auth/credentials/credentials.h

   1 /*
   2    samba -- Unix SMB/CIFS implementation.
   3
   4    Client credentials structure
   5
   6    Copyright (C) Jelmer Vernooij 2004-2006
   7    Copyright (C) Andrew Bartlett <abartlet@samba.org> 2005
   8
   9    This program is free software; you can redistribute it and/or modify
  10    it under the terms of the GNU General Public License as published by
  11    the Free Software Foundation; either version 3 of the License, or
  12    (at your option) any later version.
  13
  14    This program is distributed in the hope that it will be useful,
  15    but WITHOUT ANY WARRANTY; without even the implied warranty of
  16    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  17    GNU General Public License for more details.
  18
  19    You should have received a copy of the GNU General Public License
  20    along with this program.  If not, see <http://www.gnu.org/licenses/>.
  21 */
  22 #ifndef __CREDENTIALS_H__
  23 #define __CREDENTIALS_H__
  24
  25 #include "../lib/util/time.h"
  26 #include "../lib/util/data_blob.h"
  27 #include "librpc/gen_ndr/misc.h"
  28
  29 struct cli_credentials;
  30 struct ccache_container;
  31 struct tevent_context;
  32 struct netlogon_creds_CredentialState;
  33 struct ldb_context;
  34 struct ldb_message;
  35 struct loadparm_context;
  36 struct ccache_container;
  37 struct gssapi_creds_container;
  38 struct smb_krb5_context;
  39 struct keytab_container;
  40 struct db_context;
  41
  42 /* In order of priority */
  43 enum credentials_obtained {
  44         CRED_UNINITIALISED = 0,  /* We don't even have a guess yet */
  45         CRED_CALLBACK,           /* Callback should be used to obtain value */
  46         CRED_GUESS_ENV,          /* Current value should be used, which was guessed */
  47         CRED_GUESS_FILE,         /* A guess from a file (or file pointed at in env variable) */
  48         CRED_CALLBACK_RESULT,    /* Value was obtained from a callback */
  49         CRED_SPECIFIED           /* Was explicitly specified on the command-line */
  50 };
  51
  52 enum credentials_use_kerberos {
  53         CRED_AUTO_USE_KERBEROS = 0, /* Default, we try kerberos if available */
  54         CRED_DONT_USE_KERBEROS,     /* Sometimes trying kerberos just does 'bad things', so don't */
  55         CRED_MUST_USE_KERBEROS      /* Sometimes administrators are parinoid, so always do kerberos */
  56 };
  57
  58 enum credentials_krb_forwardable {
  59         CRED_AUTO_KRB_FORWARDABLE = 0, /* Default, follow library defaults */
  60         CRED_NO_KRB_FORWARDABLE,       /* not forwardable */
  61         CRED_FORCE_KRB_FORWARDABLE     /* forwardable */
  62 };
  63
  64 #define CLI_CRED_NTLM2       0x01
  65 #define CLI_CRED_NTLMv2_AUTH 0x02
  66 #define CLI_CRED_LANMAN_AUTH 0x04
  67 #define CLI_CRED_NTLM_AUTH   0x08
  68 #define CLI_CRED_CLEAR_AUTH  0x10   /* TODO:  Push cleartext auth with this flag */
  69
  70 const char *cli_credentials_get_workstation(struct cli_credentials *cred);
  71 bool cli_credentials_set_workstation(struct cli_credentials *cred,
  72                                      const char *val,
  73                                      enum credentials_obtained obtained);
  74 bool cli_credentials_is_anonymous(struct cli_credentials *cred);
  75 struct cli_credentials *cli_credentials_init(TALLOC_CTX *mem_ctx);
  76 void cli_credentials_set_anonymous(struct cli_credentials *cred);
  77 bool cli_credentials_wrong_password(struct cli_credentials *cred);
  78 const char *cli_credentials_get_password(struct cli_credentials *cred);
  79 void cli_credentials_get_ntlm_username_domain(struct cli_credentials *cred, TALLOC_CTX *mem_ctx,
  80                                               const char **username,
  81                                               const char **domain);
  82 NTSTATUS cli_credentials_get_ntlm_response(struct cli_credentials *cred, TALLOC_CTX *mem_ctx,
  83                                            int *flags,
  84                                            DATA_BLOB challenge,
  85                                            const NTTIME *server_timestamp,
  86                                            DATA_BLOB target_info,
  87                                            DATA_BLOB *_lm_response, DATA_BLOB *_nt_response,
  88                                            DATA_BLOB *_lm_session_key, DATA_BLOB *_session_key);
  89 const char *cli_credentials_get_realm(struct cli_credentials *cred);
  90 const char *cli_credentials_get_username(struct cli_credentials *cred);
  91 int cli_credentials_get_krb5_context(struct cli_credentials *cred,
  92                                      struct loadparm_context *lp_ctx,
  93                                      struct smb_krb5_context **smb_krb5_context);
  94 int cli_credentials_get_ccache(struct cli_credentials *cred,
  95                                struct tevent_context *event_ctx,
