source4/auth/credentials/credentials.c

   1 /*
   2    Unix SMB/CIFS implementation.
   3
   4    User credentials handling
   5
   6    Copyright (C) Jelmer Vernooij 2005
   7    Copyright (C) Tim Potter 2001
   8    Copyright (C) Andrew Bartlett <abartlet@samba.org> 2005
   9
  10    This program is free software; you can redistribute it and/or modify
  11    it under the terms of the GNU General Public License as published by
  12    the Free Software Foundation; either version 2 of the License, or
  13    (at your option) any later version.
  14
  15    This program is distributed in the hope that it will be useful,
  16    but WITHOUT ANY WARRANTY; without even the implied warranty of
  17    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  18    GNU General Public License for more details.
  19
  20    You should have received a copy of the GNU General Public License
  21    along with this program; if not, write to the Free Software
  22    Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
  23 */
  24
  25 #include "includes.h"
  26 #include "lib/ldb/include/ldb.h"
  27 #include "librpc/gen_ndr/ndr_samr.h" /* for struct samrPassword */
  28
  29
  30 /**
  31  * Create a new credentials structure
  32  * @param mem_ctx TALLOC_CTX parent for credentials structure
  33  */
  34 struct cli_credentials *cli_credentials_init(TALLOC_CTX *mem_ctx)
  35 {
  36         struct cli_credentials *cred = talloc(mem_ctx, struct cli_credentials);
  37         if (!cred) {
  38                 return cred;
  39         }
  40
  41         cred->netlogon_creds = NULL;
  42         cred->machine_account_pending = False;
  43         cred->workstation_obtained = CRED_UNINITIALISED;
  44         cred->username_obtained = CRED_UNINITIALISED;
  45         cred->password_obtained = CRED_UNINITIALISED;
  46         cred->domain_obtained = CRED_UNINITIALISED;
  47         cred->realm_obtained = CRED_UNINITIALISED;
  48         cred->ccache_obtained = CRED_UNINITIALISED;
  49         cred->client_gss_creds_obtained = CRED_UNINITIALISED;
  50         cred->server_gss_creds_obtained = CRED_UNINITIALISED;
  51         cred->keytab_obtained = CRED_UNINITIALISED;
  52         cred->principal_obtained = CRED_UNINITIALISED;
  53
  54         cred->old_password = NULL;
  55         cred->smb_krb5_context = NULL;
  56         cred->salt_principal = NULL;
  57         cred->machine_account = False;
  58         cred->gensec_list = NULL;
  59
  60         cred->bind_dn = NULL;
  61
  62         return cred;
  63 }
  64
  65 /**
  66  * Obtain the username for this credentials context.
  67  * @param cred credentials context
  68  * @retval The username set on this context.
  69  * @note Return value will never be NULL except by programmer error.
  70  */
  71 const char *cli_credentials_get_username(struct cli_credentials *cred)
  72 {
  73         if (cred->machine_account_pending) {
  74                 cli_credentials_set_machine_account(cred);
  75         }
  76
  77         if (cred->username_obtained == CRED_CALLBACK) {
  78                 cred->username = cred->username_cb(cred);
  79                 cred->username_obtained = CRED_SPECIFIED;
  80         }
  81
  82         return cred->username;
  83 }
  84
  85 BOOL cli_credentials_set_username(struct cli_credentials *cred,
  86                                   const char *val, enum credentials_obtained obtained)
  87 {
  88         if (obtained >= cred->username_obtained) {
  89                 cred->username = talloc_strdup(cred, val);
  90                 cred->username_obtained = obtained;
  91                 return True;
  92         }
  93
  94         return False;
  95 }
  96
  97 BOOL cli_credentials_set_username_callback(struct cli_credentials *cred,
  98                                   const char *(*username_cb) (struct cli_credentials *))
  99 {
 100         if (cred->username_obtained < CRED_CALLBACK) {
 101                 cred->username_cb = username_cb;
 102                 cred->username_obtained = CRED_CALLBACK;
 103                 return True;
 104         }
 105
 106         return False;
 107 }
 108
 109 BOOL cli_credentials_set_bind_dn(struct cli_credentials *cred,
 110                                  const char *bind_dn)
 111 {
 112         cred->bind_dn = talloc_strdup(cred, bind_dn);
 113         return True;
 114 }
 115
 116 /**
 117  * Obtain the BIND DN for this credentials context.
 118  * @param cred credentials context
 119  * @retval The username set on this context.
