diff options
author | Andrew Bartlett <abartlet@samba.org> | 2006-01-28 12:15:24 +0000 |
---|---|---|
committer | Gerald (Jerry) Carter <jerry@samba.org> | 2007-10-10 13:51:33 -0500 |
commit | 44e601b5ad635ba29088fd4c747627dee8d62112 (patch) | |
tree | db7939e1e24dfd0b4e2fdc3a9bb5a447e4922e81 | |
parent | 210d3c1dc760af8e21fbfd5b23e87a1c937051d4 (diff) | |
download | samba-44e601b5ad635ba29088fd4c747627dee8d62112.tar.gz samba-44e601b5ad635ba29088fd4c747627dee8d62112.tar.bz2 samba-44e601b5ad635ba29088fd4c747627dee8d62112.zip |
r13206: This patch finally re-adds a -k option that works reasonably.
From here we can add tests to Samba for kerberos, forcing it on and
off. In the process, I also remove the dependency of credentials on
GENSEC.
This also picks up on the idea of bringing 'set_boolean' into general
code from jpeach's cifsdd patch.
Andrew Bartlett
(This used to be commit 1ac7976ea6e3ad6184c911de5df624c44e7c5228)
-rw-r--r-- | source4/auth/credentials/config.mk | 5 | ||||
-rw-r--r-- | source4/auth/credentials/credentials.c | 17 | ||||
-rw-r--r-- | source4/auth/credentials/credentials.h | 14 | ||||
-rw-r--r-- | source4/auth/credentials/credentials_gensec.c | 77 | ||||
-rw-r--r-- | source4/auth/credentials/credentials_ntlm.c | 4 | ||||
-rw-r--r-- | source4/auth/gensec/gensec.c | 173 | ||||
-rw-r--r-- | source4/auth/gensec/gensec.h | 1 | ||||
-rw-r--r-- | source4/auth/gensec/gensec_gssapi.c | 5 | ||||
-rw-r--r-- | source4/auth/gensec/gensec_krb5.c | 6 | ||||
-rw-r--r-- | source4/auth/gensec/spnego.c | 9 | ||||
-rw-r--r-- | source4/lib/cmdline/popt_credentials.c | 42 | ||||
-rw-r--r-- | source4/lib/util_str.c | 25 | ||||
-rw-r--r-- | source4/param/loadparm.c | 36 |
13 files changed, 244 insertions, 170 deletions
diff --git a/source4/auth/credentials/config.mk b/source4/auth/credentials/config.mk index 5c72630d5a..96c48f7574 100644 --- a/source4/auth/credentials/config.mk +++ b/source4/auth/credentials/config.mk @@ -5,10 +5,9 @@ PRIVATE_PROTO_HEADER = credentials_proto.h OBJ_FILES = credentials.o \ credentials_files.o \ credentials_krb5.o \ - credentials_ntlm.o \ - credentials_gensec.o + credentials_ntlm.o REQUIRED_SUBSYSTEMS = \ - HEIMDAL GENSEC LIBCLI_AUTH LIBLDB SECRETS + HEIMDAL LIBCLI_AUTH LIBLDB SECRETS # End SUBSYSTEM CREDENTIALS ################################# diff --git a/source4/auth/credentials/credentials.c b/source4/auth/credentials/credentials.c index a6bfb15dec..b1554cc9ef 100644 --- a/source4/auth/credentials/credentials.c +++ b/source4/auth/credentials/credentials.c @@ -24,7 +24,7 @@ #include "includes.h" #include "librpc/gen_ndr/ndr_samr.h" /* for struct samrPassword */ - +#include "auth/gensec/gensec.h" /** * Create a new credentials structure @@ -54,13 +54,26 @@ struct cli_credentials *cli_credentials_init(TALLOC_CTX *mem_ctx) cred->smb_krb5_context = NULL; cred->salt_principal = NULL; cred->machine_account = False; - cred->gensec_list = NULL; cred->bind_dn = NULL; + cli_credentials_set_kerberos_state(cred, CRED_AUTO_USE_KERBEROS); + return cred; } +void cli_credentials_set_kerberos_state(struct cli_credentials *creds, + enum credentials_use_kerberos use_kerberos) +{ + creds->use_kerberos = use_kerberos; +} + +enum credentials_use_kerberos cli_credentials_get_kerberos_state(struct cli_credentials *creds) +{ + return creds->use_kerberos; +} + + /** * Obtain