auth/credentials/credentials.h

   1 /*
   2    samba -- Unix SMB/CIFS implementation.
   3
   4    Client credentials structure
   5
   6    Copyright (C) Jelmer Vernooij 2004-2006
   7    Copyright (C) Andrew Bartlett <abartlet@samba.org> 2005
   8
   9    This program is free software; you can redistribute it and/or modify
  10    it under the terms of the GNU General Public License as published by
  11    the Free Software Foundation; either version 3 of the License, or
  12    (at your option) any later version.
  13
  14    This program is distributed in the hope that it will be useful,
  15    but WITHOUT ANY WARRANTY; without even the implied warranty of
  16    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  17    GNU General Public License for more details.
  18
  19    You should have received a copy of the GNU General Public License
  20    along with this program.  If not, see <http://www.gnu.org/licenses/>.
  21 */
  22 #ifndef __CREDENTIALS_H__
  23 #define __CREDENTIALS_H__
  24
  25 #include "../lib/util/data_blob.h"
  26 #include "librpc/gen_ndr/misc.h"
  27
  28 struct ccache_container;
  29 struct tevent_context;
  30 struct netlogon_creds_CredentialState;
  31
  32 /* In order of priority */
  33 enum credentials_obtained {
  34         CRED_UNINITIALISED = 0,  /* We don't even have a guess yet */
  35         CRED_CALLBACK,           /* Callback should be used to obtain value */
  36         CRED_GUESS_ENV,          /* Current value should be used, which was guessed */
  37         CRED_GUESS_FILE,         /* A guess from a file (or file pointed at in env variable) */
  38         CRED_CALLBACK_RESULT,    /* Value was obtained from a callback */
  39         CRED_SPECIFIED           /* Was explicitly specified on the command-line */
  40 };
  41
  42 enum credentials_use_kerberos {
  43         CRED_AUTO_USE_KERBEROS = 0, /* Default, we try kerberos if available */
  44         CRED_DONT_USE_KERBEROS,     /* Sometimes trying kerberos just does 'bad things', so don't */
  45         CRED_MUST_USE_KERBEROS      /* Sometimes administrators are parinoid, so always do kerberos */
  46 };
  47
  48 enum credentials_krb_forwardable {
  49         CRED_AUTO_KRB_FORWARDABLE = 0, /* Default, follow library defaults */
  50         CRED_NO_KRB_FORWARDABLE,       /* not forwardable */
  51         CRED_FORCE_KRB_FORWARDABLE     /* forwardable */
  52 };
  53
  54 #define CLI_CRED_NTLM2       0x01
  55 #define CLI_CRED_NTLMv2_AUTH 0x02
  56 #define CLI_CRED_LANMAN_AUTH 0x04
  57 #define CLI_CRED_NTLM_AUTH   0x08
  58 #define CLI_CRED_CLEAR_AUTH  0x10   /* TODO:  Push cleartext auth with this flag */
  59
  60 struct cli_credentials {
  61         enum credentials_obtained workstation_obtained;
  62         enum credentials_obtained username_obtained;
  63         enum credentials_obtained password_obtained;
  64         enum credentials_obtained domain_obtained;
  65         enum credentials_obtained realm_obtained;
  66         enum credentials_obtained ccache_obtained;
  67         enum credentials_obtained client_gss_creds_obtained;
  68         enum credentials_obtained principal_obtained;
  69         enum credentials_obtained keytab_obtained;
  70         enum credentials_obtained server_gss_creds_obtained;
  71
  72         /* Threshold values (essentially a MAX() over a number of the
  73          * above) for the ccache and GSS credentials, to ensure we
  74          * regenerate/pick correctly */
  75
  76         enum credentials_obtained ccache_threshold;
  77         enum credentials_obtained client_gss_creds_threshold;
  78
  79         const char *workstation;
  80         const char *username;
  81         const char *password;
  82         const char *old_password;
  83         const char *domain;
  84         const char *realm;
  85         const char *principal;
  86         char *salt_principal;
  87         char *impersonate_principal;
  88         char *self_service;
  89         char *target_service;
  90
  91         const char *bind_dn;
  92
  93         /* Allows authentication from a keytab or similar */
  94         struct samr_Password *nt_hash;
  95
  96         /* Allows NTLM pass-though authentication */
  97         DATA_BLOB lm_response;
  98         DATA_BLOB nt_response;
  99
 100         struct ccache_container *ccache;
 101         struct gssapi_creds_container *client_gss_creds;
 102         struct keytab_container *keytab;
 103         struct gssapi_creds_container *server_gss_creds;
 104
 105         const char *(*workstation_cb) (struct cli_credentials *);
 106         const char *(*password_cb) (struct cli_credentials *);
 107         const char *(*username_cb) (struct cli_credentials *);
 108         const char *(*domain_cb) (struct cli_credentials *);
 109         const char *(*realm_cb) (struct cli_credentials *);
 110         const char *(*principal_cb) (struct cli_credentials *);
 111
 112         /* Private handle for the callback routines to use */
 113         void *priv_data;
