2 samba -- Unix SMB/CIFS implementation.
4 Client credentials structure
6 Copyright (C) Jelmer Vernooij 2004-2006
7 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2005
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License as published by
11 the Free Software Foundation; either version 3 of the License, or
12 (at your option) any later version.
14 This program is distributed in the hope that it will be useful,
15 but WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 GNU General Public License for more details.
19 You should have received a copy of the GNU General Public License
20 along with this program. If not, see <http://www.gnu.org/licenses/>.
22 #ifndef __CREDENTIALS_H__
23 #define __CREDENTIALS_H__
25 #include "../lib/util/data_blob.h"
26 #include "librpc/gen_ndr/misc.h"
28 struct ccache_container;
29 struct tevent_context;
31 /* In order of priority */
32 enum credentials_obtained {
33 CRED_UNINITIALISED = 0, /* We don't even have a guess yet */
34 CRED_CALLBACK, /* Callback should be used to obtain value */
35 CRED_GUESS_ENV, /* Current value should be used, which was guessed */
36 CRED_GUESS_FILE, /* A guess from a file (or file pointed at in env variable) */
37 CRED_CALLBACK_RESULT, /* Value was obtained from a callback */
38 CRED_SPECIFIED /* Was explicitly specified on the command-line */
41 enum credentials_use_kerberos {
42 CRED_AUTO_USE_KERBEROS = 0, /* Default, we try kerberos if available */
43 CRED_DONT_USE_KERBEROS, /* Sometimes trying kerberos just does 'bad things', so don't */
44 CRED_MUST_USE_KERBEROS /* Sometimes administrators are parinoid, so always do kerberos */
47 #define CLI_CRED_NTLM2 0x01
48 #define CLI_CRED_NTLMv2_AUTH 0x02
49 #define CLI_CRED_LANMAN_AUTH 0x04
50 #define CLI_CRED_NTLM_AUTH 0x08
51 #define CLI_CRED_CLEAR_AUTH 0x10 /* TODO: Push cleartext auth with this flag */
53 struct cli_credentials {
54 enum credentials_obtained workstation_obtained;
55 enum credentials_obtained username_obtained;
56 enum credentials_obtained password_obtained;
57 enum credentials_obtained domain_obtained;
58 enum credentials_obtained realm_obtained;
59 enum credentials_obtained ccache_obtained;
60 enum credentials_obtained client_gss_creds_obtained;
61 enum credentials_obtained principal_obtained;
62 enum credentials_obtained keytab_obtained;
63 enum credentials_obtained server_gss_creds_obtained;
65 /* Threshold values (essentially a MAX() over a number of the
66 * above) for the ccache and GSS credentials, to ensure we
67 * regenerate/pick correctly */
69 enum credentials_obtained ccache_threshold;
70 enum credentials_obtained client_gss_creds_threshold;
72 const char *workstation;
75 const char *old_password;
78 const char *principal;
80 char *impersonate_principal;
85 /* Allows authentication from a keytab or similar */
86 struct samr_Password *nt_hash;
88 /* Allows NTLM pass-though authentication */
89 DATA_BLOB lm_response;
90 DATA_BLOB nt_response;
92 struct ccache_container *ccache;
93 struct gssapi_creds_container *client_gss_creds;
94 struct keytab_container *keytab;
95 struct gssapi_creds_container *server_gss_creds;
97 const char *(*workstation_cb) (struct cli_credentials *);
98 const char *(*password_cb) (struct cli_credentials *);
99 const char *(*username_cb) (struct cli_credentials *);
100 const char *(*domain_cb) (struct cli_credentials *);
101 const char *(*realm_cb) (struct cli_credentials *);
102 const char *(*principal_cb) (struct cli_credentials *);
104 /* Private handle for the callback routines to use */
107 struct netlogon_creds_CredentialState *netlogon_creds;
108 enum netr_SchannelType secure_channel_type;
110 time_t password_last_changed_time;
112 struct smb_krb5_context *smb_krb5_context;
114 /* We are flagged to get machine account details from the
115 * secrets.ldb when we are asked for a username or password */
116 bool machine_account_pending;
117 struct loadparm_context *machine_account_pending_lp_ctx;
119 /* Is this a machine account? */
120 bool machine_account;
122 /* Should we be trying to use kerberos? */
123 enum credentials_use_kerberos use_kerberos;
125 /* gensec features which should be used for connections */
126 uint32_t gensec_features;
128 /* Number of retries left before bailing out */
131 /* Whether any callback is currently running */
