search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
selftest: Move MIT Kerberos knownfails to separate files in their own directory
[Samba.git] / auth / credentials / credentials.h
blob8a6f26be31cdb2e633bb1f5ffc9be0533216f6e1
1 /*
2 samba -- Unix SMB/CIFS implementation.
3
4 Client credentials structure
5
6 Copyright (C) Jelmer Vernooij 2004-2006
7 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2005
8
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License as published by
11 the Free Software Foundation; either version 3 of the License, or
12 (at your option) any later version.
13
14 This program is distributed in the hope that it will be useful,
15 but WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 GNU General Public License for more details.
18
19 You should have received a copy of the GNU General Public License
20 along with this program. If not, see <http://www.gnu.org/licenses/>.
21 */
22 #ifndef __CREDENTIALS_H__
23 #define __CREDENTIALS_H__
24
25 #include "../lib/util/time.h"
26 #include "../lib/util/data_blob.h"
27 #include "librpc/gen_ndr/misc.h"
28
29 struct cli_credentials;
30 struct ccache_container;
31 struct tevent_context;
32 struct netlogon_creds_CredentialState;
33 struct ldb_context;
34 struct ldb_message;
35 struct loadparm_context;
36 struct ccache_container;
37 struct gssapi_creds_container;
38 struct smb_krb5_context;
39 struct keytab_container;
40 struct db_context;
41 enum smb_signing_setting;
42 enum smb_encryption_setting;
43
44 /* In order of priority */
45 enum credentials_obtained {
46 CRED_UNINITIALISED = 0, /* We don't even have a guess yet */
47 CRED_SMB_CONF, /* Current value should be used, which comes from smb.conf */
48 CRED_CALLBACK, /* Callback should be used to obtain value */
49 CRED_GUESS_ENV, /* Current value should be used, which was guessed */
50 CRED_GUESS_FILE, /* A guess from a file (or file pointed at in env variable) */
51 CRED_CALLBACK_RESULT, /* Value was obtained from a callback */
52 CRED_SPECIFIED /* Was explicitly specified on the command-line */
53 };
54
55 enum credentials_use_kerberos {
56 /** Sometimes trying kerberos just does 'bad things', so don't */
57 CRED_USE_KERBEROS_DISABLED = 0,
58 /** Default, we try kerberos if available */
59 CRED_USE_KERBEROS_DESIRED,
60 /** Sometimes administrators are paranoid, so always do kerberos */
61 CRED_USE_KERBEROS_REQUIRED,
62 };
63
64 enum credentials_client_protection {
65 CRED_CLIENT_PROTECTION_DEFAULT = -1,
66 CRED_CLIENT_PROTECTION_PLAIN = 0,
67 CRED_CLIENT_PROTECTION_SIGN,
68 CRED_CLIENT_PROTECTION_ENCRYPT,
69 };
70
71 enum credentials_krb_forwardable {
72 CRED_AUTO_KRB_FORWARDABLE = 0, /* Default, follow library defaults */
73 CRED_NO_KRB_FORWARDABLE, /* not forwardable */
74 CRED_FORCE_KRB_FORWARDABLE /* forwardable */
75 };
76
77 #define CLI_CRED_NTLM2 0x01
78 #define CLI_CRED_NTLMv2_AUTH 0x02
79 #define CLI_CRED_LANMAN_AUTH 0x04
80 #define CLI_CRED_NTLM_AUTH 0x08
81 #define CLI_CRED_CLEAR_AUTH 0x10 /* TODO: Push cleartext auth with this flag */
82
83 const char *cli_credentials_get_workstation(struct cli_credentials *cred);
84 bool cli_credentials_set_workstation(struct cli_credentials *cred,
85 const char *val,
86 enum credentials_obtained obtained);
87 bool cli_credentials_is_anonymous(struct cli_credentials *cred);
88 struct cli_credentials *cli_credentials_init(TALLOC_CTX *mem_ctx);
89 struct cli_credentials *cli_credentials_init_server(TALLOC_CTX *mem_ctx,
90 struct loadparm_context *lp_ctx);
91 void cli_credentials_set_anonymous(struct cli_credentials *cred);
92 bool cli_credentials_wrong_password(struct cli_credentials *cred);
93 const char *cli_credentials_get_password(struct cli_credentials *cred);
