r13206: This patch finally re-adds a -k option that works reasonably.

From here we can add tests to Samba for kerberos, forcing it on and
off.  In the process, I also remove the dependency of credentials on
GENSEC.

This also picks up on the idea of bringing 'set_boolean' into general
code from jpeach's cifsdd patch.

Andrew Bartlett
(This used to be commit 1ac7976ea6e3ad6184c911de5df624c44e7c5228)

1 files changed, 39 insertions, 3 deletions

diff --git a/source4/lib/cmdline/popt_credentials.c b/source4/lib/cmdline/popt_credentials.c
index 49916d0ff3..d037cfd7c4 100644
--- a/source4/lib/cmdline/popt_credentials.c
+++ b/source4/lib/cmdline/popt_credentials.c
@@ -21,6 +21,7 @@
 
 #include "includes.h"
 #include "lib/cmdline/popt_common.h"
+#include "auth/gensec/gensec.h"
 
 /* Handle command line options:
  *		-U,--user
@@ -28,13 +29,16 @@
  *		-k,--use-kerberos
  *		-N,--no-pass
  *		-S,--signing
- *      -P --machine-pass
+ *              -P --machine-pass
+ *                 --simple-bind-dn
+ *                 --password
+ *                 --use-security-mechanisms
  */
 
 
 static BOOL dont_ask;
 
-enum opt { OPT_SIMPLE_BIND_DN };
+enum opt { OPT_SIMPLE_BIND_DN, OPT_PASSWORD, OPT_KERBEROS, OPT_GENSEC_MECHS };
 
 /*
   disable asking for a password
@@ -73,11 +77,18 @@ static void popt_common_credentials_callback(poptContext con,
 			if ((lp=strchr_m(arg,'%'))) {
 				lp[0]='\0';
 				lp++;
+				/* Try to prevent this showing up in ps */
 				memset(lp,0,strlen(lp));
 			}
 		}
 		break;
 
+	case OPT_PASSWORD:
+		cli_credentials_set_password(cmdline_credentials, arg, CRED_SPECIFIED);
+		/* Try to prevent this showing up in ps */
+		memset(arg,0,strlen(arg));
+		break;
+
 	case 'A':
 		cli_credentials_parse_file(cmdline_credentials, arg, CRED_SPECIFIED);
 		break;
@@ -89,9 +100,31 @@ static void popt_common_credentials_callback(poptContext con,
 	case 'P':
 		/* Later, after this is all over, get the machine account details from the secrets.ldb */
 		cli_credentials_set_machine_account_pending(cmdline_credentials);
+		break;
+
+	case OPT_KERBEROS:
+	{
+		BOOL use_kerberos = True;
+		/* Force us to only use kerberos */
+		if (arg) {
+			if (!set_boolean(arg, &use_kerberos)) {
+				fprintf(stderr, "Error parsing -k %s\n", arg);
+				exit(1);
+				break;
+			}
+		}
 		
-		/* machine accounts only work with kerberos (fall though)*/
+		cli_credentials_set_kerberos_state(cmdline_credentials, 
+						   use_kerberos 
+						   ? CRED_MUST_USE_KERBEROS
+						   : CRED_DONT_USE_KERBEROS);
 		break;
+	}
+	case OPT_GENSEC_MECHS:
+		/* Convert a list of strings into a list of available authentication standards */
+		
+		break;
+		
 	case OPT_SIMPLE_BIND_DN:
 		cli_credentials_set_bind_dn(cmdline_credentials, arg);
 		break;
@@ -104,9 +137,12 @@ struct poptOption popt_common_credentials[] = {
 	{ NULL, 0, POPT_ARG_CALLBACK|POPT_CBFLAG_PRE|POPT_CBFLAG_POST, popt_common_credentials_callback },
 	{ "user", 'U', POPT_ARG_STRING, NULL, 'U', "Set the network username", "[DOMAIN\\]USERNAME[%PASSWORD]" },
 	{ "no-pass", 'N', POPT_ARG_NONE, &dont_ask, True, "Don't ask for a password" },
+	{ "password", 0, POPT_ARG_STRING, NULL, OPT_PASSWORD, "Password" },
 	{ "authentication-file", 'A', POPT_ARG_STRING, NULL, 'A', "Get the credentials from a file", "FILE" },
 	{ "signing", 'S', POPT_ARG_STRING, NULL, 'S', "Set the client signing state", "on|off|required" },
 	{ "machine-pass", 'P', POPT_ARG_NONE, NULL, 'P', "Use stored machine account password (implies -k)" },
 	{ "simple-bind-dn", 0, POPT_ARG_STRING, NULL, OPT_SIMPLE_BIND_DN, "DN to use for a simple bind" },
+	{ "kerberos", 'k', POPT_ARG_STRING, NULL, OPT_KERBEROS, "Use Kerberos" },
+	{ "use-security-mechanisms", 0, POPT_ARG_STRING, NULL, OPT_GENSEC_MECHS, "Restricted list of authentication mechanisms available for use with this authentication"},
 	POPT_TABLEEND
 };