 120  * @note Return value will be NULL if not specified explictly
 121  */
 122 const char *cli_credentials_get_bind_dn(struct cli_credentials *cred)
 123 {
 124         return cred->bind_dn;
 125 }
 126
 127
 128 /**
 129  * Obtain the client principal for this credentials context.
 130  * @param cred credentials context
 131  * @retval The username set on this context.
 132  * @note Return value will never be NULL except by programmer error.
 133  */
 134 const char *cli_credentials_get_principal(struct cli_credentials *cred, TALLOC_CTX *mem_ctx)
 135 {
 136         if (cred->machine_account_pending) {
 137                 cli_credentials_set_machine_account(cred);
 138         }
 139
 140         if (cred->principal_obtained == CRED_CALLBACK) {
 141                 cred->principal = cred->principal_cb(cred);
 142                 cred->principal_obtained = CRED_SPECIFIED;
 143         }
 144
 145         if (cred->principal_obtained < cred->username_obtained) {
 146                 if (cred->domain_obtained > cred->realm_obtained) {
 147                         return talloc_asprintf(mem_ctx, "%s@%s",
 148                                                cli_credentials_get_username(cred),
 149                                                cli_credentials_get_domain(cred));
 150                 } else {
 151                         return talloc_asprintf(mem_ctx, "%s@%s",
 152                                                cli_credentials_get_username(cred),
 153                                                cli_credentials_get_realm(cred));
 154                 }
 155         }
 156         return talloc_reference(mem_ctx, cred->principal);
 157 }
 158
 159 BOOL cli_credentials_set_principal(struct cli_credentials *cred,
 160                                    const char *val,
 161                                    enum credentials_obtained obtained)
 162 {
 163         if (obtained >= cred->principal_obtained) {
 164                 cred->principal = talloc_strdup(cred, val);
 165                 cred->principal_obtained = obtained;
 166                 return True;
 167         }
 168
 169         return False;
 170 }
 171
 172 /* Set a callback to get the principal.  This could be a popup dialog,
 173  * a terminal prompt or similar.  */
 174
 175 BOOL cli_credentials_set_principal_callback(struct cli_credentials *cred,
 176                                   const char *(*principal_cb) (struct cli_credentials *))
 177 {
 178         if (cred->principal_obtained < CRED_CALLBACK) {
 179                 cred->principal_cb = principal_cb;
 180                 cred->principal_obtained = CRED_CALLBACK;
 181                 return True;
 182         }
 183
 184         return False;
 185 }
 186
 187 /* Some of our tools are 'anonymous by default'.  This is a single
 188  * function to determine if authentication has been explicitly
 189  * requested */
 190
 191 BOOL cli_credentials_authentication_requested(struct cli_credentials *cred)
 192 {
 193         if (cred->bind_dn) {
 194                 return True;
 195         }
 196
 197         if (cred->machine_account_pending) {
 198                 cli_credentials_set_machine_account(cred);
 199         }
 200
 201         if (cred->principal_obtained >= CRED_SPECIFIED) {
 202                 return True;
 203         }
 204         if (cred->username_obtained >= CRED_SPECIFIED) {
 205                 return True;
 206         }
 207         return False;
 208 }
 209
 210 /**
 211  * Obtain the password for this credentials context.
 212  * @param cred credentials context
 213  * @retval If set, the cleartext password, otherwise NULL
 214  */
 215 const char *cli_credentials_get_password(struct cli_credentials *cred)
 216 {
 217         if (cred->machine_account_pending) {
 218                 cli_credentials_set_machine_account(cred);
 219         }
 220
 221         if (cred->password_obtained == CRED_CALLBACK) {
 222                 cred->password = cred->password_cb(cred);
 223                 cred->password_obtained = CRED_SPECIFIED;
 224         }
 225
 226         return cred->password;
 227 }
 228
 229 /* Set a password on the credentials context, including an indication
 230  * of 'how' the password was obtained */
 231
 232 BOOL cli_credentials_set_password(struct cli_credentials *cred,
 233                                   const char *val,
 234                                   enum credentials_obtained obtained)
 235 {
 236         if (obtained >= cred->password_obtained) {
 237                 cred->password = talloc_strdup(cred, val);
 238                 cred->password_obtained = obtained;
 239
 240                 cred->nt_hash = NULL;
 241                 return True;
 242         }
 243
 244         return False;
 245 }
 246
 247 BOOL cli_credentials_set_password_callback(struct cli_credentials *cred,
 248                                            const char *(*password_cb) (struct cli_credentials *))
 249 {
 250         if (cred->password_obtained < CRED_CALLBACK) {
 251                 cred->password_cb = password_cb;
 252                 cred->password_obtained = CRED_CALLBACK;
 253                 return True;
 254         }
 255
 256         return False;
 257 }
 258
 259 /**
 260  * Obtain the 'old' password for this credentials context (used for join accounts).