94 enum credentials_obtained cli_credentials_get_password_obtained(struct cli_credentials *cred);
95 const char *cli_credentials_get_password_and_obtained(struct cli_credentials *cred,
96 enum credentials_obtained *obtained);
97 void cli_credentials_get_ntlm_username_domain(struct cli_credentials *cred, TALLOC_CTX *mem_ctx,
98 const char **username,
99 const char **domain);
100 NTSTATUS cli_credentials_get_ntlm_response(struct cli_credentials *cred, TALLOC_CTX *mem_ctx,
101 int *flags,
102 DATA_BLOB challenge,
103 const NTTIME *server_timestamp,
104 DATA_BLOB target_info,
105 DATA_BLOB *_lm_response, DATA_BLOB *_nt_response,
106 DATA_BLOB *_lm_session_key, DATA_BLOB *_session_key);
107 const char *cli_credentials_get_realm(struct cli_credentials *cred);
108 const char *cli_credentials_get_username(struct cli_credentials *cred);
109 enum credentials_obtained cli_credentials_get_username_obtained(struct cli_credentials *cred);
110 const char *cli_credentials_get_username_and_obtained(struct cli_credentials *cred,
111 enum credentials_obtained *obtained);
112 int cli_credentials_get_krb5_context(struct cli_credentials *cred,
113 struct loadparm_context *lp_ctx,
114 struct smb_krb5_context **smb_krb5_context);
115 int cli_credentials_get_ccache(struct cli_credentials *cred,
116 struct tevent_context *event_ctx,
117 struct loadparm_context *lp_ctx,
118 struct ccache_container **ccc,
119 const char **error_string);
120 int cli_credentials_get_named_ccache(struct cli_credentials *cred,
121 struct tevent_context *event_ctx,
122 struct loadparm_context *lp_ctx,
123 char *ccache_name,
124 struct ccache_container **ccc, const char **error_string);
125 bool cli_credentials_get_ccache_name_obtained(struct cli_credentials *cred,
126 TALLOC_CTX *mem_ctx,
127 char **ccache_name,
128 enum credentials_obtained *obtained);
129 bool cli_credentials_failed_kerberos_login(struct cli_credentials *cred,
130 const char *principal,
131 unsigned int *count);
132 int cli_credentials_get_keytab(struct cli_credentials *cred,
133 struct loadparm_context *lp_ctx,
134 struct keytab_container **_ktc);
135 const char *cli_credentials_get_domain(struct cli_credentials *cred);
136 const char *cli_credentials_get_domain_and_obtained(
137 struct cli_credentials *cred,
138 enum credentials_obtained *obtained);
139 struct netlogon_creds_CredentialState *cli_credentials_get_netlogon_creds(struct cli_credentials *cred);
140 void cli_credentials_set_machine_account_pending(struct cli_credentials *cred,
141 struct loadparm_context *lp_ctx);
142 bool cli_credentials_set_conf(struct cli_credentials *cred,
143 struct loadparm_context *lp_ctx);
144 char *cli_credentials_get_principal(struct cli_credentials *cred, TALLOC_CTX *mem_ctx);
145 int cli_credentials_get_server_gss_creds(struct cli_credentials *cred,
146 struct loadparm_context *lp_ctx,
147 struct gssapi_creds_container **_gcc);
148 int cli_credentials_get_client_gss_creds(struct cli_credentials *cred,
149 struct tevent_context *event_ctx,
150 struct loadparm_context *lp_ctx,
151 struct gssapi_creds_container **_gcc,
152 const char **error_string);
153 void cli_credentials_set_forced_sasl_mech(struct cli_credentials *creds,
154 const char *sasl_mech);
155 bool cli_credentials_set_kerberos_state(struct cli_credentials *creds,
156 enum credentials_use_kerberos kerberos_state,
157 enum credentials_obtained obtained);
158 void cli_credentials_set_krb_forwardable(struct cli_credentials *creds,
159 enum credentials_krb_forwardable krb_forwardable);
160 bool cli_credentials_set_domain(struct cli_credentials *cred,
161 const char *val,
162 enum credentials_obtained obtained);
163 bool cli_credentials_set_domain_callback(struct cli_credentials *cred,
164 const char *(*domain_cb) (struct cli_credentials *));
