,
157 enum credentials_use_kerberos kerberos_state,
158 enum credentials_obtained obtained);
159 void cli_credentials_set_krb_forwardable(struct cli_credentials *creds,
160 enum credentials_krb_forwardable krb_forwardable);
161 bool cli_credentials_set_domain(struct cli_credentials *cred,
162 const char *val,
163 enum credentials_obtained obtained);
164 bool cli_credentials_set_domain_callback(struct cli_credentials *cred,
165 const char *(*domain_cb) (struct cli_credentials *));
166 bool cli_credentials_set_username(struct cli_credentials *cred,
167 const char *val, enum credentials_obtained obtained);
168 bool cli_credentials_set_username_callback(struct cli_credentials *cred,
169 const char *(*username_cb) (struct cli_credentials *));
170 bool cli_credentials_set_principal(struct cli_credentials *cred,
171 const char *val,
172 enum credentials_obtained obtained);
173 bool cli_credentials_set_principal_callback(struct cli_credentials *cred,
174 const char *(*principal_cb) (struct cli_credentials *));
175 bool cli_credentials_set_password(struct cli_credentials *cred,
176 const char *val,
177 enum credentials_obtained obtained);
178 struct cli_credentials *cli_credentials_init_anon(TALLOC_CTX *mem_ctx);
179 void cli_credentials_parse_string(struct cli_credentials *credentials, const char *data, enum credentials_obtained obtained);
180 struct samr_Password *cli_credentials_get_nt_hash(struct cli_credentials *cred,
181 TALLOC_CTX *mem_ctx);
182 struct samr_Password *cli_credentials_get_old_nt_hash(struct cli_credentials *cred,
183 TALLOC_CTX *mem_ctx);
184 bool cli_credentials_set_realm(struct cli_credentials *cred,
185 const char *val,
186 enum credentials_obtained obtained);
187 void cli_credentials_set_secure_channel_type(struct cli_credentials *cred,
188 enum netr_SchannelType secure_channel_type);
189 void cli_credentials_set_password_last_changed_time(struct cli_credentials *cred,
190 time_t last_change_time);
191 void cli_credentials_set_netlogon_creds(
192 struct cli_credentials *cred,
193 const struct netlogon_creds_CredentialState *netlogon_creds);
194 NTSTATUS cli_credentials_set_krb5_context(struct cli_credentials *cred,
195 struct smb_krb5_context *smb_krb5_context);
196 NTSTATUS cli_credentials_set_stored_principal(struct cli_credentials *cred,
197 struct loadparm_context *lp_ctx,
198 const char *serviceprincipal);
199 NTSTATUS cli_credentials_set_machine_account(struct cli_credentials *cred,
200 struct loadparm_context *lp_ctx);
201 /**
202 * Fill in credentials for the machine trust account, from the
203 * secrets.ldb or passed in handle to secrets.tdb (perhaps in CTDB).
204 *
205 * This version is used in parts of the code that can link in the
206 * CTDB dbwrap backend, by passing down the already open handle.