 261  * @param cred credentials context
 262  * @retval If set, the cleartext password, otherwise NULL
 263  */
 264 const char *cli_credentials_get_old_password(struct cli_credentials *cred)
 265 {
 266         if (cred->machine_account_pending) {
 267                 cli_credentials_set_machine_account(cred);
 268         }
 269
 270         return cred->old_password;
 271 }
 272
 273 BOOL cli_credentials_set_old_password(struct cli_credentials *cred,
 274                                       const char *val,
 275                                       enum credentials_obtained obtained)
 276 {
 277         cred->old_password = talloc_strdup(cred, val);
 278         return True;
 279 }
 280
 281 /**
 282  * Obtain the password, in the form MD4(unicode(password)) for this credentials context.
 283  *
 284  * Sometimes we only have this much of the password, while the rest of
 285  * the time this call avoids calling E_md4hash themselves.
 286  *
 287  * @param cred credentials context
 288  * @retval If set, the cleartext password, otherwise NULL
 289  */
 290 const struct samr_Password *cli_credentials_get_nt_hash(struct cli_credentials *cred,
 291                                                         TALLOC_CTX *mem_ctx)
 292 {
 293         const char *password = cli_credentials_get_password(cred);
 294
 295         if (password) {
 296                 struct samr_Password *nt_hash = talloc(mem_ctx, struct samr_Password);
 297                 if (!nt_hash) {
 298                         return NULL;
 299                 }
 300
 301                 E_md4hash(password, nt_hash->hash);
 302
 303                 return nt_hash;
 304         } else {
 305                 return cred->nt_hash;
 306         }
 307 }
 308
 309 BOOL cli_credentials_set_nt_hash(struct cli_credentials *cred,
 310                                  const struct samr_Password *nt_hash,
 311                                  enum credentials_obtained obtained)
 312 {
 313         if (obtained >= cred->password_obtained) {
 314                 cli_credentials_set_password(cred, NULL, obtained);
 315                 cred->nt_hash = talloc(cred, struct samr_Password);
 316                 *cred->nt_hash = *nt_hash;
 317                 return True;
 318         }
 319
 320         return False;
 321 }
 322
 323 /**
 324  * Obtain the 'short' or 'NetBIOS' domain for this credentials context.
 325  * @param cred credentials context
 326  * @retval The domain set on this context.
 327  * @note Return value will never be NULL except by programmer error.
 328  */
 329 const char *cli_credentials_get_domain(struct cli_credentials *cred)
 330 {
 331         if (cred->machine_account_pending) {
 332                 cli_credentials_set_machine_account(cred);
 333         }
 334
 335         if (cred->domain_obtained == CRED_CALLBACK) {
 336                 cred->domain = cred->domain_cb(cred);
 337                 cred->domain_obtained = CRED_SPECIFIED;
 338         }
 339
 340         return cred->domain;
 341 }
 342
 343
 344 BOOL cli_credentials_set_domain(struct cli_credentials *cred,
 345                                 const char *val,
 346                                 enum credentials_obtained obtained)
 347 {
 348         if (obtained >= cred->domain_obtained) {
 349                 /* it is important that the domain be in upper case,
 350                  * particularly for the sensitive NTLMv2
 351                  * calculations */
 352                 cred->domain = strupper_talloc(cred, val);
 353                 cred->domain_obtained = obtained;
 354                 return True;
 355         }
 356
 357         return False;
 358 }
 359
 360 BOOL cli_credentials_set_domain_callback(struct cli_credentials *cred,
 361                                          const char *(*domain_cb) (struct cli_credentials *))
 362 {
 363         if (cred->domain_obtained < CRED_CALLBACK) {
 364                 cred->domain_cb = domain_cb;
 365                 cred->domain_obtained = CRED_CALLBACK;
 366                 return True;
 367         }
 368
 369         return False;
 370 }
 371
 372 /**
 373  * Obtain the Kerberos realm for this credentials context.
 374  * @param cred credentials context
 375  * @retval The realm set on this context.
 376  * @note Return value will never be NULL except by programmer error.
