1 /* 
2    samba -- Unix SMB/CIFS implementation.
3
4    Client credentials structure
5
6    Copyright (C) Jelmer Vernooij 2004-2006
7    Copyright (C) Andrew Bartlett <abartlet@samba.org> 2005
8
9    This program is free software; you can redistribute it and/or modify
10    it under the terms of the GNU General Public License as published by
11    the Free Software Foundation; either version 3 of the License, or
12    (at your option) any later version.
13    
14    This program is distributed in the hope that it will be useful,
15    but WITHOUT ANY WARRANTY; without even the implied warranty of
16    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
17    GNU General Public License for more details.
18    
19    You should have received a copy of the GNU General Public License
20    along with this program.  If not, see <http://www.gnu.org/licenses/>.
21 */
22 #ifndef __CREDENTIALS_H__
23 #define __CREDENTIALS_H__
24
25 #include "../lib/util/data_blob.h"
26 #include "librpc/gen_ndr/misc.h"
27
/* Opaque to users of this header: only forward-declared here and handled
 * through pointers; the definitions live elsewhere in the tree. */
struct ccache_container;
struct tevent_context;
30
/* How a credential value was obtained, in order of increasing priority.
 * A numerically higher value is meant to outrank a lower one (the
 * *_threshold fields of struct cli_credentials are described as a MAX()
 * over these), so keep the order when adding members.  Presumably the
 * setters refuse a value that is outranked by what is already recorded --
 * confirm in credentials.c. */
enum credentials_obtained { 
        CRED_UNINITIALISED = 0,  /* We don't even have a guess yet */
        CRED_CALLBACK,           /* Callback should be used to obtain value */
        CRED_GUESS_ENV,          /* Current value should be used, which was guessed (from the environment) */
        CRED_GUESS_FILE,         /* A guess from a file (or file pointed at in env variable) */
        CRED_CALLBACK_RESULT,    /* Value was obtained from a callback */
        CRED_SPECIFIED           /* Was explicitly specified on the command-line; highest priority */
};
40
/* Policy for whether Kerberos is attempted; read and written through
 * cli_credentials_get_kerberos_state()/cli_credentials_set_kerberos_state()
 * below.  CRED_MUST_USE_KERBEROS is the setting to pick when falling back
 * to another mechanism would be unacceptable. */
enum credentials_use_kerberos {
        CRED_AUTO_USE_KERBEROS = 0, /* Default, we try kerberos if available */
        CRED_DONT_USE_KERBEROS,     /* Sometimes trying kerberos just does 'bad things', so don't */
        CRED_MUST_USE_KERBEROS      /* Sometimes administrators are paranoid, so always do kerberos */
};
46
/* NTLM authentication option bits.  Each is a distinct power of two so they
 * can be OR-ed together; presumably these are the bits carried by the
 * 'int *flags' argument of cli_credentials_get_ntlm_response() -- confirm
 * against the definition.  LANMAN is the legacy, weak response scheme;
 * CLEAR_AUTH would send the password itself rather than a hash-derived
 * response, so it only ever belongs on an already-protected transport. */
#define CLI_CRED_NTLM2       0x01
#define CLI_CRED_NTLMv2_AUTH 0x02
#define CLI_CRED_LANMAN_AUTH 0x04
#define CLI_CRED_NTLM_AUTH   0x08
#define CLI_CRED_CLEAR_AUTH  0x10   /* TODO:  Push cleartext auth with this flag */
52
/*
 * One set of client credentials plus the Kerberos/netlogon state derived
 * from them.  Most value fields have a matching '<name>_obtained' entry
 * recording how, and with what priority, the value was set; see
 * enum credentials_obtained above.
 *
 * NOTE(review): this struct carries secrets in cleartext -- password,
 * old_password, nt_hash, lm_response/nt_response and whatever hangs off
 * the krb5 and netlogon members.  Whether they are scrubbed before the
 * talloc context is released is not visible from this header (confirm in
 * credentials.c); do not log or copy the struct wholesale.
 */
struct cli_credentials {
        /* Provenance/priority of the correspondingly named fields below. */
        enum credentials_obtained workstation_obtained;
        enum credentials_obtained username_obtained;
        enum credentials_obtained password_obtained;
        enum credentials_obtained domain_obtained;
        enum credentials_obtained realm_obtained;
        enum credentials_obtained ccache_obtained;
        enum credentials_obtained client_gss_creds_obtained;
        enum credentials_obtained principal_obtained;
        enum credentials_obtained keytab_obtained;
        enum credentials_obtained server_gss_creds_obtained;