207 *
208 * @param cred Credentials structure to fill in
209 * @param db_ctx dbwrap context for secrets.tdb
210 * @retval NTSTATUS error detailing any failure
211 */
212 NTSTATUS cli_credentials_set_machine_account_db_ctx(struct cli_credentials *cred,
213 struct loadparm_context *lp_ctx,
214 struct db_context *db_ctx);
215
216 bool cli_credentials_authentication_requested(struct cli_credentials *cred);
217 bool cli_credentials_guess(struct cli_credentials *cred,
218 struct loadparm_context *lp_ctx);
219 bool cli_credentials_set_bind_dn(struct cli_credentials *cred,
220 const char *bind_dn);
221 const char *cli_credentials_get_bind_dn(struct cli_credentials *cred);
222 bool cli_credentials_parse_file(struct cli_credentials *cred, const char *file, enum credentials_obtained obtained);
223 char *cli_credentials_get_unparsed_name(struct cli_credentials *credentials, TALLOC_CTX *mem_ctx);
224 bool cli_credentials_set_password_callback(struct cli_credentials *cred,
225 const char *(*password_cb) (struct cli_credentials *));
226 enum netr_SchannelType cli_credentials_get_secure_channel_type(struct cli_credentials *cred);
227 time_t cli_credentials_get_password_last_changed_time(struct cli_credentials *cred);
228 void cli_credentials_set_kvno(struct cli_credentials *cred,
229 int kvno);
230 bool cli_credentials_set_utf16_password(struct cli_credentials *cred,
231 const DATA_BLOB *password_utf16,
232 enum credentials_obtained obtained);
233 bool cli_credentials_set_old_utf16_password(struct cli_credentials *cred,
234 const DATA_BLOB *password_utf16);
235 void cli_credentials_set_password_will_be_nt_hash(struct cli_credentials *cred,
236 bool val);
237 bool cli_credentials_is_password_nt_hash(struct cli_credentials *cred);
238 bool cli_credentials_set_nt_hash(struct cli_credentials *cred,
239 const struct samr_Password *nt_hash,
240 enum credentials_obtained obtained);
241 bool cli_credentials_set_old_nt_hash(struct cli_credentials *cred,
242 const struct samr_Password *nt_hash);
243 bool cli_credentials_set_ntlm_response(struct cli_credentials *cred,
244 const DATA_BLOB *lm_response,
245 const DATA_BLOB *lm_session_key,
246 const DATA_BLOB *nt_response,
247 const DATA_BLOB *nt_session_key,
248 enum credentials_obtained obtained);
249 int cli_credentials_set_keytab_name(struct cli_credentials *cred,
250 struct loadparm_context *lp_ctx,
251 const char *keytab_name,
252 enum credentials_obtained obtained);
253 bool cli_credentials_set_gensec_features(struct cli_credentials *creds,
254 uint32_t gensec_features,
255 enum credentials_obtained obtained);
256 uint32_t cli_credentials_get_gensec_features(struct cli_credentials *creds);
257 bool cli_credentials_add_gensec_features(struct cli_credentials *creds,
258 uint32_t gensec_features,
259 enum credentials_obtained obtained);
260 int cli_credentials_set_ccache(struct cli_credentials *cred,
261 struct loadparm_context *lp_ctx,
262 const char *name,
263 enum credentials_obtained obtained,
264 const char **error_string);
265 bool cli_credentials_parse_password_file(struct cli_credentials *credentials, const char *file, enum credentials_obtained obtained);
266 bool cli_credentials_parse_password_fd(struct cli_credentials *credentials,
267 int fd, enum credentials_obtained obtained);
268 void cli_credentials_invalidate_ccache(struct cli_credentials *cred,
269 enum credentials_obtained obtained);
270 void cli_credentials_set_salt_principal(struct cli_credentials *cred, const char *principal);
271 void cli_credentials_set_impersonate_principal(struct cli_credentials *cred,
272 const char *principal,
273 const char *self_service);
274 void cli_credentials_set_target_service(struct cli_credentials *cred, const char *principal);
275 char *cli_credentials_get_salt_principal(struct cli_credentials *cred, TALLOC_CTX *mem_ctx);
276 const char *cli_credentials_get_impersonate_principal(struct cli_credentials *cred);
277 const char *cli_credentials_get_self_service(struct cli_credentials *cred);
278 const char *cli_credentials_get_target_service(struct cli_credentials *cred);
279 enum credentials_use_kerberos cli_credentials_get_kerberos_state(struct cli_credentials *creds);
280 enum credentials_obtained cli_credentials_get_kerberos_state_obtained(struct cli_credentials *creds);
281 const char *cli_credentials_get_forced_sasl_mech(struct cli_credentials *cred);
282 enum credentials_krb_forwardable cli_credentials_get_krb_forwardable(struct cli_credentials *creds);
283 NTSTATUS cli_credentials_set_secrets(struct cli_credentials *cred,
284 struct loadparm_context *lp_ctx,
285 struct ldb_context *ldb,
286 const char *base,
287 const char *filter,
288 char **error_string);
289 int cli_credentials_get_kvno(struct cli_credentials *cred);
290
291 bool cli_credentials_set_username_callback(struct cli_credentials *cred,
292 const char *(*username_cb) (struct cli_credentials *));
293
294 enum credentials_obtained cli_credentials_get_principal_obtained(struct cli_credentials *cred);
295
296 /**
297 * Obtain the client principal for this credentials context.
