s4-credentials: added ability to control forwardable attribute on krb5 tickets
1 /* 
2    samba -- Unix SMB/CIFS implementation.
3
4    Client credentials structure
5
6    Copyright (C) Jelmer Vernooij 2004-2006
7    Copyright (C) Andrew Bartlett <abartlet@samba.org> 2005
8
9    This program is free software; you can redistribute it and/or modify
10    it under the terms of the GNU General Public License as published by
11    the Free Software Foundation; either version 3 of the License, or
12    (at your option) any later version.
13    
14    This program is distributed in the hope that it will be useful,
15    but WITHOUT ANY WARRANTY; without even the implied warranty of
16    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
17    GNU General Public License for more details.
18    
19    You should have received a copy of the GNU General Public License
20    along with this program.  If not, see <http://www.gnu.org/licenses/>.
21 */
22 #ifndef __CREDENTIALS_H__
23 #define __CREDENTIALS_H__
24
25 #include "../lib/util/data_blob.h"
26 #include "librpc/gen_ndr/misc.h"
27
/* Opaque types: this header only ever passes pointers to them, so their
 * definitions are not needed here. */
struct ccache_container;
struct tevent_context;
30
31 /* In order of priority */
/*
 * Where a credential value came from.  The enumerators are ordered by
 * priority (lowest first); the *_threshold fields in struct cli_credentials
 * are described as a MAX() over several of these, so the numeric ordering
 * is significant and new values must not be inserted arbitrarily.
 */
enum credentials_obtained { 
        CRED_UNINITIALISED = 0,  /* We don't even have a guess yet */
        CRED_CALLBACK,           /* Callback should be used to obtain value */
        CRED_GUESS_ENV,          /* Current value should be used, which was guessed */
        CRED_GUESS_FILE,         /* A guess from a file (or file pointed at in env variable) */
        CRED_CALLBACK_RESULT,    /* Value was obtained from a callback */
        CRED_SPECIFIED           /* Was explicitly specified on the command-line */
};
40
/* Policy for whether Kerberos should be attempted for these credentials.
 * CRED_MUST_USE_KERBEROS is the choice when a fallback to NTLM is not
 * acceptable (e.g. to avoid downgrade to a weaker mechanism). */
enum credentials_use_kerberos {
        CRED_AUTO_USE_KERBEROS = 0, /* Default, we try kerberos if available */
        CRED_DONT_USE_KERBEROS,     /* Sometimes trying kerberos just does 'bad things', so don't */
        CRED_MUST_USE_KERBEROS      /* Sometimes administrators are paranoid, so always do kerberos */
};
46
/*
 * Whether the Kerberos ticket obtained for these credentials should carry
 * the FORWARDABLE flag.  A forwardable ticket lets the service we
 * authenticate to obtain further tickets on our behalf (delegation), so
 * CRED_NO_KRB_FORWARDABLE is the conservative setting whenever delegation
 * is not actually required.  CRED_AUTO_KRB_FORWARDABLE defers to the
 * Kerberos library / configuration defaults.
 */
enum credentials_krb_forwardable {
        CRED_AUTO_KRB_FORWARDABLE = 0, /* Default, follow library defaults */
        CRED_NO_KRB_FORWARDABLE,       /* not forwardable */
        CRED_FORCE_KRB_FORWARDABLE     /* forwardable */
};
52
/*
 * NTLM feature bits.  These are powers of two and so can be OR-ed together;
 * presumably they travel in the `int *flags` argument of
 * cli_credentials_get_ntlm_response() -- confirm against the implementation.
 * LANMAN responses and cleartext authentication are legacy, weak mechanisms
 * and should only be enabled where a peer genuinely requires them.
 */
#define CLI_CRED_NTLM2       0x01
#define CLI_CRED_NTLMv2_AUTH 0x02
#define CLI_CRED_LANMAN_AUTH 0x04
#define CLI_CRED_NTLM_AUTH   0x08
#define CLI_CRED_CLEAR_AUTH  0x10   /* TODO:  Push cleartext auth with this flag */
58
/*
 * Client credentials: everything needed to authenticate as a given
 * identity, plus bookkeeping about where each value came from.
 *
 * Several fields hold secrets in cleartext (password, old_password,
 * nt_hash, the NTLM responses).  Nothing in this header shows how or when
 * they are wiped -- NOTE(review): confirm the implementation's handling
 * before relying on this structure in long-lived processes.
 */
struct cli_credentials {
        /* Source of each individual value; see enum credentials_obtained.
         * The *_obtained field is expected to be consulted before the
         * corresponding value is trusted over another source. */
        enum credentials_obtained workstation_obtained;
        enum credentials_obtained username_obtained;
        enum credentials_obtained password_obtained;
        enum credentials_obtained domain_obtained;
        enum credentials_obtained realm_obtained;
        enum credentials_obtained ccache_obtained;
        enum credentials_obtained client_gss_creds_obtained;
        enum credentials_obtained principal_obtained;
        enum credentials_obtained keytab_obtained;
        enum credentials_obtained server_gss_creds_obtained;