  96                                struct loadparm_context *lp_ctx,
  97                                struct ccache_container **ccc,
  98                                const char **error_string);
  99 int cli_credentials_get_named_ccache(struct cli_credentials *cred,
 100                                      struct tevent_context *event_ctx,
 101                                      struct loadparm_context *lp_ctx,
 102                                      char *ccache_name,
 103                                      struct ccache_container **ccc, const char **error_string);
 104 bool cli_credentials_failed_kerberos_login(struct cli_credentials *cred,
 105                                            const char *principal,
 106                                            unsigned int *count);
 107 int cli_credentials_get_keytab(struct cli_credentials *cred,
 108                                struct loadparm_context *lp_ctx,
 109                                struct keytab_container **_ktc);
 110 const char *cli_credentials_get_domain(struct cli_credentials *cred);
 111 struct netlogon_creds_CredentialState *cli_credentials_get_netlogon_creds(struct cli_credentials *cred);
 112 void cli_credentials_set_machine_account_pending(struct cli_credentials *cred,
 113                                                  struct loadparm_context *lp_ctx);
 114 void cli_credentials_set_conf(struct cli_credentials *cred,
 115                               struct loadparm_context *lp_ctx);
 116 char *cli_credentials_get_principal(struct cli_credentials *cred, TALLOC_CTX *mem_ctx);
 117 int cli_credentials_get_server_gss_creds(struct cli_credentials *cred,
 118                                          struct loadparm_context *lp_ctx,
 119                                          struct gssapi_creds_container **_gcc);
 120 int cli_credentials_get_client_gss_creds(struct cli_credentials *cred,
 121                                          struct tevent_context *event_ctx,
 122                                          struct loadparm_context *lp_ctx,
 123                                          struct gssapi_creds_container **_gcc,
 124                                          const char **error_string);
 125 void cli_credentials_set_forced_sasl_mech(struct cli_credentials *creds,
 126                                           const char *sasl_mech);
 127 void cli_credentials_set_kerberos_state(struct cli_credentials *creds,
 128                                         enum credentials_use_kerberos use_kerberos);
 129 void cli_credentials_set_krb_forwardable(struct cli_credentials *creds,
 130                                          enum credentials_krb_forwardable krb_forwardable);
 131 bool cli_credentials_set_domain(struct cli_credentials *cred,
 132                                 const char *val,
 133                                 enum credentials_obtained obtained);
 134 bool cli_credentials_set_domain_callback(struct cli_credentials *cred,
 135                                          const char *(*domain_cb) (struct cli_credentials *));
 136 bool cli_credentials_set_username(struct cli_credentials *cred,
 137                                   const char *val, enum credentials_obtained obtained);
 138 bool cli_credentials_set_username_callback(struct cli_credentials *cred,
 139                                   const char *(*username_cb) (struct cli_credentials *));
 140 bool cli_credentials_set_principal(struct cli_credentials *cred,
 141                                    const char *val,
 142                                    enum credentials_obtained obtained);
 143 bool cli_credentials_set_principal_callback(struct cli_credentials *cred,
 144                                   const char *(*principal_cb) (struct cli_credentials *));
 145 bool cli_credentials_set_password(struct cli_credentials *cred,
 146                                   const char *val,
 147                                   enum credentials_obtained obtained);
 148 struct cli_credentials *cli_credentials_init_anon(TALLOC_CTX *mem_ctx);
 149 void cli_credentials_parse_string(struct cli_credentials *credentials, const char *data, enum credentials_obtained obtained);
 150 struct samr_Password *cli_credentials_get_nt_hash(struct cli_credentials *cred,
 151                                                   TALLOC_CTX *mem_ctx);
 152 struct samr_Password *cli_credentials_get_old_nt_hash(struct cli_credentials *cred,
 153                                                       TALLOC_CTX *mem_ctx);
 154 bool cli_credentials_set_realm(struct cli_credentials *cred,
 155                                const char *val,
 156                                enum credentials_obtained obtained);
 157 void cli_credentials_set_secure_channel_type(struct cli_credentials *cred,
 158                                      enum netr_SchannelType secure_channel_type);
 159 void cli_credentials_set_password_last_changed_time(struct cli_credentials *cred,