        /* Threshold values (essentially a MAX() over a number of the
         * above) for the ccache and GSS credentials, to ensure we
         * regenerate/pick correctly */

        enum credentials_obtained ccache_threshold;
        enum credentials_obtained client_gss_creds_threshold;

        /* Identity strings.  old_password has no accessor declared in this
         * header.  The three non-const 'char *' members are written by the
         * cli_credentials_set_salt_principal()/..._impersonate_principal()/
         * ..._target_service() functions declared below. */
        const char *workstation;
        const char *username;
        const char *password;
        const char *old_password;
        const char *domain;
        const char *realm;
        const char *principal;
        char *salt_principal;
        char *impersonate_principal;
        char *target_service;

        /* DN used for LDAP binds (presumably simple bind).  No *_obtained
         * priority is tracked for it. */
        const char *bind_dn;

        /* Allows authentication from a keytab or similar.  An NT hash is
         * password-equivalent for NTLM purposes: protect it like the
         * password. */
        struct samr_Password *nt_hash;

        /* Allows NTLM pass-through authentication: pre-computed responses
         * handed in via cli_credentials_set_ntlm_response(). */
        DATA_BLOB lm_response;
        DATA_BLOB nt_response;

        /* Kerberos containers; opaque here, filled in by the
         * cli_credentials_get_ccache()/..._gss_creds()/..._keytab()
         * functions declared below. */
        struct ccache_container *ccache;
        struct gssapi_creds_container *client_gss_creds;
        struct keytab_container *keytab;
        struct gssapi_creds_container *server_gss_creds;

        /* Value providers, presumably consulted when the matching
         * *_obtained is CRED_CALLBACK.  Each receives this struct and can
         * reach its own state through priv_data. */
        const char *(*workstation_cb) (struct cli_credentials *);
        const char *(*password_cb) (struct cli_credentials *);
        const char *(*username_cb) (struct cli_credentials *);
        const char *(*domain_cb) (struct cli_credentials *);
        const char *(*realm_cb) (struct cli_credentials *);
        const char *(*principal_cb) (struct cli_credentials *);

        /* Private handle for the callback routines to use */
        void *priv_data;

        /* Netlogon secure-channel (schannel) state. */
        struct netlogon_creds_CredentialState *netlogon_creds;
        enum netr_SchannelType secure_channel_type;
        /* Kerberos key version number. */
        int kvno;
        time_t password_last_changed_time;

        struct smb_krb5_context *smb_krb5_context;

        /* We are flagged to get machine account details from the
         * secrets.ldb when we are asked for a username or password.
         * The lp_ctx recorded by cli_credentials_set_machine_account_pending()
         * is kept for that deferred lookup. */
        bool machine_account_pending;
        struct loadparm_context *machine_account_pending_lp_ctx;
        
        /* Is this a machine account? */
        bool machine_account;

        /* Should we be trying to use kerberos? */
        enum credentials_use_kerberos use_kerberos;

        /* gensec features which should be used for connections */
        uint32_t gensec_features;

        /* Number of retries left before bailing out */
        int tries;

        /* Whether any callback is currently running (presumably a
         * re-entrancy guard for the getters -- confirm) */
        bool callback_running;
};
134
/* Further opaque types, used only through pointers in the prototypes
 * below.  ccache_container is already forward-declared near the top of
 * this file; the repeat is legal C but redundant. */
struct ldb_context;
struct loadparm_context;
struct ccache_container;

struct gssapi_creds_container;
140
/*
 * Public API.  What the declarations alone establish:
 *  - every function takes the 'struct cli_credentials *' it works on as
 *    its first argument; setters that store a value also take the
 *    'enum credentials_obtained' priority that value arrived with;
 *  - return conventions are mixed (bool, int, NTSTATUS, void).  What a
 *    non-zero int means (errno value? krb5 error code?) is not visible
 *    here -- check the definition before relying on it;
 *  - a TALLOC_CTX *mem_ctx parameter presumably means the result is
 *    allocated on that context and owned by the caller -- confirm per
 *    function in credentials.c.
 * NOTE(review): the first parameter is usually spelled 'cred' but 'creds'
 * and 'credentials' also appear; harmless, worth unifying when these
 * declarations are next touched.
 */