165 bool cli_credentials_set_username(struct cli_credentials *cred,
166 const char *val, enum credentials_obtained obtained);
167 bool cli_credentials_set_username_callback(struct cli_credentials *cred,
168 const char *(*username_cb) (struct cli_credentials *));
169 bool cli_credentials_set_principal(struct cli_credentials *cred,
170 const char *val,
171 enum credentials_obtained obtained);
172 bool cli_credentials_set_principal_callback(struct cli_credentials *cred,
173 const char *(*principal_cb) (struct cli_credentials *));
174 bool cli_credentials_set_password(struct cli_credentials *cred,
175 const char *val,
176 enum credentials_obtained obtained);
177 struct cli_credentials *cli_credentials_init_anon(TALLOC_CTX *mem_ctx);
178 void cli_credentials_parse_string(struct cli_credentials *credentials, const char *data, enum credentials_obtained obtained);
179 struct samr_Password *cli_credentials_get_nt_hash(struct cli_credentials *cred,
180 TALLOC_CTX *mem_ctx);
181 struct samr_Password *cli_credentials_get_old_nt_hash(struct cli_credentials *cred,
182 TALLOC_CTX *mem_ctx);
183 bool cli_credentials_set_realm(struct cli_credentials *cred,
184 const char *val,
185 enum credentials_obtained obtained);
186 void cli_credentials_set_secure_channel_type(struct cli_credentials *cred,
187 enum netr_SchannelType secure_channel_type);
188 void cli_credentials_set_password_last_changed_time(struct cli_credentials *cred,
189 time_t last_change_time);
190 void cli_credentials_set_netlogon_creds(
191 struct cli_credentials *cred,
192 const struct netlogon_creds_CredentialState *netlogon_creds);
193 NTSTATUS cli_credentials_set_krb5_context(struct cli_credentials *cred,
194 struct smb_krb5_context *smb_krb5_context);
195 NTSTATUS cli_credentials_set_stored_principal(struct cli_credentials *cred,
196 struct loadparm_context *lp_ctx,
197 const char *serviceprincipal);
198 NTSTATUS cli_credentials_set_machine_account(struct cli_credentials *cred,
199 struct loadparm_context *lp_ctx);
200 /**
201 * Fill in credentials for the machine trust account, from the
202 * secrets.ldb or passed in handle to secrets.tdb (perhaps in CTDB).
203 *
204 * This version is used in parts of the code that can link in the
205 * CTDB dbwrap backend, by passing down the already open handle.
206 *
207 * @param cred Credentials structure to fill in
208 * @param db_ctx dbwrap context for secrets.tdb
209 * @retval NTSTATUS error detailing any failure
210 */
211 NTSTATUS cli_credentials_set_machine_account_db_ctx(struct cli_credentials *cred,
212 struct loadparm_context *lp_ctx,
213 struct db_context *db_ctx);
214
215 bool cli_credentials_authentication_requested(struct cli_credentials *cred);
216 bool cli_credentials_guess(struct cli_credentials *cred,
217 struct loadparm_context *lp_ctx);
218 bool cli_credentials_set_bind_dn(struct cli_credentials *cred,
219 const char *bind_dn);
220 const char *cli_credentials_get_bind_dn(struct cli_credentials *cred);
221 bool cli_credentials_parse_file(struct cli_credentials *cred, const char *file, enum credentials_obtained obtained);
222 char *cli_credentials_get_unparsed_name(struct cli_credentials *credentials, TALLOC_CTX *mem_ctx);
223 bool cli_credentials_set_password_callback(struct cli_credentials *cred,
224 const char *(*password_cb) (struct cli_credentials *));
225 enum netr_SchannelType cli_credentials_get_secure_channel_type(struct cli_credentials *cred);
226 time_t cli_credentials_get_password_last_changed_time(struct cli_credentials *cred);
227 void cli_credentials_set_kvno(struct cli_credentials *cred,
228 int kvno);
229 bool cli_credentials_set_utf16_password(struct cli_credentials *cred,
230 const DATA_BLOB *password_utf16,
231 enum credentials_obtained obtained);
