2 samba -- Unix SMB/CIFS implementation.
4 Client credentials structure
6 Copyright (C) Jelmer Vernooij 2004-2006
7 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2005
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License as published by
11 the Free Software Foundation; either version 3 of the License, or
12 (at your option) any later version.
14 This program is distributed in the hope that it will be useful,
15 but WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 GNU General Public License for more details.
19 You should have received a copy of the GNU General Public License
20 along with this program. If not, see <http://www.gnu.org/licenses/>.
22 #ifndef __CREDENTIALS_H__
23 #define __CREDENTIALS_H__
25 #include "../lib/util/data_blob.h"
26 #include "librpc/gen_ndr/misc.h"
28 struct cli_credentials
;
29 struct ccache_container
;
30 struct tevent_context
;
31 struct netlogon_creds_CredentialState
;
34 struct loadparm_context
;
35 struct ccache_container
;
36 struct gssapi_creds_container
;
37 struct smb_krb5_context
;
38 struct keytab_container
;
41 /* In order of priority */
42 enum credentials_obtained
{
43 CRED_UNINITIALISED
= 0, /* We don't even have a guess yet */
44 CRED_CALLBACK
, /* Callback should be used to obtain value */
45 CRED_GUESS_ENV
, /* Current value should be used, which was guessed */
46 CRED_GUESS_FILE
, /* A guess from a file (or file pointed at in env variable) */
47 CRED_CALLBACK_RESULT
, /* Value was obtained from a callback */
48 CRED_SPECIFIED
/* Was explicitly specified on the command-line */
51 enum credentials_use_kerberos
{
52 CRED_AUTO_USE_KERBEROS
= 0, /* Default, we try kerberos if available */
53 CRED_DONT_USE_KERBEROS
, /* Sometimes trying kerberos just does 'bad things', so don't */
54 CRED_MUST_USE_KERBEROS
/* Sometimes administrators are parinoid, so always do kerberos */
57 enum credentials_krb_forwardable
{
58 CRED_AUTO_KRB_FORWARDABLE
= 0, /* Default, follow library defaults */
59 CRED_NO_KRB_FORWARDABLE
, /* not forwardable */
60 CRED_FORCE_KRB_FORWARDABLE
/* forwardable */
63 #define CLI_CRED_NTLM2 0x01
64 #define CLI_CRED_NTLMv2_AUTH 0x02
65 #define CLI_CRED_LANMAN_AUTH 0x04
66 #define CLI_CRED_NTLM_AUTH 0x08
67 #define CLI_CRED_CLEAR_AUTH 0x10 /* TODO: Push cleartext auth with this flag */
69 const char *cli_credentials_get_workstation(struct cli_credentials
*cred
);
70 bool cli_credentials_set_workstation(struct cli_credentials
*cred
,
72 enum credentials_obtained obtained
);
73 bool cli_credentials_is_anonymous(struct cli_credentials
*cred
);
74 struct cli_credentials
*cli_credentials_init(TALLOC_CTX
*mem_ctx
);
75 void cli_credentials_set_anonymous(struct cli_credentials
*cred
);
76 bool cli_credentials_wrong_password(struct cli_credentials
*cred
);
77 const char *cli_credentials_get_password(struct cli_credentials
*cred
);
78 void cli_credentials_get_ntlm_username_domain(struct cli_credentials
*cred
, TALLOC_CTX
*mem_ctx
,
79 const char **username
,
81 NTSTATUS
cli_credentials_get_ntlm_response(struct cli_credentials
*cred
, TALLOC_CTX
*mem_ctx
,
83 DATA_BLOB challenge
, DATA_BLOB target_info
,
84 DATA_BLOB
*_lm_response
, DATA_BLOB
*_nt_response
,
85 DATA_BLOB
*_lm_session_key
, DATA_BLOB
*_session_key
);
86 const char *cli_credentials_get_realm(struct cli_credentials
*cred
);
87 const char *cli_credentials_get_username(struct cli_credentials
*cred
);
88 int cli_credentials_get_krb5_context(struct cli_credentials
*cred
,
89 struct loadparm_context
*lp_ctx
,
90 struct smb_krb5_context
**smb_krb5_context
);
91 int cli_credentials_get_ccache(struct cli_credentials
*cred
,
92 struct tevent_context
*event_ctx
,
93 struct loadparm_context
*lp_ctx
,
94 struct ccache_container
**ccc
,
95 const char **error_string
);
96 int cli_credentials_get_named_ccache(struct cli_credentials
*cred
,
97 struct tevent_context
*event_ctx
,
