search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Part 4 of bug #7028 - include scannedonly VFS module
[Samba/gebeck_regimport.git] / source4 / auth / credentials / credentials_krb5.c
blobefcca3e269f59c136c426f40bc3eb9c9b336a100
1 /*
2 Unix SMB/CIFS implementation.
3
4 Handle user credentials (as regards krb5)
5
6 Copyright (C) Jelmer Vernooij 2005
7 Copyright (C) Tim Potter 2001
8 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2005
9
10 This program is free software; you can redistribute it and/or modify
11 it under the terms of the GNU General Public License as published by
12 the Free Software Foundation; either version 3 of the License, or
13 (at your option) any later version.
14
15 This program is distributed in the hope that it will be useful,
16 but WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 GNU General Public License for more details.
19
20 You should have received a copy of the GNU General Public License
21 along with this program. If not, see <http://www.gnu.org/licenses/>.
22 */
23
24 #include "includes.h"
25 #include "system/kerberos.h"
26 #include "auth/kerberos/kerberos.h"
27 #include "auth/credentials/credentials.h"
28 #include "auth/credentials/credentials_proto.h"
29 #include "auth/credentials/credentials_krb5.h"
30 #include "param/param.h"
31
32 _PUBLIC_ int cli_credentials_get_krb5_context(struct cli_credentials *cred,
33 struct tevent_context *event_ctx,
34 struct loadparm_context *lp_ctx,
35 struct smb_krb5_context **smb_krb5_context)
36 {
37 int ret;
38 if (cred->smb_krb5_context) {
39 *smb_krb5_context = cred->smb_krb5_context;
40 return 0;
41 }
42
43 ret = smb_krb5_init_context(cred, event_ctx, lp_ctx, &cred->smb_krb5_context);
44 if (ret) {
45 cred->smb_krb5_context = NULL;
46 return ret;
47 }
48 *smb_krb5_context = cred->smb_krb5_context;
49 return 0;
50 }
51
52 /* This needs to be called directly after the cli_credentials_init(),
53 * otherwise we might have problems with the krb5 context already
54 * being here.
55 */
56 _PUBLIC_ NTSTATUS cli_credentials_set_krb5_context(struct cli_credentials *cred,
57 struct smb_krb5_context *smb_krb5_context)
58 {
59 if (!talloc_reference(cred, smb_krb5_context)) {
60 return NT_STATUS_NO_MEMORY;
61 }
62 cred->smb_krb5_context = smb_krb5_context;
63 return NT_STATUS_OK;
64 }
65
66 static int cli_credentials_set_from_ccache(struct cli_credentials *cred,
67 struct ccache_container *ccache,
68 enum credentials_obtained obtained)
69 {
70
71 krb5_principal princ;
72 krb5_error_code ret;
73 char *name;
74
75 if (cred->ccache_obtained > obtained) {
76 return 0;
77 }
78
79 ret = krb5_cc_get_principal(ccache->smb_krb5_context->krb5_context,
80 ccache->ccache, &princ);
81
82 if (ret) {
83 char *err_mess = smb_get_krb5_error_message(ccache->smb_krb5_context->krb5_context,
84 ret, cred);
85 DEBUG(1,("failed to get principal from ccache: %s\n",
86 err_mess));
87 talloc_free(err_mess);
88 return ret;
89 }
90
91 ret = krb5_unparse_name(ccache->smb_krb5_context->krb5_context, princ, &name);
92 if (ret) {
93 char *err_mess = smb_get_krb5_error_message(ccache->smb_krb5_context->krb5_context, ret, cred);
94 DEBUG(1,("failed to unparse principal from ccache: %s\n",
95 err_mess));
96 talloc_free(err_mess);
97 return ret;
98 }
99
100 cli_credentials_set_principal(cred, name, obtained);
101
102 free(name);
103
104 krb5_free_principal(ccache->smb_krb5_context->krb5_context, princ);
105
106 /* set the ccache_obtained here, as it just got set to UNINITIALISED by the calls above */
107 cred->ccache_obtained = obtained;
108
109 return 0;
110 }
111
112 /* Free a memory ccache */
113 static int free_mccache(struct ccache_container *ccc)
114 {
115 krb5_cc_destroy(ccc->smb_krb5_context->krb5_context, ccc->ccache);
116
117 return 0;
118 }
119
120 /* Free a disk-based ccache */
121 static int free_dccache(struct ccache_container *ccc) {
122 krb5_cc_close(ccc->smb_krb5_context->krb5_context, ccc->ccache);