132 bool callback_running;
136 struct loadparm_context;
137 struct ccache_container;
139 struct gssapi_creds_container;
141 const char *cli_credentials_get_workstation(struct cli_credentials *cred);
142 bool cli_credentials_set_workstation(struct cli_credentials *cred,
144 enum credentials_obtained obtained);
145 bool cli_credentials_is_anonymous(struct cli_credentials *cred);
146 struct cli_credentials *cli_credentials_init(TALLOC_CTX *mem_ctx);
147 void cli_credentials_set_anonymous(struct cli_credentials *cred);
148 bool cli_credentials_wrong_password(struct cli_credentials *cred);
149 const char *cli_credentials_get_password(struct cli_credentials *cred);
150 void cli_credentials_get_ntlm_username_domain(struct cli_credentials *cred, TALLOC_CTX *mem_ctx,
151 const char **username,
152 const char **domain);
153 NTSTATUS cli_credentials_get_ntlm_response(struct cli_credentials *cred, TALLOC_CTX *mem_ctx,
155 DATA_BLOB challenge, DATA_BLOB target_info,
156 DATA_BLOB *_lm_response, DATA_BLOB *_nt_response,
157 DATA_BLOB *_lm_session_key, DATA_BLOB *_session_key);
158 const char *cli_credentials_get_realm(struct cli_credentials *cred);
159 const char *cli_credentials_get_username(struct cli_credentials *cred);
160 int cli_credentials_get_krb5_context(struct cli_credentials *cred,
161 struct tevent_context *event_ctx,
162 struct loadparm_context *lp_ctx,
163 struct smb_krb5_context **smb_krb5_context);
164 int cli_credentials_get_ccache(struct cli_credentials *cred,
165 struct tevent_context *event_ctx,
166 struct loadparm_context *lp_ctx,
167 struct ccache_container **ccc,
168 const char **error_string);
169 int cli_credentials_get_named_ccache(struct cli_credentials *cred,
170 struct tevent_context *event_ctx,
171 struct loadparm_context *lp_ctx,
173 struct ccache_container **ccc, const char **error_string);
174 int cli_credentials_get_keytab(struct cli_credentials *cred,
175 struct tevent_context *event_ctx,
176 struct loadparm_context *lp_ctx,
177 struct keytab_container **_ktc);
178 const char *cli_credentials_get_domain(struct cli_credentials *cred);
179 struct netlogon_creds_CredentialState *cli_credentials_get_netlogon_creds(struct cli_credentials *cred);
180 void cli_credentials_set_machine_account_pending(struct cli_credentials *cred,
181 struct loadparm_context *lp_ctx);
182 void cli_credentials_set_conf(struct cli_credentials *cred,
183 struct loadparm_context *lp_ctx);
184 const char *cli_credentials_get_principal(struct cli_credentials *cred, TALLOC_CTX *mem_ctx);
185 int cli_credentials_get_server_gss_creds(struct cli_credentials *cred,
186 struct tevent_context *event_ctx,
187 struct loadparm_context *lp_ctx,
188 struct gssapi_creds_container **_gcc);
189 int cli_credentials_get_client_gss_creds(struct cli_credentials *cred,
190 struct tevent_context *event_ctx,
191 struct loadparm_context *lp_ctx,
192 struct gssapi_creds_container **_gcc,
193 const char **error_string);
194 void cli_credentials_set_kerberos_state(struct cli_credentials *creds,
195 enum credentials_use_kerberos use_kerberos);
196 bool cli_credentials_set_domain(struct cli_credentials *cred,
198 enum credentials_obtained obtained);
199 bool cli_credentials_set_domain_callback(struct cli_credentials *cred,
200 const char *(*domain_cb) (struct cli_credentials *));
201 bool cli_credentials_set_username(struct cli_credentials *cred,
202 const char *val, enum credentials_obtained obtained);
203 bool cli_credentials_set_username_callback(struct cli_credentials *cred,
204 const char *(*username_cb) (struct cli_credentials *));
205 bool cli_credentials_set_principal(struct cli_credentials *cred,
207 enum credentials_obtained obtained);
208 bool cli_credentials_set_principal_callback(struct cli_credentials *cred,
209 const char *(*principal_cb) (struct cli_credentials *));
210 bool cli_credentials_set_password(struct cli_credentials *cred,
212 enum credentials_obtained obtained);
213 struct cli_credentials *cli_credentials_init_anon(TALLOC_CTX *mem_ctx);
214 void cli_credentials_parse_string(struct cli_credentials *credentials, const char *data, enum credentials_obtained obtained);
215 const struct samr_Password *cli_credentials_get_nt_hash(struct cli_credentials *cred,
216 TALLOC_CTX *mem_ctx);
