selftests-drs: make our generated class subclass of classschema
[Samba/gebeck_regimport.git] / auth / credentials / credentials.h
blobdbc014fd08ce3529390a91d22186313118b6d184
1 /*
2 samba -- Unix SMB/CIFS implementation.
4 Client credentials structure
6 Copyright (C) Jelmer Vernooij 2004-2006
7 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2005
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License as published by
11 the Free Software Foundation; either version 3 of the License, or
12 (at your option) any later version.
14 This program is distributed in the hope that it will be useful,
15 but WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 GNU General Public License for more details.
19 You should have received a copy of the GNU General Public License
20 along with this program. If not, see <http://www.gnu.org/licenses/>.
22 #ifndef __CREDENTIALS_H__
23 #define __CREDENTIALS_H__
25 #include "../lib/util/data_blob.h"
26 #include "librpc/gen_ndr/misc.h"
28 struct ccache_container;
29 struct tevent_context;
30 struct netlogon_creds_CredentialState;
32 /* In order of priority */
33 enum credentials_obtained {
34 CRED_UNINITIALISED = 0, /* We don't even have a guess yet */
35 CRED_CALLBACK, /* Callback should be used to obtain value */
36 CRED_GUESS_ENV, /* Current value should be used, which was guessed */
37 CRED_GUESS_FILE, /* A guess from a file (or file pointed at in env variable) */
38 CRED_CALLBACK_RESULT, /* Value was obtained from a callback */
39 CRED_SPECIFIED /* Was explicitly specified on the command-line */
42 enum credentials_use_kerberos {
43 CRED_AUTO_USE_KERBEROS = 0, /* Default, we try kerberos if available */
44 CRED_DONT_USE_KERBEROS, /* Sometimes trying kerberos just does 'bad things', so don't */
45 CRED_MUST_USE_KERBEROS /* Sometimes administrators are parinoid, so always do kerberos */
48 enum credentials_krb_forwardable {
49 CRED_AUTO_KRB_FORWARDABLE = 0, /* Default, follow library defaults */
50 CRED_NO_KRB_FORWARDABLE, /* not forwardable */
51 CRED_FORCE_KRB_FORWARDABLE /* forwardable */
54 #define CLI_CRED_NTLM2 0x01
55 #define CLI_CRED_NTLMv2_AUTH 0x02
56 #define CLI_CRED_LANMAN_AUTH 0x04
57 #define CLI_CRED_NTLM_AUTH 0x08
58 #define CLI_CRED_CLEAR_AUTH 0x10 /* TODO: Push cleartext auth with this flag */
60 struct cli_credentials {
61 enum credentials_obtained workstation_obtained;
62 enum credentials_obtained username_obtained;
63 enum credentials_obtained password_obtained;
64 enum credentials_obtained domain_obtained;
65 enum credentials_obtained realm_obtained;
66 enum credentials_obtained ccache_obtained;
67 enum credentials_obtained client_gss_creds_obtained;
68 enum credentials_obtained principal_obtained;
69 enum credentials_obtained keytab_obtained;
70 enum credentials_obtained server_gss_creds_obtained;
72 /* Threshold values (essentially a MAX() over a number of the
73 * above) for the ccache and GSS credentials, to ensure we
74 * regenerate/pick correctly */
76 enum credentials_obtained ccache_threshold;
77 enum credentials_obtained client_gss_creds_threshold;
79 const char *workstation;
80 const char *username;
81 const char *password;
82 const char *old_password;
83 const char *domain;
84 const char *realm;
85 const char *principal;
86 char *salt_principal;
87 char *impersonate_principal;
88 char *self_service;
89 char *target_service;
91 const char *bind_dn;
93 /* Allows authentication from a keytab or similar */
94 struct samr_Password *nt_hash;
96 /* Allows NTLM pass-though authentication */
97 DATA_BLOB lm_response;
98 DATA_BLOB nt_response;
100 struct ccache_container *ccache;
101 struct gssapi_creds_container *client_gss_creds;
102 struct keytab_container *keytab;
103 struct gssapi_creds_container *server_gss_creds;
105 const char *(*workstation_cb) (struct cli_credentials *);
106 const char *(*password_cb) (struct cli_credentials *);
107 const char *(*username_cb) (struct cli_credentials *);