        /* Threshold values (essentially a MAX() over a number of the
         * above) for the ccache and GSS credentials, to ensure we
         * regenerate/pick correctly */

        enum credentials_obtained ccache_threshold;
        enum credentials_obtained client_gss_creds_threshold;

        const char *workstation;
        const char *username;
        /* Cleartext password, and the previous one (useful across a
         * password change).  Both are secrets. */
        const char *password;
        const char *old_password;
        const char *domain;
        const char *realm;
        const char *principal;
        /* Non-const: presumably allocated by the setters below rather than
         * borrowed from the caller -- confirm in the implementation. */
        char *salt_principal;
        char *impersonate_principal;
        char *target_service;

        /* Bind DN for LDAP simple binds (see cli_credentials_set_bind_dn) */
        const char *bind_dn;

        /* Allows authentication from a keytab or similar.
         * The NT hash is password-equivalent: anyone holding it can
         * authenticate as this user, so treat it like the cleartext. */
        struct samr_Password *nt_hash;

        /* Allows NTLM pass-though authentication: pre-computed responses
         * supplied by a caller instead of a password. */
        DATA_BLOB lm_response;
        DATA_BLOB nt_response;

        /* Kerberos material: credential cache, GSSAPI client/server
         * credentials and keytab.  All are opaque here. */
        struct ccache_container *ccache;
        struct gssapi_creds_container *client_gss_creds;
        struct keytab_container *keytab;
        struct gssapi_creds_container *server_gss_creds;

        /* Callbacks used to obtain a value lazily (CRED_CALLBACK);
         * each receives this structure and returns the value. */
        const char *(*workstation_cb) (struct cli_credentials *);
        const char *(*password_cb) (struct cli_credentials *);
        const char *(*username_cb) (struct cli_credentials *);
        const char *(*domain_cb) (struct cli_credentials *);
        const char *(*realm_cb) (struct cli_credentials *);
        const char *(*principal_cb) (struct cli_credentials *);

        /* Private handle for the callback routines to use */
        void *priv_data;

        /* Netlogon secure-channel state for machine-account authentication */
        struct netlogon_creds_CredentialState *netlogon_creds;
        enum netr_SchannelType secure_channel_type;
        /* Key version number of the machine account / keytab entry */
        int kvno;
        time_t password_last_changed_time;

        struct smb_krb5_context *smb_krb5_context;

        /* We are flagged to get machine account details from the
         * secrets.ldb when we are asked for a username or password */
        bool machine_account_pending;
        struct loadparm_context *machine_account_pending_lp_ctx;
        
        /* Is this a machine account? */
        bool machine_account;

        /* Should we be trying to use kerberos? */
        enum credentials_use_kerberos use_kerberos;

        /* Should we get a forwardable ticket?  Forwardable tickets permit
         * delegation, so leave this at the default or "no" unless a
         * service genuinely needs to act on our behalf. */
        enum credentials_krb_forwardable krb_forwardable;

        /* gensec features which should be used for connections */
        uint32_t gensec_features;

        /* Number of retries left before bailing out */
        int tries;