98 struct loadparm_context
*lp_ctx
,
100 struct ccache_container
**ccc
, const char **error_string
);
101 bool cli_credentials_failed_kerberos_login(struct cli_credentials
*cred
,
102 const char *principal
,
103 unsigned int *count
);
104 int cli_credentials_get_keytab(struct cli_credentials
*cred
,
105 struct loadparm_context
*lp_ctx
,
106 struct keytab_container
**_ktc
);
107 const char *cli_credentials_get_domain(struct cli_credentials
*cred
);
108 struct netlogon_creds_CredentialState
*cli_credentials_get_netlogon_creds(struct cli_credentials
*cred
);
109 void cli_credentials_set_machine_account_pending(struct cli_credentials
*cred
,
110 struct loadparm_context
*lp_ctx
);
111 void cli_credentials_set_conf(struct cli_credentials
*cred
,
112 struct loadparm_context
*lp_ctx
);
113 const char *cli_credentials_get_principal(struct cli_credentials
*cred
, TALLOC_CTX
*mem_ctx
);
114 int cli_credentials_get_server_gss_creds(struct cli_credentials
*cred
,
115 struct loadparm_context
*lp_ctx
,
116 struct gssapi_creds_container
**_gcc
);
117 int cli_credentials_get_client_gss_creds(struct cli_credentials
*cred
,
118 struct tevent_context
*event_ctx
,
119 struct loadparm_context
*lp_ctx
,
120 struct gssapi_creds_container
**_gcc
,
121 const char **error_string
);
122 void cli_credentials_set_forced_sasl_mech(struct cli_credentials
*creds
,
123 const char *sasl_mech
);
124 void cli_credentials_set_kerberos_state(struct cli_credentials
*creds
,
125 enum credentials_use_kerberos use_kerberos
);
126 void cli_credentials_set_krb_forwardable(struct cli_credentials
*creds
,
127 enum credentials_krb_forwardable krb_forwardable
);
128 bool cli_credentials_set_domain(struct cli_credentials
*cred
,
130 enum credentials_obtained obtained
);
131 bool cli_credentials_set_domain_callback(struct cli_credentials
*cred
,
132 const char *(*domain_cb
) (struct cli_credentials
*));
133 bool cli_credentials_set_username(struct cli_credentials
*cred
,
134 const char *val
, enum credentials_obtained obtained
);
135 bool cli_credentials_set_username_callback(struct cli_credentials
*cred
,
136 const char *(*username_cb
) (struct cli_credentials
*));
137 bool cli_credentials_set_principal(struct cli_credentials
*cred
,
139 enum credentials_obtained obtained
);
140 bool cli_credentials_set_principal_callback(struct cli_credentials
*cred
,
141 const char *(*principal_cb
) (struct cli_credentials
*));
142 bool cli_credentials_set_password(struct cli_credentials
*cred
,
144 enum credentials_obtained obtained
);
145 struct cli_credentials
*cli_credentials_init_anon(TALLOC_CTX
*mem_ctx
);
146 void cli_credentials_parse_string(struct cli_credentials
*credentials
, const char *data
, enum credentials_obtained obtained
);
147 struct samr_Password
*cli_credentials_get_nt_hash(struct cli_credentials
*cred
,
148 TALLOC_CTX
*mem_ctx
);
149 bool cli_credentials_set_realm(struct cli_credentials
*cred
,
151 enum credentials_obtained obtained
);
152 void cli_credentials_set_secure_channel_type(struct cli_credentials
*cred
,
153 enum netr_SchannelType secure_channel_type
);
154 void cli_credentials_set_password_last_changed_time(struct cli_credentials
*cred
,
155 time_t last_change_time
);
156 void cli_credentials_set_netlogon_creds(struct cli_credentials
*cred
,
157 struct netlogon_creds_CredentialState
*netlogon_creds
);
158 NTSTATUS
cli_credentials_set_krb5_context(struct cli_credentials
*cred
,
159 struct smb_krb5_context
*smb_krb5_context
);
160 NTSTATUS
cli_credentials_set_stored_principal(struct cli_credentials
*cred
,
161 struct loadparm_context
*lp_ctx
,
162 const char *serviceprincipal
);
163 NTSTATUS
cli_credentials_set_machine_account(struct cli_credentials
*cred
,
164 struct loadparm_context
*lp_ctx
);
166 * Fill in credentials for the machine trust account, from the
167 * secrets.ldb or passed in handle to secrets.tdb (perhaps in CTDB).