108 const char *(*domain_cb) (struct cli_credentials *);
109 const char *(*realm_cb) (struct cli_credentials *);
110 const char *(*principal_cb) (struct cli_credentials *);
112 /* Private handle for the callback routines to use */
113 void *priv_data;
115 struct netlogon_creds_CredentialState *netlogon_creds;
116 enum netr_SchannelType secure_channel_type;
117 int kvno;
118 time_t password_last_changed_time;
120 struct smb_krb5_context *smb_krb5_context;
122 /* We are flagged to get machine account details from the
123 * secrets.ldb when we are asked for a username or password */
124 bool machine_account_pending;
125 struct loadparm_context *machine_account_pending_lp_ctx;
127 /* Is this a machine account? */
128 bool machine_account;
130 /* Should we be trying to use kerberos? */
131 enum credentials_use_kerberos use_kerberos;
133 /* Should we get a forwardable ticket? */
134 enum credentials_krb_forwardable krb_forwardable;
136 /* gensec features which should be used for connections */
137 uint32_t gensec_features;
139 /* Number of retries left before bailing out */
140 int tries;
142 /* Whether any callback is currently running */
143 bool callback_running;
146 struct ldb_context;
147 struct ldb_message;
148 struct loadparm_context;
149 struct ccache_container;
151 struct gssapi_creds_container;
153 const char *cli_credentials_get_workstation(struct cli_credentials *cred);
154 bool cli_credentials_set_workstation(struct cli_credentials *cred,
155 const char *val,
156 enum credentials_obtained obtained);
157 bool cli_credentials_is_anonymous(struct cli_credentials *cred);
158 struct cli_credentials *cli_credentials_init(TALLOC_CTX *mem_ctx);
159 void cli_credentials_set_anonymous(struct cli_credentials *cred);
160 bool cli_credentials_wrong_password(struct cli_credentials *cred);
161 const char *cli_credentials_get_password(struct cli_credentials *cred);
162 void cli_credentials_get_ntlm_username_domain(struct cli_credentials *cred, TALLOC_CTX *mem_ctx,
163 const char **username,
164 const char **domain);
165 NTSTATUS cli_credentials_get_ntlm_response(struct cli_credentials *cred, TALLOC_CTX *mem_ctx,
166 int *flags,
167 DATA_BLOB challenge, DATA_BLOB target_info,
168 DATA_BLOB *_lm_response, DATA_BLOB *_nt_response,
169 DATA_BLOB *_lm_session_key, DATA_BLOB *_session_key);
170 const char *cli_credentials_get_realm(struct cli_credentials *cred);
171 const char *cli_credentials_get_username(struct cli_credentials *cred);
172 int cli_credentials_get_krb5_context(struct cli_credentials *cred,
173 struct loadparm_context *lp_ctx,
174 struct smb_krb5_context **smb_krb5_context);
175 int cli_credentials_get_ccache(struct cli_credentials *cred,
176 struct tevent_context *event_ctx,
177 struct loadparm_context *lp_ctx,
178 struct ccache_container **ccc,
179 const char **error_string);
180 int cli_credentials_get_named_ccache(struct cli_credentials *cred,
181 struct tevent_context *event_ctx,
182 struct loadparm_context *lp_ctx,
183 char *ccache_name,
184 struct ccache_container **ccc, const char **error_string);
185 bool cli_credentials_failed_kerberos_login(struct cli_credentials *cred,
186 const char *principal,
187 unsigned int *count);
188 int cli_credentials_get_keytab(struct cli_credentials *cred,
189 struct loadparm_context *lp_ctx,
190 struct keytab_container **_ktc);
191 const char *cli_credentials_get_domain(struct cli_credentials *cred);
192 struct netlogon_creds_CredentialState *cli_credentials_get_netlogon_creds(struct cli_credentials *cred);
193 void cli_credentials_set_machine_account_pending(struct cli_credentials *cred,
194 struct loadparm_context *lp_ctx);
195 void cli_credentials_set_conf(struct cli_credentials *cred,
196 struct loadparm_context *lp_ctx);
197 const char *cli_credentials_get_principal(struct cli_credentials *cred, TALLOC_CTX *mem_ctx);
198 int cli_credentials_get_server_gss_creds(struct cli_credentials *cred,