the username for this credentials context. * @param cred credentials context diff --git a/source4/auth/credentials/credentials.h b/source4/auth/credentials/credentials.h index 8402676acd..eb4e5c96d0 100644 --- a/source4/auth/credentials/credentials.h +++ b/source4/auth/credentials/credentials.h @@ -32,15 +32,19 @@ enum credentials_obtained { CRED_SPECIFIED /* Was explicitly specified on the command-line */ }; +enum credentials_use_kerberos { + CRED_AUTO_USE_KERBEROS = 0, /* Default, we try kerberos if available */ + CRED_DONT_USE_KERBEROS, /* Sometimes trying kerberos just does 'bad things', so don't */ + CRED_MUST_USE_KERBEROS /* Sometimes administrators are parinoid, so always do kerberos */ +}; + #define CLI_CRED_NTLM2 0x01 #define CLI_CRED_NTLMv2_AUTH 0x02 #define CLI_CRED_LANMAN_AUTH 0x04 #define CLI_CRED_NTLM_AUTH 0x08 +#define CLI_CRED_CLEAR_AUTH 0x10 /* TODO: Push cleartext auth with this flag */ struct cli_credentials { - /* Preferred methods, NULL means default */ - const char **preferred_methods; - enum credentials_obtained workstation_obtained; enum credentials_obtained username_obtained; enum credentials_obtained password_obtained; @@ -94,8 +98,8 @@ struct cli_credentials { /* Is this a machine account? */ BOOL machine_account; - /* A list of valid GENSEC mechanisms for use on this account */ - const struct gensec_security_ops **gensec_list; + /* Should we be trying to use kerberos? */ + enum credentials_use_kerberos use_kerberos; }; #include "auth/credentials/credentials_proto.h" diff --git a/source4/auth/credentials/credentials_gensec.c b/source4/auth/credentials/credentials_gensec.c deleted file mode 100644 index 7ea15e7988..0000000000 --- a/source4/auth/credentials/credentials_gensec.c +++ /dev/null @@ -1,77 +0,0 @@ -/* - Unix SMB/CIFS implementation. - - User credentials handling - - Copyright (C) Andrew Bartlett <abartlet@samba.org> 2005 - - This program is free software; you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation; either version 2 of the License, or - (at your option) any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program; if not, write to the Free Software - Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. -*/ - -#include "includes.h" -#include "auth/gensec/gensec.h" - -const struct gensec_security_ops **cli_credentials_gensec_list(struct cli_credentials *creds) -{ - if (!creds || !creds->gensec_list) { - return gensec_security_all(); - } - return creds->gensec_list; -} - -static NTSTATUS cli_credentials_gensec_remove_mech(struct cli_credentials *creds, - const struct gensec_security_ops *remove_mech) -{ - const struct gensec_security_ops **gensec_list; - const struct gensec_security_ops **new_gensec_list; - int i, j; - - gensec_list = cli_credentials_gensec_list(creds); - - for (i=0; gensec_list && gensec_list[i]; i++) { - /* noop */ - } - - new_gensec_list = talloc_array(creds, const struct gensec_security_ops *, i + 1); - if (!new_gensec_list) { - return NT_STATUS_NO_MEMORY; - } - - j = 0; - for (i=0; gensec_list && gensec_list[i]; i++) { - if (gensec_list[i] != remove_mech) { - new_gensec_list[j] = gensec_list[i]; - j++; - } - } - new_gensec_list[j] = NULL; - - creds->gensec_list = new_gensec_list; - - return NT_STATUS_OK; -} - -NTSTATUS cli_credentials_gensec_remove_oid(struct cli_credentials *creds, - const char *oid) -{ - const struct gensec_security_ops *gensec_by_oid; - - gensec_by_oid = gensec_security_by_oid(NULL, oid); - if (!gensec_by_oid) { - return NT_STATUS_OK; - } - - return cli_credentials_gensec_remove_mech(creds, gensec_by_oid); -} diff --git a/source4/auth/credentials/credentials_ntlm.c b/source4/auth/credentials/credentials_ntlm.c index c7932e6f1a..5068540a32 100644 --- a/source4/auth/credentials/credentials_ntlm.c +++ b/source4/auth/credentials/credentials_ntlm.c @@ -66,6 +66,10 @@ NTSTATUS cli_credentials_get_ntlm_response(struct cli_credentials *cred, TALLOC_ if (cred->machine_account) { *flags = *flags & ~CLI_CRED_LANMAN_AUTH; } + + if (cred->use_kerberos == CRED_MUST_USE_KERBEROS) { + return NT_STATUS_ACCESS_DENIED; + } if (!nt_hash) { static const uint8_t zeros[16]; diff --git a/source4/auth/gensec/gensec.c b/source4/auth/gensec/gensec.c index fa5c877363..4853b53e40 100644 --- a/source4/auth/gensec/gensec.c +++ b/source4/auth/gensec/gensec.c @@ -27,29 +27,110 @@ #include "smb_build.h" /* the list of currently registered GENSEC backends */ -const static struct gensec_security_ops **generic_security_ops; +static struct gensec_security_ops **generic_security_ops; static int gensec_num_backends; -const struct gensec_security_ops **gensec_security_all(void) +/* Return all the registered mechs. Don't modify the return pointer, + * but you may talloc_reference it if convient */ +struct gensec_security_ops **gensec_security_all(void) { return generic_security_ops; } +/* Sometimes we want to force only kerberos, sometimes we want to + * force it's avoidance. The old list could be either + * gensec_security_all(), or from cli_credentials_gensec_list() (ie, + * an existing list we have trimmed down) */ + +struct gensec_security_ops **gensec_use_kerberos_mechs(TALLOC_CTX *mem_ctx, + struct gensec_security_ops **old_gensec_list, + enum credentials_use_kerberos use_kerberos) +{ + struct gensec_security_ops **new_gensec_list; + int i, j, num_mechs_in; + + if (use_kerberos == CRED_AUTO_USE_KERBEROS) { + talloc_reference(mem_ctx, old_gensec_list); + return old_gensec_list; + } + + for (num_mechs_in=0; old_gensec_list && old_gensec_list[num_mechs_in]; num_mechs_in++) { + /* noop */ + } + + new_gensec_list = talloc_array(mem_ctx, struct gensec_security_ops *, num_mechs_in + 1); + if (!new_gensec_list) { + return NULL; + } + + j = 0; + for (i=0; old_gensec_list && old_gensec_list[i]; i++) { + int oid_idx; + for (oid_idx = 0; old_gensec_list[i]->oid && old_gensec_list[i]->oid[oid_idx]; oid_idx++) { + if (strcmp(old_gensec_list[i]->oid[oid_idx], GENSEC_OID_SPNEGO) == 0) { + new_gensec_list[j] = old_gensec_list[i]; + j++; + break; + } + } + switch (use_kerberos) { + case CRED_DONT_USE_KERBEROS: + if (old_gensec_list[i]->kerberos == False) { + new_gensec_list[j] = old_gensec_list[i]; + j++; + } + break; + case CRED_MUST_USE_KERBEROS: + if (old_gensec_list[i]->kerberos == True) { + new_gensec_list[j] = old_gensec_list[i]; + j++; + } + break; + case CRED_AUTO_USE_KERBEROS: + break; + } + } + new_gensec_list[j] = NULL; + + return new_gensec_list; +} + +struct gensec_security_ops **gensec_security_mechs(struct gensec_security *gensec_security, + TALLOC_CTX *mem_ctx) +{ + struct gensec_security_ops **backends; + backends = gensec_security_all(); + if (!gensec_security) { + talloc_reference(mem_ctx, backends); + return