 377  */
 378 const char *cli_credentials_get_realm(struct cli_credentials *cred)
 379 {
 380         if (cred->machine_account_pending) {
 381                 cli_credentials_set_machine_account(cred);
 382         }
 383
 384         if (cred->realm_obtained == CRED_CALLBACK) {
 385                 cred->realm = cred->realm_cb(cred);
 386                 cred->realm_obtained = CRED_SPECIFIED;
 387         }
 388
 389         return cred->realm;
 390 }
 391
 392 /**
 393  * Set the realm for this credentials context, and force it to
 394  * uppercase for the sainity of our local kerberos libraries
 395  */
 396 BOOL cli_credentials_set_realm(struct cli_credentials *cred,
 397                                const char *val,
 398                                enum credentials_obtained obtained)
 399 {
 400         if (obtained >= cred->realm_obtained) {
 401                 cred->realm = strupper_talloc(cred, val);
 402                 cred->realm_obtained = obtained;
 403                 return True;
 404         }
 405
 406         return False;
 407 }
 408
 409 BOOL cli_credentials_set_realm_callback(struct cli_credentials *cred,
 410                                         const char *(*realm_cb) (struct cli_credentials *))
 411 {
 412         if (cred->realm_obtained < CRED_CALLBACK) {
 413                 cred->realm_cb = realm_cb;
 414                 cred->realm_obtained = CRED_CALLBACK;
 415                 return True;
 416         }
 417
 418         return False;
 419 }
 420
 421 /**
 422  * Obtain the 'short' or 'NetBIOS' workstation name for this credentials context.
 423  *
 424  * @param cred credentials context
 425  * @retval The workstation name set on this context.
 426  * @note Return value will never be NULL except by programmer error.
 427  */
 428 const char *cli_credentials_get_workstation(struct cli_credentials *cred)
 429 {
 430         if (cred->workstation_obtained == CRED_CALLBACK) {
 431                 cred->workstation = cred->workstation_cb(cred);
 432                 cred->workstation_obtained = CRED_SPECIFIED;
 433         }
 434
 435         return cred->workstation;
 436 }
 437
 438 BOOL cli_credentials_set_workstation(struct cli_credentials *cred,
 439                                      const char *val,
 440                                      enum credentials_obtained obtained)
 441 {
 442         if (obtained >= cred->workstation_obtained) {
 443                 cred->workstation = talloc_strdup(cred, val);
 444                 cred->workstation_obtained = obtained;
 445                 return True;
 446         }
 447
 448         return False;
 449 }
 450
 451 BOOL cli_credentials_set_workstation_callback(struct cli_credentials *cred,
 452                                               const char *(*workstation_cb) (struct cli_credentials *))
 453 {
 454         if (cred->workstation_obtained < CRED_CALLBACK) {
 455                 cred->workstation_cb = workstation_cb;
 456                 cred->workstation_obtained = CRED_CALLBACK;
 457                 return True;
 458         }
 459
 460         return False;
 461 }
 462
 463 /**
 464  * Given a string, typically obtained from a -U argument, parse it into domain, username, realm and password fields
 465  *
 466  * The format accepted is [domain\\]user[%password] or user[@realm][%password]
 467  *
 468  * @param credentials Credentials structure on which to set the password
 469  * @param data the string containing the username, password etc
 470  * @param obtained This enum describes how 'specified' this password is
 471  */
 472
 473 void cli_credentials_parse_string(struct cli_credentials *credentials, const char *data, enum credentials_obtained obtained)
 474 {
 475         char *uname, *p;
 476
 477         if (strcmp("%",data) == 0) {
 478                 cli_credentials_set_anonymous(credentials);
 479                 return;
 480         }
 481
 482         uname = talloc_strdup(credentials, data);
 483         if ((p = strchr_m(uname,'%'))) {
 484                 *p = 0;
 485                 cli_credentials_set_password(credentials, p+1, obtained);
 486         }
 487
 488         if ((p = strchr_m(uname,'@'))) {
 489                 cli_credentials_set_principal(credentials, uname, obtained);
 490                 *p = 0;
 491                 cli_credentials_set_realm(credentials, p+1, obtained);
 492                 return;
 493         } else if ((p = strchr_m(uname,'\\')) || (p = strchr_m(uname, '/'))) {
 494                 *p = 0;