/* Workstation (client machine) name. */
const char *cli_credentials_get_workstation(struct cli_credentials *cred);
bool cli_credentials_set_workstation(struct cli_credentials *cred, 
                                     const char *val, 
                                     enum credentials_obtained obtained);

/* Lifecycle and anonymous credentials.  cli_credentials_init() allocates
 * a new set on mem_ctx; cli_credentials_init_anon() (declared further
 * down) presumably does the same and marks the result anonymous. */
bool cli_credentials_is_anonymous(struct cli_credentials *cred);
struct cli_credentials *cli_credentials_init(TALLOC_CTX *mem_ctx);
void cli_credentials_set_anonymous(struct cli_credentials *cred);

/* Presumably called after an authentication failure to decide whether
 * another attempt is allowed (cf. the 'tries' field) -- confirm. */
bool cli_credentials_wrong_password(struct cli_credentials *cred);

const char *cli_credentials_get_password(struct cli_credentials *cred);
/* Username/domain pair as NTLM wants them; both out-pointers are filled,
 * presumably with strings allocated on mem_ctx. */
void cli_credentials_get_ntlm_username_domain(struct cli_credentials *cred, TALLOC_CTX *mem_ctx, 
                                              const char **username, 
                                              const char **domain);
/* Produces the LM/NT challenge responses and session keys for the given
 * server challenge and target_info.  'flags' is passed by pointer, so it
 * may be in/out; presumably it carries the CLI_CRED_* bits defined above.
 * The four DATA_BLOB out-parameters are authentication secrets (the
 * session keys in particular) and deserve the same care as the password. */
NTSTATUS cli_credentials_get_ntlm_response(struct cli_credentials *cred, TALLOC_CTX *mem_ctx, 
                                           int *flags,
                                           DATA_BLOB challenge, DATA_BLOB target_info, 
                                           DATA_BLOB *_lm_response, DATA_BLOB *_nt_response, 
                                           DATA_BLOB *_lm_session_key, DATA_BLOB *_session_key);
const char *cli_credentials_get_realm(struct cli_credentials *cred);
const char *cli_credentials_get_username(struct cli_credentials *cred);

/* Kerberos state.  These need an event context and the loadparm
 * configuration and return int (see the note on return conventions
 * above).  Those with an error_string out-parameter presumably fill it on
 * failure; who owns that string is not visible here. */
int cli_credentials_get_krb5_context(struct cli_credentials *cred, 
                                     struct tevent_context *event_ctx,
                                     struct loadparm_context *lp_ctx,
                                     struct smb_krb5_context **smb_krb5_context);
int cli_credentials_get_ccache(struct cli_credentials *cred, 
                               struct tevent_context *event_ctx,
                               struct loadparm_context *lp_ctx,
                               struct ccache_container **ccc,
                               const char **error_string);
/* Unlike cli_credentials_set_ccache() below, the name is a non-const
 * 'char *'; presumably it is not modified -- const would make that
 * explicit. */
int cli_credentials_get_named_ccache(struct cli_credentials *cred, 
                                     struct tevent_context *event_ctx,
                                     struct loadparm_context *lp_ctx,
                                     char *ccache_name,
                                     struct ccache_container **ccc, const char **error_string);
int cli_credentials_get_keytab(struct cli_credentials *cred, 
                               struct tevent_context *event_ctx,
                               struct loadparm_context *lp_ctx,
                               struct keytab_container **_ktc);
const char *cli_credentials_get_domain(struct cli_credentials *cred);
struct netlogon_creds_CredentialState *cli_credentials_get_netlogon_creds(struct cli_credentials *cred);