217 bool cli_credentials_set_realm(struct cli_credentials *cred,
219 enum credentials_obtained obtained);
220 void cli_credentials_set_secure_channel_type(struct cli_credentials *cred,
221 enum netr_SchannelType secure_channel_type);
222 void cli_credentials_set_password_last_changed_time(struct cli_credentials *cred,
223 time_t last_change_time);
224 void cli_credentials_set_netlogon_creds(struct cli_credentials *cred,
225 struct netlogon_creds_CredentialState *netlogon_creds);
226 NTSTATUS cli_credentials_set_krb5_context(struct cli_credentials *cred,
227 struct smb_krb5_context *smb_krb5_context);
228 NTSTATUS cli_credentials_set_stored_principal(struct cli_credentials *cred,
229 struct tevent_context *event_ctx,
230 struct loadparm_context *lp_ctx,
231 const char *serviceprincipal);
232 NTSTATUS cli_credentials_set_machine_account(struct cli_credentials *cred,
233 struct loadparm_context *lp_ctx);
234 bool cli_credentials_authentication_requested(struct cli_credentials *cred);
235 void cli_credentials_guess(struct cli_credentials *cred,
236 struct loadparm_context *lp_ctx);
237 bool cli_credentials_set_bind_dn(struct cli_credentials *cred,
238 const char *bind_dn);
239 const char *cli_credentials_get_bind_dn(struct cli_credentials *cred);
240 bool cli_credentials_parse_file(struct cli_credentials *cred, const char *file, enum credentials_obtained obtained);
241 const char *cli_credentials_get_unparsed_name(struct cli_credentials *credentials, TALLOC_CTX *mem_ctx);
242 bool cli_credentials_set_password_callback(struct cli_credentials *cred,
243 const char *(*password_cb) (struct cli_credentials *));
244 enum netr_SchannelType cli_credentials_get_secure_channel_type(struct cli_credentials *cred);
245 time_t cli_credentials_get_password_last_changed_time(struct cli_credentials *cred);
246 void cli_credentials_set_kvno(struct cli_credentials *cred,
248 bool cli_credentials_set_nt_hash(struct cli_credentials *cred,
249 const struct samr_Password *nt_hash,
250 enum credentials_obtained obtained);
251 bool cli_credentials_set_ntlm_response(struct cli_credentials *cred,
252 const DATA_BLOB *lm_response,
253 const DATA_BLOB *nt_response,
254 enum credentials_obtained obtained);
255 int cli_credentials_set_keytab_name(struct cli_credentials *cred,
256 struct tevent_context *event_ctx,
257 struct loadparm_context *lp_ctx,
258 const char *keytab_name,
259 enum credentials_obtained obtained);
260 int cli_credentials_update_keytab(struct cli_credentials *cred,
261 struct tevent_context *event_ctx,
262 struct loadparm_context *lp_ctx);
263 void cli_credentials_set_gensec_features(struct cli_credentials *creds, uint32_t gensec_features);
264 uint32_t cli_credentials_get_gensec_features(struct cli_credentials *creds);
265 int cli_credentials_set_ccache(struct cli_credentials *cred,
266 struct tevent_context *event_ctx,
267 struct loadparm_context *lp_ctx,
269 enum credentials_obtained obtained,
270 const char **error_string);
271 bool cli_credentials_parse_password_file(struct cli_credentials *credentials, const char *file, enum credentials_obtained obtained);
272 bool cli_credentials_parse_password_fd(struct cli_credentials *credentials,
273 int fd, enum credentials_obtained obtained);
274 void cli_credentials_invalidate_ccache(struct cli_credentials *cred,
275 enum credentials_obtained obtained);
276 void cli_credentials_set_salt_principal(struct cli_credentials *cred, const char *principal);
277 void cli_credentials_set_impersonate_principal(struct cli_credentials *cred, const char *principal);
278 void cli_credentials_set_target_service(struct cli_credentials *cred, const char *principal);
279 const char *cli_credentials_get_salt_principal(struct cli_credentials *cred);
280 const char *cli_credentials_get_impersonate_principal(struct cli_credentials *cred);
281 const char *cli_credentials_get_target_service(struct cli_credentials *cred);
282 enum credentials_use_kerberos cli_credentials_get_kerberos_state(struct cli_credentials *creds);
283 NTSTATUS cli_credentials_set_secrets(struct cli_credentials *cred,
284 struct tevent_context *event_ctx,
285 struct loadparm_context *lp_ctx,
286 struct ldb_context *ldb,
289 char **error_string);
290 int cli_credentials_get_kvno(struct cli_credentials *cred);
292 #endif /* __CREDENTIALS_H__ */