summaryrefslogtreecommitdiff
path: root/source4/auth/credentials
diff options
context:
space:
mode:
Diffstat (limited to 'source4/auth/credentials')
-rw-r--r--source4/auth/credentials/config.mk5
-rw-r--r--source4/auth/credentials/credentials.c17
-rw-r--r--source4/auth/credentials/credentials.h14
-rw-r--r--source4/auth/credentials/credentials_gensec.c77
-rw-r--r--source4/auth/credentials/credentials_ntlm.c4
5 files changed, 30 insertions, 87 deletions
diff --git a/source4/auth/credentials/config.mk b/source4/auth/credentials/config.mk
index 5c72630d5a..96c48f7574 100644
--- a/source4/auth/credentials/config.mk
+++ b/source4/auth/credentials/config.mk
@@ -5,10 +5,9 @@ PRIVATE_PROTO_HEADER = credentials_proto.h
OBJ_FILES = credentials.o \
credentials_files.o \
credentials_krb5.o \
- credentials_ntlm.o \
- credentials_gensec.o
+ credentials_ntlm.o
REQUIRED_SUBSYSTEMS = \
- HEIMDAL GENSEC LIBCLI_AUTH LIBLDB SECRETS
+ HEIMDAL LIBCLI_AUTH LIBLDB SECRETS
# End SUBSYSTEM CREDENTIALS
#################################
diff --git a/source4/auth/credentials/credentials.c b/source4/auth/credentials/credentials.c
index a6bfb15dec..b1554cc9ef 100644
--- a/source4/auth/credentials/credentials.c
+++ b/source4/auth/credentials/credentials.c
@@ -24,7 +24,7 @@
#include "includes.h"
#include "librpc/gen_ndr/ndr_samr.h" /* for struct samrPassword */
-
+#include "auth/gensec/gensec.h"
/**
* Create a new credentials structure
@@ -54,13 +54,26 @@ struct cli_credentials *cli_credentials_init(TALLOC_CTX *mem_ctx)
cred->smb_krb5_context = NULL;
cred->salt_principal = NULL;
cred->machine_account = False;
- cred->gensec_list = NULL;
cred->bind_dn = NULL;
+ cli_credentials_set_kerberos_state(cred, CRED_AUTO_USE_KERBEROS);
+
return cred;
}
+void cli_credentials_set_kerberos_state(struct cli_credentials *creds,
+ enum credentials_use_kerberos use_kerberos)
+{
+ creds->use_kerberos = use_kerberos;
+}
+
+enum credentials_use_kerberos cli_credentials_get_kerberos_state(struct cli_credentials *creds)
+{
+ return creds->use_kerberos;
+}
+
+
/**
* Obtain the username for this credentials context.
* @param cred credentials context
diff --git a/source4/auth/credentials/credentials.h b/source4/auth/credentials/credentials.h
index 8402676acd..eb4e5c96d0 100644
--- a/source4/auth/credentials/credentials.h
+++ b/source4/auth/credentials/credentials.h
@@ -32,15 +32,19 @@ enum credentials_obtained {
CRED_SPECIFIED /* Was explicitly specified on the command-line */
};
+enum credentials_use_kerberos {
+ CRED_AUTO_USE_KERBEROS = 0, /* Default, we try kerberos if available */
+ CRED_DONT_USE_KERBEROS, /* Sometimes trying kerberos just does 'bad things', so don't */
+ CRED_MUST_USE_KERBEROS /* Sometimes administrators are parinoid, so always do kerberos */
+};
+
#define CLI_CRED_NTLM2 0x01
#define CLI_CRED_NTLMv2_AUTH 0x02
#define CLI_CRED_LANMAN_AUTH 0x04
#define CLI_CRED_NTLM_AUTH 0x08
+#define CLI_CRED_CLEAR_AUTH 0x10 /* TODO: Push cleartext auth with this flag */
struct cli_credentials {
- /* Preferred methods, NULL means default */
- const char **preferred_methods;
-
enum credentials_obtained workstation_obtained;
enum credentials_obtained username_obtained;
enum credentials_obtained password_obtained;
@@ -94,8 +98,8 @@ struct cli_credentials {
/* Is this a machine account? */
BOOL machine_account;
- /* A list of valid GENSEC mechanisms for use on this account */
- const struct gensec_security_ops **gensec_list;
+ /* Should we be trying to use kerberos? */
+ enum credentials_use_kerberos use_kerberos;
};
#include "auth/credentials/credentials_proto.h"
diff --git a/source4/auth/credentials/credentials_gensec.c b/source4/auth/credentials/credentials_gensec.c
deleted file mode 100644
index 7ea15e7988..0000000000
--- a/source4/auth/credentials/credentials_gensec.c
+++ /dev/null
@@ -1,77 +0,0 @@
-/*
- Unix SMB/CIFS implementation.