169 * This version is used in parts of the code that can link in the
170 * CTDB dbwrap backend, by passing down the already open handle.
172 * @param cred Credentials structure to fill in
173 * @param db_ctx dbwrap context for secrets.tdb
174 * @retval NTSTATUS error detailing any failure
176 NTSTATUS
cli_credentials_set_machine_account_db_ctx(struct cli_credentials
*cred
,
177 struct loadparm_context
*lp_ctx
,
178 struct db_context
*db_ctx
);
180 bool cli_credentials_authentication_requested(struct cli_credentials
*cred
);
181 void cli_credentials_guess(struct cli_credentials
*cred
,
182 struct loadparm_context
*lp_ctx
);
183 bool cli_credentials_set_bind_dn(struct cli_credentials
*cred
,
184 const char *bind_dn
);
185 const char *cli_credentials_get_bind_dn(struct cli_credentials
*cred
);
186 bool cli_credentials_parse_file(struct cli_credentials
*cred
, const char *file
, enum credentials_obtained obtained
);
187 const char *cli_credentials_get_unparsed_name(struct cli_credentials
*credentials
, TALLOC_CTX
*mem_ctx
);
188 bool cli_credentials_set_password_callback(struct cli_credentials
*cred
,
189 const char *(*password_cb
) (struct cli_credentials
*));
190 enum netr_SchannelType
cli_credentials_get_secure_channel_type(struct cli_credentials
*cred
);
191 time_t cli_credentials_get_password_last_changed_time(struct cli_credentials
*cred
);
192 void cli_credentials_set_kvno(struct cli_credentials
*cred
,
194 bool cli_credentials_set_utf16_password(struct cli_credentials
*cred
,
195 const DATA_BLOB
*password_utf16
,
196 enum credentials_obtained obtained
);
197 bool cli_credentials_set_nt_hash(struct cli_credentials
*cred
,
198 const struct samr_Password
*nt_hash
,
199 enum credentials_obtained obtained
);
200 bool cli_credentials_set_ntlm_response(struct cli_credentials
*cred
,
201 const DATA_BLOB
*lm_response
,
202 const DATA_BLOB
*nt_response
,
203 enum credentials_obtained obtained
);
204 int cli_credentials_set_keytab_name(struct cli_credentials
*cred
,
205 struct loadparm_context
*lp_ctx
,
206 const char *keytab_name
,
207 enum credentials_obtained obtained
);
208 void cli_credentials_set_gensec_features(struct cli_credentials
*creds
, uint32_t gensec_features
);
209 uint32_t cli_credentials_get_gensec_features(struct cli_credentials
*creds
);
210 int cli_credentials_set_ccache(struct cli_credentials
*cred
,
211 struct loadparm_context
*lp_ctx
,
213 enum credentials_obtained obtained
,
214 const char **error_string
);
215 bool cli_credentials_parse_password_file(struct cli_credentials
*credentials
, const char *file
, enum credentials_obtained obtained
);
216 bool cli_credentials_parse_password_fd(struct cli_credentials
*credentials
,
217 int fd
, enum credentials_obtained obtained
);
218 void cli_credentials_invalidate_ccache(struct cli_credentials
*cred
,
219 enum credentials_obtained obtained
);
220 void cli_credentials_set_salt_principal(struct cli_credentials
*cred
, const char *principal
);
221 void cli_credentials_set_impersonate_principal(struct cli_credentials
*cred
,
222 const char *principal
,
223 const char *self_service
);
224 void cli_credentials_set_target_service(struct cli_credentials
