From a12a6686ba7301c464e8db857c73bfd1061dbf93 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Thu, 29 Sep 2005 00:02:38 +0000 Subject: r10596: Move the credentials code into it's own subsystem, and push it under auth/ Andrew Bartlett (This used to be commit 2e76a4b8efd59c496d64241d654538d3222545c6) --- source4/auth/credentials/credentials.c | 562 +++++++++++++++++++++++++++++++++ 1 file changed, 562 insertions(+) create mode 100644 source4/auth/credentials/credentials.c (limited to 'source4/auth/credentials/credentials.c') diff --git a/source4/auth/credentials/credentials.c b/source4/auth/credentials/credentials.c new file mode 100644 index 0000000000..11b413b1c6 --- /dev/null +++ b/source4/auth/credentials/credentials.c @@ -0,0 +1,562 @@ +/* + Unix SMB/CIFS implementation. + + User credentials handling + + Copyright (C) Jelmer Vernooij 2005 + Copyright (C) Tim Potter 2001 + Copyright (C) Andrew Bartlett 2005 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program; if not, write to the Free Software + Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. +*/ + +#include "includes.h" +#include "lib/ldb/include/ldb.h" +#include "librpc/gen_ndr/ndr_samr.h" /* for struct samrPassword */ + + +/** + * Create a new credentials structure + * @param mem_ctx TALLOC_CTX parent for credentials structure + */ +struct cli_credentials *cli_credentials_init(TALLOC_CTX *mem_ctx) +{ + struct cli_credentials *cred = talloc(mem_ctx, struct cli_credentials); + if (!cred) { + return cred; + } + + cred->netlogon_creds = NULL; + cred->machine_account_pending = False; + cred->workstation_obtained = CRED_UNINITIALISED; + cred->username_obtained = CRED_UNINITIALISED; + cred->password_obtained = CRED_UNINITIALISED; + cred->domain_obtained = CRED_UNINITIALISED; + cred->realm_obtained = CRED_UNINITIALISED; + cred->ccache_obtained = CRED_UNINITIALISED; + cred->principal_obtained = CRED_UNINITIALISED; + return cred; +} + +/** + * Obtain the username for this credentials context. + * @param cred credentials context + * @retval The username set on this context. + * @note Return value will never be NULL except by programmer error. + */ +const char *cli_credentials_get_username(struct cli_credentials *cred) +{ + if (cred->machine_account_pending) { + cli_credentials_set_machine_account(cred); + } + + if (cred->username_obtained == CRED_CALLBACK) { + cred->username = cred->username_cb(cred); + cred->username_obtained = CRED_SPECIFIED; + } + + return cred->username; +} + +BOOL cli_credentials_set_username(struct cli_credentials *cred, + const char *val, enum credentials_obtained obtained) +{ + if (obtained >= cred->username_obtained) { + cred->username = talloc_strdup(cred, val); + cred->username_obtained = obtained; + return True; + } + + return False; +} + +BOOL cli_credentials_set_username_callback(struct cli_credentials *cred, + const char *(*username_cb) (struct cli_credentials *)) +{ + if (cred->username_obtained < CRED_CALLBACK) { + cred->username_cb = username_cb; + cred->username_obtained = CRED_CALLBACK; + return True; + } + + return False; +} + + + +/** + * Obtain the client principal for this credentials context. + * @param cred credentials context + * @retval The username set on this context. + * @note Return value will never be NULL except by programmer error. + */ +const char *cli_credentials_get_principal(struct cli_credentials *cred, TALLOC_CTX *mem_ctx) +{ + if (cred->machine_account_pending) { + cli_credentials_set_machine_account(cred); + } + + if (cred->principal_obtained == CRED_CALLBACK) { + cred->principal = cred->principal_cb(cred); + cred->principal_obtained = CRED_SPECIFIED; + } + + if (cred->principal_obtained < cred->username_obtained) { + if (cred->domain_obtained > cred->realm_obtained) { + return talloc_asprintf(mem_ctx, "%s@%s", + cli_credentials_get_username(cred), + cli_credentials_get_domain(cred)); + } else { + return talloc_asprintf(mem_ctx, "%s@%s", + cli_credentials_get_username(cred), + cli_credentials_get_realm(cred)); + } + } + return talloc_reference(mem_ctx, cred->principal); +} + +BOOL cli_credentials_set_principal(struct cli_credentials *cred, + const char *val, + enum credentials_obtained obtained) +{ + if (obtained >= cred->principal_obtained) { + cred->principal = talloc_strdup(cred, val); + cred->principal_obtained = obtained; + return True; + } + + return False; +} + +BOOL cli_credentials_set_principal_callback(struct cli_credentials *cred, + const char *(*principal_cb) (struct cli_credentials *)) +{ + if (cred->principal_obtained < CRED_CALLBACK) { + cred->principal_cb = principal_cb; + cred->principal_obtained = CRED_CALLBACK; + return True; + } + + return False; +} + +BOOL cli_credentials_authentication_requested(struct cli_credentials *cred) +{ + if (cred->principal_obtained >= CRED_SPECIFIED) { + return True; + } + if (cred->username_obtained >= CRED_SPECIFIED) { + return True; + } + return False; +} + +/** + * Obtain the password for this credentials context. + * @param cred credentials context + * @retval If set, the cleartext password, otherwise NULL + */ +const char *cli_credentials_get_password(struct cli_credentials *cred) +{ + if (cred->machine_account_pending) { + cli_credentials_set_machine_account(cred); + } + + if (cred->password_obtained == CRED_CALLBACK) { + cred->password = cred->password_cb(cred); + cred->password_obtained = CRED_SPECIFIED; + } + + return cred->password; +} + +BOOL cli_credentials_set_password(struct cli_credentials *cred, + const char *val, + enum credentials_obtained obtained) +{ + if (obtained >= cred->password_obtained) { + cred->password = talloc_strdup(cred, val); + cred->password_obtained = obtained; + + cred->nt_hash = NULL; + return True; + } + + return False; +} + +BOOL cli_credentials_set_password_callback(struct cli_credentials *cred, + const char *(*password_cb) (struct cli_credentials *)) +{ + if (cred->password_obtained < CRED_CALLBACK) { + cred->password_cb = password_cb; + cred->password_obtained = CRED_CALLBACK; + return True; + } + + return False; +} + +/** + * Obtain the password for this credentials context. + * @param cred credentials context + * @retval If set, the cleartext password, otherwise NULL + */ +const struct samr_Password *cli_credentials_get_nt_hash(struct cli_credentials *cred, + TALLOC_CTX *mem_ctx) +{ + const char *password = cli_credentials_get_password(cred); + + if (password) { + struct samr_Password *nt_hash = talloc(mem_ctx, struct samr_Password); + if (!nt_hash) { + return NULL; + } + + E_md4hash(password, nt_hash->hash); + + return nt_hash; + } else { + return cred->nt_hash; + } +} + +BOOL cli_credentials_set_nt_hash(struct cli_credentials *cred, + const struct samr_Password *nt_hash, + enum credentials_obtained obtained) +{ + if (obtained >= cred->password_obtained) { + cli_credentials_set_password(cred, NULL, obtained); + cred->nt_hash = talloc(cred, struct samr_Password); + *cred->nt_hash = *nt_hash; + return True; + } + + return False; +} + +/** + * Obtain the 'short' or 'NetBIOS' domain for this credentials context. + * @param cred credentials context + * @retval The domain set on this context. + * @note Return value will never be NULL except by programmer error. + */ +const char *cli_credentials_get_domain(struct cli_credentials *cred) +{ + if (cred->machine_account_pending) { + cli_credentials_set_machine_account(cred); + } + + if (cred->domain_obtained == CRED_CALLBACK) { + cred->domain = cred->domain_cb(cred); + cred->domain_obtained = CRED_SPECIFIED; + } + + return cred->domain; +} + + +BOOL cli_credentials_set_domain(struct cli_credentials *cred, + const char *val, + enum credentials_obtained obtained) +{ + if (obtained >= cred->domain_obtained) { + cred->domain = talloc_strdup(cred, val); + cred->domain_obtained = obtained; + return True; + } + + return False; +} + +BOOL cli_credentials_set_domain_callback(struct cli_credentials *cred, + const char *(*domain_cb) (struct cli_credentials *)) +{ + if (cred->domain_obtained < CRED_CALLBACK) { + cred->domain_cb = domain_cb; + cred->domain_obtained = CRED_CALLBACK; + return True; + } + + return False; +} + +void cli_credentials_get_ntlm_username_domain(struct cli_credentials *cred, TALLOC_CTX *mem_ctx, + const char **username, + const char **domain) +{ + if (cred->principal_obtained > cred->username_obtained) { + *domain = talloc_strdup(mem_ctx, ""); + *username = cli_credentials_get_principal(cred, mem_ctx); + } else { + *domain = cli_credentials_get_domain(cred); + *username = cli_credentials_get_username(cred); + } +} + +/** + * Obtain the Kerberos realm for this credentials context. + * @param cred credentials context + * @retval The realm set on this context. + * @note Return value will never be NULL except by programmer error. + */ +const char *cli_credentials_get_realm(struct cli_credentials *cred) +{ + if (cred->machine_account_pending) { + cli_credentials_set_machine_account(cred); + } + + if (cred->realm_obtained == CRED_CALLBACK) { + cred->realm = cred->realm_cb(cred); + cred->realm_obtained = CRED_SPECIFIED; + } + + return cred->realm; +} + +/** + * Set the realm for this credentials context, and force it to + * uppercase for the sainity of our local kerberos libraries + */ +BOOL cli_credentials_set_realm(struct cli_credentials *cred, + const char *val, + enum credentials_obtained obtained) +{ + if (obtained >= cred->realm_obtained) { + cred->realm = strupper_talloc(cred, val); + cred->realm_obtained = obtained; + return True; + } + + return False; +} + +BOOL cli_credentials_set_realm_callback(struct cli_credentials *cred, + const char *(*realm_cb) (struct cli_credentials *)) +{ + if (cred->realm_obtained < CRED_CALLBACK) { + cred->realm_cb = realm_cb; + cred->realm_obtained = CRED_CALLBACK; + return True; + } + + return False; +} + +/** + * Obtain the 'short' or 'NetBIOS' workstation name for this credentials context. + * + * @param cred credentials context + * @retval The workstation name set on this context. + * @note Return value will never be NULL except by programmer error. + */ +const char *cli_credentials_get_workstation(struct cli_credentials *cred) +{ + if (cred->workstation_obtained == CRED_CALLBACK) { + cred->workstation = cred->workstation_cb(cred); + cred->workstation_obtained = CRED_SPECIFIED; + } + + return cred->workstation; +} + +BOOL cli_credentials_set_workstation(struct cli_credentials *cred, + const char *val, + enum credentials_obtained obtained) +{ + if (obtained >= cred->workstation_obtained) { + cred->workstation = talloc_strdup(cred, val); + cred->workstation_obtained = obtained; + return True; + } + + return False; +} + +BOOL cli_credentials_set_workstation_callback(struct cli_credentials *cred, + const char *(*workstation_cb) (struct cli_credentials *)) +{ + if (cred->workstation_obtained < CRED_CALLBACK) { + cred->workstation_cb = workstation_cb; + cred->workstation_obtained = CRED_CALLBACK; + return True; + } + + return False; +} + +/** + * Given a string, typically obtained from a -U argument, parse it into domain, username, realm and password fields + * + * The format accepted is [domain\\]user[%password] or user[@realm][%password] + * + * @param credentials Credentials structure on which to set the password + * @param data the string containing the username, password etc + * @param obtained This enum describes how 'specified' this password is + */ + +void cli_credentials_parse_string(struct cli_credentials *credentials, const char *data, enum credentials_obtained obtained) +{ + char *uname, *p; + + if (strcmp("%",data) == 0) { + cli_credentials_set_anonymous(credentials); + return; + } + + uname = talloc_strdup(credentials, data); + if ((p = strchr_m(uname,'%'))) { + *p = 0; + cli_credentials_set_password(credentials, p+1, obtained); + } + + if ((p = strchr_m(uname,'@'))) { + cli_credentials_set_principal(credentials, uname, obtained); + *p = 0; + cli_credentials_set_realm(credentials, p+1, obtained); + return; + } else if ((p = strchr_m(uname,'\\')) || (p = strchr_m(uname, '/'))) { + *p = 0; + cli_credentials_set_domain(credentials, uname, obtained); + uname = p+1; + } + cli_credentials_set_username(credentials, uname, obtained); +} + +/** + * Specifies default values for domain, workstation and realm + * from the smb.conf configuration file + * + * @param cred Credentials structure to fill in + */ +void cli_credentials_set_conf(struct cli_credentials *cred) +{ + cli_credentials_set_username(cred, "", CRED_UNINITIALISED); + cli_credentials_set_domain(cred, lp_workgroup(), CRED_UNINITIALISED); + cli_credentials_set_workstation(cred, lp_netbios_name(), CRED_UNINITIALISED); + cli_credentials_set_realm(cred, lp_realm(), CRED_UNINITIALISED); +} + +/** + * Guess defaults for credentials from environment variables, + * and from the configuration file + * + * @param cred Credentials structure to fill in + */ +void cli_credentials_guess(struct cli_credentials *cred) +{ + char *p; + + cli_credentials_set_conf(cred); + + if (getenv("LOGNAME")) { + cli_credentials_set_username(cred, getenv("LOGNAME"), CRED_GUESS_ENV); + } + + if (getenv("USER")) { + cli_credentials_parse_string(cred, getenv("USER"), CRED_GUESS_ENV); + if ((p = strchr_m(getenv("USER"),'%'))) { + memset(p,0,strlen(cred->password)); + } + } + + if (getenv("DOMAIN")) { + cli_credentials_set_domain(cred, getenv("DOMAIN"), CRED_GUESS_ENV); + } + + if (getenv("PASSWD")) { + cli_credentials_set_password(cred, getenv("PASSWD"), CRED_GUESS_ENV); + } + + if (getenv("PASSWD_FD")) { + cli_credentials_parse_password_fd(cred, atoi(getenv("PASSWD_FD")), CRED_GUESS_FILE); + } + + if (getenv("PASSWD_FILE")) { + cli_credentials_parse_password_file(cred, getenv("PASSWD_FILE"), CRED_GUESS_FILE); + } + + cli_credentials_set_ccache(cred, NULL, CRED_GUESS_FILE); +} + +/** + * Attach NETLOGON credentials for use with SCHANNEL + */ + +void cli_credentials_set_netlogon_creds(struct cli_credentials *cred, + struct