 114
 115         struct netlogon_creds_CredentialState *netlogon_creds;
 116         enum netr_SchannelType secure_channel_type;
 117         int kvno;
 118         time_t password_last_changed_time;
 119
 120         struct smb_krb5_context *smb_krb5_context;
 121
 122         /* We are flagged to get machine account details from the
 123          * secrets.ldb when we are asked for a username or password */
 124         bool machine_account_pending;
 125         struct loadparm_context *machine_account_pending_lp_ctx;
 126
 127         /* Is this a machine account? */
 128         bool machine_account;
 129
 130         /* Should we be trying to use kerberos? */
 131         enum credentials_use_kerberos use_kerberos;
 132
 133         /* Should we get a forwardable ticket? */
 134         enum credentials_krb_forwardable krb_forwardable;
 135
 136         /* gensec features which should be used for connections */
 137         uint32_t gensec_features;
 138
 139         /* Number of retries left before bailing out */
 140         int tries;
 141
 142         /* Whether any callback is currently running */
 143         bool callback_running;
 144 };
 145
 146 struct ldb_context;
 147 struct ldb_message;
 148 struct loadparm_context;
 149 struct ccache_container;
 150
 151 struct gssapi_creds_container;
 152
 153 const char *cli_credentials_get_workstation(struct cli_credentials *cred);
 154 bool cli_credentials_set_workstation(struct cli_credentials *cred,
 155                                      const char *val,
 156                                      enum credentials_obtained obtained);
 157 bool cli_credentials_is_anonymous(struct cli_credentials *cred);
 158 struct cli_credentials *cli_credentials_init(TALLOC_CTX *mem_ctx);
 159 void cli_credentials_set_anonymous(struct cli_credentials *cred);
 160 bool cli_credentials_wrong_password(struct cli_credentials *cred);
 161 const char *cli_credentials_get_password(struct cli_credentials *cred);
 162 void cli_credentials_get_ntlm_username_domain(struct cli_credentials *cred, TALLOC_CTX *mem_ctx,
 163                                               const char **username,
 164                                               const char **domain);
 165 NTSTATUS cli_credentials_get_ntlm_response(struct cli_credentials *cred, TALLOC_CTX *mem_ctx,
 166                                            int *flags,
 167                                            DATA_BLOB challenge, DATA_BLOB target_info,
 168                                            DATA_BLOB *_lm_response, DATA_BLOB *_nt_response,
 169                                            DATA_BLOB *_lm_session_key, DATA_BLOB *_session_key);
 170 const char *cli_credentials_get_realm(struct cli_credentials *cred);
 171 const char *cli_credentials_get_username(struct cli_credentials *cred);
 172 int cli_credentials_get_krb5_context(struct cli_credentials *cred,
 173                                      struct loadparm_context *lp_ctx,
 174                                      struct smb_krb5_context **smb_krb5_context);
 175 int cli_credentials_get_ccache(struct cli_credentials *cred,
 176                                struct tevent_context *event_ctx,
 177                                struct loadparm_context *lp_ctx,
 178                                struct ccache_container **ccc,
 179                                const char **error_string);
 180 int cli_credentials_get_named_ccache(struct cli_credentials *cred,
 181                                      struct tevent_context *event_ctx,
 182                                      struct loadparm_context *lp_ctx,
 183                                      char *ccache_name,
 184                                      struct ccache_container **ccc, const char **error_string);
 185 int cli_credentials_get_keytab(struct cli_credentials *cred,
 186                                struct loadparm_context *lp_ctx,
 187                                struct keytab_container **_ktc);
 188 const char *cli_credentials_get_domain(struct cli_credentials *cred);
 189 struct netlogon_creds_CredentialState *cli_credentials_get_netlogon_creds(struct cli_credentials *cred);
 190 void cli_credentials_set_machine_account_pending(struct cli_credentials *cred,
 191                                                  struct loadparm_context *lp_ctx);
 192 void cli_credentials_set_conf(struct cli_credentials *cred,
 193                               struct loadparm_context *lp_ctx);
 194 const char *cli_credentials_get_principal(struct cli_credentials *cred, TALLOC_CTX *mem_ctx);
 195 int cli_credentials_get_server_gss_creds(struct cli_credentials *cred,
 196                                          struct loadparm_context *lp_ctx,
 197                                          struct gssapi_creds_container **_gcc);
 198 int cli_credentials_get_client_gss_creds(struct cli_credentials *cred,
 199                                          struct tevent_context *event_ctx,
 200                                          struct loadparm_context *lp_ctx,