298 * @param cred credentials context
299 * @retval The username set on this context.
300 * @note Return value will never be NULL except by programmer error.
301 */
302 char *cli_credentials_get_principal_and_obtained(struct cli_credentials *cred, TALLOC_CTX *mem_ctx, enum credentials_obtained *obtained);
303 bool cli_credentials_set_principal(struct cli_credentials *cred,
304 const char *val,
305 enum credentials_obtained obtained);
306 bool cli_credentials_set_principal_callback(struct cli_credentials *cred,
307 const char *(*principal_cb) (struct cli_credentials *));
308
309 /**
310 * Obtain the 'old' password for this credentials context (used for join accounts).
311 * @param cred credentials context
312 * @retval If set, the cleartext password, otherwise NULL
313 */
314 const char *cli_credentials_get_old_password(struct cli_credentials *cred);
315 bool cli_credentials_set_old_password(struct cli_credentials *cred,
316 const char *val,
317 enum credentials_obtained obtained);
318 bool cli_credentials_set_domain_callback(struct cli_credentials *cred,
319 const char *(*domain_cb) (struct cli_credentials *));
320 bool cli_credentials_set_realm_callback(struct cli_credentials *cred,
321 const char *(*realm_cb) (struct cli_credentials *));
322 bool cli_credentials_set_workstation_callback(struct cli_credentials *cred,
323 const char *(*workstation_cb) (struct cli_credentials *));
324
325 void cli_credentials_set_callback_data(struct cli_credentials *cred,
326 void *callback_data);
327 void *_cli_credentials_callback_data(struct cli_credentials *cred);
328 #define cli_credentials_callback_data(_cred, _type) \
329 talloc_get_type_abort(_cli_credentials_callback_data(_cred), _type)
330 #define cli_credentials_callback_data_void(_cred) \
331 _cli_credentials_callback_data(_cred)
332
333 bool cli_credentials_set_smb_signing(struct cli_credentials *cred,
334 enum smb_signing_setting signing_state,
335 enum credentials_obtained obtained);
336 enum smb_signing_setting
337 cli_credentials_get_smb_signing(struct cli_credentials *cred);
338
339 bool cli_credentials_set_smb_ipc_signing(struct cli_credentials *cred,
340 enum smb_signing_setting ipc_signing_state,
341 enum credentials_obtained obtained);
342 enum smb_signing_setting
343 cli_credentials_get_smb_ipc_signing(struct cli_credentials *cred);
344
345 bool cli_credentials_set_smb_encryption(struct cli_credentials *cred,
346 enum smb_encryption_setting encryption_state,
347 enum credentials_obtained obtained);
348 enum smb_encryption_setting
349 cli_credentials_get_smb_encryption(struct cli_credentials *cred);
350
351 bool cli_credentials_set_cmdline_callbacks(struct cli_credentials *cred);
352
353 void cli_credentials_dump(struct cli_credentials *creds);
354
355 /**
356 * Return attached NETLOGON credentials
357 */
358 struct netlogon_creds_CredentialState *cli_credentials_get_netlogon_creds(struct cli_credentials *cred);
359
360 NTSTATUS netlogon_creds_session_encrypt(
361 struct netlogon_creds_CredentialState *state,
362 DATA_BLOB data);
363
364 /**
365 * Kerberos FAST handling
366 */
367
368 NTSTATUS cli_credentials_set_krb5_fast_armor_credentials(struct cli_credentials *creds,
369 struct cli_credentials *armor_creds,
370 bool require_fast_armor);
371
372 struct cli_credentials *cli_credentials_get_krb5_fast_armor_credentials(struct cli_credentials *creds);
373
374 bool cli_credentials_get_krb5_require_fast_armor(struct cli_credentials *creds);
375
376 /**
377 * Group Managed Service Account helper
378 */
379
380 /*
381 * All current callers set "for_keytab = true", but if we start using
382 * this for getting a TGT we need the logic to ignore a very new
383 * key
384 */
385 NTSTATUS cli_credentials_set_gmsa_passwords(struct cli_credentials *creds,
386 const DATA_BLOB *managed_password_blob,
387 bool for_keytab,
388 const char **error_string);
389
390 #endif /* __CREDENTIALS_H__ */
Samba GIT mirror