 160                                                              time_t last_change_time);
 161 void cli_credentials_set_netlogon_creds(
 162         struct cli_credentials *cred,
 163         const struct netlogon_creds_CredentialState *netlogon_creds);
 164 NTSTATUS cli_credentials_set_krb5_context(struct cli_credentials *cred,
 165                                           struct smb_krb5_context *smb_krb5_context);
 166 bool cli_credentials_ccache_init(struct cli_credentials *cred,
 167                                  struct loadparm_context *lp_ctx,
 168                                  const char *ccache_name);
 169 bool cli_credentials_ccache_reinit(struct cli_credentials *cred,
 170                                    struct loadparm_context *lp_ctx);
 171 NTSTATUS cli_credentials_set_stored_principal(struct cli_credentials *cred,
 172                                               struct loadparm_context *lp_ctx,
 173                                               const char *serviceprincipal);
 174 NTSTATUS cli_credentials_set_machine_account(struct cli_credentials *cred,
 175                                              struct loadparm_context *lp_ctx);
 176 /**
 177  * Fill in credentials for the machine trust account, from the
 178  * secrets.ldb or passed in handle to secrets.tdb (perhaps in CTDB).
 179  *
 180  * This version is used in parts of the code that can link in the
 181  * CTDB dbwrap backend, by passing down the already open handle.
 182  *
 183  * @param cred Credentials structure to fill in
 184  * @param db_ctx dbwrap context for secrets.tdb
 185  * @retval NTSTATUS error detailing any failure
 186  */
 187 NTSTATUS cli_credentials_set_machine_account_db_ctx(struct cli_credentials *cred,
 188                                                     struct loadparm_context *lp_ctx,
 189                                                     struct db_context *db_ctx);
 190
 191 bool cli_credentials_authentication_requested(struct cli_credentials *cred);
 192 void cli_credentials_guess(struct cli_credentials *cred,
 193                            struct loadparm_context *lp_ctx);
 194 bool cli_credentials_set_bind_dn(struct cli_credentials *cred,
 195                                  const char *bind_dn);
 196 const char *cli_credentials_get_bind_dn(struct cli_credentials *cred);
 197 bool cli_credentials_parse_file(struct cli_credentials *cred, const char *file, enum credentials_obtained obtained);
 198 char *cli_credentials_get_unparsed_name(struct cli_credentials *credentials, TALLOC_CTX *mem_ctx);
 199 bool cli_credentials_set_password_callback(struct cli_credentials *cred,
 200                                            const char *(*password_cb) (struct cli_credentials *));
 201 enum netr_SchannelType cli_credentials_get_secure_channel_type(struct cli_credentials *cred);
 202 time_t cli_credentials_get_password_last_changed_time(struct cli_credentials *cred);
 203 void cli_credentials_set_kvno(struct cli_credentials *cred,
 204                               int kvno);
 205 bool cli_credentials_set_utf16_password(struct cli_credentials *cred,
 206                                         const DATA_BLOB *password_utf16,
 207                                         enum credentials_obtained obtained);
 208 bool cli_credentials_set_old_utf16_password(struct cli_credentials *cred,
 209                                             const DATA_BLOB *password_utf16);
 210 void cli_credentials_set_password_will_be_nt_hash(struct cli_credentials *cred,
 211                                                   bool val);
 212 bool cli_credentials_set_nt_hash(struct cli_credentials *cred,
 213                                  const struct samr_Password *nt_hash,
 214                                  enum credentials_obtained obtained);
 215 bool cli_credentials_set_old_nt_hash(struct cli_credentials *cred,
 216                                      const struct samr_Password *nt_hash);
 217 bool cli_credentials_set_ntlm_response(struct cli_credentials *cred,
 218                                        const DATA_BLOB *lm_response,
 219                                        const DATA_BLOB *nt_response,
 220                                        enum credentials_obtained obtained);
 221 int cli_credentials_set_keytab_name(struct cli_credentials *cred,
 222                                     struct loadparm_context *lp_ctx,
 223                                     const char *keytab_name,
 224                                     enum credentials_obtained obtained);
 225 void cli_credentials_set_gensec_features(struct cli_credentials *creds, uint32_t gensec_features);
 226 uint32_t cli_credentials_get_gensec_features(struct cli_credentials *creds);
 227 int cli_credentials_set_ccache(struct cli_credentials *cred,
 228                                struct loadparm_context *lp_ctx,
 229                                const char *name,