*cred
, const char *principal
);
225 const char *cli_credentials_get_salt_principal(struct cli_credentials
*cred
);
226 const char *cli_credentials_get_impersonate_principal(struct cli_credentials
*cred
);
227 const char *cli_credentials_get_self_service(struct cli_credentials
*cred
);
228 const char *cli_credentials_get_target_service(struct cli_credentials
*cred
);
229 enum credentials_use_kerberos
cli_credentials_get_kerberos_state(struct cli_credentials
*creds
);
230 const char *cli_credentials_get_forced_sasl_mech(struct cli_credentials
*cred
);
231 enum credentials_krb_forwardable
cli_credentials_get_krb_forwardable(struct cli_credentials
*creds
);
232 NTSTATUS
cli_credentials_set_secrets(struct cli_credentials
*cred
,
233 struct loadparm_context
*lp_ctx
,
234 struct ldb_context
*ldb
,
237 char **error_string
);
238 int cli_credentials_get_kvno(struct cli_credentials
*cred
);
240 bool cli_credentials_set_username_callback(struct cli_credentials
*cred
,
241 const char *(*username_cb
) (struct cli_credentials
*));
244 * Obtain the client principal for this credentials context.
245 * @param cred credentials context
246 * @retval The username set on this context.
247 * @note Return value will never be NULL except by programmer error.
249 const char *cli_credentials_get_principal_and_obtained(struct cli_credentials
*cred
, TALLOC_CTX
*mem_ctx
, enum credentials_obtained
*obtained
);
250 bool cli_credentials_set_principal(struct cli_credentials
*cred
,
252 enum credentials_obtained obtained
);
253 bool cli_credentials_set_principal_callback(struct cli_credentials
*cred
,
254 const char *(*principal_cb
) (struct cli_credentials
*));
257 * Obtain the 'old' password for this credentials context (used for join accounts).
258 * @param cred credentials context
259 * @retval If set, the cleartext password, otherwise NULL
261 const char *cli_credentials_get_old_password(struct cli_credentials
*cred
);
262 bool cli_credentials_set_old_password(struct cli_credentials
*cred
,
264 enum credentials_obtained obtained
);
265 bool cli_credentials_set_domain_callback(struct cli_credentials
*cred
,
266 const char *(*domain_cb
) (struct cli_credentials
*));
267 bool cli_credentials_set_realm_callback(struct cli_credentials
*cred
,
268 const char *(*realm_cb
) (struct cli_credentials
*));
269 bool cli_credentials_set_workstation_callback(struct cli_credentials
*cred
,
270 const char *(*workstation_cb
) (struct cli_credentials
*));
272 void cli_credentials_set_callback_data(struct cli_credentials
*cred
,
273 void *callback_data
);
274 void *_cli_credentials_callback_data(struct cli_credentials
*cred
);
275 #define cli_credentials_callback_data(_cred, _type) \
276 talloc_get_type_abort(_cli_credentials_callback_data(_cred), _type)
277 #define cli_credentials_callback_data_void(_cred) \
278 _cli_credentials_callback_data(_cred)
280 struct cli_credentials
*cli_credentials_shallow_copy(TALLOC_CTX
*mem_ctx
,
281 struct cli_credentials
*src
);
284 * Return attached NETLOGON credentials
286 struct netlogon_creds_CredentialState
*cli_credentials_get_netlogon_creds(struct cli_credentials
*cred
);
288 #endif /* __CREDENTIALS_H__ */
