X-Git-Url: http://git.samba.org/?a=blobdiff_plain;f=source4%2Fauth%2Fcredentials%2Fcredentials.c;h=549c2691f0301f246b125eda0a79722a905968fe;hb=180ca8ed881593e08c291b504e26ea7b8adf7705;hp=11b413b1c6013bf512f265efd6fff2701203eacf;hpb=a12a6686ba7301c464e8db857c73bfd1061dbf93;p=samba.git diff --git a/source4/auth/credentials/credentials.c b/source4/auth/credentials/credentials.c index 11b413b1c60..549c2691f03 100644 --- a/source4/auth/credentials/credentials.c +++ b/source4/auth/credentials/credentials.c @@ -9,7 +9,7 @@ This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by - the Free Software Foundation; either version 2 of the License, or + the Free Software Foundation; either version 3 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, @@ -18,82 +18,192 @@ GNU General Public License for more details. You should have received a copy of the GNU General Public License - along with this program; if not, write to the Free Software - Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. + along with this program. If not, see . */ #include "includes.h" -#include "lib/ldb/include/ldb.h" -#include "librpc/gen_ndr/ndr_samr.h" /* for struct samrPassword */ - +#include "librpc/gen_ndr/samr.h" /* for struct samrPassword */ +#include "auth/credentials/credentials.h" +#include "auth/credentials/credentials_krb5.h" +#include "auth/credentials/credentials_proto.h" +#include "libcli/auth/libcli_auth.h" +#include "lib/events/events.h" +#include "param/param.h" /** * Create a new credentials structure * @param mem_ctx TALLOC_CTX parent for credentials structure */ -struct cli_credentials *cli_credentials_init(TALLOC_CTX *mem_ctx) +_PUBLIC_ struct cli_credentials *cli_credentials_init(TALLOC_CTX *mem_ctx) { struct cli_credentials *cred = talloc(mem_ctx, struct cli_credentials); - if (!cred) { + if (cred == NULL) { return cred; } - cred->netlogon_creds = NULL; - cred->machine_account_pending = False; cred->workstation_obtained = CRED_UNINITIALISED; cred->username_obtained = CRED_UNINITIALISED; cred->password_obtained = CRED_UNINITIALISED; cred->domain_obtained = CRED_UNINITIALISED; cred->realm_obtained = CRED_UNINITIALISED; cred->ccache_obtained = CRED_UNINITIALISED; + cred->client_gss_creds_obtained = CRED_UNINITIALISED; cred->principal_obtained = CRED_UNINITIALISED; + cred->keytab_obtained = CRED_UNINITIALISED; + cred->server_gss_creds_obtained = CRED_UNINITIALISED; + + cred->ccache_threshold = CRED_UNINITIALISED; + cred->client_gss_creds_threshold = CRED_UNINITIALISED; + + cred->workstation = NULL; + cred->username = NULL; + cred->password = NULL; + cred->old_password = NULL; + cred->domain = NULL; + cred->realm = NULL; + cred->principal = NULL; + cred->salt_principal = NULL; + + cred->bind_dn = NULL; + + cred->nt_hash = NULL; + + cred->ccache = NULL; + cred->client_gss_creds = NULL; + cred->keytab = NULL; + cred->server_gss_creds = NULL; + + cred->workstation_cb = NULL; + cred->password_cb = NULL; + cred->username_cb = NULL; + cred->domain_cb = NULL; + cred->realm_cb = NULL; + cred->principal_cb = NULL; + + cred->priv_data = NULL; + + cred->netlogon_creds = NULL; + + cred->smb_krb5_context = NULL; + + cred->machine_account_pending = false; + cred->machine_account_pending_lp_ctx = NULL; + + cred->machine_account = false; + + cred->tries = 3; + + cred->callback_running = false; + + cli_credentials_set_kerberos_state(cred, CRED_AUTO_USE_KERBEROS); + cli_credentials_set_gensec_features(cred, 0); + return cred; } +/** + * Create a new anonymous credential + * @param mem_ctx TALLOC_CTX parent for credentials structure + */ +_PUBLIC_ struct cli_credentials *cli_credentials_init_anon(TALLOC_CTX *mem_ctx) +{ + struct cli_credentials *anon_credentials; + + anon_credentials = cli_credentials_init(mem_ctx); + cli_credentials_set_anonymous(anon_credentials); + + return