123
124 return 0;
125 }
126
127 _PUBLIC_ int cli_credentials_set_ccache(struct cli_credentials *cred,
128 struct tevent_context *event_ctx,
129 struct loadparm_context *lp_ctx,
130 const char *name,
131 enum credentials_obtained obtained)
132 {
133 krb5_error_code ret;
134 krb5_principal princ;
135 struct ccache_container *ccc;
136 if (cred->ccache_obtained > obtained) {
137 return 0;
138 }
139
140 ccc = talloc(cred, struct ccache_container);
141 if (!ccc) {
142 return ENOMEM;
143 }
144
145 ret = cli_credentials_get_krb5_context(cred, event_ctx, lp_ctx,
146 &ccc->smb_krb5_context);
147 if (ret) {
148 talloc_free(ccc);
149 return ret;
150 }
151 if (!talloc_reference(ccc, ccc->smb_krb5_context)) {
152 talloc_free(ccc);
153 return ENOMEM;
154 }
155
156 if (name) {
157 ret = krb5_cc_resolve(ccc->smb_krb5_context->krb5_context, name, &ccc->ccache);
158 if (ret) {
159 DEBUG(1,("failed to read krb5 ccache: %s: %s\n",
160 name,
161 smb_get_krb5_error_message(ccc->smb_krb5_context->krb5_context, ret, ccc)));
162 talloc_free(ccc);
163 return ret;
164 }
165 } else {
166 ret = krb5_cc_default(ccc->smb_krb5_context->krb5_context, &ccc->ccache);
167 if (ret) {
168 DEBUG(3,("failed to read default krb5 ccache: %s\n",
169 smb_get_krb5_error_message(ccc->smb_krb5_context->krb5_context, ret, ccc)));
170 talloc_free(ccc);
171 return ret;
172 }
173 }
174
175 talloc_set_destructor(ccc, free_dccache);
176
177 ret = krb5_cc_get_principal(ccc->smb_krb5_context->krb5_context, ccc->ccache, &princ);
178
179 if (ret) {
180 DEBUG(3,("failed to get principal from default ccache: %s\n",
181 smb_get_krb5_error_message(ccc->smb_krb5_context->krb5_context, ret, ccc)));
182 talloc_free(ccc);
183 return ret;
184 }
185
186 krb5_free_principal(ccc->smb_krb5_context->krb5_context, princ);
187
188 ret = cli_credentials_set_from_ccache(cred, ccc, obtained);
189
190 if (ret) {
191 return ret;
192 }
193
194 cred->ccache = ccc;
195 cred->ccache_obtained = obtained;
196 talloc_steal(cred, ccc);
197
198 cli_credentials_invalidate_client_gss_creds(cred, cred->ccache_obtained);
199 return 0;
200 }
201
202
203 static int cli_credentials_new_ccache(struct cli_credentials *cred,
204 struct tevent_context *event_ctx,
205 struct loadparm_context *lp_ctx,
206 struct ccache_container **_ccc)
207 {
208 krb5_error_code ret;
209 struct ccache_container *ccc = talloc(cred, struct ccache_container);
210 char *ccache_name;
211 if (!ccc) {
212 return ENOMEM;
213 }
214
215 ccache_name = talloc_asprintf(ccc, "MEMORY:%p",
216 ccc);
217
218 if (!ccache_name) {
219 talloc_free(ccc);
220 return ENOMEM;
221 }
222
223 ret = cli_credentials_get_krb5_context(cred, event_ctx, lp_ctx,
224 &ccc->smb_krb5_context);
225 if (ret) {
226 talloc_free(ccc);
227 return ret;
228 }
229 if (!talloc_reference(ccc, ccc->smb_krb5_context)) {
230 talloc_free(ccc);
231 return ENOMEM;
232 }
233
234 ret = krb5_cc_resolve(ccc->smb_krb5_context->krb5_context, ccache_name,
235 &ccc->ccache);
236 if (ret) {
237 DEBUG(1,("failed to generate a new krb5 ccache (%s): %s\n",
238 ccache_name,
239 smb_get_krb5_error_message(ccc->smb_krb5_context->krb5_context, ret, ccc)));
240 talloc_free(ccache_name);
241 talloc_free(ccc);
242 return ret;
243 }
244
245 talloc_set_destructor(ccc, free_mccache);
246
247 talloc_free(ccache_name);
248
249 *_ccc = ccc;
250
251 return ret;
252 }
253
254 _PUBLIC_ int cli_credentials_get_ccache(struct cli_credentials *cred,
255 struct tevent_context *event_ctx,
256 struct loadparm_context *lp_ctx,
257 struct ccache_container **ccc)
258 {
259 krb5_error_code ret;
260
261 if (cred->machine_account_pending) {
262 cli_credentials_set_machine_account(cred, lp_ctx);
263 }
264
265 if (cred->ccache_obtained >= cred->ccache_threshold &&
266 cred->ccache_obtained > CRED_UNINITIALISED) {
267 *ccc = cred->ccache;
268 return 0;
269 }
270 if (cli_credentials_is_anonymous(cred)) {
271 return EINVAL;
272 }
273