creds_CredentialState *netlogon_creds) +{ + cred->netlogon_creds = talloc_reference(cred, netlogon_creds); +} + +/** + * Return attached NETLOGON credentials + */ + +struct creds_CredentialState *cli_credentials_get_netlogon_creds(struct cli_credentials *cred) +{ + return cred->netlogon_creds; +} + +/** + * Set NETLOGON secure channel type + */ + +void cli_credentials_set_secure_channel_type(struct cli_credentials *cred, + enum netr_SchannelType secure_channel_type) +{ + cred->secure_channel_type = secure_channel_type; +} + +/** + * Return NETLOGON secure chanel type + */ + +enum netr_SchannelType cli_credentials_get_secure_channel_type(struct cli_credentials *cred) +{ + return cred->secure_channel_type; +} + +/** + * Fill in a credentials structure as the anonymous user + */ +void cli_credentials_set_anonymous(struct cli_credentials *cred) +{ + cli_credentials_set_username(cred, "", CRED_SPECIFIED); + cli_credentials_set_domain(cred, "", CRED_SPECIFIED); + cli_credentials_set_password(cred, NULL, CRED_SPECIFIED); +} + +/** + * Describe a credentials context as anonymous or authenticated + * @retval True if anonymous, False if a username is specified + */ + +BOOL cli_credentials_is_anonymous(struct cli_credentials *cred) +{ + TALLOC_CTX *tmp_ctx = talloc_new(cred); + const char *username = cli_credentials_get_username(cred); + + /* Yes, it is deliberate that we die if we have a NULL pointer + * here - anonymous is "", not NULL, which is 'never specified, + * never guessed', ie programmer bug */ + if (!username[0]) { + talloc_free(tmp_ctx); + return True; + } + + talloc_free(tmp_ctx); + return False; +} -- cgit From f7ff0540d2b2490b2ef502d02b422e74a298b43d Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Fri, 14 Oct 2005 03:57:35 +0000 Subject: r10981: Pull code to decide between and implement NTLMv2, NTLM and LM authentication out of the various callers and into the kitchen sink.. err, credentials subsystem. This should ensure consistant logic, as well as get us one step closer to security=server operation in future. Andrew Bartlett (This used to be commit 09c95763301c0f7770d56462e8af4169b8c171fb) --- source4/auth/credentials/credentials.c | 13 ------------- 1 file changed, 13 deletions(-) (limited to 'source4/auth/credentials/credentials.c') diff --git a/source4/auth/credentials/credentials.c b/source4/auth/credentials/credentials.c index 11b413b1c6..38c9ba30e8 100644 --- a/source4/auth/credentials/credentials.c +++ b/source4/auth/credentials/credentials.c @@ -293,19 +293,6 @@ BOOL cli_credentials_set_domain_callback(struct cli_credentials *cred, return False; } -void cli_credentials_get_ntlm_username_domain(struct cli_credentials *cred, TALLOC_CTX *mem_ctx, - const char **username, - const char **domain) -{ - if (cred->principal_obtained > cred->username_obtained) { - *domain = talloc_strdup(mem_ctx, ""); - *username = cli_credentials_get_principal(cred, mem_ctx); - } else { - *domain = cli_credentials_get_domain(cred); - *username = cli_credentials_get_username(cred); - } -} - /** * Obtain the Kerberos realm for this credentials context. * @param cred credentials context -- cgit From ebe6f9ea490b686cef393c9b31c2c975dfac0be8 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Fri, 14 Oct 2005 15:55:51 +0000 Subject: r11058: remove useless talloc context metze (This used to be commit d9d3fe1b8aa34f5d87b73b94253b4230303cba76) --- source4/auth/credentials/credentials.c | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) (limited to 'source4/auth/credentials/credentials.c') diff --git a/source4/auth/credentials/credentials.c b/source4/auth/credentials/credentials.c index 38c9ba30e8..f24c4e2231 100644 --- a/source4/auth/credentials/credentials.c +++ b/source4/auth/credentials/credentials.c @@ -533,17 +533,14 @@ void cli_credentials_set_anonymous(struct cli_credentials *cred) BOOL cli_credentials_is_anonymous(struct cli_credentials *cred) { - TALLOC_CTX *tmp_ctx = talloc_new(cred); const char *username = cli_credentials_get_username(cred); /* Yes, it is deliberate that we die if we have a NULL pointer * here - anonymous is "", not NULL, which is 'never specified, * never guessed', ie programmer bug */ if (!username[0]) { - talloc_free(tmp_ctx); return True; } - - talloc_free(tmp_ctx); + return False; } -- cgit From 372ca26b2052e267711a45c8bf341f55505f3f8f Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Thu, 20 Oct 2005 03:47:55 +0000 Subject: r11200: Reposition the creation of the kerberos keytab for GSSAPI and Krb5 authentication. This pulls the creating of the keytab back to the credentials code, and removes the special case of 'use keberos keytab = yes' for now. This allows (and requires) the callers to specify the credentials for the server credentails to GENSEC. This allows kpasswdd (soon to be added) to use a different set of kerberos credentials. The 'use kerberos keytab' code will be moved into the credentials layer, as the layers below now expect a keytab. We also now allow for the old secret to be stored into the credentials, allowing service password changes. Andrew Bartlett (This used to be commit 205f77c579ac8680c85f713a76de5767189c627b) --- source4/auth/credentials/credentials.c | 27 +++++++++++++++++++++++++++ 1 file changed, 27 insertions(+) (limited to 'source4/auth/credentials/credentials.c') diff --git a/source4/auth/credentials/credentials.c b/source4/auth/credentials/credentials.c index f24c4e2231..9be877dd2c 100644 --- a/source4/auth/credentials/credentials.c +++ b/source4/auth/credentials/credentials.c @@ -46,7 +46,12 @@ struct cli_credentials *cli_credentials_init(TALLOC_CTX *mem_ctx) cred->domain_obtained = CRED_UNINITIALISED; cred->realm_obtained = CRED_UNINITIALISED; cred->ccache_obtained = CRED_UNINITIALISED; + cred->keytab_obtained = CRED_UNINITIALISED; cred->principal_obtained = CRED_UNINITIALISED; + + cred->old_password = NULL; + cred->smb_krb5_context = NULL; + return cred; } @@ -209,6 +214,28 @@ BOOL cli_credentials_set_password_callback(struct cli_credentials *cred, return False; } +/** + * Obtain the 'old' password for this credentials context (used for join accounts). + * @param cred credentials context + * @retval If set, the cleartext password, otherwise NULL + */ +const char *cli_credentials_get_old_password(struct cli_credentials *cred) +{ + if (cred->machine_account_pending) { + cli_credentials_set_machine_account(cred); + } + + return cred->old_password; +} + +BOOL cli_credentials_set_old_password(struct cli_credentials *cred, + const char *val, + enum credentials_obtained obtained) +{ + cred->old_password = talloc_strdup(cred, val); + return True; +} + /** * Obtain the password for this credentials context. * @param cred credentials context -- cgit From b0c7c175b1c1ed45a31a710e4fbe18bbffdd6d38 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Thu, 20 Oct 2005 10:28:16 +0000 Subject: r11220: Add the ability to handle the salt prinicpal as part of the credentials. This works with the setup/secrets.ldif change from the previous patch, and pretty much just re-invents the keytab. Needed for kpasswdd work. Andrew Bartlett (This used to be commit cc9d167bab280eaeb793a5e7dfdf1f31be47fbf5) --- source4/auth/credentials/credentials.c | 1 + 1 file changed, 1 insertion(+) (limited to 'source4/auth/credentials/credentials.c') diff --git a/source4/auth/credentials/credentials.c b/source4/auth/credentials/credentials.c index 9be877dd2c..5fe6daddbe 100644 --- a/source4/auth/credentials/credentials.c +++ b/source4/auth/credentials/credentials.c @@ -51,6 +51,7 @@ struct cli_credentials *cli_credentials_init(TALLOC_CTX *mem_ctx) cred->old_password = NULL; cred->smb_krb5_context = NULL; + cred->salt_principal = NULL; return cred; } -- cgit From 2bb739396c75b0d1c06cf124038ccc81ecb3fb22 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Fri, 28 Oct 2005 05:17:19 +0000 Subject: r11358: Ensure domains are always upper-case as well. Helps NTLMv2. Andrew Bartlett (This used to be commit 82527491b2212d34b676be1e26cc875ae2828e42) --- source4/auth/credentials/credentials.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) (limited to 'source4/auth/credentials/credentials.c') diff --git a/source4/auth/credentials/credentials.c b/source4/auth/credentials/credentials.c index 5fe6daddbe..c07f0f6c6a 100644 --- a/source4/auth/credentials/credentials.c +++ b/source4/auth/credentials/credentials.c @@ -301,7 +301,10 @@ BOOL cli_credentials_set_domain(struct cli_credentials *cred, enum credentials_obtained obtained) { if (obtained >= cred->domain_obtained) { - cred->domain = talloc_strdup(cred, val); + /* it is important that the domain be in upper case, + * particularly for the sensitive NTLMv2 + * calculations */ + cred->domain = strupper_talloc(cred, val); cred->domain_obtained = obtained; return True; } -- cgit From cfa2adf04017c9491d4cc6a69a0bbd4869061b6d Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Mon, 31 Oct 2005 00:23:38 +0000 Subject: r11401: A simple hack to have our central credentials system deny sending LM authentication for user@realm logins and machine account logins. This should avoid various protocol downgrade attacks. Andrew Bartlett (This used to be commit 76c2d204d0a1ec66d1ef3c935688c7571b051f46) --- source4/auth/credentials/credentials.c | 1 + 1 file changed, 1 insertion(+) (limited to 'source4/auth/credentials/credentials.c') diff --git a/source4/auth/credentials/credentials.c b/source4/auth/credentials/credentials.c index c07f0f6c6a..5d2c5c553e 100644 --- a/source4/auth/credentials/credentials.c +++ b/source4/auth/credentials/credentials.c @@ -52,6 +52,7 @@ struct cli_credentials *cli_credentials_init(TALLOC_CTX *mem_ctx) cred->old_password = NULL; cred->smb_krb5_context = NULL; cred->salt_principal = NULL; + cred->machine_account = False; return cred; } -- cgit From 3b2a6997b43dcfe37adf67c84e564a4fbff5b108 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Wed, 2 Nov 2005 00:31:22 +0000 Subject: r11452: Update Heimdal to current lorikeet, including removing the ccache side of the gsskrb5_acquire_cred hack. Add support for delegated credentials into the auth and credentials subsystem, and specifically into gensec_gssapi. Add the CIFS NTVFS handler as a consumer of delegated credentials, when no user/domain/password is specified. Andrew Bartlett (This used to be commit 55b89899adb692d90e63873ccdf80b9f94a6b448) --- source4/auth/credentials/credentials.c | 1 + 1 file changed, 1 insertion(+) (limited to 'source4/auth/credentials/credentials.c') diff --git a/source4/auth/credentials/credentials.c b/source4/auth/credentials/credentials.c index 5d2c5c553e..86a3df0077 100644 --- a/source4/auth/credentials/credentials.c +++ b/source4/auth/credentials/credentials.c @@ -46,6 +46,7 @@ struct cli_credentials *cli_credentials_init(TALLOC_CTX *mem_ctx) cred->domain_obtained = CRED_UNINITIALISED; cred->realm_obtained = CRED_UNINITIALISED; cred->ccache_obtained = CRED_UNINITIALISED; + cred->gss_creds_obtained = CRED_UNINITIALISED; cred->keytab_obtained = CRED_UNINITIALISED; cred->principal_obtained = CRED_UNINITIALISED; -- cgit From 9c6b7f2d62e134a4bc15efc04e05be25e4a53dc7 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Thu, 1 Dec 2005 05:20:39 +0000 Subject: r11995: A big kerberos-related update. This merges Samba4 up to current lorikeet-heimdal, which includes a replacement for some Samba-specific hacks. In particular, the credentials system now supplies GSS client and server credentials. These are imported into GSS with gss_krb5_import_creds(). Unfortunetly this can't take an MEMORY keytab, so we now create a FILE based keytab as provision and join time. Because the keytab is now created in advance, we don't spend .4s at negprot doing sha1 s2k calls. Also, because the keytab is read in real time, any change in the server key will be correctly picked up by the the krb5 code. To mark entries in the secrets which should be exported to a keytab, there is a new kerberosSecret objectClass. The new routine cli_credentials_update_all_keytabs() searches for these, and updates the keytabs. This is called in the provision.js via the ejs wrapper credentials_update_all_keytabs(). We can now (in theory) use a system-provided /etc/krb5.keytab, if krb5Keytab: FILE:/etc/krb5.keytab is added to the secrets.ldb record. By default the attribute privateKeytab: secrets.keytab is set, pointing to allow the whole private directory to be moved without breaking the internal links. (This used to be commit 6b75573df49c6210e1b9d71e108a9490976bd41d) --- source4/auth/credentials/credentials.c | 27 ++++++++++++++++++++++++--- 1 file changed, 24 insertions(+), 3 deletions(-) (limited to 'source4/auth/credentials/credentials.c') diff --git a/source4/auth/credentials/credentials.c b/source4/auth/credentials/credentials.c index 86a3df0077..75c6795e73 100644 --- a/source4/auth/credentials/credentials.c +++ b/source4/auth/credentials/credentials.c @@ -46,7 +46,8 @@ struct cli_credentials *cli_credentials_init(TALLOC_CTX *mem_ctx) cred->domain_obtained = CRED_UNINITIALISED; cred->realm_obtained = CRED_UNINITIALISED; cred->ccache_obtained = CRED_UNINITIALISED; - cred->gss_creds_obtained = CRED_UNINITIALISED; + cred->client_gss_creds_obtained = CRED_UNINITIALISED; + cred->server_gss_creds_obtained = CRED_UNINITIALISED; cred->keytab_obtained = CRED_UNINITIALISED; cred->principal_obtained = CRED_UNINITIALISED; @@ -148,6 +149,9 @@ BOOL cli_credentials_set_principal(struct cli_credentials *cred, return False; } +/* Set a callback to get the principal. This could be a popup dialog, + * a terminal prompt or similar. */ + BOOL cli_credentials_set_principal_callback(struct cli_credentials *cred, const char *(*principal_cb) (struct cli_credentials *)) { @@ -160,6 +164,10 @@ BOOL cli_credentials_set_principal_callback(struct cli_credentials *cred, return False; } +/* Some of our tools are 'anonymous by default'. This is a single + * function to determine