199 struct loadparm_context *lp_ctx,
200 struct gssapi_creds_container **_gcc);
201 int cli_credentials_get_client_gss_creds(struct cli_credentials *cred,
202 struct tevent_context *event_ctx,
203 struct loadparm_context *lp_ctx,
204 struct gssapi_creds_container **_gcc,
205 const char **error_string);
206 void cli_credentials_set_kerberos_state(struct cli_credentials *creds,
207 enum credentials_use_kerberos use_kerberos);
208 void cli_credentials_set_krb_forwardable(struct cli_credentials *creds,
209 enum credentials_krb_forwardable krb_forwardable);
210 bool cli_credentials_set_domain(struct cli_credentials *cred,
211 const char *val,
212 enum credentials_obtained obtained);
213 bool cli_credentials_set_domain_callback(struct cli_credentials *cred,
214 const char *(*domain_cb) (struct cli_credentials *));
215 bool cli_credentials_set_username(struct cli_credentials *cred,
216 const char *val, enum credentials_obtained obtained);
217 bool cli_credentials_set_username_callback(struct cli_credentials *cred,
218 const char *(*username_cb) (struct cli_credentials *));
219 bool cli_credentials_set_principal(struct cli_credentials *cred,
220 const char *val,
221 enum credentials_obtained obtained);
222 bool cli_credentials_set_principal_callback(struct cli_credentials *cred,
223 const char *(*principal_cb) (struct cli_credentials *));
224 bool cli_credentials_set_password(struct cli_credentials *cred,
225 const char *val,
226 enum credentials_obtained obtained);
227 struct cli_credentials *cli_credentials_init_anon(TALLOC_CTX *mem_ctx);
228 void cli_credentials_parse_string(struct cli_credentials *credentials, const char *data, enum credentials_obtained obtained);
229 const struct samr_Password *cli_credentials_get_nt_hash(struct cli_credentials *cred,
230 TALLOC_CTX *mem_ctx);
231 bool cli_credentials_set_realm(struct cli_credentials *cred,
232 const char *val,
233 enum credentials_obtained obtained);
234 void cli_credentials_set_secure_channel_type(struct cli_credentials *cred,
235 enum netr_SchannelType secure_channel_type);
236 void cli_credentials_set_password_last_changed_time(struct cli_credentials *cred,
237 time_t last_change_time);
238 void cli_credentials_set_netlogon_creds(struct cli_credentials *cred,
239 struct netlogon_creds_CredentialState *netlogon_creds);
240 NTSTATUS cli_credentials_set_krb5_context(struct cli_credentials *cred,
241 struct smb_krb5_context *smb_krb5_context);
242 NTSTATUS cli_credentials_set_stored_principal(struct cli_credentials *cred,
243 struct loadparm_context *lp_ctx,
244 const char *serviceprincipal);
245 NTSTATUS cli_credentials_set_machine_account(struct cli_credentials *cred,
246 struct loadparm_context *lp_ctx);
247 bool cli_credentials_authentication_requested(struct cli_credentials *cred);
248 void cli_credentials_guess(struct cli_credentials *cred,
249 struct loadparm_context *lp_ctx);
250 bool cli_credentials_set_bind_dn(struct cli_credentials *cred,
251 const char *bind_dn);
252 const char *cli_credentials_get_bind_dn(struct cli_credentials *cred);
253 bool cli_credentials_parse_file(struct cli_credentials *cred, const char *file, enum credentials_obtained obtained);
254 const char *cli_credentials_get_unparsed_name(struct cli_credentials *credentials, TALLOC_CTX *mem_ctx);
255 bool cli_credentials_set_password_callback(struct cli_credentials *cred,
256 const char *(*password_cb) (struct cli_credentials *));
257 enum netr_SchannelType cli_credentials_get_secure_channel_type(struct cli_credentials *cred);
258 time_t cli_credentials_get_password_last_changed_time(struct cli_credentials *cred);
259 void cli_credentials_set_kvno(struct cli_credentials *cred,
260 int kvno);
261 bool cli_credentials_set_nt_hash(struct cli_credentials *cred,
262 const struct samr_Password *nt_hash,
263 enum credentials_obtained obtained);
264 bool cli_credentials_set_ntlm_response(struct cli_credentials *cred,
265 const DATA_BLOB *lm_response,