 230                                enum credentials_obtained obtained,
 231                                const char **error_string);
 232 bool cli_credentials_parse_password_file(struct cli_credentials *credentials, const char *file, enum credentials_obtained obtained);
 233 bool cli_credentials_parse_password_fd(struct cli_credentials *credentials,
 234                                        int fd, enum credentials_obtained obtained);
 235 void cli_credentials_invalidate_ccache(struct cli_credentials *cred,
 236                                        enum credentials_obtained obtained);
 237 void cli_credentials_set_salt_principal(struct cli_credentials *cred, const char *principal);
 238 void cli_credentials_set_impersonate_principal(struct cli_credentials *cred,
 239                                                const char *principal,
 240                                                const char *self_service);
 241 void cli_credentials_set_target_service(struct cli_credentials *cred, const char *principal);
 242 const char *cli_credentials_get_salt_principal(struct cli_credentials *cred);
 243 const char *cli_credentials_get_impersonate_principal(struct cli_credentials *cred);
 244 const char *cli_credentials_get_self_service(struct cli_credentials *cred);
 245 const char *cli_credentials_get_target_service(struct cli_credentials *cred);
 246 enum credentials_use_kerberos cli_credentials_get_kerberos_state(struct cli_credentials *creds);
 247 const char *cli_credentials_get_forced_sasl_mech(struct cli_credentials *cred);
 248 enum credentials_krb_forwardable cli_credentials_get_krb_forwardable(struct cli_credentials *creds);
 249 NTSTATUS cli_credentials_set_secrets(struct cli_credentials *cred,
 250                                      struct loadparm_context *lp_ctx,
 251                                      struct ldb_context *ldb,
 252                                      const char *base,
 253                                      const char *filter,
 254                                      char **error_string);
 255  int cli_credentials_get_kvno(struct cli_credentials *cred);
 256
 257 bool cli_credentials_set_username_callback(struct cli_credentials *cred,
 258                                   const char *(*username_cb) (struct cli_credentials *));
 259
 260 /**
 261  * Obtain the client principal for this credentials context.
 262  * @param cred credentials context
 263  * @retval The username set on this context.
 264  * @note Return value will never be NULL except by programmer error.
 265  */
 266 char *cli_credentials_get_principal_and_obtained(struct cli_credentials *cred, TALLOC_CTX *mem_ctx, enum credentials_obtained *obtained);
 267 bool cli_credentials_set_principal(struct cli_credentials *cred,
 268                                    const char *val,
 269                                    enum credentials_obtained obtained);
 270 bool cli_credentials_set_principal_callback(struct cli_credentials *cred,
 271                                   const char *(*principal_cb) (struct cli_credentials *));
 272
 273 /**
 274  * Obtain the 'old' password for this credentials context (used for join accounts).
 275  * @param cred credentials context
 276  * @retval If set, the cleartext password, otherwise NULL
 277  */
 278 const char *cli_credentials_get_old_password(struct cli_credentials *cred);
 279 bool cli_credentials_set_old_password(struct cli_credentials *cred,
 280                                       const char *val,
 281                                       enum credentials_obtained obtained);
 282 bool cli_credentials_set_domain_callback(struct cli_credentials *cred,
 283                                          const char *(*domain_cb) (struct cli_credentials *));
 284 bool cli_credentials_set_realm_callback(struct cli_credentials *cred,
 285                                         const char *(*realm_cb) (struct cli_credentials *));
 286 bool cli_credentials_set_workstation_callback(struct cli_credentials *cred,
 287                                               const char *(*workstation_cb) (struct cli_credentials *));
 288
 289 void cli_credentials_set_callback_data(struct cli_credentials *cred,
 290                                        void *callback_data);
 291 void *_cli_credentials_callback_data(struct cli_credentials *cred);
 292 #define cli_credentials_callback_data(_cred, _type) \
 293         talloc_get_type_abort(_cli_credentials_callback_data(_cred), _type)
 294 #define cli_credentials_callback_data_void(_cred) \
 295         _cli_credentials_callback_data(_cred)
 296
 297 /**
 298  * Return attached NETLOGON credentials
 299  */
 300 struct netlogon_creds_CredentialState *cli_credentials_get_netlogon_creds(struct cli_credentials *cred);
 301
 302 NTSTATUS netlogon_creds_session_encrypt(
 303         struct netlogon_creds_CredentialState *state,
 304         DATA_BLOB data);
 305
 306 #endif /* __CREDENTIALS_H__ */