274 ret = cli_credentials_new_ccache(cred, event_ctx, lp_ctx, ccc);
275 if (ret) {
276 return ret;
277 }
278
279 ret = kinit_to_ccache(cred, cred, (*ccc)->smb_krb5_context, (*ccc)->ccache);
280 if (ret) {
281 return ret;
282 }
283
284 ret = cli_credentials_set_from_ccache(cred, *ccc,
285 (MAX(MAX(cred->principal_obtained,
286 cred->username_obtained),
287 cred->password_obtained)));
288
289 cred->ccache = *ccc;
290 cred->ccache_obtained = cred->principal_obtained;
291 if (ret) {
292 return ret;
293 }
294 cli_credentials_invalidate_client_gss_creds(cred, cred->ccache_obtained);
295 return ret;
296 }
297
298 void cli_credentials_invalidate_client_gss_creds(struct cli_credentials *cred,
299 enum credentials_obtained obtained)
300 {
301 /* If the caller just changed the username/password etc, then
302 * any cached credentials are now invalid */
303 if (obtained >= cred->client_gss_creds_obtained) {
304 if (cred->client_gss_creds_obtained > CRED_UNINITIALISED) {
305 talloc_unlink(cred, cred->client_gss_creds);
306 cred->client_gss_creds = NULL;
307 }
308 cred->client_gss_creds_obtained = CRED_UNINITIALISED;
309 }
310 /* Now that we know that the data is 'this specified', then
311 * don't allow something less 'known' to be returned as a
312 * ccache. Ie, if the username is on the commmand line, we
313 * don't want to later guess to use a file-based ccache */
314 if (obtained > cred->client_gss_creds_threshold) {
315 cred->client_gss_creds_threshold = obtained;
316 }
317 }
318
319 _PUBLIC_ void cli_credentials_invalidate_ccache(struct cli_credentials *cred,
320 enum credentials_obtained obtained)
321 {
322 /* If the caller just changed the username/password etc, then
323 * any cached credentials are now invalid */
324 if (obtained >= cred->ccache_obtained) {
325 if (cred->ccache_obtained > CRED_UNINITIALISED) {
326 talloc_unlink(cred, cred->ccache);
327 cred->ccache = NULL;
328 }
329 cred->ccache_obtained = CRED_UNINITIALISED;
330 }
331 /* Now that we know that the data is 'this specified', then
332 * don't allow something less 'known' to be returned as a
333 * ccache. Ie, if the username is on the commmand line, we
334 * don't want to later guess to use a file-based ccache */
335 if (obtained > cred->ccache_threshold) {
336 cred->ccache_threshold = obtained;
337 }
338
339 cli_credentials_invalidate_client_gss_creds(cred,
340 obtained);
341 }
342
343 static int free_gssapi_creds(struct gssapi_creds_container *gcc)
344 {
345 OM_uint32 min_stat, maj_stat;
346 maj_stat = gss_release_cred(&min_stat, &gcc->creds);
347 return 0;
348 }
349
350 _PUBLIC_ int cli_credentials_get_client_gss_creds(struct cli_credentials *cred,
351 struct tevent_context *event_ctx,
352 struct loadparm_context *lp_ctx,
353 struct gssapi_creds_container **_gcc)
354 {
355 int ret = 0;
356 OM_uint32 maj_stat, min_stat;
357 struct gssapi_creds_container *gcc;
358 struct ccache_container *ccache;
359 gss_buffer_desc empty_buffer = GSS_C_EMPTY_BUFFER;
360 krb5_enctype *etypes = NULL;
361
362 if (cred->client_gss_creds_obtained >= cred->client_gss_creds_threshold &&
363 cred->client_gss_creds_obtained > CRED_UNINITIALISED) {
364 *_gcc = cred->client_gss_creds;
365 return 0;
366 }
367
368 ret = cli_credentials_get_ccache(cred, event_ctx, lp_ctx,
369 &ccache);
370 if (ret) {
371 DEBUG(1, ("Failed to get CCACHE for GSSAPI client: %s\n", error_message(ret)));
372 return ret;
373 }
374
375 gcc = talloc(cred, struct gssapi_creds_container);
376 if (!gcc) {
377 return ENOMEM;
378 }
379
380 maj_stat = gss_krb5_import_cred(&min_stat, ccache->ccache, NULL, NULL,
381 &gcc->creds);
382 if (maj_stat) {
383 talloc_free(gcc);
384 if (min_stat) {
385 ret = min_stat;
386 } else {
387 ret = EINVAL;
388 }
389 return ret;
390 }
391
392 /*
393 * transfer the enctypes from the smb_krb5_context to the gssapi layer
394 *
395 * We use 'our' smb_krb5_context to do the AS-REQ and it is possible
396 * to configure the enctypes via the krb5.conf.