 495                 cli_credentials_set_domain(credentials, uname, obtained);
 496                 uname = p+1;
 497         }
 498         cli_credentials_set_username(credentials, uname, obtained);
 499 }
 500
 501 /**
 502  * Specifies default values for domain, workstation and realm
 503  * from the smb.conf configuration file
 504  *
 505  * @param cred Credentials structure to fill in
 506  */
 507 void cli_credentials_set_conf(struct cli_credentials *cred)
 508 {
 509         cli_credentials_set_username(cred, "", CRED_UNINITIALISED);
 510         cli_credentials_set_domain(cred, lp_workgroup(), CRED_UNINITIALISED);
 511         cli_credentials_set_workstation(cred, lp_netbios_name(), CRED_UNINITIALISED);
 512         cli_credentials_set_realm(cred, lp_realm(), CRED_UNINITIALISED);
 513 }
 514
 515 /**
 516  * Guess defaults for credentials from environment variables,
 517  * and from the configuration file
 518  *
 519  * @param cred Credentials structure to fill in
 520  */
 521 void cli_credentials_guess(struct cli_credentials *cred)
 522 {
 523         char *p;
 524
 525         cli_credentials_set_conf(cred);
 526
 527         if (getenv("LOGNAME")) {
 528                 cli_credentials_set_username(cred, getenv("LOGNAME"), CRED_GUESS_ENV);
 529         }
 530
 531         if (getenv("USER")) {
 532                 cli_credentials_parse_string(cred, getenv("USER"), CRED_GUESS_ENV);
 533                 if ((p = strchr_m(getenv("USER"),'%'))) {
 534                         memset(p,0,strlen(cred->password));
 535                 }
 536         }
 537
 538         if (getenv("DOMAIN")) {
 539                 cli_credentials_set_domain(cred, getenv("DOMAIN"), CRED_GUESS_ENV);
 540         }
 541
 542         if (getenv("PASSWD")) {
 543                 cli_credentials_set_password(cred, getenv("PASSWD"), CRED_GUESS_ENV);
 544         }
 545
 546         if (getenv("PASSWD_FD")) {
 547                 cli_credentials_parse_password_fd(cred, atoi(getenv("PASSWD_FD")), CRED_GUESS_FILE);
 548         }
 549
 550         if (getenv("PASSWD_FILE")) {
 551                 cli_credentials_parse_password_file(cred, getenv("PASSWD_FILE"), CRED_GUESS_FILE);
 552         }
 553
 554         cli_credentials_set_ccache(cred, NULL, CRED_GUESS_FILE);
 555 }
 556
 557 /**
 558  * Attach NETLOGON credentials for use with SCHANNEL
 559  */
 560
 561 void cli_credentials_set_netlogon_creds(struct cli_credentials *cred,
 562                                         struct creds_CredentialState *netlogon_creds)
 563 {
 564         cred->netlogon_creds = talloc_reference(cred, netlogon_creds);
 565 }
 566
 567 /**
 568  * Return attached NETLOGON credentials
 569  */
 570
 571 struct creds_CredentialState *cli_credentials_get_netlogon_creds(struct cli_credentials *cred)
 572 {
 573         return cred->netlogon_creds;
 574 }
 575
 576 /**
 577  * Set NETLOGON secure channel type
 578  */
 579
 580 void cli_credentials_set_secure_channel_type(struct cli_credentials *cred,
 581                                              enum netr_SchannelType secure_channel_type)
 582 {
 583         cred->secure_channel_type = secure_channel_type;
 584 }
 585
 586 /**
 587  * Return NETLOGON secure chanel type
 588  */
 589
 590 enum netr_SchannelType cli_credentials_get_secure_channel_type(struct cli_credentials *cred)
 591 {
 592         return cred->secure_channel_type;
 593 }
 594
 595 /**
 596  * Fill in a credentials structure as the anonymous user
 597  */
 598 void cli_credentials_set_anonymous(struct cli_credentials *cred)
 599 {
 600         cli_credentials_set_username(cred, "", CRED_SPECIFIED);
 601         cli_credentials_set_domain(cred, "", CRED_SPECIFIED);
 602         cli_credentials_set_password(cred, NULL, CRED_SPECIFIED);
 603 }
 604
 605 /**
 606  * Describe a credentials context as anonymous or authenticated
 607  * @retval True if anonymous, False if a username is specified
 608  */
 609
 610 BOOL cli_credentials_is_anonymous(struct cli_credentials *cred)
 611 {
 612         const char *username;
 613
 614         if (cred->machine_account_pending) {
 615                 cli_credentials_set_machine_account(cred);
 616         }
 617
 618         username = cli_credentials_get_username(cred);
 619
 620         /* Yes, it is deliberate that we die if we have a NULL pointer
 621          * here - anonymous is "", not NULL, which is 'never specified,
 622          * never guessed', ie programmer bug */
 623         if (!username[0]) {
 624                 return True;
 625         }
 626
 627         return False;
 628 }