anon_credentials; +} + +_PUBLIC_ void cli_credentials_set_kerberos_state(struct cli_credentials *creds, + enum credentials_use_kerberos use_kerberos) +{ + creds->use_kerberos = use_kerberos; +} + +_PUBLIC_ enum credentials_use_kerberos cli_credentials_get_kerberos_state(struct cli_credentials *creds) +{ + return creds->use_kerberos; +} + +_PUBLIC_ void cli_credentials_set_gensec_features(struct cli_credentials *creds, uint32_t gensec_features) +{ + creds->gensec_features = gensec_features; +} + +_PUBLIC_ uint32_t cli_credentials_get_gensec_features(struct cli_credentials *creds) +{ + return creds->gensec_features; +} + + /** * Obtain the username for this credentials context. * @param cred credentials context * @retval The username set on this context. * @note Return value will never be NULL except by programmer error. */ -const char *cli_credentials_get_username(struct cli_credentials *cred) +_PUBLIC_ const char *cli_credentials_get_username(struct cli_credentials *cred) { if (cred->machine_account_pending) { - cli_credentials_set_machine_account(cred); + cli_credentials_set_machine_account(cred, + cred->machine_account_pending_lp_ctx); } - if (cred->username_obtained == CRED_CALLBACK) { + if (cred->username_obtained == CRED_CALLBACK && + !cred->callback_running) { + cred->callback_running = true; cred->username = cred->username_cb(cred); + cred->callback_running = false; cred->username_obtained = CRED_SPECIFIED; + cli_credentials_invalidate_ccache(cred, cred->username_obtained); } return cred->username; } -BOOL cli_credentials_set_username(struct cli_credentials *cred, +_PUBLIC_ bool cli_credentials_set_username(struct cli_credentials *cred, const char *val, enum credentials_obtained obtained) { if (obtained >= cred->username_obtained) { cred->username = talloc_strdup(cred, val); cred->username_obtained = obtained; - return True; + cli_credentials_invalidate_ccache(cred, cred->username_obtained); + return true; } - return False; + return false; } -BOOL cli_credentials_set_username_callback(struct cli_credentials *cred, +bool cli_credentials_set_username_callback(struct cli_credentials *cred, const char *(*username_cb) (struct cli_credentials *)) { if (cred->username_obtained < CRED_CALLBACK) { cred->username_cb = username_cb; cred->username_obtained = CRED_CALLBACK; - return True; + return true; } - return False; + return false; } +_PUBLIC_ bool cli_credentials_set_bind_dn(struct cli_credentials *cred, + const char *bind_dn) +{ + cred->bind_dn = talloc_strdup(cred, bind_dn); + return true; +} + +/** + * Obtain the BIND DN for this credentials context. + * @param cred credentials context + * @retval The username set on this context. + * @note Return value will be NULL if not specified explictly + */ +_PUBLIC_ const char *cli_credentials_get_bind_dn(struct cli_credentials *cred) +{ + return cred->bind_dn; +} /** @@ -102,15 +212,20 @@ BOOL cli_credentials_set_username_callback(struct cli_credentials *cred, * @retval The username set on this context. * @note Return value will never be NULL except by programmer error. */ -const char *cli_credentials_get_principal(struct cli_credentials *cred, TALLOC_CTX *mem_ctx) +_PUBLIC_ const char *cli_credentials_get_principal(struct cli_credentials *cred, TALLOC_CTX *mem_ctx) { if (cred->machine_account_pending) { - cli_credentials_set_machine_account(cred); + cli_credentials_set_machine_account(cred, + cred->machine_account_pending_lp_ctx); } - if (cred->principal_obtained == CRED_CALLBACK) { + if (cred->principal_obtained == CRED_CALLBACK && + !cred->callback_running) { + cred->callback_running = true; cred->principal = cred->principal_cb(cred); + cred->callback_running = false; cred->principal_obtained = CRED_SPECIFIED; + cli_credentials_invalidate_ccache(cred, cred->principal_obtained); } if (cred->principal_obtained < cred->username_obtained) { @@ -127,40 +242,60 @@ const char *cli_credentials_get_principal(struct cli_credentials *cred, TALLOC_C return talloc_reference(mem_ctx, cred->principal); } -BOOL cli_credentials_set_principal(struct cli_credentials *cred, +bool cli_credentials_set_principal(struct cli_credentials *cred, const char *val, enum credentials_obtained obtained) { if (obtained >= cred->principal_obtained) { cred->principal = talloc_strdup(cred, val); cred->principal_obtained = obtained; - return True; + cli_credentials_invalidate_ccache(cred, cred->principal_obtained); + return true; } - return False; + return false; } -BOOL cli_credentials_set_principal_callback(struct cli_credentials *cred, +/* Set a callback to get the principal. This could be a popup dialog, + * a terminal prompt or similar. */ +bool cli_credentials_set_principal_callback(struct cli_credentials *cred, const char *(*principal_cb) (struct cli_credentials *)) { if (cred->principal_obtained < CRED_CALLBACK) { cred->principal_cb = principal_cb; cred->principal_obtained = CRED_CALLBACK; - return True; + return true; } - return False; + return false; } -BOOL cli_credentials_authentication_requested(struct cli_credentials *cred) +/* Some of our tools are 'anonymous by default'. This is a single + * function to determine if authentication has been explicitly + * requested */ + +_PUBLIC_ bool cli_credentials_authentication_requested(struct cli_credentials *cred) { + if (cred->bind_dn) { + return true; + } + + if (cli_credentials_is_anonymous(cred)){ + return false; + } + if (cred->principal_obtained >= CRED_SPECIFIED) { - return True; + return true; } if (cred->username_obtained >= CRED_SPECIFIED) { - return True; + return true; } - return False; + + if (cli_credentials_get_kerberos_state(cred) == CRED_MUST_USE_KERBEROS) { + return true; + } + + return false; } /** @@ -168,53 +303,92 @@ BOOL cli_credentials_authentication_requested(struct cli_credentials *cred) * @param cred credentials context * @retval If set, the cleartext password, otherwise NULL */ -const char *cli_credentials_get_password(struct cli_credentials *cred) +_PUBLIC_ const char *cli_credentials_get_password(struct cli_credentials *cred) { if (cred->machine_account_pending) { - cli_credentials_set_machine_account(cred); + cli_credentials_set_machine_account(cred, + cred->machine_account_pending_lp_ctx); } - if (cred->password_obtained == CRED_CALLBACK) { + if (cred->password_obtained == CRED_CALLBACK && + !cred->callback_running) { + cred->callback_running = true; cred->password = cred->password_cb(cred); - cred->password_obtained = CRED_SPECIFIED; + cred->callback_running = false; + cred->password_obtained = CRED_CALLBACK_RESULT; + cli_credentials_invalidate_ccache(cred, cred->password_obtained); } return cred->password; } -BOOL cli_credentials_set_password(struct cli_credentials *cred, +/* Set a password on the credentials context, including an indication + * of 'how' the password was obtained */ + +_PUBLIC_ bool cli_credentials_set_password(struct cli_credentials *cred, const char *val, enum credentials_obtained obtained) { if (obtained >= cred->password_obtained) { cred->password = talloc_strdup(cred, val); cred->password_obtained = obtained; + cli_credentials_invalidate_ccache(cred, cred->password_obtained); cred->nt_hash = NULL; - return True; + cred->lm_response = data_blob(NULL, 0); + cred->nt_response = data_blob(NULL, 0); + return true; } - return False; + return false; } -BOOL cli_credentials_set_password_callback(struct cli_credentials *cred, +_PUBLIC_ bool cli_credentials_set_password_callback(struct cli_credentials *cred, const char *(*password_cb) (struct cli_credentials *)) { if (cred->password_obtained < CRED_CALLBACK) { cred->password_cb = password_cb; cred->password_obtained = CRED_CALLBACK; - return True; + cli_credentials_invalidate_ccache(cred, cred->password_obtained); + return true; } - return False; + return false; } /** - * Obtain the password for this credentials context. + * Obtain the 'old' password for this credentials context (used for join accounts). * @param cred credentials context * @retval If set, the cleartext password, otherwise NULL */ -const struct samr_Password *cli_credentials_get_nt_hash(struct cli_credentials *cred, +const char *cli_credentials_get_old_password(struct cli_credentials *cred) +{ + if (cred->machine_account_pending) { + cli_credentials_set_machine_account(cred, + cred->machine_account_pending_lp_ctx); + } + + return cred->old_password; +} + +bool cli_credentials_set_old_password(struct cli_credentials *cred, + const char *val, + enum credentials_obtained obtained) +{ + cred->old_password = talloc_strdup(cred, val); + return true; +} + +/** + * Obtain the password, in the form MD4(unicode(password)) for this credentials context. + * + * Sometimes we only have this much of the password, while the rest of + * the time this call avoids calling E_md4hash themselves. + * + * @param cred credentials context + * @retval If set, the cleartext password, otherwise NULL + */ +_PUBLIC_ const struct samr_Password *cli_credentials_get_nt_hash(struct cli_credentials *cred, TALLOC_CTX *mem_ctx) { const char *password = cli_credentials_get_password(cred); @@ -233,77 +407,59 @@ const struct samr_Password *cli_credentials_get_nt_hash(struct cli_credentials * } } -BOOL cli_credentials_set_nt_hash(struct cli_credentials *cred, - const struct samr_Password *nt_hash, - enum credentials_obtained obtained) -{ - if (obtained >= cred->password_obtained) { - cli_credentials_set_password(cred, NULL, obtained); - cred->nt_hash = talloc(cred, struct samr_Password); - *cred->nt_hash = *nt_hash; - return True; - } - - return False; -} - /** * Obtain the 'short' or 'NetBIOS' domain for this credentials context. * @param cred credentials context * @retval The domain set on this context. * @note Return value will never be NULL except by programmer error. */ -const char *cli_credentials_get_domain(struct cli_credentials *cred) +_PUBLIC_ const char *cli_credentials_get_domain(struct cli_credentials *cred) { if (cred->machine_account_pending) { - cli_credentials_set_machine_account(cred); + cli_credentials_set_machine_account(cred, + cred->machine_account_pending_lp_ctx); } - if (cred->domain_obtained == CRED_CALLBACK) { + if (cred->domain_obtained == CRED_CALLBACK && + !cred->callback_running) { + cred->callback_running = true; cred->domain = cred->domain_cb(cred); + cred->callback_running = false; cred->domain_obtained = CRED_SPECIFIED; + cli_credentials_invalidate_ccache(cred, cred->domain_obtained); } return cred->domain; } -BOOL cli_credentials_set_domain(struct cli_credentials *cred, +_PUBLIC_ bool cli_credentials_set_domain(struct cli_credentials *cred, const char *val, enum credentials_obtained obtained) { if (obtained >= cred->domain_obtained) { - cred->domain = talloc_strdup(cred, val); + /* it is important that the domain be in upper case, + * particularly for the sensitive NTLMv2 + * calculations */ + cred->domain = strupper_talloc(cred, val); cred->domain_obtained = obtained; - return True; + cli_credentials_invalidate_ccache(cred, cred->domain_obtained); + return true; } - return False; + return false; } -BOOL cli_credentials_set_domain_callback(struct cli_credentials *cred, +bool cli_credentials_set_domain_callback(struct cli_credentials *cred, const char *(*domain_cb) (struct cli_credentials *)) { if (cred->domain_obtained < CRED_CALLBACK) { cred->domain_cb = domain_cb; cred->domain_obtained = CRED_CALLBACK; - return True; + return