2 Unix SMB/CIFS implementation.
3 Common popt routines only used by cmdline utils
5 Copyright (C) Tim Potter 2001,2002
6 Copyright (C) Jelmer Vernooij 2002,2003
7 Copyright (C) James Peach 2006
8 Copyright (C) Christof Schmitt 2018
10 This program is free software; you can redistribute it and/or modify
11 it under the terms of the GNU General Public License as published by
12 the Free Software Foundation; either version 3 of the License, or
13 (at your option) any later version.
15 This program is distributed in the hope that it will be useful,
16 but WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 GNU General Public License for more details.
20 You should have received a copy of the GNU General Public License
21 along with this program. If not, see <http://www.gnu.org/licenses/>.
24 /* Handle command line options:
26 * -A,--authentication-file
27 * -k,--kerberos[=yes|no]
35 #include "popt_common_cmdline.h"
37 #include "auth_info.h"
38 #include "cmdline_contexts.h"
40 static struct user_auth_info *cmdline_auth_info;
42 struct user_auth_info *popt_get_cmdline_auth_info(void)
44 return cmdline_auth_info;
46 void popt_free_cmdline_auth_info(void)
48 TALLOC_FREE(cmdline_auth_info);
51 static bool popt_common_credentials_ignore_missing_conf;
52 static bool popt_common_credentials_delay_post;
54 void popt_common_credentials_set_ignore_missing_conf(void)
56 popt_common_credentials_ignore_missing_conf = true;
59 void popt_common_credentials_set_delay_post(void)
61 popt_common_credentials_delay_post = true;
64 void popt_common_credentials_post(void)
66 if (get_cmdline_auth_info_use_machine_account(cmdline_auth_info) &&
67 !set_cmdline_auth_info_machine_account_creds(cmdline_auth_info))
70 "Failed to use machine account credentials\n");
74 set_cmdline_auth_info_getpass(cmdline_auth_info);
77 * When we set the username during the handling of the options passed to
78 * the binary we haven't loaded the config yet. This means that we
79 * didn't take the 'winbind separator' into account.
81 * The username might contain the domain name and thus it hasn't been
82 * correctly parsed yet. If we have a username we need to set it again
83 * to run the string parser for the username correctly.
85 reset_cmdline_auth_info_username(cmdline_auth_info);
88 static void popt_common_credentials_callback(poptContext con,
89 enum poptCallbackReason reason,
90 const struct poptOption *opt,
91 const char *arg, const void *data)
93 bool use_kerberos = false;
95 if (reason == POPT_CALLBACK_REASON_PRE) {
96 struct user_auth_info *auth_info =
97 user_auth_info_init(NULL);
98 if (auth_info == NULL) {
99 fprintf(stderr, "user_auth_info_init() failed\n");
102 cmdline_auth_info = auth_info;
106 if (reason == POPT_CALLBACK_REASON_POST) {
109 ok = lp_load_client(get_dyn_CONFIGFILE());
111 const char *pname = poptGetInvocationName(con);
113 fprintf(stderr, "%s: Can't load %s - run testparm to debug it\n",
114 pname, get_dyn_CONFIGFILE());
115 if (!popt_common_credentials_ignore_missing_conf) {
122 set_cmdline_auth_info_guess(cmdline_auth_info);
124 if (popt_common_credentials_delay_post) {
128 popt_common_credentials_post();
134 set_cmdline_auth_info_username(cmdline_auth_info, arg);
138 set_cmdline_auth_info_from_file(cmdline_auth_info, arg);
142 /* Force us to only use kerberos */
144 if (!set_boolean(arg, &use_kerberos)) {
145 fprintf(stderr, "Error parsing -k %s. Should be "
146 "-k [yes|no]\n", arg);
154 d_printf("No kerberos support compiled in\n");
157 set_cmdline_auth_info_use_krb5_ticket(cmdline_auth_info);
159 set_cmdline_auth_info_use_kerberos(cmdline_auth_info, false);
164 if (!set_cmdline_auth_info_signing_state(cmdline_auth_info,
166 fprintf(stderr, "Unknown signing option %s\n", arg );
171 set_cmdline_auth_info_use_machine_account(cmdline_auth_info);
174 set_cmdline_auth_info_password(cmdline_auth_info, "");
177 set_cmdline_auth_info_smb_encrypt(cmdline_auth_info);
180 set_cmdline_auth_info_use_ccache(cmdline_auth_info, true);
183 set_cmdline_auth_info_use_pw_nt_hash(cmdline_auth_info, true);
189 * @brief Burn the commandline password.
191 * This function removes the password from the command line so we
192 * don't leak the password e.g. in 'ps aux'.
194 * It should be called after processing the options and you should pass down
197 * @param[in] argc The number of arguments.
199 * @param[in] argv[] The argument array we will find the array.
201 void popt_burn_cmdline_password(int argc, char *argv[])
207 for (i = 0; i < argc; i++) {
213 if (strncmp(p, "-U", 2) == 0) {
216 } else if (strncmp(p, "--user", 6) == 0) {
222 if (strlen(p) == ulen) {
226 p = strchr_m(p, '%');
228 memset_s(p, strlen(p), '\0', strlen(p));
235 struct poptOption popt_common_credentials[] = {
237 .argInfo = POPT_ARG_CALLBACK|POPT_CBFLAG_PRE|POPT_CBFLAG_POST,
238 .arg = (void *)popt_common_credentials_callback,
243 .argInfo = POPT_ARG_STRING,
245 .descrip = "Set the network username",
246 .argDescrip = "USERNAME",
249 .longName = "no-pass",
251 .argInfo = POPT_ARG_NONE,
253 .descrip = "Don't ask for a password",
256 .longName = "kerberos",
258 .argInfo = POPT_ARG_NONE,
260 .descrip = "Use kerberos (active directory) authentication, -k [yes|no]",
263 .longName = "authentication-file",
265 .argInfo = POPT_ARG_STRING,
267 .descrip = "Get the credentials from a file",
268 .argDescrip = "FILE",
271 .longName = "signing",
273 .argInfo = POPT_ARG_STRING,
275 .descrip = "Set the client signing state",
276 .argDescrip = "on|off|required",
279 .longName = "machine-pass",
281 .argInfo = POPT_ARG_NONE,
283 .descrip = "Use stored machine account password",
286 .longName = "encrypt",
288 .argInfo = POPT_ARG_NONE,
290 .descrip = "Encrypt SMB transport",
293 .longName = "use-ccache",
295 .argInfo = POPT_ARG_NONE,
297 .descrip = "Use the winbind ccache for authentication",
300 .longName = "pw-nt-hash",
302 .argInfo = POPT_ARG_NONE,
304 .descrip = "The supplied password is the NT hash",