        /* Whether any callback is currently running (guards against
         * re-entering a callback from within itself) */
        bool callback_running;
};
143
/* Further opaque types referenced only by pointer in the prototypes below.
 * (struct ccache_container is declared a second time here; harmless.) */
struct ldb_context;
struct loadparm_context;
struct ccache_container;

struct gssapi_creds_container;
149
/*
 * Public API.
 *
 * Conventions visible from the prototypes:
 *  - Setters that take an `enum credentials_obtained` record where the
 *    value came from and return bool; presumably a lower-priority source
 *    cannot overwrite a higher one (see the enum ordering) -- confirm in
 *    the implementation.
 *  - Functions returning int are Kerberos/GSSAPI-style error codes;
 *    those returning NTSTATUS follow the NT status convention.  Check
 *    every return value.
 *  - `error_string` out-parameters receive a human-readable reason on
 *    failure.
 *  - `TALLOC_CTX *mem_ctx` parameters denote the allocation context for
 *    returned or parsed data.
 */

/* Workstation name */
const char *cli_credentials_get_workstation(struct cli_credentials *cred);
bool cli_credentials_set_workstation(struct cli_credentials *cred, 
                                     const char *val, 
                                     enum credentials_obtained obtained);

/* Anonymous credentials: no identity, no password */
bool cli_credentials_is_anonymous(struct cli_credentials *cred);
struct cli_credentials *cli_credentials_init(TALLOC_CTX *mem_ctx);
void cli_credentials_set_anonymous(struct cli_credentials *cred);

/* Returns true if the last attempt is considered a wrong-password failure
 * (presumably tied to the `tries` counter -- confirm). */
bool cli_credentials_wrong_password(struct cli_credentials *cred);

/* Cleartext password; the returned pointer is a secret. */
const char *cli_credentials_get_password(struct cli_credentials *cred);

/* Username/domain pair as needed for NTLM, allocated on mem_ctx. */
void cli_credentials_get_ntlm_username_domain(struct cli_credentials *cred, TALLOC_CTX *mem_ctx, 
                                              const char **username, 
                                              const char **domain);

/*
 * Compute the LM/NT responses (and session keys) for an NTLM challenge.
 * `flags` is passed by pointer and so may be updated by the call
 * (presumably the CLI_CRED_* bits -- confirm).  The session keys are
 * secrets.
 */
NTSTATUS cli_credentials_get_ntlm_response(struct cli_credentials *cred, TALLOC_CTX *mem_ctx, 
                                           int *flags,
                                           DATA_BLOB challenge, DATA_BLOB target_info, 
                                           DATA_BLOB *_lm_response, DATA_BLOB *_nt_response, 
                                           DATA_BLOB *_lm_session_key, DATA_BLOB *_session_key);
const char *cli_credentials_get_realm(struct cli_credentials *cred);
const char *cli_credentials_get_username(struct cli_credentials *cred);

/* Kerberos context, credential cache and keytab access.  All return an
 * int error code (0 on success). */
int cli_credentials_get_krb5_context(struct cli_credentials *cred, 
                                     struct tevent_context *event_ctx,
                                     struct loadparm_context *lp_ctx,
                                     struct smb_krb5_context **smb_krb5_context);
int cli_credentials_get_ccache(struct cli_credentials *cred, 
                               struct tevent_context *event_ctx,
                               struct loadparm_context *lp_ctx,
                               struct ccache_container **ccc,
                               const char **error_string);
int cli_credentials_get_named_ccache(struct cli_credentials *cred, 
                                     struct tevent_context *event_ctx,
                                     struct loadparm_context *lp_ctx,
                                     char *ccache_name,
                                     struct ccache_container **ccc, const char **error_string);
int cli_credentials_get_keytab(struct cli_credentials *cred, 
                               struct tevent_context *event_ctx,
                               struct loadparm_context *lp_ctx,
                               struct keytab_container **_ktc);
const char *cli_credentials_get_domain(struct cli_credentials *cred);
struct netlogon_creds_CredentialState *cli_credentials_get_netlogon_creds(struct cli_credentials *cred);

/* Machine-account handling: defer loading from secrets until needed, or
 * populate from the smb.conf context immediately. */
void cli_credentials_set_machine_account_pending(struct cli_credentials *cred,
                                                 struct loadparm_context *lp_ctx);
void cli_credentials_set_conf(struct cli_credentials *cred, 
                              struct loadparm_context *lp_ctx);
const char *cli_credentials_get_principal(struct cli_credentials *cred, TALLOC_CTX *mem_ctx);