true; } - return False; -} - -void cli_credentials_get_ntlm_username_domain(struct cli_credentials *cred, TALLOC_CTX *mem_ctx, - const char **username, - const char **domain) -{ - if (cred->principal_obtained > cred->username_obtained) { - *domain = talloc_strdup(mem_ctx, ""); - *username = cli_credentials_get_principal(cred, mem_ctx); - } else { - *domain = cli_credentials_get_domain(cred); - *username = cli_credentials_get_username(cred); - } + return false; } /** @@ -312,15 +468,20 @@ void cli_credentials_get_ntlm_username_domain(struct cli_credentials *cred, TALL * @retval The realm set on this context. * @note Return value will never be NULL except by programmer error. */ -const char *cli_credentials_get_realm(struct cli_credentials *cred) +_PUBLIC_ const char *cli_credentials_get_realm(struct cli_credentials *cred) { if (cred->machine_account_pending) { - cli_credentials_set_machine_account(cred); + cli_credentials_set_machine_account(cred, + cred->machine_account_pending_lp_ctx); } - if (cred->realm_obtained == CRED_CALLBACK) { + if (cred->realm_obtained == CRED_CALLBACK && + !cred->callback_running) { + cred->callback_running = true; cred->realm = cred->realm_cb(cred); + cred->callback_running = false; cred->realm_obtained = CRED_SPECIFIED; + cli_credentials_invalidate_ccache(cred, cred->realm_obtained); } return cred->realm; @@ -330,29 +491,30 @@ const char *cli_credentials_get_realm(struct cli_credentials *cred) * Set the realm for this credentials context, and force it to * uppercase for the sainity of our local kerberos libraries */ -BOOL cli_credentials_set_realm(struct cli_credentials *cred, +_PUBLIC_ bool cli_credentials_set_realm(struct cli_credentials *cred, const char *val, enum credentials_obtained obtained) { if (obtained >= cred->realm_obtained) { cred->realm = strupper_talloc(cred, val); cred->realm_obtained = obtained; - return True; + cli_credentials_invalidate_ccache(cred, cred->realm_obtained); + return true; } - return False; + return false; } -BOOL cli_credentials_set_realm_callback(struct cli_credentials *cred, +bool cli_credentials_set_realm_callback(struct cli_credentials *cred, const char *(*realm_cb) (struct cli_credentials *)) { if (cred->realm_obtained < CRED_CALLBACK) { cred->realm_cb = realm_cb; cred->realm_obtained = CRED_CALLBACK; - return True; + return true; } - return False; + return false; } /** @@ -362,39 +524,42 @@ BOOL cli_credentials_set_realm_callback(struct cli_credentials *cred, * @retval The workstation name set on this context. * @note Return value will never be NULL except by programmer error. */ -const char *cli_credentials_get_workstation(struct cli_credentials *cred) +_PUBLIC_ const char *cli_credentials_get_workstation(struct cli_credentials *cred) { - if (cred->workstation_obtained == CRED_CALLBACK) { + if (cred->workstation_obtained == CRED_CALLBACK && + !cred->callback_running) { + cred->callback_running = true; cred->workstation = cred->workstation_cb(cred); + cred->callback_running = false; cred->workstation_obtained = CRED_SPECIFIED; } return cred->workstation; } -BOOL cli_credentials_set_workstation(struct cli_credentials *cred, +_PUBLIC_ bool cli_credentials_set_workstation(struct cli_credentials *cred, const char *val, enum credentials_obtained obtained) { if (obtained >= cred->workstation_obtained) { cred->workstation = talloc_strdup(cred, val); cred->workstation_obtained = obtained; - return True; + return true; } - return False; + return false; } -BOOL cli_credentials_set_workstation_callback(struct cli_credentials *cred, +bool cli_credentials_set_workstation_callback(struct cli_credentials *cred, const char *(*workstation_cb) (struct cli_credentials *)) { if (cred->workstation_obtained < CRED_CALLBACK) { cred->workstation_cb = workstation_cb; cred->workstation_obtained = CRED_CALLBACK; - return True; + return true; } - return False; + return false; } /** @@ -407,7 +572,7 @@ BOOL cli_credentials_set_workstation_callback(struct cli_credentials *cred, * @param obtained This enum describes how 'specified' this password is */ -void cli_credentials_parse_string(struct cli_credentials *credentials, const char *data, enum credentials_obtained obtained) +_PUBLIC_ void cli_credentials_parse_string(struct cli_credentials *credentials, const char *data, enum credentials_obtained obtained) { char *uname, *p; @@ -435,18 +600,50 @@ void cli_credentials_parse_string(struct cli_credentials *credentials, const cha cli_credentials_set_username(credentials, uname, obtained); } +/** + * Given a a credentials structure, print it as a string + * + * The format output is [domain\\]user[%password] or user[@realm][%password] + * + * @param credentials Credentials structure on which to set the password + * @param mem_ctx The memory context to place the result on + */ + +_PUBLIC_ const char *cli_credentials_get_unparsed_name(struct cli_credentials *credentials, TALLOC_CTX *mem_ctx) +{ + const char *bind_dn = cli_credentials_get_bind_dn(credentials); + const char *domain; + const char *username; + const char *name; + + if (bind_dn) { + name = talloc_reference(mem_ctx, bind_dn); + } else { + cli_credentials_get_ntlm_username_domain(credentials, mem_ctx, &username, &domain); + if (domain && domain[0]) { + name = talloc_asprintf(mem_ctx, "%s\\%s", + domain, username); + } else { + name = talloc_asprintf(mem_ctx, "%s", + username); + } + } + return name; +} + /** * Specifies default values for domain, workstation and realm * from the smb.conf configuration file * * @param cred Credentials structure to fill in */ -void cli_credentials_set_conf(struct cli_credentials *cred) +_PUBLIC_ void cli_credentials_set_conf(struct cli_credentials *cred, + struct loadparm_context *lp_ctx) { cli_credentials_set_username(cred, "", CRED_UNINITIALISED); - cli_credentials_set_domain(cred, lp_workgroup(), CRED_UNINITIALISED); - cli_credentials_set_workstation(cred, lp_netbios_name(), CRED_UNINITIALISED); - cli_credentials_set_realm(cred, lp_realm(), CRED_UNINITIALISED); + cli_credentials_set_domain(cred, lp_workgroup(lp_ctx), CRED_UNINITIALISED); + cli_credentials_set_workstation(cred, lp_netbios_name(lp_ctx), CRED_UNINITIALISED); + cli_credentials_set_realm(cred, lp_realm(lp_ctx), CRED_UNINITIALISED); } /** @@ -455,11 +652,14 @@ void cli_credentials_set_conf(struct cli_credentials *cred) * * @param cred Credentials structure to fill in */ -void cli_credentials_guess(struct cli_credentials *cred) +_PUBLIC_ void cli_credentials_guess(struct cli_credentials *cred, + struct loadparm_context *lp_ctx) { char *p; - cli_credentials_set_conf(cred); + if (lp_ctx != NULL) { + cli_credentials_set_conf(cred, lp_ctx); + } if (getenv("LOGNAME")) { cli_credentials_set_username(cred, getenv("LOGNAME"), CRED_GUESS_ENV); @@ -472,31 +672,31 @@ void cli_credentials_guess(struct cli_credentials *cred) } } - if (getenv("DOMAIN")) { - cli_credentials_set_domain(cred, getenv("DOMAIN"), CRED_GUESS_ENV); - } - if (getenv("PASSWD")) { cli_credentials_set_password(cred, getenv("PASSWD"), CRED_GUESS_ENV); } if (getenv("PASSWD_FD")) { - cli_credentials_parse_password_fd(cred, atoi(getenv("PASSWD_FD")), CRED_GUESS_FILE); + cli_credentials_parse_password_fd(cred, atoi(getenv("PASSWD_FD")), + CRED_GUESS_FILE); } - if (getenv("PASSWD_FILE")) { - cli_credentials_parse_password_file(cred, getenv("PASSWD_FILE"), CRED_GUESS_FILE); + p = getenv("PASSWD_FILE"); + if (p && p[0]) { + cli_credentials_parse_password_file(cred, p, CRED_GUESS_FILE); + } + + if (cli_credentials_get_kerberos_state(cred) != CRED_DONT_USE_KERBEROS) { + cli_credentials_set_ccache(cred, event_context_find(cred), lp_ctx, NULL, CRED_GUESS_FILE); } - - cli_credentials_set_ccache(cred, NULL, CRED_GUESS_FILE); } /** * Attach