backends; + } else { + struct cli_credentials *creds = gensec_get_credentials(gensec_security); + enum credentials_use_kerberos use_kerberos + = cli_credentials_get_kerberos_state(creds); + return gensec_use_kerberos_mechs(mem_ctx, backends, use_kerberos); + } + +} + static const struct gensec_security_ops *gensec_security_by_authtype(struct gensec_security *gensec_security, uint8_t auth_type) { int i; - const struct gensec_security_ops **backends; - if (!gensec_security) { - backends = gensec_security_all(); - } else { - backends = cli_credentials_gensec_list(gensec_get_credentials(gensec_security)); + struct gensec_security_ops **backends; + const struct gensec_security_ops *backend; + TALLOC_CTX *mem_ctx = talloc_new(gensec_security); + if (!mem_ctx) { + return NULL; } + backends = gensec_security_mechs(gensec_security, mem_ctx); for (i=0; backends && backends[i]; i++) { if (backends[i]->auth_type == auth_type) { - return backends[i]; + backend = backends[i]; + talloc_free(mem_ctx); + return backend; } } + talloc_free(mem_ctx); return NULL; } @@ -58,22 +139,26 @@ const struct gensec_security_ops *gensec_security_by_oid(struct gensec_security const char *oid_string) { int i, j; - const struct gensec_security_ops **backends; - if (!gensec_security) { - backends = gensec_security_all(); - } else { - backends = cli_credentials_gensec_list(gensec_get_credentials(gensec_security)); + struct gensec_security_ops **backends; + const struct gensec_security_ops *backend; + TALLOC_CTX *mem_ctx = talloc_new(gensec_security); + if (!mem_ctx) { + return NULL; } + backends = gensec_security_mechs(gensec_security, mem_ctx); for (i=0; backends && backends[i]; i++) { if (backends[i]->oid) { for (j=0; backends[i]->oid[j]; j++) { if (backends[i]->oid[j] && (strcmp(backends[i]->oid[j], oid_string) == 0)) { - return backends[i]; + backend = backends[i]; + talloc_free(mem_ctx); + return backend; } } } } + talloc_free(mem_ctx); return NULL; } @@ -82,18 +167,22 @@ static const struct gensec_security_ops *gensec_security_by_sasl_name(struct gen const char *sasl_name) { int i; - const struct gensec_security_ops **backends; - if (!gensec_security) { - backends = gensec_security_all(); - } else { - backends = cli_credentials_gensec_list(gensec_get_credentials(gensec_security)); + struct gensec_security_ops **backends; + const struct gensec_security_ops *backend; + TALLOC_CTX *mem_ctx = talloc_new(gensec_security); + if (!mem_ctx) { + return NULL; } + backends = gensec_security_mechs(gensec_security, mem_ctx); for (i=0; backends && backends[i]; i++) { if (backends[i]->sasl_name && (strcmp(backends[i]->sasl_name, sasl_name) == 0)) { - return backends[i]; + backend = backends[i]; + talloc_free(mem_ctx); + return backend; } } + talloc_free(mem_ctx); return NULL; } @@ -102,19 +191,22 @@ static const struct gensec_security_ops *gensec_security_by_name(struct gensec_s const char *name) { int i; - const struct gensec_security_ops **backends; - if (!gensec_security) { - backends = gensec_security_all(); - } else { - backends = cli_credentials_gensec_list(gensec_get_credentials(gensec_security)); + struct gensec_security_ops **backends; + const struct gensec_security_ops *backend; + TALLOC_CTX *mem_ctx = talloc_new(gensec_security); + if (!mem_ctx) { + return NULL; } + backends = gensec_security_mechs(gensec_security, mem_ctx); for (i=0; backends && backends[i]; i++) { if (backends[i]->name && (strcmp(backends[i]->name, name) == 0)) { - return backends[i]; + backend = backends[i]; + talloc_free(mem_ctx); + return backend; } } - + talloc_free(mem_ctx); return NULL; } @@ -131,7 +223,7 @@ const struct gensec_security_ops **gensec_security_by_sasl(struct gensec_securit const char **sasl_names) { const struct gensec_security_ops **backends_out; - const struct gensec_security_ops **backends; + struct gensec_security_ops **backends; int i, k, sasl_idx; int num_backends_out = 0; @@ -139,7 +231,7 @@ const struct gensec_security_ops **gensec_security_by_sasl(struct gensec_securit return NULL; } - backends = cli_credentials_gensec_list(gensec_get_credentials(gensec_security)); + backends = gensec_security_mechs(gensec_security, mem_ctx); backends_out = talloc_array(mem_ctx, const struct gensec_security_ops *, 1); if (!backends_out) { @@ -198,7 +290,7 @@ const struct gensec_security_ops_wrapper *gensec_security_by_oid_list(struct gen const char *skip) { struct gensec_security_ops_wrapper *backends_out; - const struct gensec_security_ops **backends; + struct gensec_security_ops **backends; int i, j, k, oid_idx; int num_backends_out = 0; @@ -206,7 +298,7 @@ const struct gensec_security_ops_wrapper *gensec_security_by_oid_list(struct gen return NULL; } - backends = cli_credentials_gensec_list(gensec_get_credentials(gensec_security)); + backends = gensec_security_mechs(gensec_security, gensec_security); backends_out = talloc_array(mem_ctx, struct gensec_security_ops_wrapper, 1); if (!backends_out) { @@ -267,7 +359,7 @@ const struct gensec_security_ops_wrapper *gensec_security_by_oid_list(struct gen */ const char **gensec_security_oids_from_ops(TALLOC_CTX *mem_ctx, - const struct gensec_security_ops **ops, + struct gensec_security_ops **ops, const char *skip) { int i; @@ -354,8 +446,8 @@ const char **gensec_security_oids(struct gensec_security *gensec_security, TALLOC_CTX *mem_ctx, const char *skip) { - const struct gensec_security_ops **ops - = cli_credentials_gensec_list(gensec_get_credentials(gensec_security)); + struct gensec_security_ops **ops + = gensec_security_mechs(gensec_security, mem_ctx); return gensec_security_oids_from_ops(mem_ctx, ops, skip); } @@ -944,10 +1036,8 @@ const char *gensec_get_target_principal(struct gensec_security *gensec_security) The 'name' can be later used by other backends to find the operations structure for this backend. */ -NTSTATUS gensec_register(const void *_ops) +NTSTATUS gensec_register(const struct gensec_security_ops *ops) { - const struct gensec_security_ops *ops = _ops; - if (!lp_parm_bool(-1, "gensec", ops->name, ops->enabled)) { DEBUG(2,("gensec subsystem %s is disabled\n", ops->name)); return NT_STATUS_OK; @@ -960,11 +1050,12 @@ NTSTATUS gensec_register(const void *_ops) return NT_STATUS_OBJECT_NAME_COLLISION; } - generic_security_ops = realloc_p(generic_security_ops, - const struct gensec_security_ops *, - gensec_num_backends+2); + generic_security_ops = talloc_realloc(talloc_autofree_context(), + generic_security_ops, + struct gensec_security_ops *, + gensec_num_backends+2); if (!generic_security_ops) { - smb_panic("out of memory in gensec_register"); + smb_panic("out of memory (or failed to realloc referenced memory) in