/* GSSAPI credentials for acting as a server or as a client. */
int cli_credentials_get_server_gss_creds(struct cli_credentials *cred, 
                                         struct tevent_context *event_ctx,
                                         struct loadparm_context *lp_ctx,
                                         struct gssapi_creds_container **_gcc);
int cli_credentials_get_client_gss_creds(struct cli_credentials *cred, 
                                         struct tevent_context *event_ctx,
                                         struct loadparm_context *lp_ctx,
                                         struct gssapi_creds_container **_gcc,
                                         const char **error_string);

/* Kerberos policy: whether to use it at all, and whether the ticket
 * obtained should be forwardable (i.e. usable for delegation).  Prefer
 * CRED_NO_KRB_FORWARDABLE unless delegation is a requirement. */
void cli_credentials_set_kerberos_state(struct cli_credentials *creds, 
                                        enum credentials_use_kerberos use_kerberos);
void cli_credentials_set_krb_forwardable(struct cli_credentials *creds,
                                         enum credentials_krb_forwardable krb_forwardable);

/* Identity setters, each with a callback variant for lazy retrieval. */
bool cli_credentials_set_domain(struct cli_credentials *cred, 
                                const char *val, 
                                enum credentials_obtained obtained);
bool cli_credentials_set_domain_callback(struct cli_credentials *cred,
                                         const char *(*domain_cb) (struct cli_credentials *));
bool cli_credentials_set_username(struct cli_credentials *cred, 
                                  const char *val, enum credentials_obtained obtained);
bool cli_credentials_set_username_callback(struct cli_credentials *cred,
                                  const char *(*username_cb) (struct cli_credentials *));
bool cli_credentials_set_principal(struct cli_credentials *cred, 
                                   const char *val, 
                                   enum credentials_obtained obtained);
bool cli_credentials_set_principal_callback(struct cli_credentials *cred,
                                  const char *(*principal_cb) (struct cli_credentials *));
bool cli_credentials_set_password(struct cli_credentials *cred, 
                                  const char *val, 
                                  enum credentials_obtained obtained);
struct cli_credentials *cli_credentials_init_anon(TALLOC_CTX *mem_ctx);

/* Parse a combined "user[%password]"-style string (exact grammar is
 * defined by the implementation, not here).  Note that a password given
 * on the command line is visible to other users via the process list. */
void cli_credentials_parse_string(struct cli_credentials *credentials, const char *data, enum credentials_obtained obtained);
const struct samr_Password *cli_credentials_get_nt_hash(struct cli_credentials *cred, 
                                                        TALLOC_CTX *mem_ctx);
bool cli_credentials_set_realm(struct cli_credentials *cred, 
                               const char *val, 
                               enum credentials_obtained obtained);

/* Netlogon / secure channel state */
void cli_credentials_set_secure_channel_type(struct cli_credentials *cred,
                                     enum netr_SchannelType secure_channel_type);
void cli_credentials_set_password_last_changed_time(struct cli_credentials *cred,
                                                             time_t last_change_time);
void cli_credentials_set_netlogon_creds(struct cli_credentials *cred, 
                                        struct netlogon_creds_CredentialState *netlogon_creds);
NTSTATUS cli_credentials_set_krb5_context(struct cli_credentials *cred, 
                                          struct smb_krb5_context *smb_krb5_context);
NTSTATUS cli_credentials_set_stored_principal(struct cli_credentials *cred,
                                              struct tevent_context *event_ctx,
                                              struct loadparm_context *lp_ctx,
                                              const char *serviceprincipal);
NTSTATUS cli_credentials_set_machine_account(struct cli_credentials *cred,
                                             struct loadparm_context *lp_ctx);

/* True if the caller asked for (non-anonymous) authentication */
bool cli_credentials_authentication_requested(struct cli_credentials *cred);

/* Fill in unspecified values from the environment / config (CRED_GUESS_*) */
void cli_credentials_guess(struct cli_credentials *cred,
                           struct loadparm_context *lp_ctx);

/* LDAP simple-bind DN */
bool cli_credentials_set_bind_dn(struct cli_credentials *cred, 
                                 const char *bind_dn);
const char *cli_credentials_get_bind_dn(struct cli_credentials *cred);