if authentication has been explicitly + * requested */ + BOOL cli_credentials_authentication_requested(struct cli_credentials *cred) { if (cred->principal_obtained >= CRED_SPECIFIED) { @@ -190,6 +198,9 @@ const char *cli_credentials_get_password(struct cli_credentials *cred) return cred->password; } +/* Set a password on the credentials context, including an indication + * of 'how' the password was obtained */ + BOOL cli_credentials_set_password(struct cli_credentials *cred, const char *val, enum credentials_obtained obtained) @@ -240,7 +251,11 @@ BOOL cli_credentials_set_old_password(struct cli_credentials *cred, } /** - * Obtain the password for this credentials context. + * Obtain the password, in the form MD4(unicode(password)) for this credentials context. + * + * Sometimes we only have this much of the password, while the rest of + * the time this call avoids calling E_md4hash themselves. + * * @param cred credentials context * @retval If set, the cleartext password, otherwise NULL */ @@ -566,7 +581,13 @@ void cli_credentials_set_anonymous(struct cli_credentials *cred) BOOL cli_credentials_is_anonymous(struct cli_credentials *cred) { - const char *username = cli_credentials_get_username(cred); + const char *username; + + if (cred->machine_account_pending) { + cli_credentials_set_machine_account(cred); + } + + username = cli_credentials_get_username(cred); /* Yes, it is deliberate that we die if we have a NULL pointer * here - anonymous is "", not NULL, which is 'never specified, -- cgit From 61bd60957418b872688dc22ec41f7a7ec4f267b2 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Mon, 5 Dec 2005 03:20:40 +0000 Subject: r12060: Work towards allowing the credentials system to allow/deny certain GENSEC mechansims. This will allow a machine join to an NT4 domain to avoid even trying kerberos, or a sensitive operation to require it. Andrew Bartlett (This used to be commit 11c7a89e523f85afd728d5e5f03bb084dc620244) --- source4/auth/credentials/credentials.c | 1 + 1 file changed, 1 insertion(+) (limited to 'source4/auth/credentials/credentials.c') diff --git a/source4/auth/credentials/credentials.c b/source4/auth/credentials/credentials.c index 75c6795e73..22b7772182 100644 --- a/source4/auth/credentials/credentials.c +++ b/source4/auth/credentials/credentials.c @@ -55,6 +55,7 @@ struct cli_credentials *cli_credentials_init(TALLOC_CTX *mem_ctx) cred->smb_krb5_context = NULL; cred->salt_principal = NULL; cred->machine_account = False; + cred->gensec_list = NULL; return cred; } -- cgit From a1827a1deba04e0b4b2a508dc4e4e66603a46d16 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Wed, 14 Dec 2005 07:22:25 +0000 Subject: r12227: I realised that I wasn't yet seeing authenticated LDAP for the ldb backend. The idea is that every time we open an LDB, we can provide a session_info and/or credentials. This would allow any ldb to be remote to LDAP. We should also support provisioning to a authenticated ldap server. (They are separate so we can say authenticate as foo for remote, but here we just want a token of SYSTEM). Andrew Bartlett (This used to be commit ae2f3a64ee0b07575624120db45299c65204210b) --- source4/auth/credentials/credentials.c | 4 ++++ 1 file changed, 4 insertions(+) (limited to 'source4/auth/credentials/credentials.c') diff --git a/source4/auth/credentials/credentials.c b/source4/auth/credentials/credentials.c index 22b7772182..0e37fdc4a6 100644 --- a/source4/auth/credentials/credentials.c +++ b/source4/auth/credentials/credentials.c @@ -171,6 +171,10 @@ BOOL cli_credentials_set_principal_callback(struct cli_credentials *cred, BOOL cli_credentials_authentication_requested(struct cli_credentials *cred) { + if (cred->machine_account_pending) { + cli_credentials_set_machine_account(cred); + } + if (cred->principal_obtained >= CRED_SPECIFIED) { return True; } -- cgit From 97b54b007e0f8a44074fa570b06b7ff9d4f2489b Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Sun, 18 Dec 2005 05:01:15 +0000 Subject: r12310: Link simple bind support in our internal LDAP libs to LDB and the command line processing system. This is a little ugly at the moment, but works. What I cannot manage to get to work is the extraction and propogation of command line credentials into the js interface to ldb. Andrew Bartlett (This used to be commit f34ede763e7f80507d06224d114cf6b5ac7c8f7d) --- source4/auth/credentials/credentials.c | 23 +++++++++++++++++++++++ 1 file changed, 23 insertions(+) (limited to 'source4/auth/credentials/credentials.c') diff --git a/source4/auth/credentials/credentials.c b/source4/auth/credentials/credentials.c index 0e37fdc4a6..0ea2a01ea1 100644 --- a/source4/auth/credentials/credentials.c +++ b/source4/auth/credentials/credentials.c @@ -57,6 +57,8 @@ struct cli_credentials *cli_credentials_init(TALLOC_CTX *mem_ctx) cred->machine_account = False; cred->gensec_list = NULL; + cred->bind_dn = NULL; + return cred; } @@ -104,6 +106,23 @@ BOOL cli_credentials_set_username_callback(struct cli_credentials *cred, return False; } +BOOL cli_credentials_set_bind_dn(struct cli_credentials *cred, + const char *bind_dn) +{ + cred->bind_dn = talloc_strdup(cred, bind_dn); + return True; +} + +/** + * Obtain the BIND DN for this credentials context. + * @param cred credentials context + * @retval The username set on this context. + * @note Return value will be NULL if not specified explictly + */ +const char *cli_credentials_get_bind_dn(struct cli_credentials *cred) +{ + return cred->bind_dn; +} /** @@ -171,6 +190,10 @@ BOOL cli_credentials_set_principal_callback(struct cli_credentials *cred, BOOL cli_credentials_authentication_requested(struct cli_credentials *cred) { + if (cred->bind_dn) { + return True; + } + if (cred->machine_account_pending) { cli_credentials_set_machine_account(cred); } -- cgit From d4de4c2d210d2e8c9b5aedf70695594809ad6a0b Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Fri, 30 Dec 2005 13:16:54 +0000 Subject: r12608: Remove some unused #include lines. (This used to be commit 70e7449318aa0e9d2639c76730a7d1683b2f4981) --- source4/auth/credentials/credentials.c | 1 - 1 file changed, 1 deletion(-) (limited to 'source4/auth/credentials/credentials.c') diff --git a/source4/auth/credentials/credentials.c b/source4/auth/credentials/credentials.c index 0ea2a01ea1..a6bfb15dec 100644 --- a/source4/auth/credentials/credentials.c +++ b/source4/auth/credentials/credentials.c @@ -23,7 +23,6 @@ */ #include "includes.h" -#include "lib/ldb/include/ldb.h" #include "librpc/gen_ndr/ndr_samr.h" /* for struct samrPassword */ -- cgit From 44e601b5ad635ba29088fd4c747627dee8d62112 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Sat, 28 Jan 2006 12:15:24 +0000 Subject: r13206: This patch finally re-adds a -k option that works reasonably. From here we can add tests to Samba for kerberos, forcing it on and off. In the process, I also remove the dependency of credentials on GENSEC. This also picks up on the idea of bringing 'set_boolean' into general code from jpeach's cifsdd patch. Andrew Bartlett (This used to be commit 1ac7976ea6e3ad6184c911de5df624c44e7c5228) --- source4/auth/credentials/credentials.c | 17 +++++++++++++++-- 1 file changed, 15 insertions(+), 2 deletions(-) (limited to 'source4/auth/credentials/credentials.c') diff --git a/source4/auth/credentials/credentials.c b/source4/auth/credentials/credentials.c index a6bfb15dec..b1554cc9ef 100644 --- a/source4/auth/credentials/credentials.c +++ b/source4/auth/credentials/credentials.c @@ -24,7 +24,7 @@ #include "includes.h" #include "librpc/gen_ndr/ndr_samr.h" /* for struct samrPassword */ - +#include "auth/gensec/gensec.h" /** * Create a new credentials structure @@ -54,13 +54,26 @@ struct cli_credentials *cli_credentials_init(TALLOC_CTX *mem_ctx) cred->smb_krb5_context = NULL; cred->salt_principal = NULL; cred->machine_account = False; - cred->gensec_list = NULL; cred->bind_dn = NULL; + cli_credentials_set_kerberos_state(cred, CRED_AUTO_USE_KERBEROS); + return cred; } +void cli_credentials_set_kerberos_state(struct cli_credentials *creds, + enum credentials_use_kerberos use_kerberos) +{ + creds->use_kerberos = use_kerberos; +} + +enum credentials_use_kerberos cli_credentials_get_kerberos_state(struct cli_credentials *creds) +{ + return creds->use_kerberos; +} + + /** * Obtain the username for this credentials context. * @param cred credentials context -- cgit From 4ac2be99588b48b0652a524bf12fb1aa9c3f5fbb Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Tue, 7 Mar 2006 11:07:23 +0000 Subject: r13924: Split more prototypes out of include/proto.h + initial work on header file dependencies (This used to be commit 122835876748a3eaf5e8d31ad1abddab9acb8781) --- source4/auth/credentials/credentials.c | 1 + 1 file changed, 1 insertion(+) (limited to 'source4/auth/credentials/credentials.c') diff --git a/source4/auth/credentials/credentials.c b/source4/auth/credentials/credentials.c index b1554cc9ef..4162c2a10a 100644 --- a/source4/auth/credentials/credentials.c +++ b/source4/auth/credentials/credentials.c @@ -25,6 +25,7 @@ #include "includes.h" #include "librpc/gen_ndr/ndr_samr.h" /* for struct samrPassword */ #include "auth/gensec/gensec.h" +#include "libcli/auth/proto.h" /** * Create a new credentials structure -- cgit From e3f2414cf9e582a4e4deecc662b64a7bb2679a34 Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Tue, 14 Mar 2006 15:03:25 +0000 Subject: r14380: Reduce the size of structs.h (This used to be commit 1a16a6f1dfa66499af43a6b88b3ea69a6a75f1fe) --- source4/auth/credentials/credentials.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source4/auth/credentials/credentials.c') diff --git a/source4/auth/credentials/credentials.c b/source4/auth/credentials/credentials.c index 4162c2a10a..01a00c3dfc 100644 --- a/source4/auth/credentials/credentials.c +++ b/source4/auth/credentials/credentials.c @@ -25,7 +25,7 @@ #include "includes.h" #include "librpc/gen_ndr/ndr_samr.h" /* for struct samrPassword */ #include "auth/gensec/gensec.h" -#include "libcli/auth/proto.h" +#include "libcli/auth/libcli_auth.h" /** * Create a new credentials structure -- cgit From 8528016978b084213ef53d66e1b6e831b1a01acc Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Thu, 16 Mar 2006 00:23:11 +0000 Subject: r14464: Don't include ndr_BASENAME.h files unless strictly required, instead try to include just the BASENAME.h files (containing only structs) (This used to be commit 3dd477ca5147f28a962b8437e2611a8222d706bd) --- source4/auth/credentials/credentials.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source4/auth/credentials/credentials.c') diff --git a/source4/auth/credentials/credentials.c b/source4/auth/credentials/credentials.c index 01a00c3dfc..ee90c8228a 100644 --- a/source4/auth/credentials/credentials.c +++ b/source4/auth/credentials/credentials.c @@ -23,7 +23,7 @@ */ #include "includes.h" -#include "librpc/gen_ndr/ndr_samr.h" /* for struct samrPassword */ +#include "librpc/gen_ndr/samr.h" /* for struct samrPassword */ #include "auth/gensec/gensec.h" #include "libcli/auth/libcli_auth.h" -- cgit From 557c98bd5f4e5268d4793d51037f59ef3482fe8c Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Wed, 3 May 2006 14:15:31 +0000 Subject: r15414: Support retrying different username/password combinations (This used to be commit 5de894fb8bac8efa5bff004dbfc2e8b386d4003b) --- source4/auth/credentials/credentials.c | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) (limited to 'source4/auth/credentials/credentials.c') diff --git a/source4/auth/credentials/credentials.c b/source4/auth/credentials/credentials.c index ee90c8228a..66b6c120cf 100644 --- a/source4/auth/credentials/credentials.c +++ b/source4/auth/credentials/credentials.c @@ -639,3 +639,24 @@ BOOL cli_credentials_is_anonymous(struct cli_credentials *cred) return False; } + +/** + * Mark the current password for a credentials struct as wrong. This will + * cause the password to be prompted again (if a callback is set). + * + * This will decremebt the number of times the password can be tried. + * + * @retval whether the credentials struct is finished + */ +BOOL cli_credentials_wrong_password(struct cli_credentials *cred) +{ + if (cred->password_obtained != CRED_CALLBACK_RESULT) { + return False; + } + + cred->password_obtained = CRED_CALLBACK; + + cred->tries--; + + return (cred->tries > 0); +} -- cgit From ed752c800425ffd3db39a770ddaee3ad2d73c494 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Wed, 3 May 2006 14:54:57 +0000 Subject: r15415: Use Jelmer's new credentials 'wrong password' code to give the user 3 attempts for the password, when talking to a remote CIFS server. Andrew Bartlett (This used to be commit 3a4ddc8f5978210ab3ad79f0332cee80a0d6e6c9) --- source4/auth/credentials/credentials.