gensec_register"); } generic_security_ops[gensec_num_backends] = ops; diff --git a/source4/auth/gensec/gensec.h b/source4/auth/gensec/gensec.h index 6821d7f2db..2084ebb97a 100644 --- a/source4/auth/gensec/gensec.h +++ b/source4/auth/gensec/gensec.h @@ -95,6 +95,7 @@ struct gensec_security_ops { BOOL (*have_feature)(struct gensec_security *gensec_security, uint32_t feature); BOOL enabled; + BOOL kerberos; }; struct gensec_security_ops_wrapper { diff --git a/source4/auth/gensec/gensec_gssapi.c b/source4/auth/gensec/gensec_gssapi.c index 4eb7b95d6d..f9650ee6cc 100644 --- a/source4/auth/gensec/gensec_gssapi.c +++ b/source4/auth/gensec/gensec_gssapi.c @@ -174,7 +174,7 @@ static NTSTATUS gensec_gssapi_server_start(struct gensec_security *gensec_securi if (!machine_account) { DEBUG(3, ("No machine account credentials specified\n")); - return NT_STATUS_INVALID_PARAMETER; + return NT_STATUS_CANT_ACCESS_DOMAIN_INFO; } else { ret = cli_credentials_get_server_gss_creds(machine_account, &gcc); if (ret) { @@ -933,7 +933,8 @@ static const struct gensec_security_ops gensec_gssapi_krb5_security_ops = { .wrap = gensec_gssapi_wrap, .unwrap = gensec_gssapi_unwrap, .have_feature = gensec_gssapi_have_feature, - .enabled = True + .enabled = True, + .kerberos = True }; NTSTATUS gensec_gssapi_init(void) diff --git a/source4/auth/gensec/gensec_krb5.c b/source4/auth/gensec/gensec_krb5.c index 98f7e726cc..de93c5bd0c 100644 --- a/source4/auth/gensec/gensec_krb5.c +++ b/source4/auth/gensec/gensec_krb5.c @@ -718,7 +718,8 @@ static const struct gensec_security_ops gensec_fake_gssapi_krb5_security_ops = { .session_key = gensec_krb5_session_key, .session_info = gensec_krb5_session_info, .have_feature = gensec_krb5_have_feature, - .enabled = False + .enabled = False, + .kerberos = True }; static const struct gensec_security_ops gensec_krb5_security_ops = { @@ -731,7 +732,8 @@ static const struct gensec_security_ops gensec_krb5_security_ops = { .have_feature = gensec_krb5_have_feature, .wrap = gensec_krb5_wrap, .unwrap = gensec_krb5_unwrap, - .enabled = True + .enabled = True, + .kerberos = True }; NTSTATUS gensec_krb5_init(void) diff --git a/source4/auth/gensec/spnego.c b/source4/auth/gensec/spnego.c index 57853c9c61..6f38576a3f 100644 --- a/source4/auth/gensec/spnego.c +++ b/source4/auth/gensec/spnego.c @@ -246,8 +246,8 @@ static NTSTATUS gensec_spnego_server_try_fallback(struct gensec_security *gensec const DATA_BLOB in, DATA_BLOB *out) { int i,j; - const struct gensec_security_ops **all_ops - = cli_credentials_gensec_list(gensec_get_credentials(gensec_security)); + struct gensec_security_ops **all_ops + = gensec_security_mechs(gensec_security, out_mem_ctx); for (i=0; all_ops[i]; i++) { BOOL is_spnego; NTSTATUS nt_status; @@ -341,7 +341,8 @@ static NTSTATUS gensec_spnego_parse_negTokenInit(struct gensec_security *gensec_ out_mem_ctx, unwrapped_in, unwrapped_out); - if (NT_STATUS_EQUAL(nt_status, NT_STATUS_INVALID_PARAMETER)) { + if (NT_STATUS_EQUAL(nt_status, NT_STATUS_INVALID_PARAMETER) || + NT_STATUS_EQUAL(nt_status, NT_STATUS_CANT_ACCESS_DOMAIN_INFO)) { /* Pretend we never started it (lets the first run find some incompatible demand) */ DEBUG(1, ("SPNEGO(%s) NEG_TOKEN_INIT failed to parse: %s\n", @@ -929,7 +930,7 @@ static const struct gensec_security_ops gensec_spnego_security_ops = { .session_key = gensec_spnego_session_key, .session_info = gensec_spnego_session_info, .have_feature = gensec_spnego_have_feature, - .enabled = True + .enabled = True, }; NTSTATUS gensec_spnego_init(void) diff --git a/source4/lib/cmdline/popt_credentials.c b/source4/lib/cmdline/popt_credentials.c index 49916d0ff3..d037cfd7c4 100644 --- a/source4/lib/cmdline/popt_credentials.c +++ b/source4/lib/cmdline/popt_credentials.c @@ -21,6 +21,7 @@ #include "includes.h" #include "lib/cmdline/popt_common.h" +#include "auth/gensec/gensec.h" /* Handle command line options: * -U,--user @@ -28,13 +29,16 @@ * -k,--use-kerberos * -N,--no-pass * -S,--signing - * -P --machine-pass + * -P --machine-pass + * --simple-bind-dn + * --password + * --use-security-mechanisms */ static BOOL dont_ask; -enum opt { OPT_SIMPLE_BIND_DN }; +enum opt { OPT_SIMPLE_BIND_DN, OPT_PASSWORD, OPT_KERBEROS, OPT_GENSEC_MECHS }; /* disable asking for a password @@ -73,11 +77,18 @@ static void popt_common_credentials_callback(poptContext con, if ((lp=strchr_m(arg,'%'))) { lp[0]='\0'; lp++; + /* Try to prevent this showing up in ps */ memset(lp,0,strlen(lp)); } } break; + case OPT_PASSWORD: + cli_credentials_set_password(cmdline_credentials, arg, CRED_SPECIFIED); + /* Try to prevent this showing up in ps */ + memset(arg,0,strlen(arg)); + break; + case 'A': cli_credentials_parse_file(cmdline_credentials, arg, CRED_SPECIFIED); break; @@ -89,9 +100,31 @@ static void popt_common_credentials_callback(poptContext con, case 'P': /* Later, after this is all over, get the machine account details from the secrets.ldb */ cli_credentials_set_machine_account_pending(cmdline_credentials); + break; + + case OPT_KERBEROS: + { + BOOL use_kerberos = True; + /* Force us to only use kerberos */ + if (arg) { + if (!set_boolean(arg, &use_kerberos)) { + fprintf(stderr, "Error parsing -k %s\n", arg); + exit(1); + break; + } + } - /* machine accounts only work with kerberos (fall though)*/ + cli_credentials_set_kerberos_state(cmdline_credentials, + use_kerberos + ? CRED_MUST_USE_KERBEROS + : CRED_DONT_USE_KERBEROS); break; + } + case OPT_GENSEC_MECHS: + /* Convert a list of strings into a list of available authentication standards */ + + break; + case OPT_SIMPLE_BIND_DN: cli_credentials_set_bind_dn(cmdline_credentials, arg); break; @@ -104,9 +137,12 @@ struct poptOption popt_common_credentials[] = { { NULL, 0, POPT_ARG_CALLBACK|POPT_CBFLAG_PRE|POPT_CBFLAG_POST, popt_common_credentials_callback }, { "user", 'U', POPT_ARG_STRING, NULL, 'U', "Set the network username", "[DOMAIN\\]USERNAME[%PASSWORD]" }, { "no-pass", 'N', POPT_ARG_NONE, &dont_ask, True, "Don't ask for a password" }, + { "password", 0, POPT_ARG_STRING, NULL, OPT_PASSWORD, "Password" }, { "authentication-file", 'A', POPT_ARG_STRING, NULL, 'A', "Get the credentials from a file", "FILE" }, { "signing", 'S', POPT_ARG_STRING, NULL, 'S', "Set the client signing state", "on|off|required" }, { "machine-pass", 'P', POPT_ARG_NONE, NULL, 'P', "Use stored machine account password (implies -k)" }, { "simple-bind-dn", 0, POPT_ARG_STRING, NULL, OPT_SIMPLE_BIND_DN, "DN to use for a simple bind" }, + { "kerberos", 'k', POPT_ARG_STRING, NULL, OPT_KERBEROS, "Use Kerberos" }, + { "use-security-mechanisms", 0, POPT_ARG_STRING, NULL, OPT_GENSEC_MECHS, "Restricted list of authentication mechanisms available for use with this