/* Read credentials from a file (CRED_GUESS_FILE is the usual source).
 * Such files hold secrets: keep them owner-readable only. */
bool cli_credentials_parse_file(struct cli_credentials *cred, const char *file, enum credentials_obtained obtained);
const char *cli_credentials_get_unparsed_name(struct cli_credentials *credentials, TALLOC_CTX *mem_ctx);
bool cli_credentials_set_password_callback(struct cli_credentials *cred,
                                           const char *(*password_cb) (struct cli_credentials *));
enum netr_SchannelType cli_credentials_get_secure_channel_type(struct cli_credentials *cred);
time_t cli_credentials_get_password_last_changed_time(struct cli_credentials *cred);
void cli_credentials_set_kvno(struct cli_credentials *cred,
                              int kvno);

/* Password-equivalent material supplied directly (hash or precomputed
 * NTLM responses) instead of a cleartext password. */
bool cli_credentials_set_nt_hash(struct cli_credentials *cred,
                                 const struct samr_Password *nt_hash, 
                                 enum credentials_obtained obtained);
bool cli_credentials_set_ntlm_response(struct cli_credentials *cred,
                                       const DATA_BLOB *lm_response, 
                                       const DATA_BLOB *nt_response, 
                                       enum credentials_obtained obtained);

/* Keytab selection and maintenance */
int cli_credentials_set_keytab_name(struct cli_credentials *cred, 
                                    struct tevent_context *event_ctx,
                                    struct loadparm_context *lp_ctx,
                                    const char *keytab_name, 
                                    enum credentials_obtained obtained);
int cli_credentials_update_keytab(struct cli_credentials *cred, 
                                  struct tevent_context *event_ctx,
                                  struct loadparm_context *lp_ctx);

/* GENSEC feature bits requested for connections made with these creds */
void cli_credentials_set_gensec_features(struct cli_credentials *creds, uint32_t gensec_features);
uint32_t cli_credentials_get_gensec_features(struct cli_credentials *creds);

/* Select an existing Kerberos credential cache by name */
int cli_credentials_set_ccache(struct cli_credentials *cred, 
                               struct tevent_context *event_ctx,
                               struct loadparm_context *lp_ctx,
                               const char *name, 
                               enum credentials_obtained obtained,
                               const char **error_string);

/* Read only the password from a file or an already-open descriptor.
 * The fd variant avoids putting the secret on the command line or in a
 * world-readable path; the caller owns the descriptor. */
bool cli_credentials_parse_password_file(struct cli_credentials *credentials, const char *file, enum credentials_obtained obtained);
bool cli_credentials_parse_password_fd(struct cli_credentials *credentials, 
                                       int fd, enum credentials_obtained obtained);

/* Drop the cached ccache so it is regenerated, if `obtained` outranks
 * the current ccache_obtained (inferred from the parameter -- confirm). */
void cli_credentials_invalidate_ccache(struct cli_credentials *cred, 
                                       enum credentials_obtained obtained);

/* Kerberos principal variants: salt (for key derivation), impersonation
 * target (S4U-style) and the service to request a ticket for. */
void cli_credentials_set_salt_principal(struct cli_credentials *cred, const char *principal);
void cli_credentials_set_impersonate_principal(struct cli_credentials *cred, const char *principal);
void cli_credentials_set_target_service(struct cli_credentials *cred, const char *principal);
const char *cli_credentials_get_salt_principal(struct cli_credentials *cred);
const char *cli_credentials_get_impersonate_principal(struct cli_credentials *cred);
const char *cli_credentials_get_target_service(struct cli_credentials *cred);
enum credentials_use_kerberos cli_credentials_get_kerberos_state(struct cli_credentials *creds);
enum credentials_krb_forwardable cli_credentials_get_krb_forwardable(struct cli_credentials *creds);

/* Load machine credentials from an ldb (secrets database) using the given
 * base DN and filter.  Note: error_string is `char **` here, unlike the
 * `const char **` used by the other functions in this header. */
NTSTATUS cli_credentials_set_secrets(struct cli_credentials *cred, 
                                     struct tevent_context *event_ctx,
                                     struct loadparm_context *lp_ctx,
                                     struct ldb_context *ldb,
                                     const char *base,
                                     const char *filter, 
                                     char **error_string);
int cli_credentials_get_kvno(struct cli_credentials *cred);
303
304 #endif /* __CREDENTIALS_H__ */