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) (limited to 'source4/auth/credentials/credentials.c') diff --git a/source4/auth/credentials/credentials.c b/source4/auth/credentials/credentials.c index 66b6c120cf..cf54bfe3b5 100644 --- a/source4/auth/credentials/credentials.c +++ b/source4/auth/credentials/credentials.c @@ -58,6 +58,8 @@ struct cli_credentials *cli_credentials_init(TALLOC_CTX *mem_ctx) cred->bind_dn = NULL; + cred->tries = 3; + cli_credentials_set_kerberos_state(cred, CRED_AUTO_USE_KERBEROS); return cred; @@ -233,7 +235,7 @@ const char *cli_credentials_get_password(struct cli_credentials *cred) if (cred->password_obtained == CRED_CALLBACK) { cred->password = cred->password_cb(cred); - cred->password_obtained = CRED_SPECIFIED; + cred->password_obtained = CRED_CALLBACK_RESULT; } return cred->password; -- cgit From 1789976c172085569026e62bc563ff0ea017fe9d Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Wed, 3 May 2006 20:23:19 +0000 Subject: r15420: Add a new function to print a the 'unparsed' string format for usernames. This is used in the password prompt, and should be reversable by the parse string function. Also, don't look at the ccache, even for the guess code, if kerberos is disabled. Andrew Bartlett (This used to be commit 4c4b8e4b396ca44270a0456c732d3b9c3c34d69d) --- source4/auth/credentials/credentials.c | 40 +++++++++++++++++++++++++++++++--- 1 file changed, 37 insertions(+), 3 deletions(-) (limited to 'source4/auth/credentials/credentials.c') diff --git a/source4/auth/credentials/credentials.c b/source4/auth/credentials/credentials.c index cf54bfe3b5..e00251d69f 100644 --- a/source4/auth/credentials/credentials.c +++ b/source4/auth/credentials/credentials.c @@ -513,6 +513,38 @@ void cli_credentials_parse_string(struct cli_credentials *credentials, const cha cli_credentials_set_username(credentials, uname, obtained); } +/** + * Given a string, typically obtained from a -U argument, parse it into domain, username, realm and password fields + * + * The format accepted is [domain\\]user[%password] or user[@realm][%password] + * + * @param credentials Credentials structure on which to set the password + * @param data the string containing the username, password etc + * @param obtained This enum describes how 'specified' this password is + */ + +const char *cli_credentials_get_unparsed_name(struct cli_credentials *credentials, TALLOC_CTX *mem_ctx) +{ + const char *bind_dn = cli_credentials_get_bind_dn(credentials); + const char *domain; + const char *username; + const char *name; + + if (bind_dn) { + name = talloc_reference(mem_ctx, bind_dn); + } else { + cli_credentials_get_ntlm_username_domain(credentials, mem_ctx, &username, &domain); + if (domain && domain[0]) { + name = talloc_asprintf(mem_ctx, "%s\\%s", + domain, username); + } else { + name = talloc_asprintf(mem_ctx, "%s", + username); + } + } + return name; +} + /** * Specifies default values for domain, workstation and realm * from the smb.conf configuration file @@ -565,8 +597,10 @@ void cli_credentials_guess(struct cli_credentials *cred) if (getenv("PASSWD_FILE")) { cli_credentials_parse_password_file(cred, getenv("PASSWD_FILE"), CRED_GUESS_FILE); } - - cli_credentials_set_ccache(cred, NULL, CRED_GUESS_FILE); + + if (cli_credentials_get_kerberos_state(cred) != CRED_DONT_USE_KERBEROS) { + cli_credentials_set_ccache(cred, NULL, CRED_GUESS_FILE); + } } /** @@ -646,7 +680,7 @@ BOOL cli_credentials_is_anonymous(struct cli_credentials *cred) * Mark the current password for a credentials struct as wrong. This will * cause the password to be prompted again (if a callback is set). * - * This will decremebt the number of times the password can be tried. + * This will decrement the number of times the password can be tried. * * @retval whether the credentials struct is finished */ -- cgit From b2f8c9b82d1d96bd49d314a60191b7a62ffc52ca Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Wed, 3 May 2006 20:31:24 +0000 Subject: r15421: Correct function comments. Andrew Bartlett (This used to be commit f9899277898ee7ef1118cbc49f5f277623ff7444) --- source4/auth/credentials/credentials.c | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) (limited to 'source4/auth/credentials/credentials.c') diff --git a/source4/auth/credentials/credentials.c b/source4/auth/credentials/credentials.c index e00251d69f..28ba5eb32d 100644 --- a/source4/auth/credentials/credentials.c +++ b/source4/auth/credentials/credentials.c @@ -514,13 +514,12 @@ void cli_credentials_parse_string(struct cli_credentials *credentials, const cha } /** - * Given a string, typically obtained from a -U argument, parse it into domain, username, realm and password fields + * Given a a credentials structure, print it as a string * - * The format accepted is [domain\\]user[%password] or user[@realm][%password] + * The format output is [domain\\]user[%password] or user[@realm][%password] * * @param credentials Credentials structure on which to set the password - * @param data the string containing the username, password etc - * @param obtained This enum describes how 'specified' this password is + * @param mem_ctx The memory context to place the result on */ const char *cli_credentials_get_unparsed_name(struct cli_credentials *credentials, TALLOC_CTX *mem_ctx) -- cgit From 086c9cc5f4a9145ee93060db2eebb3badc325e44 Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Wed, 3 May 2006 20:56:14 +0000 Subject: r15422: Fix issues with functions being called recursively in the credentials callback code. (This used to be commit edf0701e877592695bd69124e528338c27f24efd) --- source4/auth/credentials/credentials.c | 30 ++++++++++++++++++++++++------ 1 file changed, 24 insertions(+), 6 deletions(-) (limited to 'source4/auth/credentials/credentials.c') diff --git a/source4/auth/credentials/credentials.c b/source4/auth/credentials/credentials.c index 28ba5eb32d..1ffc27dab6 100644 --- a/source4/auth/credentials/credentials.c +++ b/source4/auth/credentials/credentials.c @@ -89,8 +89,11 @@ const char *cli_credentials_get_username(struct cli_credentials *cred) cli_credentials_set_machine_account(cred); } - if (cred->username_obtained == CRED_CALLBACK) { + if (cred->username_obtained == CRED_CALLBACK && + !cred->callback_running) { + cred->callback_running = True; cred->username = cred->username_cb(cred); + cred->callback_running = False; cred->username_obtained = CRED_SPECIFIED; } @@ -152,8 +155,11 @@ const char *cli_credentials_get_principal(struct cli_credentials *cred, TALLOC_C cli_credentials_set_machine_account(cred); } - if (cred->principal_obtained == CRED_CALLBACK) { + if (cred->principal_obtained == CRED_CALLBACK && + !cred->callback_running) { + cred->callback_running = False; cred->principal = cred->principal_cb(cred); + cred->callback_running = True; cred->principal_obtained = CRED_SPECIFIED; } @@ -233,8 +239,11 @@ const char *cli_credentials_get_password(struct cli_credentials *cred) cli_credentials_set_machine_account(cred); } - if (cred->password_obtained == CRED_CALLBACK) { + if (cred->password_obtained == CRED_CALLBACK && + !cred->callback_running) { + cred->callback_running = False; cred->password = cred->password_cb(cred); + cred->callback_running = True; cred->password_obtained = CRED_CALLBACK_RESULT; } @@ -347,8 +356,11 @@ const char *cli_credentials_get_domain(struct cli_credentials *cred) cli_credentials_set_machine_account(cred); } - if (cred->domain_obtained == CRED_CALLBACK) { + if (cred->domain_obtained == CRED_CALLBACK && + !cred->callback_running) { + cred->callback_running = True; cred->domain = cred->domain_cb(cred); + cred->callback_running = False; cred->domain_obtained = CRED_SPECIFIED; } @@ -396,8 +408,11 @@ const char *cli_credentials_get_realm(struct cli_credentials *cred) cli_credentials_set_machine_account(cred); } - if (cred->realm_obtained == CRED_CALLBACK) { + if (cred->realm_obtained == CRED_CALLBACK && + !cred->callback_running) { + cred->callback_running = True; cred->realm = cred->realm_cb(cred); + cred->callback_running = False; cred->realm_obtained = CRED_SPECIFIED; } @@ -442,8 +457,11 @@ BOOL cli_credentials_set_realm_callback(struct cli_credentials *cred, */ const char *cli_credentials_get_workstation(struct cli_credentials *cred) { - if (cred->workstation_obtained == CRED_CALLBACK) { + if (cred->workstation_obtained == CRED_CALLBACK && + !cred->callback_running) { + cred->callback_running = True; cred->workstation = cred->workstation_cb(cred); + cred->callback_running = False; cred->workstation_obtained = CRED_SPECIFIED; } -- cgit From bfbc269d0d8b06537c540d4052bf8e1b47d454e5 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Sun, 7 May 2006 18:08:57 +0000 Subject: r15498: Initialise the callback_running field, and get the flag set/clear the right way around for all the callers. Andrew Bartlett (This used to be commit f9bcfb04aa3ec93eed7076dbb1fed50cf1edb424) --- source4/auth/credentials/credentials.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) (limited to 'source4/auth/credentials/credentials.c') diff --git a/source4/auth/credentials/credentials.c b/source4/auth/credentials/credentials.c index 1ffc27dab6..d884fb59ce 100644 --- a/source4/auth/credentials/credentials.c +++ b/source4/auth/credentials/credentials.c @@ -59,6 +59,7 @@ struct cli_credentials *cli_credentials_init(TALLOC_CTX *mem_ctx) cred->bind_dn = NULL; cred->tries = 3; + cred->callback_running = False; cli_credentials_set_kerberos_state(cred, CRED_AUTO_USE_KERBEROS); @@ -157,9 +158,9 @@ const char *cli_credentials_get_principal(struct cli_credentials *cred, TALLOC_C if (cred->principal_obtained == CRED_CALLBACK && !cred->callback_running) { - cred->callback_running = False; - cred->principal = cred->principal_cb(cred); cred->callback_running = True; + cred->principal = cred->principal_cb(cred); + cred->callback_running = False; cred->principal_obtained = CRED_SPECIFIED; } @@ -241,9 +242,9 @@ const char *cli_credentials_get_password(struct cli_credentials *cred) if (cred->password_obtained == CRED_CALLBACK && !cred->callback_running) { - cred->callback_running = False; - cred->password = cred->password_cb(cred); cred->callback_running = True; + cred->password = cred->password_cb(cred); + cred->callback_running = False; cred->password_obtained = CRED_CALLBACK_RESULT; } -- cgit From 9482de397977fc6b7c18795f0398bcc3768fd189 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Wed, 14 Jun 2006 04:00:42 +0000 Subject: r16218: If a connection is forced as 'anonymous', don't treat it as 'authentication requested'... Andrew Bartlett (This used to be commit d5fc88c93697dbcab13b2356ef4e5d1d2a7d59eb) --- source4/auth/credentials/credentials.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'source4/auth/credentials/credentials.c') diff --git a/source4/auth/credentials/credentials.c b/source4/auth/credentials/credentials.c index d884fb59ce..caaef3e0c2 100644 --- a/source4/auth/credentials/credentials.c +++ b/source4/auth/credentials/credentials.c @@ -216,8 +216,8 @@ BOOL cli_credentials_authentication_requested(struct cli_credentials *cred) return True; } - if (cred->machine_account_pending) { - cli_credentials_set_machine_account(cred); + if (cli_credentials_is_anonymous(cred)){ + return False; } if (cred->principal_obtained >= CRED_SPECIFIED) { -- cgit From 13dbee3ffea6065a826f010e50c9b4eb2c6ad109 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Tue, 7 Nov 2006 00:48:36 +0000 Subject: r19598: Ahead of a merge to current lorikeet-heimdal: Break up auth/auth.h not to include the world. Add credentials_krb5.h with the kerberos dependent prototypes. Andrew Bartlett (This used to be commit 2b569c42e0fbb596ea82484d0e1cb22e193037b9) --- source4/auth/credentials/credentials.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'source4/auth/credentials/credentials.c') diff --git a/source4/auth/credentials/credentials.c b/source4/auth/credentials/credentials.c index caaef3e0c2..d4db0a0180 100644 --- a/source4/auth/credentials/credentials.c +++ b/source4/auth/credentials/credentials.c @@ -24,7 +24,8 @@ #include "includes.h" #include "librpc/gen_ndr/samr.h" /* for struct samrPassword */ -#include "auth/gensec/gensec.h" +#include "auth/credentials/credentials.h" +#include "auth/credentials/credentials_krb5.h" #include "libcli/auth/libcli_auth.h" /** -- cgit From 38a472c994b5c4a02632bf55a044dfc12cf694fd Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Tue, 12 Dec 2006 21:47:56 +0000 Subject: r20135: attach default gensec features to the cli_credentials structure, so make it possible to force encryption or signing. metze (This used to be commit a91dc4a02a46370c52f59cbd4dea9580fa6efafa) --- source4/auth/credentials/credentials.c | 11 +++++++++++ 1 file changed, 11 insertions(+) (limited to 'source4/auth/credentials/credentials.c') diff --git a/source4/auth/credentials/credentials.c b/source4/auth/credentials/credentials.c index d4db0a0180..2a64a7c50c 100644 --- a/source4/auth/credentials/credentials.c +++ b/source4/auth/credentials/credentials.c @@ -63,6 +63,7 @@ struct cli_credentials *cli_credentials_init(TALLOC_CTX *mem_ctx) cred->callback_running = False; cli_credentials_set_kerberos_state(cred, CRED_AUTO_USE_KERBEROS); + cli_credentials_set_gensec_features(cred, 0); return cred; } @@ -78,6 +79,16 @@ enum credentials_use_kerberos cli_credentials_get_kerberos_state(struct cli_cred return creds->use_kerberos; } +void cli_credentials_set_gensec_features(struct cli_credentials *creds, uint32_t gensec_features) +{ + creds->gensec_features = gensec_features; +} + +uint32_t cli_credentials_get_gensec_features(struct cli_credentials *creds) +{ + return creds->gensec_features; +} + /** * Obtain the username for this credentials context. -- cgit From 744dddd75be73e4e883241b808b37a12a7a39ac1 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Sun, 4 Feb 2007 07:17:03 +0000 Subject: r21135: Instead of having hooks to update keytabs as an explicit thing, update them as a hook on ldb modify, via a module. This should allow the secrets.ldb to be edited by the admin, and to have things update in the on-disk keytab just as an in-memory keytab would. This isn't really a dsdb plugin, but I don't have any other good ideas about where to put it. Andrew Bartlett (This used to be commit 6ce557a1aff4754d2622be8f1c6695d9ee788d54) --- source4/auth/credentials/credentials.