 201                                          struct gssapi_creds_container **_gcc,
 202                                          const char **error_string);
 203 void cli_credentials_set_kerberos_state(struct cli_credentials *creds,
 204                                         enum credentials_use_kerberos use_kerberos);
 205 void cli_credentials_set_krb_forwardable(struct cli_credentials *creds,
 206                                          enum credentials_krb_forwardable krb_forwardable);
 207 bool cli_credentials_set_domain(struct cli_credentials *cred,
 208                                 const char *val,
 209                                 enum credentials_obtained obtained);
 210 bool cli_credentials_set_domain_callback(struct cli_credentials *cred,
 211                                          const char *(*domain_cb) (struct cli_credentials *));
 212 bool cli_credentials_set_username(struct cli_credentials *cred,
 213                                   const char *val, enum credentials_obtained obtained);
 214 bool cli_credentials_set_username_callback(struct cli_credentials *cred,
 215                                   const char *(*username_cb) (struct cli_credentials *));
 216 bool cli_credentials_set_principal(struct cli_credentials *cred,
 217                                    const char *val,
 218                                    enum credentials_obtained obtained);
 219 bool cli_credentials_set_principal_callback(struct cli_credentials *cred,
 220                                   const char *(*principal_cb) (struct cli_credentials *));
 221 bool cli_credentials_set_password(struct cli_credentials *cred,
 222                                   const char *val,
 223                                   enum credentials_obtained obtained);
 224 struct cli_credentials *cli_credentials_init_anon(TALLOC_CTX *mem_ctx);
 225 void cli_credentials_parse_string(struct cli_credentials *credentials, const char *data, enum credentials_obtained obtained);
 226 const struct samr_Password *cli_credentials_get_nt_hash(struct cli_credentials *cred,
 227                                                         TALLOC_CTX *mem_ctx);
 228 bool cli_credentials_set_realm(struct cli_credentials *cred,
 229                                const char *val,
 230                                enum credentials_obtained obtained);
 231 void cli_credentials_set_secure_channel_type(struct cli_credentials *cred,
 232                                      enum netr_SchannelType secure_channel_type);
 233 void cli_credentials_set_password_last_changed_time(struct cli_credentials *cred,
 234                                                              time_t last_change_time);
 235 void cli_credentials_set_netlogon_creds(struct cli_credentials *cred,
 236                                         struct netlogon_creds_CredentialState *netlogon_creds);
 237 NTSTATUS cli_credentials_set_krb5_context(struct cli_credentials *cred,
 238                                           struct smb_krb5_context *smb_krb5_context);
 239 NTSTATUS cli_credentials_set_stored_principal(struct cli_credentials *cred,
 240                                               struct loadparm_context *lp_ctx,
 241                                               const char *serviceprincipal);
 242 NTSTATUS cli_credentials_set_machine_account(struct cli_credentials *cred,
 243                                              struct loadparm_context *lp_ctx);
 244 bool cli_credentials_authentication_requested(struct cli_credentials *cred);
 245 void cli_credentials_guess(struct cli_credentials *cred,
 246                            struct loadparm_context *lp_ctx);
 247 bool cli_credentials_set_bind_dn(struct cli_credentials *cred,
 248                                  const char *bind_dn);
 249 const char *cli_credentials_get_bind_dn(struct cli_credentials *cred);
 250 bool cli_credentials_parse_file(struct cli_credentials *cred, const char *file, enum credentials_obtained obtained);
 251 const char *cli_credentials_get_unparsed_name(struct cli_credentials *credentials, TALLOC_CTX *mem_ctx);
 252 bool cli_credentials_set_password_callback(struct cli_credentials *cred,
 253                                            const char *(*password_cb) (struct cli_credentials *));
 254 enum netr_SchannelType cli_credentials_get_secure_channel_type(struct cli_credentials *cred);
 255 time_t cli_credentials_get_password_last_changed_time(struct cli_credentials *cred);
 256 void cli_credentials_set_kvno(struct cli_credentials *cred,
 257                               int kvno);
 258 bool cli_credentials_set_nt_hash(struct cli_credentials *cred,
 259                                  const struct samr_Password *nt_hash,
 260                                  enum credentials_obtained obtained);
 261 bool cli_credentials_set_ntlm_response(struct cli_credentials *cred,
 262                                        const DATA_BLOB *lm_response,
 263                                        const DATA_BLOB *nt_response,