232 bool cli_credentials_set_old_utf16_password(struct cli_credentials *cred,
233 const DATA_BLOB *password_utf16);
234 void cli_credentials_set_password_will_be_nt_hash(struct cli_credentials *cred,
235 bool val);
236 bool cli_credentials_is_password_nt_hash(struct cli_credentials *cred);
237 bool cli_credentials_set_nt_hash(struct cli_credentials *cred,
238 const struct samr_Password *nt_hash,
239 enum credentials_obtained obtained);
240 bool cli_credentials_set_old_nt_hash(struct cli_credentials *cred,
241 const struct samr_Password *nt_hash);
242 bool cli_credentials_set_ntlm_response(struct cli_credentials *cred,
243 const DATA_BLOB *lm_response,
244 const DATA_BLOB *lm_session_key,
245 const DATA_BLOB *nt_response,
246 const DATA_BLOB *nt_session_key,
247 enum credentials_obtained obtained);
248 int cli_credentials_set_keytab_name(struct cli_credentials *cred,
249 struct loadparm_context *lp_ctx,
250 const char *keytab_name,
251 enum credentials_obtained obtained);
252 bool cli_credentials_set_gensec_features(struct cli_credentials *creds,
253 uint32_t gensec_features,
254 enum credentials_obtained obtained);
255 uint32_t cli_credentials_get_gensec_features(struct cli_credentials *creds);
256 bool cli_credentials_add_gensec_features(struct cli_credentials *creds,
257 uint32_t gensec_features,
258 enum credentials_obtained obtained);
259 int cli_credentials_set_ccache(struct cli_credentials *cred,
260 struct loadparm_context *lp_ctx,
261 const char *name,
262 enum credentials_obtained obtained,
263 const char **error_string);
264 bool cli_credentials_parse_password_file(struct cli_credentials *credentials, const char *file, enum credentials_obtained obtained);
265 bool cli_credentials_parse_password_fd(struct cli_credentials *credentials,
266 int fd, enum credentials_obtained obtained);
267 void cli_credentials_invalidate_ccache(struct cli_credentials *cred,
268 enum credentials_obtained obtained);
269 void cli_credentials_set_salt_principal(struct cli_credentials *cred, const char *principal);
270 void cli_credentials_set_impersonate_principal(struct cli_credentials *cred,
271 const char *principal,
272 const char *self_service);
273 void cli_credentials_set_target_service(struct cli_credentials *cred, const char *principal);
274 char *cli_credentials_get_salt_principal(struct cli_credentials *cred, TALLOC_CTX *mem_ctx);
275 const char *cli_credentials_get_impersonate_principal(struct cli_credentials *cred);
276 const char *cli_credentials_get_self_service(struct cli_credentials *cred);
277 const char *cli_credentials_get_target_service(struct cli_credentials *cred);
278 enum credentials_use_kerberos cli_credentials_get_kerberos_state(struct cli_credentials *creds);
279 enum credentials_obtained cli_credentials_get_kerberos_state_obtained(struct cli_credentials *creds);
280 const char *cli_credentials_get_forced_sasl_mech(struct cli_credentials *cred);
281 enum credentials_krb_forwardable cli_credentials_get_krb_forwardable(struct cli_credentials *creds);
282 NTSTATUS cli_credentials_set_secrets(struct cli_credentials *cred,
283 struct loadparm_context *lp_ctx,
284 struct ldb_context *ldb,
285 const char *base,
286 const char *filter,
287 char **error_string);
288 int cli_credentials_get_kvno(struct cli_credentials *cred);
289
290 bool cli_credentials_set_username_callback(struct cli_credentials *cred,
291 const char *(*username_cb) (struct cli_credentials *));
292
293 enum credentials_obtained cli_credentials_get_principal_obtained(struct cli_credentials *cred);
294
295 /**
296 * Obtain the client principal for this credentials context.
297 * @param cred credentials context
298 * @retval The username set on this context.
299 * @note Return value will never be NULL except by programmer error.