authentication"}, POPT_TABLEEND }; diff --git a/source4/lib/util_str.c b/source4/lib/util_str.c index eebddf65a5..311f81eaf3 100644 --- a/source4/lib/util_str.c +++ b/source4/lib/util_str.c @@ -1111,3 +1111,28 @@ char *attrib_string(TALLOC_CTX *mem_ctx, uint32_t attrib) return ret; } + +/*************************************************************************** + Set a boolean variable from the text value stored in the passed string. + Returns True in success, False if the passed string does not correctly + represent a boolean. +***************************************************************************/ + +BOOL set_boolean(const char *boolean_string, BOOL *boolean) +{ + if (strwicmp(boolean_string, "yes") == 0 || + strwicmp(boolean_string, "true") == 0 || + strwicmp(boolean_string, "on") == 0 || + strwicmp(boolean_string, "1") == 0) { + *boolean = True; + return True; + } else if (strwicmp(boolean_string, "no") == 0 || + strwicmp(boolean_string, "false") == 0 || + strwicmp(boolean_string, "off") == 0 || + strwicmp(boolean_string, "0") == 0) { + *boolean = False; + return True; + } + return False; +} + diff --git a/source4/param/loadparm.c b/source4/param/loadparm.c index a92bc68371..bd01581eae 100644 --- a/source4/param/loadparm.c +++ b/source4/param/loadparm.c @@ -912,7 +912,6 @@ FN_GLOBAL_INTEGER(lp_client_signing, &Globals.client_signing) /* local prototypes */ static int map_parameter(const char *pszParmName); -static BOOL set_boolean(BOOL *pb, const char *pszParmValue); static int getservicebyname(const char *pszServiceName, service * pserviceDest); static void copy_service(service * pserviceDest, @@ -1004,7 +1003,7 @@ static BOOL lp_bool(const char *s) return False; } - if (!set_boolean(&ret,s)) { + if (!set_boolean(s, &ret)) { DEBUG(0,("lp_bool(%s): value is not boolean!\n",s)); return False; } @@ -1374,34 +1373,6 @@ void *lp_parm_ptr(int snum, struct parm_struct *parm) } /*************************************************************************** - Set a boolean variable from the text value stored in the passed string. - Returns True in success, False if the passed string does not correctly - represent a boolean. -***************************************************************************/ - -static BOOL set_boolean(BOOL *pb, const char *pszParmValue) -{ - BOOL bRetval; - - bRetval = True; - if (strwicmp(pszParmValue, "yes") == 0 || - strwicmp(pszParmValue, "true") == 0 || - strwicmp(pszParmValue, "1") == 0) - *pb = True; - else if (strwicmp(pszParmValue, "no") == 0 || - strwicmp(pszParmValue, "False") == 0 || - strwicmp(pszParmValue, "0") == 0) - *pb = False; - else { - DEBUG(0, - ("ERROR: Badly formed boolean in configuration file: \"%s\".\n", - pszParmValue)); - bRetval = False; - } - return (bRetval); -} - -/*************************************************************************** Find a service by name. Otherwise works like get_service. ***************************************************************************/ @@ -1841,7 +1812,10 @@ BOOL lp_do_parameter(int snum, const char *pszParmName, const char *pszParmValue switch (parm_table[parmnum].type) { case P_BOOL: - set_boolean(parm_ptr, pszParmValue); + if (!set_boolean(pszParmValue, parm_ptr)) { + DEBUG(0,("lp_do_parameter(%s): value is not boolean!\n", pszParmValue)); + return False; + } break; case P_INTEGER: |