/* Machine-account handling: set_machine_account_pending() records lp_ctx
 * and defers the secrets.ldb lookup until a username or password is asked
 * for (see the machine_account_pending fields in the struct);
 * cli_credentials_set_machine_account() further down presumably performs
 * the lookup immediately and reports NTSTATUS. */
void cli_credentials_set_machine_account_pending(struct cli_credentials *cred,
                                                 struct loadparm_context *lp_ctx);
/* Pull defaults from the loadparm configuration. */
void cli_credentials_set_conf(struct cli_credentials *cred, 
                              struct loadparm_context *lp_ctx);
const char *cli_credentials_get_principal(struct cli_credentials *cred, TALLOC_CTX *mem_ctx);
int cli_credentials_get_server_gss_creds(struct cli_credentials *cred, 
                                         struct tevent_context *event_ctx,
                                         struct loadparm_context *lp_ctx,
                                         struct gssapi_creds_container **_gcc);
int cli_credentials_get_client_gss_creds(struct cli_credentials *cred, 
                                         struct tevent_context *event_ctx,
                                         struct loadparm_context *lp_ctx,
                                         struct gssapi_creds_container **_gcc,
                                         const char **error_string);
void cli_credentials_set_kerberos_state(struct cli_credentials *creds, 
                                        enum credentials_use_kerberos use_kerberos);

/* Setters for the string fields.  Each takes the new value plus the
 * priority it was obtained with; the bool return presumably says whether
 * the value was accepted (e.g. not outranked by an earlier, higher-priority
 * setting) -- confirm in credentials.c.  The *_callback variants install a
 * function that is consulted instead (CRED_CALLBACK in the enum above). */
bool cli_credentials_set_domain(struct cli_credentials *cred, 
                                const char *val, 
                                enum credentials_obtained obtained);
bool cli_credentials_set_domain_callback(struct cli_credentials *cred,
                                         const char *(*domain_cb) (struct cli_credentials *));
bool cli_credentials_set_username(struct cli_credentials *cred, 
                                  const char *val, enum credentials_obtained obtained);
bool cli_credentials_set_username_callback(struct cli_credentials *cred,
                                  const char *(*username_cb) (struct cli_credentials *));
bool cli_credentials_set_principal(struct cli_credentials *cred, 
                                   const char *val, 
                                   enum credentials_obtained obtained);
bool cli_credentials_set_principal_callback(struct cli_credentials *cred,
                                  const char *(*principal_cb) (struct cli_credentials *));
bool cli_credentials_set_password(struct cli_credentials *cred, 
                                  const char *val, 
                                  enum credentials_obtained obtained);
struct cli_credentials *cli_credentials_init_anon(TALLOC_CTX *mem_ctx);
/* Presumably splits a combined credential string ('data') into the
 * individual fields.  NOTE(review): if 'data' comes from the command line
 * it is readable by every local user via the process table; the file/fd
 * parsers declared below avoid that exposure. */
void cli_credentials_parse_string(struct cli_credentials *credentials, const char *data, enum credentials_obtained obtained);
const struct samr_Password *cli_credentials_get_nt_hash(struct cli_credentials *cred, 
                                                        TALLOC_CTX *mem_ctx);
bool cli_credentials_set_realm(struct cli_credentials *cred, 
                               const char *val, 
                               enum credentials_obtained obtained);