300 */
301 char *cli_credentials_get_principal_and_obtained(struct cli_credentials *cred, TALLOC_CTX *mem_ctx, enum credentials_obtained *obtained);
302 bool cli_credentials_set_principal(struct cli_credentials *cred,
303 const char *val,
304 enum credentials_obtained obtained);
305 bool cli_credentials_set_principal_callback(struct cli_credentials *cred,
306 const char *(*principal_cb) (struct cli_credentials *));
307
308 /**
309 * Obtain the 'old' password for this credentials context (used for join accounts).
310 * @param cred credentials context
311 * @retval If set, the cleartext password, otherwise NULL
312 */
313 const char *cli_credentials_get_old_password(struct cli_credentials *cred);
314 bool cli_credentials_set_old_password(struct cli_credentials *cred,
315 const char *val,
316 enum credentials_obtained obtained);
317 bool cli_credentials_set_domain_callback(struct cli_credentials *cred,
318 const char *(*domain_cb) (struct cli_credentials *));
319 bool cli_credentials_set_realm_callback(struct cli_credentials *cred,
320 const char *(*realm_cb) (struct cli_credentials *));
321 bool cli_credentials_set_workstation_callback(struct cli_credentials *cred,
322 const char *(*workstation_cb) (struct cli_credentials *));
323
324 void cli_credentials_set_callback_data(struct cli_credentials *cred,
325 void *callback_data);
326 void *_cli_credentials_callback_data(struct cli_credentials *cred);
327 #define cli_credentials_callback_data(_cred, _type) \
328 talloc_get_type_abort(_cli_credentials_callback_data(_cred), _type)
329 #define cli_credentials_callback_data_void(_cred) \
330 _cli_credentials_callback_data(_cred)
331
332 bool cli_credentials_set_smb_signing(struct cli_credentials *cred,
333 enum smb_signing_setting signing_state,
334 enum credentials_obtained obtained);
335 enum smb_signing_setting
336 cli_credentials_get_smb_signing(struct cli_credentials *cred);
337
338 bool cli_credentials_set_smb_ipc_signing(struct cli_credentials *cred,
339 enum smb_signing_setting ipc_signing_state,
340 enum credentials_obtained obtained);
341 enum smb_signing_setting
342 cli_credentials_get_smb_ipc_signing(struct cli_credentials *cred);
343
344 bool cli_credentials_set_smb_encryption(struct cli_credentials *cred,
345 enum smb_encryption_setting encryption_state,
346 enum credentials_obtained obtained);
347 enum smb_encryption_setting
348 cli_credentials_get_smb_encryption(struct cli_credentials *cred);
349
350 bool cli_credentials_set_cmdline_callbacks(struct cli_credentials *cred);
351
352 void cli_credentials_dump(struct cli_credentials *creds);
353
354 /**
355 * Return attached NETLOGON credentials
356 */
357 struct netlogon_creds_CredentialState *cli_credentials_get_netlogon_creds(struct cli_credentials *cred);
358
359 NTSTATUS netlogon_creds_session_encrypt(
360 struct netlogon_creds_CredentialState *state,
361 DATA_BLOB data);
362
363 /**
364 * Kerberos FAST handling
365 */
366
367 NTSTATUS cli_credentials_set_krb5_fast_armor_credentials(struct cli_credentials *creds,
368 struct cli_credentials *armor_creds,
369 bool require_fast_armor);
370
371 struct cli_credentials *cli_credentials_get_krb5_fast_armor_credentials(struct cli_credentials *creds);
372
373 bool cli_credentials_get_krb5_require_fast_armor(struct cli_credentials *creds);
374
375 /**
376 * Group Managed Service Account helper
377 */
378
379 /*
380 * All current callers set "for_keytab = true", but if we start using
381 * this for getting a TGT we need the logic to ignore a very new
382 * key
383 */
384 NTSTATUS cli_credentials_set_gmsa_passwords(struct cli_credentials *creds,
385 const DATA_BLOB *managed_password_blob,
386 bool for_keytab,
387 const char **error_string);
388
389 #endif /* __CREDENTIALS_H__ */
Samba GIT mirror