-
- User credentials handling
-
- Copyright (C) Andrew Bartlett <abartlet@samba.org> 2005
-
- This program is free software; you can redistribute it and/or modify
- it under the terms of the GNU General Public License as published by
- the Free Software Foundation; either version 2 of the License, or
- (at your option) any later version.
-
- This program is distributed in the hope that it will be useful,
- but WITHOUT ANY WARRANTY; without even the implied warranty of
- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- GNU General Public License for more details.
-
- You should have received a copy of the GNU General Public License
- along with this program; if not, write to the Free Software
- Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
-*/
-
-#include "includes.h"
-#include "auth/gensec/gensec.h"
-
-const struct gensec_security_ops **cli_credentials_gensec_list(struct cli_credentials *creds)
-{
- if (!creds || !creds->gensec_list) {
- return gensec_security_all();
- }
- return creds->gensec_list;
-}
-
-static NTSTATUS cli_credentials_gensec_remove_mech(struct cli_credentials *creds,
- const struct gensec_security_ops *remove_mech)
-{
- const struct gensec_security_ops **gensec_list;
- const struct gensec_security_ops **new_gensec_list;
- int i, j;
-
- gensec_list = cli_credentials_gensec_list(creds);
-
- for (i=0; gensec_list && gensec_list[i]; i++) {
- /* noop */
- }
-
- new_gensec_list = talloc_array(creds, const struct gensec_security_ops *, i + 1);
- if (!new_gensec_list) {
- return NT_STATUS_NO_MEMORY;
- }
-
- j = 0;
- for (i=0; gensec_list && gensec_list[i]; i++) {
- if (gensec_list[i] != remove_mech) {
- new_gensec_list[j] = gensec_list[i];
- j++;
- }
- }
- new_gensec_list[j] = NULL;
-
- creds->gensec_list = new_gensec_list;
-
- return NT_STATUS_OK;
-}
-
-NTSTATUS cli_credentials_gensec_remove_oid(struct cli_credentials *creds,
- const char *oid)
-{
- const struct gensec_security_ops *gensec_by_oid;
-
- gensec_by_oid = gensec_security_by_oid(NULL, oid);
- if (!gensec_by_oid) {
- return NT_STATUS_OK;
- }
-
- return cli_credentials_gensec_remove_mech(creds, gensec_by_oid);
-}
diff --git a/source4/auth/credentials/credentials_ntlm.c b/source4/auth/credentials/credentials_ntlm.c
index c7932e6f1a..5068540a32 100644
--- a/source4/auth/credentials/credentials_ntlm.c
+++ b/source4/auth/credentials/credentials_ntlm.c
@@ -66,6 +66,10 @@ NTSTATUS cli_credentials_get_ntlm_response(struct cli_credentials *cred, TALLOC_
if (cred->machine_account) {
*flags = *flags & ~CLI_CRED_LANMAN_AUTH;
}
+
+ if (cred->use_kerberos == CRED_MUST_USE_KERBEROS) {
+ return NT_STATUS_ACCESS_DENIED;
+ }
if (!nt_hash) {
static const uint8_t zeros[16];