NETLOGON credentials for use with SCHANNEL */ -void cli_credentials_set_netlogon_creds(struct cli_credentials *cred, - struct creds_CredentialState *netlogon_creds) +_PUBLIC_ void cli_credentials_set_netlogon_creds(struct cli_credentials *cred, + struct netlogon_creds_CredentialState *netlogon_creds) { cred->netlogon_creds = talloc_reference(cred, netlogon_creds); } @@ -505,7 +705,7 @@ void cli_credentials_set_netlogon_creds(struct cli_credentials *cred, * Return attached NETLOGON credentials */ -struct creds_CredentialState *cli_credentials_get_netlogon_creds(struct cli_credentials *cred) +struct netlogon_creds_CredentialState *cli_credentials_get_netlogon_creds(struct cli_credentials *cred) { return cred->netlogon_creds; } @@ -514,7 +714,7 @@ struct creds_CredentialState *cli_credentials_get_netlogon_creds(struct cli_cred * Set NETLOGON secure channel type */ -void cli_credentials_set_secure_channel_type(struct cli_credentials *cred, +_PUBLIC_ void cli_credentials_set_secure_channel_type(struct cli_credentials *cred, enum netr_SchannelType secure_channel_type) { cred->secure_channel_type = secure_channel_type; @@ -524,7 +724,7 @@ void cli_credentials_set_secure_channel_type(struct cli_credentials *cred, * Return NETLOGON secure chanel type */ -enum netr_SchannelType cli_credentials_get_secure_channel_type(struct cli_credentials *cred) +_PUBLIC_ enum netr_SchannelType cli_credentials_get_secure_channel_type(struct cli_credentials *cred) { return cred->secure_channel_type; } @@ -532,31 +732,63 @@ enum netr_SchannelType cli_credentials_get_secure_channel_type(struct cli_creden /** * Fill in a credentials structure as the anonymous user */ -void cli_credentials_set_anonymous(struct cli_credentials *cred) +_PUBLIC_ void cli_credentials_set_anonymous(struct cli_credentials *cred) { cli_credentials_set_username(cred, "", CRED_SPECIFIED); cli_credentials_set_domain(cred, "", CRED_SPECIFIED); cli_credentials_set_password(cred, NULL, CRED_SPECIFIED); + cli_credentials_set_realm(cred, NULL, CRED_SPECIFIED); + cli_credentials_set_workstation(cred, "", CRED_UNINITIALISED); } /** * Describe a credentials context as anonymous or authenticated - * @retval True if anonymous, False if a username is specified + * @retval true if anonymous, false if a username is specified */ -BOOL cli_credentials_is_anonymous(struct cli_credentials *cred) +_PUBLIC_ bool cli_credentials_is_anonymous(struct cli_credentials *cred) { - TALLOC_CTX *tmp_ctx = talloc_new(cred); - const char *username = cli_credentials_get_username(cred); + const char *username; + + /* if bind dn is set it's not anonymous */ + if (cred->bind_dn) { + return false; + } + + if (cred->machine_account_pending) { + cli_credentials_set_machine_account(cred, + cred->machine_account_pending_lp_ctx); + } + + username = cli_credentials_get_username(cred); /* Yes, it is deliberate that we die if we have a NULL pointer * here - anonymous is "", not NULL, which is 'never specified, * never guessed', ie programmer bug */ if (!username[0]) { - talloc_free(tmp_ctx); - return True; + return true; + } + + return false; +} + +/** + * Mark the current password for a credentials struct as wrong. This will + * cause the password to be prompted again (if a callback is set). + * + * This will decrement the number of times the password can be tried. + * + * @retval whether the credentials struct is finished + */ +_PUBLIC_ bool cli_credentials_wrong_password(struct cli_credentials *cred) +{ + if (cred->password_obtained != CRED_CALLBACK_RESULT) { + return false; } - talloc_free(tmp_ctx); - return False; + cred->password_obtained = CRED_CALLBACK; + + cred->tries--; + + return (cred->tries > 0); }