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) (limited to 'source4/auth/credentials/credentials.c') diff --git a/source4/auth/credentials/credentials.c b/source4/auth/credentials/credentials.c index 2a64a7c50c..48d44ad8e7 100644 --- a/source4/auth/credentials/credentials.c +++ b/source4/auth/credentials/credentials.c @@ -349,8 +349,12 @@ BOOL cli_credentials_set_nt_hash(struct cli_credentials *cred, { if (obtained >= cred->password_obtained) { cli_credentials_set_password(cred, NULL, obtained); - cred->nt_hash = talloc(cred, struct samr_Password); - *cred->nt_hash = *nt_hash; + if (nt_hash) { + cred->nt_hash = talloc(cred, struct samr_Password); + *cred->nt_hash = *nt_hash; + } else { + cred->nt_hash = NULL; + } return True; } -- cgit From 908bc58cdd2642fe61f6e3a07e9d362de6e18ae6 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Mon, 19 Feb 2007 16:43:56 +0000 Subject: r21451: if kerberos is requested ( -k yes ), we should use authentificated connections metze (This used to be commit 426238eb45f0cc41d99961ac554c2528fd8e96f5) --- source4/auth/credentials/credentials.c | 5 +++++ 1 file changed, 5 insertions(+) (limited to 'source4/auth/credentials/credentials.c') diff --git a/source4/auth/credentials/credentials.c b/source4/auth/credentials/credentials.c index 48d44ad8e7..38bd701b76 100644 --- a/source4/auth/credentials/credentials.c +++ b/source4/auth/credentials/credentials.c @@ -238,6 +238,11 @@ BOOL cli_credentials_authentication_requested(struct cli_credentials *cred) if (cred->username_obtained >= CRED_SPECIFIED) { return True; } + + if (cli_credentials_get_kerberos_state(cred) == CRED_MUST_USE_KERBEROS) { + return True; + } + return False; } -- cgit From fcaeedeff3c7d65f65da19440eb7b1ac01481167 Mon Sep 17 00:00:00 2001 From: James Peach Date: Fri, 2 Mar 2007 23:24:27 +0000 Subject: r21668: Add SMB_QFS_POSIX_WHOAMI to trans2.h so it's easy to find. Add convenience API to create an anonymous credential. Don't clobber cmdline_credentials in the UNIX-WHOAMI test. (This used to be commit 73cea4e0c66f57057ed12b07bbb94b4e783ba6bf) --- source4/auth/credentials/credentials.c | 15 +++++++++++++++ 1 file changed, 15 insertions(+) (limited to 'source4/auth/credentials/credentials.c') diff --git a/source4/auth/credentials/credentials.c b/source4/auth/credentials/credentials.c index 38bd701b76..6f740d95c3 100644 --- a/source4/auth/credentials/credentials.c +++ b/source4/auth/credentials/credentials.c @@ -68,6 +68,21 @@ struct cli_credentials *cli_credentials_init(TALLOC_CTX *mem_ctx) return cred; } +/** + * Create a new anonymous credential + * @param mem_ctx TALLOC_CTX parent for credentials structure + */ +struct cli_credentials *cli_credentials_init_anon(TALLOC_CTX *mem_ctx) +{ + struct cli_credentials *anon_credentials; + + anon_credentials = cli_credentials_init(mem_ctx); + cli_credentials_set_conf(anon_credentials); + cli_credentials_set_anonymous(anon_credentials); + + return anon_credentials; +} + void cli_credentials_set_kerberos_state(struct cli_credentials *creds, enum credentials_use_kerberos use_kerberos) { -- cgit From 847102c6ca17f7b7d665863b8caa1d85baef46ad Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Wed, 7 Mar 2007 04:20:10 +0000 Subject: r21736: Fix the smbclient test to do something more interesting with the last few authentication tests. Now that the tests correctly 'fail', I was able to fix the credentials subsystem to honour USER and PASSWD. To get --machine-pass working, I needed ldb to always load it's static modules, so I put this in ldb_connect(). Andrew Bartlett (This used to be commit 3430d8c072407a1c33c32229095fc9db2142b6fa) --- source4/auth/credentials/credentials.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) (limited to 'source4/auth/credentials/credentials.c') diff --git a/source4/auth/credentials/credentials.c b/source4/auth/credentials/credentials.c index 6f740d95c3..55ada8e5a5 100644 --- a/source4/auth/credentials/credentials.c +++ b/source4/auth/credentials/credentials.c @@ -648,8 +648,9 @@ void cli_credentials_guess(struct cli_credentials *cred) cli_credentials_parse_password_fd(cred, atoi(getenv("PASSWD_FD")), CRED_GUESS_FILE); } - if (getenv("PASSWD_FILE")) { - cli_credentials_parse_password_file(cred, getenv("PASSWD_FILE"), CRED_GUESS_FILE); + p = getenv("PASSWD_FILE"); + if (p && p[0]) { + cli_credentials_parse_password_file(cred, p, CRED_GUESS_FILE); } if (cli_credentials_get_kerberos_state(cred) != CRED_DONT_USE_KERBEROS) { -- cgit From 68094302c118962ba07561eb4da7633eaec7ea0d Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Sat, 7 Apr 2007 00:47:39 +0000 Subject: r22115: I don't like the DOMAIN environment variable. It really isn't a good match for what we are using it for here. Andrew Bartlett (This used to be commit 305d1421efff3f01db1dce499568874965058e79) --- source4/auth/credentials/credentials.c | 4 ---- 1 file changed, 4 deletions(-) (limited to 'source4/auth/credentials/credentials.c') diff --git a/source4/auth/credentials/credentials.c b/source4/auth/credentials/credentials.c index 55ada8e5a5..c76c170c6d 100644 --- a/source4/auth/credentials/credentials.c +++ b/source4/auth/credentials/credentials.c @@ -636,10 +636,6 @@ void cli_credentials_guess(struct cli_credentials *cred) } } - if (getenv("DOMAIN")) { - cli_credentials_set_domain(cred, getenv("DOMAIN"), CRED_GUESS_ENV); - } - if (getenv("PASSWD")) { cli_credentials_set_password(cred, getenv("PASSWD"), CRED_GUESS_ENV); } -- cgit From c42219d7352bd2e7a6413f7ae1cd0fd5cded1d95 Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Thu, 17 May 2007 08:47:04 +0000 Subject: r22969: fix some more places where we could end up with more than one event context. We now have an event context on the torture_context, and we can also get one from the cli_credentials structure (This used to be commit c0f65eb6562e13530337c23e3447a6aa6eb8fc17) --- source4/auth/credentials/credentials.c | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) (limited to 'source4/auth/credentials/credentials.c') diff --git a/source4/auth/credentials/credentials.c b/source4/auth/credentials/credentials.c index c76c170c6d..39b22df729 100644 --- a/source4/auth/credentials/credentials.c +++ b/source4/auth/credentials/credentials.c @@ -27,6 +27,7 @@ #include "auth/credentials/credentials.h" #include "auth/credentials/credentials_krb5.h" #include "libcli/auth/libcli_auth.h" +#include "lib/events/events.h" /** * Create a new credentials structure @@ -61,6 +62,7 @@ struct cli_credentials *cli_credentials_init(TALLOC_CTX *mem_ctx) cred->tries = 3; cred->callback_running = False; + cred->ev = NULL; cli_credentials_set_kerberos_state(cred, CRED_AUTO_USE_KERBEROS); cli_credentials_set_gensec_features(cred, 0); @@ -747,3 +749,22 @@ BOOL cli_credentials_wrong_password(struct cli_credentials *cred) return (cred->tries > 0); } + +/* + set the common event context for this set of credentials + */ +void cli_credentials_set_event_context(struct cli_credentials *cred, struct event_context *ev) +{ + cred->ev = ev; +} + +/* + set the common event context for this set of credentials + */ +struct event_context *cli_credentials_get_event_context(struct cli_credentials *cred) +{ + if (cred->ev == NULL) { + cred->ev = event_context_find(cred); + } + return cred->ev; +} -- cgit From c83c39909ed4979d455f94c9b842b542fb38e76b Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Tue, 22 May 2007 05:21:59 +0000 Subject: r23063: Make sure to invalidate the ccache when we set a username/password/realm/etc from the command line. Also make sure it can't 'come back' from a later call to cli_credentials_guess(), buy setting a threshold. This should fix the issues with the build farm... Andrew Bartlett (This used to be commit 3b1dfb9306beb9f40d85d38cf6786ef161ec63f1) --- source4/auth/credentials/credentials.c | 14 ++++++++++++++ 1 file changed, 14 insertions(+) (limited to 'source4/auth/credentials/credentials.c') diff --git a/source4/auth/credentials/credentials.c b/source4/auth/credentials/credentials.c index 39b22df729..951c523b64 100644 --- a/source4/auth/credentials/credentials.c +++ b/source4/auth/credentials/credentials.c @@ -53,6 +53,9 @@ struct cli_credentials *cli_credentials_init(TALLOC_CTX *mem_ctx) cred->keytab_obtained = CRED_UNINITIALISED; cred->principal_obtained = CRED_UNINITIALISED; + cred->ccache_threshold = CRED_UNINITIALISED; + cred->client_gss_creds_threshold = CRED_UNINITIALISED; + cred->old_password = NULL; cred->smb_krb5_context = NULL; cred->salt_principal = NULL; @@ -125,6 +128,7 @@ const char *cli_credentials_get_username(struct cli_credentials *cred) cred->username = cred->username_cb(cred); cred->callback_running = False; cred->username_obtained = CRED_SPECIFIED; + cli_credentials_invalidate_ccache(cred, cred->username_obtained); } return cred->username; @@ -136,6 +140,7 @@ BOOL cli_credentials_set_username(struct cli_credentials *cred, if (obtained >= cred->username_obtained) { cred->username = talloc_strdup(cred, val); cred->username_obtained = obtained; + cli_credentials_invalidate_ccache(cred, cred->username_obtained); return True; } @@ -191,6 +196,7 @@ const char *cli_credentials_get_principal(struct cli_credentials *cred, TALLOC_C cred->principal = cred->principal_cb(cred); cred->callback_running = False; cred->principal_obtained = CRED_SPECIFIED; + cli_credentials_invalidate_ccache(cred, cred->principal_obtained); } if (cred->principal_obtained < cred->username_obtained) { @@ -214,6 +220,7 @@ BOOL cli_credentials_set_principal(struct cli_credentials *cred, if (obtained >= cred->principal_obtained) { cred->principal = talloc_strdup(cred, val); cred->principal_obtained = obtained; + cli_credentials_invalidate_ccache(cred, cred->principal_obtained); return True; } @@ -280,6 +287,7 @@ const char *cli_credentials_get_password(struct cli_credentials *cred) cred->password = cred->password_cb(cred); cred->callback_running = False; cred->password_obtained = CRED_CALLBACK_RESULT; + cli_credentials_invalidate_ccache(cred, cred->password_obtained); } return cred->password; @@ -295,6 +303,7 @@ BOOL cli_credentials_set_password(struct cli_credentials *cred, if (obtained >= cred->password_obtained) { cred->password = talloc_strdup(cred, val); cred->password_obtained = obtained; + cli_credentials_invalidate_ccache(cred, cred->password_obtained); cred->nt_hash = NULL; return True; @@ -309,6 +318,7 @@ BOOL cli_credentials_set_password_callback(struct cli_credentials *cred, if (cred->password_obtained < CRED_CALLBACK) { cred->password_cb = password_cb; cred->password_obtained = CRED_CALLBACK; + cli_credentials_invalidate_ccache(cred, cred->password_obtained); return True; } @@ -401,6 +411,7 @@ const char *cli_credentials_get_domain(struct cli_credentials *cred) cred->domain = cred->domain_cb(cred); cred->callback_running = False; cred->domain_obtained = CRED_SPECIFIED; + cli_credentials_invalidate_ccache(cred, cred->domain_obtained); } return cred->domain; @@ -417,6 +428,7 @@ BOOL cli_credentials_set_domain(struct cli_credentials *cred, * calculations */ cred->domain = strupper_talloc(cred, val); cred->domain_obtained = obtained; + cli_credentials_invalidate_ccache(cred, cred->domain_obtained); return True; } @@ -453,6 +465,7 @@ const char *cli_credentials_get_realm(struct cli_credentials *cred) cred->realm = cred->realm_cb(cred); cred->callback_running = False; cred->realm_obtained = CRED_SPECIFIED; + cli_credentials_invalidate_ccache(cred, cred->realm_obtained); } return cred->realm; @@ -469,6 +482,7 @@ BOOL cli_credentials_set_realm(struct cli_credentials *cred, if (obtained >= cred->realm_obtained) { cred->realm = strupper_talloc(cred, val); cred->realm_obtained = obtained; + cli_credentials_invalidate_ccache(cred, cred->realm_obtained); return True; } -- cgit From 0479a2f1cbae51fcd8dbdc3c148c808421fb4d25 Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Tue, 10 Jul 2007 02:07:03 +0000 Subject: r23792: convert Samba4 to GPLv3 There are still a few tidyups of old FSF addresses to come (in both s3 and s4). More commits soon. (This used to be commit fcf38a38ac691abd0fa51b89dc951a08e89fdafa) --- source4/auth/credentials/credentials.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) (limited to 'source4/auth/credentials/credentials.c') diff --git a/source4/auth/credentials/credentials.c b/source4/auth/credentials/credentials.c index 951c523b64..c32efb045f 100644 --- a/source4/auth/credentials/credentials.c +++ b/source4/auth/credentials/credentials.c @@ -9,7 +9,7 @@ This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by - the Free Software Foundation; either version 2 of the License, or + the Free Software Foundation; either version 3 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, @@ -18,8 +18,7 @@ GNU General Public License for more details. You should have received a copy of the GNU General Public License - along with this program; if not, write to the Free Software - Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. + along with this program. If not, see . */ #include "includes.h" -- cgit From ffeee68e4b72dd94fee57366bd8d38b8c284c3d4 Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Sat, 8 Sep 2007 12:42:09 +0000 Subject: r25026: Move param/param.h out of includes.h (This used to be commit abe8349f9b4387961ff3665d8c589d61cd2edf31) --- source4/auth/credentials/credentials.c | 1 + 1 file changed, 1 insertion(+) (limited to 'source4/auth/credentials/credentials.c') diff --git a/source4/auth/credentials/credentials.c b/source4/auth/credentials/credentials.c index c32efb045f..2899bc5605 100644 --- a/source4/auth/credentials/credentials.c +++ b/source4/auth/credentials/credentials.c @@ -27,6 +27,7 @@ #include "auth/credentials/credentials_krb5.h" #include "libcli/auth/libcli_auth.h" #include "lib/events/events.h" +#include "param/param.h" /** * Create a new credentials structure -- cgit From 37d53832a4623653f706e77985a79d84bd7c6694 Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Fri, 28 Sep 2007 01:17:46 +0000 Subject: r25398: Parse loadparm context to all lp_*() functions. (This used to be commit 3fcc960839c6e5ca4de2c3c042f12f369ac5f238) --- source4/auth/credentials/credentials.c | 16 +++++++++------- 1 file changed, 9 insertions(+), 7 deletions(-) (limited to 'source4/auth/credentials/credentials.c') diff --git a/source4/auth/credentials/credentials.c b/source4/auth/credentials/credentials.c index 2899bc5605..e88e05cfb0 100644 --- a/source4/auth/credentials/credentials.c +++ b/source4/auth/credentials/credentials.c @@ -82,7 +82,7 @@ struct cli_credentials *cli_credentials_init_anon(TALLOC_CTX *mem_ctx) struct cli_credentials *anon_credentials; anon_credentials = cli_credentials_init(mem_ctx); - cli_credentials_set_conf(anon_credentials); + cli_credentials_set_conf(anon_credentials, global_loadparm); cli_credentials_set_anonymous(anon_credentials); return anon_credentials; @@ -621,12 +621,13 @@ const char *cli_credentials_get_unparsed_name(struct cli_credentials *credential * * @param cred Credentials structure to fill in */ -void cli_credentials_set_conf(struct cli_credentials *cred) +void cli_credentials_set_conf(struct cli_credentials *cred, + struct loadparm_context *lp_ctx) { cli_credentials_set_username(cred, "", CRED_UNINITIALISED); - cli_credentials_set_domain(cred, lp_workgroup(), CRED_UNINITIALISED); - cli_credentials_set_workstation(cred, lp_netbios_name(), CRED_UNINITIALISED); - cli_credentials_set_realm(cred, lp_realm(), CRED_UNINITIALISED); + cli_credentials_set_domain(cred, lp_workgroup(lp_ctx), CRED_UNINITIALISED); + cli_credentials_set_workstation(cred, lp_netbios_name(lp_ctx), CRED_UNINITIALISED); + cli_credentials_set_realm(cred, lp_realm(lp_ctx), CRED_UNINITIALISED); } /** @@ -639,7 +640,7 @@ void cli_credentials_guess(struct cli_credentials *cred) { char *p; - cli_credentials_set_conf(cred); + cli_credentials_set_conf(cred, global_loadparm); if (getenv("LOGNAME")) { cli_credentials_set_username(cred, getenv("LOGNAME"), CRED_GUESS_ENV); @@ -657,7 +658,8 @@ void cli_credentials_guess(struct cli_credentials *cred) } if (getenv("PASSWD_FD")) { - cli_credentials_parse_password_fd(cred, atoi(getenv("PASSWD_FD")), CRED_GUESS_FILE); + cli_credentials_parse_password_fd(cred, atoi(getenv("PASSWD_FD")), + CRED_GUESS_FILE); } p = getenv("PASSWD_FILE"); -- cgit From 3642f3b40d755209a843745f160a9d7962a6deca Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Sat, 6 Oct 2007 22:16:19 +0000 Subject: r25552: Convert to standard bool type. (This used to be commit b8d6b82f1248d36a0aa91a1c58d06b4f7c66d245) --- source4/auth/credentials/credentials.c | 142 ++++++++++++++++----------------- 1 file changed, 71 insertions(+), 71 deletions(-) (limited to 'source4/auth/credentials/credentials.c') diff --git a/source4/auth/credentials/credentials.c b/source4/auth/credentials/credentials.c index e88e05cfb0..d6c0bbc0ba 100644 --- a/source4/auth/credentials/credentials.c +++ b/source4/auth/credentials/credentials.c @@ -41,7 +41,7 @@ struct cli_credentials *cli_credentials_init(TALLOC_CTX *mem_ctx) } cred->netlogon_creds = NULL; - cred->machine_account_pending = False; + cred->machine_account_pending = false; cred->workstation_obtained = CRED_UNINITIALISED; cred->username_obtained = CRED_UNINITIALISED; cred->password_obtained = CRED_UNINITIALISED; @@ -59,12 +59,12 @@ struct cli_credentials *cli_credentials_init(TALLOC_CTX *mem_ctx) cred->old_password = NULL; cred->smb_krb5_context = NULL; cred->salt_principal = NULL; - cred->machine_account = False; + cred->machine_account = false; cred->bind_dn = NULL; cred->tries = 3; - cred->callback_running = False; + cred->callback_running = false; cred->ev = NULL; cli_credentials_set_kerberos_state(cred, CRED_AUTO_USE_KERBEROS); @@ -124,9 +124,9 @@ const char *cli_credentials_get_username(struct cli_credentials *cred) if (cred->username_obtained == CRED_CALLBACK && !cred->callback_running) { - cred->callback_running = True; + cred->callback_running = true; cred->username = cred->username_cb(cred); - cred->callback_running = False; + cred->callback_running = false; cred->username_obtained = CRED_SPECIFIED; cli_credentials_invalidate_ccache(cred, cred->username_obtained); } @@ -134,36 +134,36 @@ const char *cli_credentials_get_username(struct cli_credentials *cred) return cred->username; } -BOOL cli_credentials_set_username(struct cli_credentials *cred, +bool cli_credentials_set_username(struct cli_credentials *cred, const char *val, enum credentials_obtained obtained) { if (obtained >= cred->username_obtained) { cred->username = talloc_strdup(cred, val); cred->username_obtained = obtained; cli_credentials_invalidate_ccache(cred, cred->username_obtained); - return True; + return true; } - return False; + return false; } -BOOL cli_credentials_set_username_callback(struct cli_credentials *cred, +bool cli_credentials_set_username_callback(struct cli_credentials *cred, const char *(*username_cb) (struct cli_credentials *)) { if (cred->username_obtained < CRED_CALLBACK) { cred->username_cb = username_cb; cred->username_obtained = CRED_CALLBACK; - return True; + return true; } - return False; + return false; } -BOOL cli_credentials_set_bind_dn(struct cli_credentials *cred, +bool cli_credentials_set_bind_dn(struct cli_credentials *cred, const char *bind_dn) { cred->bind_dn = talloc_strdup(cred, bind_dn); - return True; + return true; } /** @@ -192,9 +192,9 @@ const char *cli_credentials_get_principal(struct cli_credentials *cred, TALLOC_C if (cred->principal_obtained == CRED_CALLBACK && !cred->callback_running) { - cred->callback_running = True; + cred->callback_running = true; cred->principal = cred->principal_cb(cred); - cred->callback_running = False; + cred->callback_running = false; cred->principal_obtained = CRED_SPECIFIED; cli_credentials_invalidate_ccache(cred, cred->principal_obtained); } @@ -213,7 +213,7 @@ const char *cli_credentials_get_principal(struct cli_credentials *cred, TALLOC_C return talloc_reference(mem_ctx, cred->principal); } -BOOL cli_credentials_set_principal(struct cli_credentials *cred, +bool cli_credentials_set_principal(struct cli_credentials *cred, const char *val, enum credentials_obtained obtained) { @@ -221,53 +221,53 @@ BOOL cli_credentials_set_principal(struct cli_credentials *cred, cred->principal = talloc_strdup(cred, val); cred->principal_obtained = obtained; cli_credentials_invalidate_ccache(cred, cred->principal_obtained); - return True; + return true; } - return False; + return false; } /* Set a callback to get the principal. This could be a popup dialog, * a terminal prompt or similar. */ -BOOL cli_credentials_set_principal_callback(struct cli_credentials *cred, +bool cli_credentials_set_principal_callback(struct cli_credentials *cred, const char *(*principal_cb) (struct cli_credentials *)) { if (cred->principal_obtained < CRED_CALLBACK) { cred->principal_cb = principal_cb; cred->principal_obtained = CRED_CALLBACK; - return True; + return true; } - return False; + return false; } /* Some of our tools are 'anonymous by default'. This is a single * function to determine if authentication has been explicitly * requested */ -BOOL cli_credentials_authentication_requested(struct cli_credentials *cred) +bool cli_credentials_authentication_requested(struct cli_credentials *cred) { if (cred->bind_dn) { - return True; + return true; } if (cli_credentials_is_anonymous(cred)){ - return False; + return false; } if (cred->principal_obtained >= CRED_SPECIFIED) { - return True; + return true; } if (cred->username_obtained >= CRED_SPECIFIED) { - return True; + return true; } if (cli_credentials_get_kerberos_state(cred) == CRED_MUST_USE_KERBEROS) { - return True; + return true; } - return False; + return false; } /** @@ -283,9 +283,9 @@ const char *cli_credentials_get_password(struct cli_credentials *cred) if (cred->password_obtained == CRED_CALLBACK && !cred->callback_running) { - cred->callback_running = True; + cred->callback_running = true; cred->password = cred->password_cb(cred); - cred->callback_running = False; + cred->callback_running = false; cred->password_obtained = CRED_CALLBACK_RESULT; cli_credentials_invalidate_ccache(cred, cred->password_obtained); } @@ -296,7 +296,7 @@ const char *cli_credentials_get_password(struct cli_credentials *cred) /* Set a password on the credentials context, including an indication * of 'how' the password was obtained */ -BOOL cli_credentials_set_password(struct cli_credentials *cred, +bool cli_credentials_set_password(struct cli_credentials *cred, const char *val, enum credentials_obtained obtained) { @@ -306,23 +306,23 @@ BOOL cli_credentials_set_password(struct cli_credentials *cred, cli_credentials_invalidate_ccache(cred, cred->password_obtained); cred->nt_hash = NULL; - return True; + return true; } - return False; + return false; } -BOOL cli_credentials_set_password_callback(struct cli_credentials *cred, +bool cli_credentials_set_password_callback(struct cli_credentials *cred, const char *(*password_cb) (struct cli_credentials *)) { if (cred->password_obtained < CRED_CALLBACK) { cred->password_cb = password_cb; cred->password_obtained = CRED_CALLBACK; cli_credentials_invalidate_ccache(cred, cred->password_obtained); - return True; + return true; } - return False; + return false; } /** @@ -339,12 +339,12 @@ const char *cli_credentials_get_old_password(struct cli_credentials *cred) return cred->old_password; } -BOOL cli_credentials_set_old_password(struct cli_credentials *cred, +bool cli_credentials_set_old_password(struct cli_credentials *cred, const char *val, enum credentials_obtained obtained) { cred->old_password = talloc_strdup(cred, val); - return True; + return true; } /** @@ -375,7 +375,7 @@ const struct samr_Password *cli_credentials_get_nt_hash(struct cli_credentials * } } -BOOL cli_credentials_set_nt_hash(struct cli_credentials *cred, +bool cli_credentials_set_nt_hash(struct cli_credentials *cred, const struct samr_Password *nt_hash, enum credentials_obtained obtained) { @@ -387,10 +387,10 @@ BOOL cli_credentials_set_nt_hash(struct cli_credentials *cred, } else { cred->nt_hash = NULL; } - return True; + return true; } - return False; + return false; } /** @@ -407,9 +407,9 @@ const char *cli_credentials_get_domain(struct cli_credentials *cred) if (cred->domain_obtained == CRED_CALLBACK && !cred->callback_running) { - cred->callback_running = True; + cred->callback_running = true; cred->domain = cred->domain_cb(cred); - cred->callback_running = False; + cred->callback_running = false; cred->domain_obtained = CRED_SPECIFIED; cli_credentials_invalidate_ccache(cred, cred->domain_obtained); } @@ -418,7 +418,7 @@ const char *cli_credentials_get_domain(struct cli_credentials *cred) } -BOOL cli_credentials_set_domain(struct cli_credentials *cred, +bool cli_credentials_set_domain(struct cli_credentials *cred, const char *val, enum credentials_obtained obtained) { @@ -429,22 +429,22 @@ BOOL cli_credentials_set_domain(struct cli_credentials *cred, cred->domain = strupper_talloc(cred, val); cred->domain_obtained = obtained; cli_credentials_invalidate_ccache(cred, cred->domain_obtained); - return True; + return true; } - return False; + return false; } -BOOL cli_credentials_set_domain_callback(struct cli_credentials *cred, +bool cli_credentials_set_domain_callback(struct cli_credentials *cred, const char *(*domain_cb) (struct cli_credentials *)) { if (cred->domain_obtained < CRED_CALLBACK) { cred->domain_cb = domain_cb; cred->domain_obtained = CRED_CALLBACK; - return True; + return true; } - return False; + return false; } /** @@ -461,9 +461,9 @@ const char *cli_credentials_get_realm(struct cli_credentials *cred) if (cred->realm_obtained == CRED_CALLBACK && !cred->callback_running) { - cred->callback_running = True; + cred->callback_running = true; cred->realm = cred->realm_cb(cred); - cred->callback_running = False; + cred->callback_running = false; cred->realm_obtained = CRED_SPECIFIED; cli_credentials_invalidate_ccache(cred, cred->realm_obtained); } @@ -475,7 +475,7 @@ const char *cli_credentials_get_realm(struct cli_credentials *cred) * Set the realm for this credentials context, and force it to * uppercase for the sainity of our local kerberos libraries */ -BOOL cli_credentials_set_realm(struct cli_credentials *cred, +bool cli_credentials_set_realm(struct cli_credentials *cred, const char *val, enum credentials_obtained obtained) { @@ -483,22 +483,22 @@ BOOL cli_credentials_set_realm(struct cli_credentials *cred, cred->realm = strupper_talloc(cred, val); cred->realm_obtained = obtained; cli_credentials_invalidate_ccache(cred, cred->realm_obtained); - return True; + return true; } - return False; + return false; } -BOOL cli_credentials_set_realm_callback(struct cli_credentials *cred, +bool cli_credentials_set_realm_callback(struct cli_credentials *cred, const char *(*realm_cb) (struct cli_credentials *)) { if (cred->realm_obtained < CRED_CALLBACK) { cred->realm_cb = realm_cb; cred->realm_obtained = CRED_CALLBACK; - return True; + return true; } - return False; + return false; } /** @@ -512,38 +512,38 @@ const char *cli_credentials_get_workstation(struct cli_credentials *cred) { if (cred->workstation_obtained == CRED_CALLBACK && !cred->callback_running) { - cred->callback_running = True; + cred->callback_running = true; cred->workstation = cred->workstation_cb(cred); - cred->callback_running = False; + cred->callback_running = false; cred->workstation_obtained = CRED_SPECIFIED; } return cred->workstation; } -BOOL cli_credentials_set_workstation(struct cli_credentials *cred, +bool cli_credentials_set_workstation(struct cli_credentials *cred, const char *val, enum credentials_obtained obtained) { if (obtained >= cred->workstation_obtained) { cred->workstation = talloc_strdup(cred, val); cred->workstation_obtained = obtained; - return True; + return true; } - return False; + return false; } -BOOL cli_credentials_set_workstation_callback(struct cli_credentials *cred, +bool cli_credentials_set_workstation_callback(struct cli_credentials *cred, const char *(*workstation_cb) (struct cli_credentials *)) { if (cred->workstation_obtained < CRED_CALLBACK) { cred->workstation_cb = workstation_cb; cred->workstation_obtained = CRED_CALLBACK; - return True; + return true; } - return False; + return false; } /** @@ -722,10 +722,10 @@ void cli_credentials_set_anonymous(struct cli_credentials *cred) /** * Describe a credentials context as anonymous or authenticated - * @retval True if anonymous, False if a username is specified + * @retval true if anonymous, false if a username is specified */ -BOOL cli_credentials_is_anonymous(struct