/* Netlogon/schannel and Kerberos context state (the secure_channel_type,
 * password_last_changed_time, netlogon_creds and smb_krb5_context
 * fields). */
void cli_credentials_set_secure_channel_type(struct cli_credentials *cred,
                                     enum netr_SchannelType secure_channel_type);
void cli_credentials_set_password_last_changed_time(struct cli_credentials *cred,
                                                             time_t last_change_time);
void cli_credentials_set_netlogon_creds(struct cli_credentials *cred, 
                                        struct netlogon_creds_CredentialState *netlogon_creds);
NTSTATUS cli_credentials_set_krb5_context(struct cli_credentials *cred, 
                                          struct smb_krb5_context *smb_krb5_context);
NTSTATUS cli_credentials_set_stored_principal(struct cli_credentials *cred,
                                              struct tevent_context *event_ctx,
                                              struct loadparm_context *lp_ctx,
                                              const char *serviceprincipal);
NTSTATUS cli_credentials_set_machine_account(struct cli_credentials *cred,
                                             struct loadparm_context *lp_ctx);
/* Presumably true when a real (non-anonymous) authentication was asked
 * for; how guessed or callback-provided values count is not visible here. */
bool cli_credentials_authentication_requested(struct cli_credentials *cred);
/* Fills unset fields from environment/configuration; values set this way
 * presumably carry CRED_GUESS_ENV/CRED_GUESS_FILE priority. */
void cli_credentials_guess(struct cli_credentials *cred,
                           struct loadparm_context *lp_ctx);
/* LDAP bind DN.  No 'obtained' priority is recorded for it. */
bool cli_credentials_set_bind_dn(struct cli_credentials *cred, 
                                 const char *bind_dn);
const char *cli_credentials_get_bind_dn(struct cli_credentials *cred);
/* Reads a credentials file; see also the password-only parsers below. */
bool cli_credentials_parse_file(struct cli_credentials *cred, const char *file, enum credentials_obtained obtained);
const char *cli_credentials_get_unparsed_name(struct cli_credentials *credentials, TALLOC_CTX *mem_ctx);
bool cli_credentials_set_password_callback(struct cli_credentials *cred,
                                           const char *(*password_cb) (struct cli_credentials *));
enum netr_SchannelType cli_credentials_get_secure_channel_type(struct cli_credentials *cred);
time_t cli_credentials_get_password_last_changed_time(struct cli_credentials *cred);
void cli_credentials_set_kvno(struct cli_credentials *cred,
                              int kvno);
/* Pre-computed authentication material: an NT hash (password-equivalent
 * for NTLM -- protect it the same way) or ready-made LM/NT responses for
 * pass-through. */
bool cli_credentials_set_nt_hash(struct cli_credentials *cred,
                                 const struct samr_Password *nt_hash, 
                                 enum credentials_obtained obtained);
bool cli_credentials_set_ntlm_response(struct cli_credentials *cred,
                                       const DATA_BLOB *lm_response, 
                                       const DATA_BLOB *nt_response, 
                                       enum credentials_obtained obtained);
int cli_credentials_set_keytab_name(struct cli_credentials *cred, 
                                    struct tevent_context *event_ctx,
                                    struct loadparm_context *lp_ctx,
                                    const char *keytab_name, 
                                    enum credentials_obtained obtained);
int cli_credentials_update_keytab(struct cli_credentials *cred, 
                                  struct tevent_context *event_ctx,
                                  struct loadparm_context *lp_ctx);
void cli_credentials_set_gensec_features(struct cli_credentials *creds, uint32_t gensec_features);
uint32_t cli_credentials_get_gensec_features(struct cli_credentials *creds);
int cli_credentials_set_ccache(struct cli_credentials *cred, 
                               struct tevent_context *event_ctx,
                               struct loadparm_context *lp_ctx,
                               const char *name, 
                               enum credentials_obtained obtained,
                               const char **error_string);
/* Password-only sources: a file path, or an already open descriptor (the
 * fd form lets a parent hand over a pipe instead of putting the secret on
 * disk or on the command line). */
bool cli_credentials_parse_password_file(struct cli_credentials *credentials, const char *file, enum credentials_obtained obtained);
bool cli_credentials_parse_password_fd(struct cli_credentials *credentials, 
                                       int fd, enum credentials_obtained obtained);
void cli_credentials_invalidate_ccache(struct cli_credentials *cred, 
                                       enum credentials_obtained obtained);
/* All three setters name their parameter 'principal', but the third
 * writes target_service, not a principal field; go by the function name. */
void cli_credentials_set_salt_principal(struct cli_credentials *cred, const char *principal);
void cli_credentials_set_impersonate_principal(struct cli_credentials *cred, const char *principal);
void cli_credentials_set_target_service(struct cli_credentials *cred, const char *principal);
const char *cli_credentials_get_salt_principal(struct cli_credentials *cred);
const char *cli_credentials_get_impersonate_principal(struct cli_credentials *cred);
const char *cli_credentials_get_target_service(struct cli_credentials *cred);
enum credentials_use_kerberos cli_credentials_get_kerberos_state(struct cli_credentials *creds);
/* Loads credentials from an LDB database, selecting the record by
 * base/filter.  NOTE(review): error_string is 'char **' here but
 * 'const char **' in the ccache/GSS getters above -- unify when next
 * touched. */
NTSTATUS cli_credentials_set_secrets(struct cli_credentials *cred, 
                                     struct tevent_context *event_ctx,
                                     struct loadparm_context *lp_ctx,
                                     struct ldb_context *ldb,
                                     const char *base,
                                     const char *filter, 
                                     char **error_string);
 int cli_credentials_get_kvno(struct cli_credentials *cred);
291
292 #endif /* __CREDENTIALS_H__ */