397 *
398 * And the gss_init_sec_context() creates it's own krb5_context and
399 * the TGS-REQ had all enctypes in it and only the ones configured
400 * and used for the AS-REQ, so it wasn't possible to disable the usage
401 * of AES keys.
402 */
403 min_stat = krb5_get_default_in_tkt_etypes(ccache->smb_krb5_context->krb5_context,
404 &etypes);
405 if (min_stat == 0) {
406 OM_uint32 num_ktypes;
407
408 for (num_ktypes = 0; etypes[num_ktypes]; num_ktypes++);
409
410 maj_stat = gss_krb5_set_allowable_enctypes(&min_stat, gcc->creds,
411 num_ktypes, etypes);
412 krb5_xfree (etypes);
413 if (maj_stat) {
414 talloc_free(gcc);
415 if (min_stat) {
416 ret = min_stat;
417 } else {
418 ret = EINVAL;
419 }
420 return ret;
421 }
422 }
423
424 /* don't force GSS_C_CONF_FLAG and GSS_C_INTEG_FLAG */
425 maj_stat = gss_set_cred_option(&min_stat, &gcc->creds,
426 GSS_KRB5_CRED_NO_CI_FLAGS_X,
427 &empty_buffer);
428 if (maj_stat) {
429 talloc_free(gcc);
430 if (min_stat) {
431 ret = min_stat;
432 } else {
433 ret = EINVAL;
434 }
435 return ret;
436 }
437
438 cred->client_gss_creds_obtained = cred->ccache_obtained;
439 talloc_set_destructor(gcc, free_gssapi_creds);
440 cred->client_gss_creds = gcc;
441 *_gcc = gcc;
442 return 0;
443 }
444
445 /**
446 Set a gssapi cred_id_t into the credentials system. (Client case)
447
448 This grabs the credentials both 'intact' and getting the krb5
449 ccache out of it. This routine can be generalised in future for
450 the case where we deal with GSSAPI mechs other than krb5.
451
452 On sucess, the caller must not free gssapi_cred, as it now belongs
453 to the credentials system.
454 */
455
456 int cli_credentials_set_client_gss_creds(struct cli_credentials *cred,
457 struct tevent_context *event_ctx,
458 struct loadparm_context *lp_ctx,
459 gss_cred_id_t gssapi_cred,
460 enum credentials_obtained obtained)
461 {
462 int ret;
463 OM_uint32 maj_stat, min_stat;
464 struct ccache_container *ccc;
465 struct gssapi_creds_container *gcc;
466 if (cred->client_gss_creds_obtained > obtained) {
467 return 0;
468 }
469
470 gcc = talloc(cred, struct gssapi_creds_container);
471 if (!gcc) {
472 return ENOMEM;
473 }
474
475 ret = cli_credentials_new_ccache(cred, event_ctx, lp_ctx, &ccc);
476 if (ret != 0) {
477 return ret;
478 }
479
480 maj_stat = gss_krb5_copy_ccache(&min_stat,
481 gssapi_cred, ccc->ccache);
482 if (maj_stat) {
483 if (min_stat) {
484 ret = min_stat;
485 } else {
486 ret = EINVAL;
487 }
488 }
489
490 if (ret == 0) {
491 ret = cli_credentials_set_from_ccache(cred, ccc, obtained);
492 }
493 cred->ccache = ccc;
494 cred->ccache_obtained = obtained;
495 if (ret == 0) {
496 gcc->creds = gssapi_cred;
497 talloc_set_destructor(gcc, free_gssapi_creds);
498
499 /* set the clinet_gss_creds_obtained here, as it just
500 got set to UNINITIALISED by the calls above */
501 cred->client_gss_creds_obtained = obtained;
502 cred->client_gss_creds = gcc;
503 }
504 return ret;
505 }
506
507 /* Get the keytab (actually, a container containing the krb5_keytab)
508 * attached to this context. If this hasn't been done or set before,
509 * it will be generated from the password.