cli_credentials *cred) +bool cli_credentials_is_anonymous(struct cli_credentials *cred) { const char *username; @@ -739,10 +739,10 @@ BOOL cli_credentials_is_anonymous(struct cli_credentials *cred) * here - anonymous is "", not NULL, which is 'never specified, * never guessed', ie programmer bug */ if (!username[0]) { - return True; + return true; } - return False; + return false; } /** @@ -753,10 +753,10 @@ BOOL cli_credentials_is_anonymous(struct cli_credentials *cred) * * @retval whether the credentials struct is finished */ -BOOL cli_credentials_wrong_password(struct cli_credentials *cred) +bool cli_credentials_wrong_password(struct cli_credentials *cred) { if (cred->password_obtained != CRED_CALLBACK_RESULT) { - return False; + return false; } cred->password_obtained = CRED_CALLBACK; -- cgit From 991ee1aff092187bcfdd0ee1d9eb15361f73d5f7 Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Thu, 29 Nov 2007 16:01:16 +0100 Subject: r26205: Pass loadparm_context to secrets_db_connect() rather than using global context. (This used to be commit 5718b6cfee86ddfc9cf405c98c68ba848df4d9d7) --- source4/auth/credentials/credentials.c | 1 - 1 file changed, 1 deletion(-) (limited to 'source4/auth/credentials/credentials.c') diff --git a/source4/auth/credentials/credentials.c b/source4/auth/credentials/credentials.c index d6c0bbc0ba..8510a1f711 100644 --- a/source4/auth/credentials/credentials.c +++ b/source4/auth/credentials/credentials.c @@ -229,7 +229,6 @@ bool cli_credentials_set_principal(struct cli_credentials *cred, /* Set a callback to get the principal. This could be a popup dialog, * a terminal prompt or similar. */ - bool cli_credentials_set_principal_callback(struct cli_credentials *cred, const char *(*principal_cb) (struct cli_credentials *)) { -- cgit From 0184e5ef2d4ebd19e1617ca8daaf2102b8e5a9f0 Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Mon, 3 Dec 2007 23:32:59 +0100 Subject: r26269: Fix a couple more references to global_loadparm. (This used to be commit 1cb849dfba21b9b5d00b20ba8201f0e142bfeb07) --- source4/auth/credentials/credentials.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source4/auth/credentials/credentials.c') diff --git a/source4/auth/credentials/credentials.c b/source4/auth/credentials/credentials.c index 8510a1f711..0c5f5b0f3b 100644 --- a/source4/auth/credentials/credentials.c +++ b/source4/auth/credentials/credentials.c @@ -77,7 +77,7 @@ struct cli_credentials *cli_credentials_init(TALLOC_CTX *mem_ctx) * Create a new anonymous credential * @param mem_ctx TALLOC_CTX parent for credentials structure */ -struct cli_credentials *cli_credentials_init_anon(TALLOC_CTX *mem_ctx) +struct cli_credentials *cli_credentials_init_anon(TALLOC_CTX *mem_ctx) { struct cli_credentials *anon_credentials; -- cgit From 5b357ca8774d97e85153151552bc052cfaf26c1b Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Mon, 3 Dec 2007 23:33:09 +0100 Subject: r26270: Require specifying the loadparm_context or NULL to cli_credentials_guess(). (This used to be commit e52710d6794a25ba697f8c26b43784226964f9cb) --- source4/auth/credentials/credentials.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) (limited to 'source4/auth/credentials/credentials.c') diff --git a/source4/auth/credentials/credentials.c b/source4/auth/credentials/credentials.c index 0c5f5b0f3b..1889731781 100644 --- a/source4/auth/credentials/credentials.c +++ b/source4/auth/credentials/credentials.c @@ -635,11 +635,14 @@ void cli_credentials_set_conf(struct cli_credentials *cred, * * @param cred Credentials structure to fill in */ -void cli_credentials_guess(struct cli_credentials *cred) +void cli_credentials_guess(struct cli_credentials *cred, + struct loadparm_context *lp_ctx) { char *p; - cli_credentials_set_conf(cred, global_loadparm); + if (lp_ctx != NULL) { + cli_credentials_set_conf(cred, global_loadparm); + } if (getenv("LOGNAME")) { cli_credentials_set_username(cred, getenv("LOGNAME"), CRED_GUESS_ENV); -- cgit From fc2f06d31b6b52c5cbd83f34a34e5107649a5134 Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Tue, 4 Dec 2007 00:12:03 +0100 Subject: r26274: Some syntax fixes, remove more global_loadparm instances. (This used to be commit 3809113d86dbd35b906356a05bb481a1e2bfe4b7) --- source4/auth/credentials/credentials.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source4/auth/credentials/credentials.c') diff --git a/source4/auth/credentials/credentials.c b/source4/auth/credentials/credentials.c index 1889731781..f4530f4b3c 100644 --- a/source4/auth/credentials/credentials.c +++ b/source4/auth/credentials/credentials.c @@ -641,7 +641,7 @@ void cli_credentials_guess(struct cli_credentials *cred, char *p; if (lp_ctx != NULL) { - cli_credentials_set_conf(cred, global_loadparm); + cli_credentials_set_conf(cred, lp_ctx); } if (getenv("LOGNAME")) { -- cgit From f055893ca571fbeac3675c02344c7cc53106bea1 Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Mon, 10 Dec 2007 18:41:55 +0100 Subject: r26382: Remove more uses of global_loadparm. (This used to be commit 6d4c59853481855c232e7cf97264a391f40af2b5) --- source4/auth/credentials/credentials.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source4/auth/credentials/credentials.c') diff --git a/source4/auth/credentials/credentials.c b/source4/auth/credentials/credentials.c index f4530f4b3c..089af8f0f5 100644 --- a/source4/auth/credentials/credentials.c +++ b/source4/auth/credentials/credentials.c @@ -82,7 +82,6 @@ struct cli_credentials *cli_credentials_init_anon(TALLOC_CTX *mem_ctx) struct cli_credentials *anon_credentials; anon_credentials = cli_credentials_init(mem_ctx); - cli_credentials_set_conf(anon_credentials, global_loadparm); cli_credentials_set_anonymous(anon_credentials); return anon_credentials; @@ -720,6 +719,7 @@ void cli_credentials_set_anonymous(struct cli_credentials *cred) cli_credentials_set_username(cred, "", CRED_SPECIFIED); cli_credentials_set_domain(cred, "", CRED_SPECIFIED); cli_credentials_set_password(cred, NULL, CRED_SPECIFIED); + cli_credentials_set_realm(cred, NULL, CRED_SPECIFIED); } /** -- cgit From 3da665e9ac324320fed68a21163fffdf4bd3df89 Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Mon, 10 Dec 2007 18:42:07 +0100 Subject: r26385: Integrate gensec-socket into gensec. (This used to be commit 78bb444b4b73df9a84f8702814f9b30b32ffd885) --- source4/auth/credentials/credentials.c | 1 + 1 file changed, 1 insertion(+) (limited to 'source4/auth/credentials/credentials.c') diff --git a/source4/auth/credentials/credentials.c b/source4/auth/credentials/credentials.c index 089af8f0f5..e7f2280bc9 100644 --- a/source4/auth/credentials/credentials.c +++ b/source4/auth/credentials/credentials.c @@ -720,6 +720,7 @@ void cli_credentials_set_anonymous(struct cli_credentials *cred) cli_credentials_set_domain(cred, "", CRED_SPECIFIED); cli_credentials_set_password(cred, NULL, CRED_SPECIFIED); cli_credentials_set_realm(cred, NULL, CRED_SPECIFIED); + cli_credentials_set_workstation(cred, "", CRED_UNINITIALISED); } /** -- cgit From a2cea02584256e2cf59da5420e8e080e70c66939 Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Thu, 13 Dec 2007 22:46:17 +0100 Subject: r26430: require explicit specification of loadparm context. (This used to be commit 1b947fe0e6e16318e5a8127bb4932d6b5d20bcf6) --- source4/auth/credentials/credentials.c | 23 +++++++++++++++-------- 1 file changed, 15 insertions(+), 8 deletions(-) (limited to 'source4/auth/credentials/credentials.c') diff --git a/source4/auth/credentials/credentials.c b/source4/auth/credentials/credentials.c index e7f2280bc9..6d5c1210c9 100644 --- a/source4/auth/credentials/credentials.c +++ b/source4/auth/credentials/credentials.c @@ -118,7 +118,8 @@ uint32_t cli_credentials_get_gensec_features(struct cli_credentials *creds) const char *cli_credentials_get_username(struct cli_credentials *cred) { if (cred->machine_account_pending) { - cli_credentials_set_machine_account(cred); + cli_credentials_set_machine_account(cred, + cred->machine_account_pending_lp_ctx); } if (cred->username_obtained == CRED_CALLBACK && @@ -186,7 +187,8 @@ const char *cli_credentials_get_bind_dn(struct cli_credentials *cred) const char *cli_credentials_get_principal(struct cli_credentials *cred, TALLOC_CTX *mem_ctx) { if (cred->machine_account_pending) { - cli_credentials_set_machine_account(cred); + cli_credentials_set_machine_account(cred, + cred->machine_account_pending_lp_ctx); } if (cred->principal_obtained == CRED_CALLBACK && @@ -276,7 +278,8 @@ bool cli_credentials_authentication_requested(struct cli_credentials *cred) const char *cli_credentials_get_password(struct cli_credentials *cred) { if (cred->machine_account_pending) { - cli_credentials_set_machine_account(cred); + cli_credentials_set_machine_account(cred, + cred->machine_account_pending_lp_ctx); } if (cred->password_obtained == CRED_CALLBACK && @@ -331,7 +334,8 @@ bool cli_credentials_set_password_callback(struct cli_credentials *cred, const char *cli_credentials_get_old_password(struct cli_credentials *cred) { if (cred->machine_account_pending) { - cli_credentials_set_machine_account(cred); + cli_credentials_set_machine_account(cred, + cred->machine_account_pending_lp_ctx); } return cred->old_password; @@ -400,7 +404,8 @@ bool cli_credentials_set_nt_hash(struct cli_credentials *cred, const char *cli_credentials_get_domain(struct cli_credentials *cred) { if (cred->machine_account_pending) { - cli_credentials_set_machine_account(cred); + cli_credentials_set_machine_account(cred, + cred->machine_account_pending_lp_ctx); } if (cred->domain_obtained == CRED_CALLBACK && @@ -454,7 +459,8 @@ bool cli_credentials_set_domain_callback(struct cli_credentials *cred, const char *cli_credentials_get_realm(struct cli_credentials *cred) { if (cred->machine_account_pending) { - cli_credentials_set_machine_account(cred); + cli_credentials_set_machine_account(cred, + cred->machine_account_pending_lp_ctx); } if (cred->realm_obtained == CRED_CALLBACK && @@ -669,7 +675,7 @@ void cli_credentials_guess(struct cli_credentials *cred, } if (cli_credentials_get_kerberos_state(cred) != CRED_DONT_USE_KERBEROS) { - cli_credentials_set_ccache(cred, NULL, CRED_GUESS_FILE); + cli_credentials_set_ccache(cred, lp_ctx, NULL, CRED_GUESS_FILE); } } @@ -733,7 +739,8 @@ bool cli_credentials_is_anonymous(struct cli_credentials *cred) const char *username; if (cred->machine_account_pending) { - cli_credentials_set_machine_account(cred); + cli_credentials_set_machine_account(cred, + cred->machine_account_pending_lp_ctx); } username = cli_credentials_get_username(cred); -- cgit From afe3e8172ddaa5e4aa811faceecda4f943d6e2ef Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Wed, 2 Apr 2008 04:53:27 +0200 Subject: Install public header files again and include required prototypes. (This used to be commit 47ffbbf67435904754469544390b67d34c958343) --- source4/auth/credentials/credentials.c | 70 +++++++++++++++++----------------- 1 file changed, 35 insertions(+), 35 deletions(-) (limited to 'source4/auth/credentials/credentials.c') diff --git a/source4/auth/credentials/credentials.c b/source4/auth/credentials/credentials.c index 6d5c1210c9..89dddc9e05 100644 --- a/source4/auth/credentials/credentials.c +++ b/source4/auth/credentials/credentials.c @@ -33,7 +33,7 @@ * Create a new credentials structure * @param mem_ctx TALLOC_CTX parent for credentials structure */ -struct cli_credentials *cli_credentials_init(TALLOC_CTX *mem_ctx) +_PUBLIC_ struct cli_credentials *cli_credentials_init(TALLOC_CTX *mem_ctx) { struct cli_credentials *cred = talloc(mem_ctx, struct cli_credentials); if (!cred) { @@ -77,7 +77,7 @@ struct cli_credentials *cli_credentials_init(TALLOC_CTX *mem_ctx) * Create a new anonymous credential * @param mem_ctx TALLOC_CTX parent for credentials structure */ -struct cli_credentials *cli_credentials_init_anon(TALLOC_CTX *mem_ctx) +_PUBLIC_ struct cli_credentials *cli_credentials_init_anon(TALLOC_CTX *mem_ctx) { struct cli_credentials *anon_credentials; @@ -87,23 +87,23 @@ struct cli_credentials *cli_credentials_init_anon(TALLOC_CTX *mem_ctx) return anon_credentials; } -void cli_credentials_set_kerberos_state(struct cli_credentials *creds, +_PUBLIC_ void cli_credentials_set_kerberos_state(struct cli_credentials *creds, enum credentials_use_kerberos use_kerberos) { creds->use_kerberos = use_kerberos; } -enum credentials_use_kerberos cli_credentials_get_kerberos_state(struct cli_credentials *creds) +_PUBLIC_ enum credentials_use_kerberos cli_credentials_get_kerberos_state(struct cli_credentials *creds) { return creds->use_kerberos; } -void cli_credentials_set_gensec_features(struct cli_credentials *creds, uint32_t gensec_features) +_PUBLIC_ void cli_credentials_set_gensec_features(struct cli_credentials *creds, uint32_t gensec_features) { creds->gensec_features = gensec_features; } -uint32_t cli_credentials_get_gensec_features(struct cli_credentials *creds) +_PUBLIC_ uint32_t cli_credentials_get_gensec_features(struct cli_credentials *creds) { return creds->gensec_features; } @@ -115,7 +115,7 @@ uint32_t cli_credentials_get_gensec_features(struct cli_credentials *creds) * @retval The username set on this context. * @note Return value will never be NULL except by programmer error. */ -const char *cli_credentials_get_username(struct cli_credentials *cred) +_PUBLIC_ const char *cli_credentials_get_username(struct cli_credentials *cred) { if (cred->machine_account_pending) { cli_credentials_set_machine_account(cred, @@ -134,7 +134,7 @@ const char *cli_credentials_get_username(struct cli_credentials *cred) return cred->username; } -bool cli_credentials_set_username(struct cli_credentials *cred, +_PUBLIC_ bool cli_credentials_set_username(struct cli_credentials *cred, const char *val, enum credentials_obtained obtained) { if (obtained >= cred->username_obtained) { @@ -159,7 +159,7 @@ bool cli_credentials_set_username_callback(struct cli_credentials *cred, return