 264                                        enum credentials_obtained obtained);
 265 int cli_credentials_set_keytab_name(struct cli_credentials *cred,
 266                                     struct loadparm_context *lp_ctx,
 267                                     const char *keytab_name,
 268                                     enum credentials_obtained obtained);
 269 void cli_credentials_set_gensec_features(struct cli_credentials *creds, uint32_t gensec_features);
 270 uint32_t cli_credentials_get_gensec_features(struct cli_credentials *creds);
 271 int cli_credentials_set_ccache(struct cli_credentials *cred,
 272                                struct loadparm_context *lp_ctx,
 273                                const char *name,
 274                                enum credentials_obtained obtained,
 275                                const char **error_string);
 276 bool cli_credentials_parse_password_file(struct cli_credentials *credentials, const char *file, enum credentials_obtained obtained);
 277 bool cli_credentials_parse_password_fd(struct cli_credentials *credentials,
 278                                        int fd, enum credentials_obtained obtained);
 279 void cli_credentials_invalidate_ccache(struct cli_credentials *cred,
 280                                        enum credentials_obtained obtained);
 281 void cli_credentials_set_salt_principal(struct cli_credentials *cred, const char *principal);
 282 void cli_credentials_set_impersonate_principal(struct cli_credentials *cred,
 283                                                const char *principal,
 284                                                const char *self_service);
 285 void cli_credentials_set_target_service(struct cli_credentials *cred, const char *principal);
 286 const char *cli_credentials_get_salt_principal(struct cli_credentials *cred);
 287 const char *cli_credentials_get_impersonate_principal(struct cli_credentials *cred);
 288 const char *cli_credentials_get_self_service(struct cli_credentials *cred);
 289 const char *cli_credentials_get_target_service(struct cli_credentials *cred);
 290 enum credentials_use_kerberos cli_credentials_get_kerberos_state(struct cli_credentials *creds);
 291 enum credentials_krb_forwardable cli_credentials_get_krb_forwardable(struct cli_credentials *creds);
 292 NTSTATUS cli_credentials_set_secrets(struct cli_credentials *cred,
 293                                      struct loadparm_context *lp_ctx,
 294                                      struct ldb_context *ldb,
 295                                      const char *base,
 296                                      const char *filter,
 297                                      char **error_string);
 298  int cli_credentials_get_kvno(struct cli_credentials *cred);
 299
 300 bool cli_credentials_set_username_callback(struct cli_credentials *cred,
 301                                   const char *(*username_cb) (struct cli_credentials *));
 302
 303 /**
 304  * Obtain the client principal for this credentials context.
 305  * @param cred credentials context
 306  * @retval The username set on this context.
 307  * @note Return value will never be NULL except by programmer error.
 308  */
 309 const char *cli_credentials_get_principal_and_obtained(struct cli_credentials *cred, TALLOC_CTX *mem_ctx, enum credentials_obtained *obtained);
 310 bool cli_credentials_set_principal(struct cli_credentials *cred,
 311                                    const char *val,
 312                                    enum credentials_obtained obtained);
 313 bool cli_credentials_set_principal_callback(struct cli_credentials *cred,
 314                                   const char *(*principal_cb) (struct cli_credentials *));
 315
 316 /**
 317  * Obtain the 'old' password for this credentials context (used for join accounts).
 318  * @param cred credentials context
 319  * @retval If set, the cleartext password, otherwise NULL
 320  */
 321 const char *cli_credentials_get_old_password(struct cli_credentials *cred);
 322 bool cli_credentials_set_old_password(struct cli_credentials *cred,
 323                                       const char *val,
 324                                       enum credentials_obtained obtained);
 325 bool cli_credentials_set_domain_callback(struct cli_credentials *cred,
 326                                          const char *(*domain_cb) (struct cli_credentials *));
 327 bool cli_credentials_set_realm_callback(struct cli_credentials *cred,
 328                                         const char *(*realm_cb) (struct cli_credentials *));
 329 bool cli_credentials_set_workstation_callback(struct cli_credentials *cred,
 330                                               const char *(*workstation_cb) (struct cli_credentials *));
 331
 332 /**
 333  * Return attached NETLOGON credentials
 334  */
 335 struct netlogon_creds_CredentialState *cli_credentials_get_netlogon_creds(struct cli_credentials *cred);
 336
 337 #endif /* __CREDENTIALS_H__ */