266 const DATA_BLOB *nt_response,
267 enum credentials_obtained obtained);
268 int cli_credentials_set_keytab_name(struct cli_credentials *cred,
269 struct loadparm_context *lp_ctx,
270 const char *keytab_name,
271 enum credentials_obtained obtained);
272 void cli_credentials_set_gensec_features(struct cli_credentials *creds, uint32_t gensec_features);
273 uint32_t cli_credentials_get_gensec_features(struct cli_credentials *creds);
274 int cli_credentials_set_ccache(struct cli_credentials *cred,
275 struct loadparm_context *lp_ctx,
276 const char *name,
277 enum credentials_obtained obtained,
278 const char **error_string);
279 bool cli_credentials_parse_password_file(struct cli_credentials *credentials, const char *file, enum credentials_obtained obtained);
280 bool cli_credentials_parse_password_fd(struct cli_credentials *credentials,
281 int fd, enum credentials_obtained obtained);
282 void cli_credentials_invalidate_ccache(struct cli_credentials *cred,
283 enum credentials_obtained obtained);
284 void cli_credentials_set_salt_principal(struct cli_credentials *cred, const char *principal);
285 void cli_credentials_set_impersonate_principal(struct cli_credentials *cred,
286 const char *principal,
287 const char *self_service);
288 void cli_credentials_set_target_service(struct cli_credentials *cred, const char *principal);
289 const char *cli_credentials_get_salt_principal(struct cli_credentials *cred);
290 const char *cli_credentials_get_impersonate_principal(struct cli_credentials *cred);
291 const char *cli_credentials_get_self_service(struct cli_credentials *cred);
292 const char *cli_credentials_get_target_service(struct cli_credentials *cred);
293 enum credentials_use_kerberos cli_credentials_get_kerberos_state(struct cli_credentials *creds);
294 enum credentials_krb_forwardable cli_credentials_get_krb_forwardable(struct cli_credentials *creds);
295 NTSTATUS cli_credentials_set_secrets(struct cli_credentials *cred,
296 struct loadparm_context *lp_ctx,
297 struct ldb_context *ldb,
298 const char *base,
299 const char *filter,
300 char **error_string);
301 int cli_credentials_get_kvno(struct cli_credentials *cred);
303 bool cli_credentials_set_username_callback(struct cli_credentials *cred,
304 const char *(*username_cb) (struct cli_credentials *));
307 * Obtain the client principal for this credentials context.
308 * @param cred credentials context
309 * @retval The username set on this context.
310 * @note Return value will never be NULL except by programmer error.
312 const char *cli_credentials_get_principal_and_obtained(struct cli_credentials *cred, TALLOC_CTX *mem_ctx, enum credentials_obtained *obtained);
313 bool cli_credentials_set_principal(struct cli_credentials *cred,
314 const char *val,
315 enum credentials_obtained obtained);
316 bool cli_credentials_set_principal_callback(struct cli_credentials *cred,
317 const char *(*principal_cb) (struct cli_credentials *));
320 * Obtain the 'old' password for this credentials context (used for join accounts).
321 * @param cred credentials context
322 * @retval If set, the cleartext password, otherwise NULL
324 const char *cli_credentials_get_old_password(struct cli_credentials *cred);
325 bool cli_credentials_set_old_password(struct cli_credentials *cred,
326 const char *val,
327 enum credentials_obtained obtained);
328 bool cli_credentials_set_domain_callback(struct cli_credentials *cred,
329 const char *(*domain_cb) (struct cli_credentials *));
330 bool cli_credentials_set_realm_callback(struct cli_credentials *cred,
331 const char *(*realm_cb) (struct cli_credentials *));
332 bool cli_credentials_set_workstation_callback(struct cli_credentials *cred,
333 const char *(*workstation_cb) (struct cli_credentials *));
336 * Return attached NETLOGON credentials
338 struct netlogon_creds_CredentialState *cli_credentials_get_netlogon_creds(struct cli_credentials *cred);
340 #endif /* __CREDENTIALS_H__ */