false; } -bool cli_credentials_set_bind_dn(struct cli_credentials *cred, +_PUBLIC_ bool cli_credentials_set_bind_dn(struct cli_credentials *cred, const char *bind_dn) { cred->bind_dn = talloc_strdup(cred, bind_dn); @@ -172,7 +172,7 @@ bool cli_credentials_set_bind_dn(struct cli_credentials *cred, * @retval The username set on this context. * @note Return value will be NULL if not specified explictly */ -const char *cli_credentials_get_bind_dn(struct cli_credentials *cred) +_PUBLIC_ const char *cli_credentials_get_bind_dn(struct cli_credentials *cred) { return cred->bind_dn; } @@ -184,7 +184,7 @@ const char *cli_credentials_get_bind_dn(struct cli_credentials *cred) * @retval The username set on this context. * @note Return value will never be NULL except by programmer error. */ -const char *cli_credentials_get_principal(struct cli_credentials *cred, TALLOC_CTX *mem_ctx) +_PUBLIC_ const char *cli_credentials_get_principal(struct cli_credentials *cred, TALLOC_CTX *mem_ctx) { if (cred->machine_account_pending) { cli_credentials_set_machine_account(cred, @@ -246,7 +246,7 @@ bool cli_credentials_set_principal_callback(struct cli_credentials *cred, * function to determine if authentication has been explicitly * requested */ -bool cli_credentials_authentication_requested(struct cli_credentials *cred) +_PUBLIC_ bool cli_credentials_authentication_requested(struct cli_credentials *cred) { if (cred->bind_dn) { return true; @@ -275,7 +275,7 @@ bool cli_credentials_authentication_requested(struct cli_credentials *cred) * @param cred credentials context * @retval If set, the cleartext password, otherwise NULL */ -const char *cli_credentials_get_password(struct cli_credentials *cred) +_PUBLIC_ const char *cli_credentials_get_password(struct cli_credentials *cred) { if (cred->machine_account_pending) { cli_credentials_set_machine_account(cred, @@ -297,7 +297,7 @@ const char *cli_credentials_get_password(struct cli_credentials *cred) /* Set a password on the credentials context, including an indication * of 'how' the password was obtained */ -bool cli_credentials_set_password(struct cli_credentials *cred, +_PUBLIC_ bool cli_credentials_set_password(struct cli_credentials *cred, const char *val, enum credentials_obtained obtained) { @@ -313,7 +313,7 @@ bool cli_credentials_set_password(struct cli_credentials *cred, return false; } -bool cli_credentials_set_password_callback(struct cli_credentials *cred, +_PUBLIC_ bool cli_credentials_set_password_callback(struct cli_credentials *cred, const char *(*password_cb) (struct cli_credentials *)) { if (cred->password_obtained < CRED_CALLBACK) { @@ -358,7 +358,7 @@ bool cli_credentials_set_old_password(struct cli_credentials *cred, * @param cred credentials context * @retval If set, the cleartext password, otherwise NULL */ -const struct samr_Password *cli_credentials_get_nt_hash(struct cli_credentials *cred, +_PUBLIC_ const struct samr_Password *cli_credentials_get_nt_hash(struct cli_credentials *cred, TALLOC_CTX *mem_ctx) { const char *password = cli_credentials_get_password(cred); @@ -377,7 +377,7 @@ const struct samr_Password *cli_credentials_get_nt_hash(struct cli_credentials * } } -bool cli_credentials_set_nt_hash(struct cli_credentials *cred, +_PUBLIC_ bool cli_credentials_set_nt_hash(struct cli_credentials *cred, const struct samr_Password *nt_hash, enum credentials_obtained obtained) { @@ -401,7 +401,7 @@ bool cli_credentials_set_nt_hash(struct cli_credentials *cred, * @retval The domain set on this context. * @note Return value will never be NULL except by programmer error. */ -const char *cli_credentials_get_domain(struct cli_credentials *cred) +_PUBLIC_ const char *cli_credentials_get_domain(struct cli_credentials *cred) { if (cred->machine_account_pending) { cli_credentials_set_machine_account(cred, @@ -421,7 +421,7 @@ const char *cli_credentials_get_domain(struct cli_credentials *cred) } -bool cli_credentials_set_domain(struct cli_credentials *cred, +_PUBLIC_ bool cli_credentials_set_domain(struct cli_credentials *cred, const char *val, enum credentials_obtained obtained) { @@ -456,7 +456,7 @@ bool cli_credentials_set_domain_callback(struct cli_credentials *cred, * @retval The realm set on this context. * @note Return value will never be NULL except by programmer error. */ -const char *cli_credentials_get_realm(struct cli_credentials *cred) +_PUBLIC_ const char *cli_credentials_get_realm(struct cli_credentials *cred) { if (cred->machine_account_pending) { cli_credentials_set_machine_account(cred, @@ -479,7 +479,7 @@ const char *cli_credentials_get_realm(struct cli_credentials *cred) * Set the realm for this credentials context, and force it to * uppercase for the sainity of our local kerberos libraries */ -bool cli_credentials_set_realm(struct cli_credentials *cred, +_PUBLIC_ bool cli_credentials_set_realm(struct cli_credentials *cred, const char *val, enum credentials_obtained obtained) { @@ -512,7 +512,7 @@ bool cli_credentials_set_realm_callback(struct cli_credentials *cred, * @retval The workstation name set on this context. * @note Return value will never be NULL except by programmer error. */ -const char *cli_credentials_get_workstation(struct cli_credentials *cred) +_PUBLIC_ const char *cli_credentials_get_workstation(struct cli_credentials *cred) { if (cred->workstation_obtained == CRED_CALLBACK && !cred->callback_running) { @@ -525,7 +525,7 @@ const char *cli_credentials_get_workstation(struct cli_credentials *cred) return cred->workstation; } -bool cli_credentials_set_workstation(struct cli_credentials *cred, +_PUBLIC_ bool cli_credentials_set_workstation(struct cli_credentials *cred, const char *val, enum credentials_obtained obtained) { @@ -560,7 +560,7 @@ bool cli_credentials_set_workstation_callback(struct cli_credentials *cred, * @param obtained This enum describes how 'specified' this password is */ -void cli_credentials_parse_string(struct cli_credentials *credentials, const char *data, enum credentials_obtained obtained) +_PUBLIC_ void cli_credentials_parse_string(struct cli_credentials *credentials, const char *data, enum credentials_obtained obtained) { char *uname, *p; @@ -597,7 +597,7 @@ void cli_credentials_parse_string(struct cli_credentials *credentials, const cha * @param mem_ctx The memory context to place the result on */ -const char *cli_credentials_get_unparsed_name(struct cli_credentials *credentials, TALLOC_CTX *mem_ctx) +_PUBLIC_ const char *cli_credentials_get_unparsed_name(struct cli_credentials *credentials, TALLOC_CTX *mem_ctx) { const char *bind_dn = cli_credentials_get_bind_dn(credentials); const char *domain; @@ -625,7 +625,7 @@ const char *cli_credentials_get_unparsed_name(struct cli_credentials *credential * * @param cred Credentials structure to fill in */ -void cli_credentials_set_conf(struct cli_credentials *cred, +_PUBLIC_ void cli_credentials_set_conf(struct cli_credentials *cred, struct loadparm_context *lp_ctx) { cli_credentials_set_username(cred, "", CRED_UNINITIALISED); @@ -640,7 +640,7 @@ void cli_credentials_set_conf(struct cli_credentials *cred, * * @param cred Credentials structure to fill in */ -void cli_credentials_guess(struct cli_credentials *cred, +_PUBLIC_ void cli_credentials_guess(struct cli_credentials *cred, struct loadparm_context *lp_ctx) { char *p; @@ -683,7 +683,7 @@ void cli_credentials_guess(struct cli_credentials *cred, * Attach NETLOGON credentials for use with SCHANNEL */ -void cli_credentials_set_netlogon_creds(struct cli_credentials *cred, +_PUBLIC_ void cli_credentials_set_netlogon_creds(struct cli_credentials *cred, struct creds_CredentialState *netlogon_creds) { cred->netlogon_creds = talloc_reference(cred, netlogon_creds); @@ -702,7 +702,7 @@ struct creds_CredentialState *cli_credentials_get_netlogon_creds(struct cli_cred * Set NETLOGON secure channel type */ -void cli_credentials_set_secure_channel_type(struct cli_credentials *cred, +_PUBLIC_ void cli_credentials_set_secure_channel_type(struct cli_credentials *cred, enum netr_SchannelType secure_channel_type) { cred->secure_channel_type = secure_channel_type; @@ -712,7 +712,7 @@ void cli_credentials_set_secure_channel_type(struct cli_credentials *cred, * Return NETLOGON secure chanel type */ -enum netr_SchannelType cli_credentials_get_secure_channel_type(struct cli_credentials *cred) +_PUBLIC_ enum netr_SchannelType cli_credentials_get_secure_channel_type(struct cli_credentials *cred) { return cred->secure_channel_type; } @@ -720,7 +720,7 @@ enum netr_SchannelType cli_credentials_get_secure_channel_type(struct cli_creden /** * Fill in a credentials structure as the anonymous user */ -void cli_credentials_set_anonymous(struct cli_credentials *cred) +_PUBLIC_ void cli_credentials_set_anonymous(struct cli_credentials *cred) { cli_credentials_set_username(cred, "", CRED_SPECIFIED); cli_credentials_set_domain(cred, "", CRED_SPECIFIED); @@ -734,7 +734,7 @@ void cli_credentials_set_anonymous(struct cli_credentials *cred) * @retval true if anonymous, false if a username is specified */ -bool cli_credentials_is_anonymous(struct cli_credentials *cred) +_PUBLIC_ bool cli_credentials_is_anonymous(struct cli_credentials *cred) { const char *username; @@ -763,7 +763,7 @@ bool cli_credentials_is_anonymous(struct cli_credentials *cred) * * @retval whether the credentials struct is finished */ -bool cli_credentials_wrong_password(struct cli_credentials *cred) +_PUBLIC_ bool cli_credentials_wrong_password(struct cli_credentials *cred) { if (cred->password_obtained != CRED_CALLBACK_RESULT) { return false; @@ -779,7 +779,7 @@ bool cli_credentials_wrong_password(struct cli_credentials *cred) /* set the common event context for this set of credentials */ -void cli_credentials_set_event_context(struct cli_credentials *cred, struct event_context *ev) +_PUBLIC_ void cli_credentials_set_event_context(struct cli_credentials *cred, struct event_context *ev) { cred->ev = ev; } @@ -787,7 +787,7 @@ void cli_credentials_set_event_context(struct cli_credentials *cred, struct even /* set the common event context for this set of credentials */ -struct event_context *cli_credentials_get_event_context(struct cli_credentials *cred) +_PUBLIC_ struct event_context *cli_credentials_get_event_context(struct cli_credentials *cred) { if (cred->ev == NULL) { cred->ev = event_context_find(cred); -- cgit From 1efbd5fbf6b0f606ed29a763e2adfa6f99c6beac Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Thu, 17 Apr 2008 01:03:18 +0200 Subject: Remove event context tracking from the credentials struct. (This used to be commit 4d7fc946b2ec50e774689c9036423b6feef99b8e) --- source4/auth/credentials/credentials.c | 22 +--------------------- 1 file changed, 1 insertion(+), 21 deletions(-) (limited to 'source4/auth/credentials/credentials.c') diff --git a/source4/auth/credentials/credentials.c b/source4/auth/credentials/credentials.c index 89dddc9e05..bfed451689 100644 --- a/source4/auth/credentials/credentials.c +++ b/source4/auth/credentials/credentials.c @@ -65,7 +65,6 @@ _PUBLIC_ struct cli_credentials *cli_credentials_init(TALLOC_CTX *mem_ctx) cred->tries = 3; cred->callback_running = false; - cred->ev = NULL; cli_credentials_set_kerberos_state(cred, CRED_AUTO_USE_KERBEROS); cli_credentials_set_gensec_features(cred, 0); @@ -675,7 +674,7 @@ _PUBLIC_ void cli_credentials_guess(struct cli_credentials *cred, } if (cli_credentials_get_kerberos_state(cred) != CRED_DONT_USE_KERBEROS) { - cli_credentials_set_ccache(cred, lp_ctx, NULL, CRED_GUESS_FILE); + cli_credentials_set_ccache(cred, event_context_find(cred), lp_ctx, NULL, CRED_GUESS_FILE); } } @@ -775,22 +774,3 @@ _PUBLIC_ bool cli_credentials_wrong_password(struct cli_credentials *cred) return (cred->tries > 0); } - -/* - set the common event context for this set of credentials - */ -_PUBLIC_ void cli_credentials_set_event_context(struct cli_credentials *cred, struct event_context *ev) -{ - cred->ev = ev; -} - -/* - set the common event context for this set of credentials - */ -_PUBLIC_ struct event_context *cli_credentials_get_event_context(struct cli_credentials *cred) -{ - if (cred->ev == NULL) { - cred->ev = event_context_find(cred); - } - return cred->ev; -} -- cgit From fe7d46067133131189faf7aebae62fa9c48626d9 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Mon, 5 May 2008 12:58:15 +1000 Subject: Allow an NTLM response to be specified into the auth subsystem. This allows it to be proxied for NTLM pass-though authentication (aka security=server and associated man-in-the-middle attacks). Andrew Bartlett (This used to be commit 6ffabb38d03ad90d8731ab3e0eb692438db967ee) --- source4/auth/credentials/credentials.c | 20 ++------------------ 1 file changed, 2 insertions(+), 18 deletions(-) (limited to 'source4/auth/credentials/credentials.c') diff --git a/source4/auth/credentials/credentials.c b/source4/auth/credentials/credentials.c index bfed451689..adabe49cb4 100644 --- a/source4/auth/credentials/credentials.c +++ b/source4/auth/credentials/credentials.c @@ -306,6 +306,8 @@ _PUBLIC_ bool cli_credentials_set_password(struct cli_credentials *cred, cli_credentials_invalidate_ccache(cred, cred->password_obtained); cred->nt_hash = NULL; + cred->lm_response = data_blob(NULL, 0); + cred->nt_response = data_blob(NULL, 0); return true; } @@ -376,24 +378,6 @@ _PUBLIC_ const struct samr_Password *cli_credentials_get_nt_hash(struct cli_cred } } -_PUBLIC_ bool cli_credentials_set_nt_hash(struct cli_credentials *cred, - const struct samr_Password *nt_hash, - enum credentials_obtained obtained) -{ - if (obtained >= cred->password_obtained) { - cli_credentials_set_password(cred, NULL, obtained); - if (nt_hash) { - cred->nt_hash = talloc(cred, struct samr_Password); - *cred->nt_hash = *nt_hash; - } else { - cred->nt_hash = NULL; - } - return true; - } - - return false; -} - /** * Obtain the 'short' or 'NetBIOS' domain for this credentials context. * @param cred credentials context -- cgit