diff options
Diffstat (limited to 'source4/auth/credentials')
-rw-r--r-- | source4/auth/credentials/config.mk | 5 | ||||
-rw-r--r-- | source4/auth/credentials/credentials.c | 17 | ||||
-rw-r--r-- | source4/auth/credentials/credentials.h | 14 | ||||
-rw-r--r-- | source4/auth/credentials/credentials_gensec.c | 77 | ||||
-rw-r--r-- | source4/auth/credentials/credentials_ntlm.c | 4 |
5 files changed, 30 insertions, 87 deletions
diff --git a/source4/auth/credentials/config.mk b/source4/auth/credentials/config.mk index 5c72630d5a..96c48f7574 100644 --- a/source4/auth/credentials/config.mk +++ b/source4/auth/credentials/config.mk @@ -5,10 +5,9 @@ PRIVATE_PROTO_HEADER = credentials_proto.h OBJ_FILES = credentials.o \ credentials_files.o \ credentials_krb5.o \ - credentials_ntlm.o \ - credentials_gensec.o + credentials_ntlm.o REQUIRED_SUBSYSTEMS = \ - HEIMDAL GENSEC LIBCLI_AUTH LIBLDB SECRETS + HEIMDAL LIBCLI_AUTH LIBLDB SECRETS # End SUBSYSTEM CREDENTIALS ################################# diff --git a/source4/auth/credentials/credentials.c b/source4/auth/credentials/credentials.c index a6bfb15dec..b1554cc9ef 100644 --- a/source4/auth/credentials/credentials.c +++ b/source4/auth/credentials/credentials.c @@ -24,7 +24,7 @@ #include "includes.h" #include "librpc/gen_ndr/ndr_samr.h" /* for struct samrPassword */ - +#include "auth/gensec/gensec.h" /** * Create a new credentials structure @@ -54,13 +54,26 @@ struct cli_credentials *cli_credentials_init(TALLOC_CTX *mem_ctx) cred->smb_krb5_context = NULL; cred->salt_principal = NULL; cred->machine_account = False; - cred->gensec_list = NULL; cred->bind_dn = NULL; + cli_credentials_set_kerberos_state(cred, CRED_AUTO_USE_KERBEROS); + return cred; } +void cli_credentials_set_kerberos_state(struct cli_credentials *creds, + enum credentials_use_kerberos use_kerberos) +{ + creds->use_kerberos = use_kerberos; +} + +enum credentials_use_kerberos cli_credentials_get_kerberos_state(struct cli_credentials *creds) +{ + return creds->use_kerberos; +} + + /** * Obtain the username for this credentials context. * @param cred credentials context diff --git a/source4/auth/credentials/credentials.h b/source4/auth/credentials/credentials.h index 8402676acd..eb4e5c96d0 100644 --- a/source4/auth/credentials/credentials.h +++ b/source4/auth/credentials/credentials.h @@ -32,15 +32,19 @@ enum credentials_obtained { CRED_SPECIFIED /* Was explicitly specified on the command-line */ }; +enum credentials_use_kerberos { + CRED_AUTO_USE_KERBEROS = 0, /* Default, we try kerberos if available */ + CRED_DONT_USE_KERBEROS, /* Sometimes trying kerberos just does 'bad things', so don't */ + CRED_MUST_USE_KERBEROS /* Sometimes administrators are parinoid, so always do kerberos */ +}; + #define CLI_CRED_NTLM2 0x01 #define CLI_CRED_NTLMv2_AUTH 0x02 #define CLI_CRED_LANMAN_AUTH 0x04 #define CLI_CRED_NTLM_AUTH 0x08 +#define CLI_CRED_CLEAR_AUTH 0x10 /* TODO: Push cleartext auth with this flag */ struct cli_credentials { - /* Preferred methods, NULL means default */ - const char **preferred_methods; - enum credentials_obtained workstation_obtained; enum credentials_obtained username_obtained; enum credentials_obtained password_obtained; @@ -94,8 +98,8 @@ struct cli_credentials { /* Is this a machine account? */ BOOL machine_account; - /* A list of valid GENSEC mechanisms for use on this account */ - const struct gensec_security_ops **gensec_list; + /* Should we be trying to use kerberos? */ + enum credentials_use_kerberos use_kerberos; }; #include "auth/credentials/credentials_proto.h" diff --git a/source4/auth/credentials/credentials_gensec.c b/source4/auth/credentials/credentials_gensec.c deleted file mode 100644 index 7ea15e7988..0000000000 --- a/source4/auth/credentials/credentials_gensec.c +++ /dev/null @@ -1,77 +0,0 @@ -/* - Unix SMB/CIFS implementation. - - User credentials handling - - Copyright (C) Andrew Bartlett <abartlet@samba.org> 2005 - - This program is free software; you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation; either version 2 of the License, or - (at your option) any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program; if not, write to the Free Software - Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. -*/ - -#include "includes.h" -#include "auth/gensec/gensec.h" - -const struct gensec_security_ops **cli_credentials_gensec_list(struct cli_credentials *creds) -{ - if (!creds || !creds->gensec_list) { - return gensec_security_all(); - } - return creds->gensec_list; -} - -static NTSTATUS cli_credentials_gensec_remove_mech(struct cli_credentials *creds, - const struct gensec_security_ops *remove_mech) -{ - const struct gensec_security_ops **gensec_list; - const struct gensec_security_ops **new_gensec_list; - int i, j; - - gensec_list = cli_credentials_gensec_list(creds); - - for (i=0; gensec_list && gensec_list[i]; i++) { - /* noop */ - } - - new_gensec_list = talloc_array(creds, const struct gensec_security_ops *, i + 1); - if (!new_gensec_list) { - return NT_STATUS_NO_MEMORY; - } - - j = 0; - for (i=0; gensec_list && gensec_list[i]; i++) { - if (gensec_list[i] != remove_mech) { - new_gensec_list[j] = gensec_list[i]; - j++; - } - } - new_gensec_list[j] = NULL; - - creds->gensec_list = new_gensec_list; - - return NT_STATUS_OK; -} - -NTSTATUS cli_credentials_gensec_remove_oid(struct cli_credentials *creds, - const char *oid) -{ - const struct gensec_security_ops *gensec_by_oid; - - gensec_by_oid = gensec_security_by_oid(NULL, oid); - if (!gensec_by_oid) { - return NT_STATUS_OK; - } - - return cli_credentials_gensec_remove_mech(creds, gensec_by_oid); -} diff --git a/source4/auth/credentials/credentials_ntlm.c b/source4/auth/credentials/credentials_ntlm.c index c7932e6f1a..5068540a32 100644 --- a/source4/auth/credentials/credentials_ntlm.c +++ b/source4/auth/credentials/credentials_ntlm.c @@ -66,6 +66,10 @@ NTSTATUS cli_credentials_get_ntlm_response(struct cli_credentials *cred, TALLOC_ if (cred->machine_account) { *flags = *flags & ~CLI_CRED_LANMAN_AUTH; } + + if (cred->use_kerberos == CRED_MUST_USE_KERBEROS) { + return NT_STATUS_ACCESS_DENIED; + } if (!nt_hash) { static const uint8_t zeros[16]; |