510 */
511 _PUBLIC_ int cli_credentials_get_keytab(struct cli_credentials *cred,
512 struct tevent_context *event_ctx,
513 struct loadparm_context *lp_ctx,
514 struct keytab_container **_ktc)
515 {
516 krb5_error_code ret;
517 struct keytab_container *ktc;
518 struct smb_krb5_context *smb_krb5_context;
519 const char **enctype_strings;
520 TALLOC_CTX *mem_ctx;
521
522 if (cred->keytab_obtained >= (MAX(cred->principal_obtained,
523 cred->username_obtained))) {
524 *_ktc = cred->keytab;
525 return 0;
526 }
527
528 if (cli_credentials_is_anonymous(cred)) {
529 return EINVAL;
530 }
531
532 ret = cli_credentials_get_krb5_context(cred, event_ctx, lp_ctx,
533 &smb_krb5_context);
534 if (ret) {
535 return ret;
536 }
537
538 mem_ctx = talloc_new(cred);
539 if (!mem_ctx) {
540 return ENOMEM;
541 }
542
543 enctype_strings = cli_credentials_get_enctype_strings(cred);
544
545 ret = smb_krb5_create_memory_keytab(mem_ctx, cred,
546 smb_krb5_context,
547 enctype_strings, &ktc);
548 if (ret) {
549 talloc_free(mem_ctx);
550 return ret;
551 }
552
553 cred->keytab_obtained = (MAX(cred->principal_obtained,
554 cred->username_obtained));
555
556 talloc_steal(cred, ktc);
557 cred->keytab = ktc;
558 *_ktc = cred->keytab;
559 talloc_free(mem_ctx);
560 return ret;
561 }
562
563 /* Given the name of a keytab (presumably in the format
564 * FILE:/etc/krb5.keytab), open it and attach it */
565
566 _PUBLIC_ int cli_credentials_set_keytab_name(struct cli_credentials *cred,
567 struct tevent_context *event_ctx,
568 struct loadparm_context *lp_ctx,
569 const char *keytab_name,
570 enum credentials_obtained obtained)
571 {
572 krb5_error_code ret;
573 struct keytab_container *ktc;
574 struct smb_krb5_context *smb_krb5_context;
575 TALLOC_CTX *mem_ctx;
576
577 if (cred->keytab_obtained >= obtained) {
578 return 0;
579 }
580
581 ret = cli_credentials_get_krb5_context(cred, event_ctx, lp_ctx, &smb_krb5_context);
582 if (ret) {
583 return ret;
584 }
585
586 mem_ctx = talloc_new(cred);
587 if (!mem_ctx) {
588 return ENOMEM;
589 }
590
591 ret = smb_krb5_open_keytab(mem_ctx, smb_krb5_context,
592 keytab_name, &ktc);
593 if (ret) {
594 return ret;
595 }
596
597 cred->keytab_obtained = obtained;
598
599 talloc_steal(cred, ktc);
600 cred->keytab = ktc;
601 talloc_free(mem_ctx);
602
603 return ret;
604 }
605
606 _PUBLIC_ int cli_credentials_update_keytab(struct cli_credentials *cred,
607 struct tevent_context *event_ctx,
608 struct loadparm_context *lp_ctx)
609 {
610 krb5_error_code ret;
611 struct keytab_container *ktc;
612 struct smb_krb5_context *smb_krb5_context;
613 const char **enctype_strings;
614 TALLOC_CTX *mem_ctx;
615
616 mem_ctx = talloc_new(cred);
617 if (!mem_ctx) {
618 return ENOMEM;
619 }
620
621 ret = cli_credentials_get_krb5_context(cred, event_ctx, lp_ctx, &smb_krb5_context);
622 if (ret) {
623 talloc_free(mem_ctx);
624 return ret;
625 }
626
627 enctype_strings = cli_credentials_get_enctype_strings(cred);
628
629 ret = cli_credentials_get_keytab(cred, event_ctx, lp_ctx, &ktc);
630 if (ret != 0) {
631 talloc_free(mem_ctx);
632 return ret;
633 }
634
635 ret = smb_krb5_update_keytab(mem_ctx, cred, smb_krb5_context, enctype_strings, ktc);
636
637 talloc_free(mem_ctx);
638 return ret;
639 }
640
641 /* Get server gss credentials (in gsskrb5, this means the keytab) */
642
643 _PUBLIC_ int cli_credentials_get_server_gss_creds(struct cli_credentials *cred,
644 struct tevent_context *event_ctx,
645 struct loadparm_context *lp_ctx,
646 struct gssapi_creds_container **_gcc)
647 {
648 int ret = 0;
649 OM_uint32 maj_stat, min_stat;
650 struct gssapi_creds_container *gcc;
651 struct keytab_container *ktc;
652 struct smb_krb5_context *smb_krb5_context;
653 TALLOC_CTX *mem_ctx;
654 krb5_principal princ;
655
656 if (cred->server_gss_creds_obtained >= (MAX(cred->keytab_obtained,
657 MAX(cred->principal_obtained,
658 cred->username_obtained)))) {
659 *_gcc = cred->server_gss_creds;
660 return 0;
661 }
662
663 ret = cli_credentials_get_krb5_context(cred, event_ctx, lp_ctx, &smb_krb5_context);
664 if (ret) {
665 return ret;
666 }
667
668 ret = cli_credentials_get_keytab(cred, event_ctx, lp_ctx, &ktc);
669 if (ret) {
670 DEBUG(1, ("Failed to get keytab for GSSAPI server: %s\n", error_message(ret)));
671 return ret;
672 }
673
674 mem_ctx = talloc_new(cred);
675 if (!mem_ctx) {
676 return ENOMEM;
677 }
678
679 ret = principal_from_credentials(mem_ctx, cred, smb_krb5_context, &princ);
680 if (ret) {
681 DEBUG(1,("cli_credentials_get_server_gss_creds: makeing krb5 principal failed (%s)\n",
682 smb_get_krb5_error_message(smb_krb5_context->krb5_context,
683 ret, mem_ctx)));
684 talloc_free(mem_ctx);
685 return ret;
686 }
687
688 gcc = talloc(cred, struct gssapi_creds_container);
689 if (!gcc) {
690 talloc_free(mem_ctx);
691 return ENOMEM;
692 }
693
694 /* This creates a GSSAPI cred_id_t with the principal and keytab set */
695 maj_stat = gss_krb5_import_cred(&min_stat, NULL, princ, ktc->keytab,
696 &gcc->creds);
697 if (maj_stat) {
698 if (min_stat) {
699 ret = min_stat;
700 } else {
701 ret = EINVAL;
702 }
703 }
704 if (ret == 0) {
705 cred->server_gss_creds_obtained = cred->keytab_obtained;
706 talloc_set_destructor(gcc, free_gssapi_creds);
707 cred->server_gss_creds = gcc;
708 *_gcc = gcc;
709 }
710 talloc_free(mem_ctx);
711 return ret;
712 }
713
714 /**
715 * Set Kerberos KVNO
716 */
717
718 _PUBLIC_ void cli_credentials_set_kvno(struct cli_credentials *cred,
719 int kvno)
720 {
721 cred->kvno = kvno;
722 }
723
724 /**
725 * Return Kerberos KVNO
726 */
727
728 _PUBLIC_ int cli_credentials_get_kvno(struct cli_credentials *cred)
729 {
730 return cred->kvno;
731 }
732
733
734 const char **cli_credentials_get_enctype_strings(struct cli_credentials *cred)
735 {
736 /* If this is ever made user-configurable, we need to add code
737 * to remove/hide the other entries from the generated
738 * keytab */
739 static const char *default_enctypes[] = {
740 "des-cbc-md5",
741 "aes256-cts-hmac-sha1-96",
742 "des3-cbc-sha1",
743 "arcfour-hmac-md5",
744 NULL
745 };
746 return default_enctypes;
747 }
748
749 const char *cli_credentials_get_salt_principal(struct cli_credentials *cred)
750 {
751 return cred->salt_principal;
752 }
753
754 _PUBLIC_ void cli_credentials_set_salt_principal(struct cli_credentials *cred, const char *principal)
755 {
756 cred->salt_principal = talloc_strdup(cred, principal);
757 }
758
759
reg import