From 2c6ecae4e62a5bb7acac2872450148fb4521cf3e Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Fri, 14 Oct 2005 04:04:52 +0000 Subject: r10982: Move credentials.h into auth/credentials, and add flags needed by previous patch. Andrew Bartlett (This used to be commit 2c537d47ba99885c6462016342b1cc29df4c54c5) --- source4/auth/credentials/credentials.h | 81 ++++++++++++++++++++++++++++++++++ 1 file changed, 81 insertions(+) create mode 100644 source4/auth/credentials/credentials.h (limited to 'source4/auth/credentials/credentials.h') diff --git a/source4/auth/credentials/credentials.h b/source4/auth/credentials/credentials.h new file mode 100644 index 0000000000..324b518462 --- /dev/null +++ b/source4/auth/credentials/credentials.h 
@@ -0,0 +1,81 @@
+/*
+ samba -- Unix SMB/CIFS implementation.
+
+ Client credentials structure
+
+ Copyright (C) Jelmer Vernooij 2004-2005
+ Copyright (C) Andrew Bartlett 2005
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 2 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program; if not, write to the Free Software
+ Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+*/
+
+struct ccache_container;
+
+/* In order of priority */
+enum credentials_obtained {
+ CRED_UNINITIALISED = 0, /* We don't even have a guess yet */
+ CRED_GUESS_ENV, /* Current value should be used, which was guessed */
+ CRED_CALLBACK, /* Callback should be used to obtain value */
+ CRED_GUESS_FILE, /* A guess from a file (or file pointed at in env variable) */
+ CRED_SPECIFIED /* Was explicitly specified on the command-line */
+};
+
+#define CLI_CRED_NTLM2 0x01
+#define CLI_CRED_NTLMv2_AUTH 0x02
+#define CLI_CRED_LANMAN_AUTH 0x04
+#define CLI_CRED_NTLM_AUTH 0x08
+
+struct cli_credentials {
+ /* Preferred methods, NULL means default */
+ const char **preferred_methods;
+
+ enum credentials_obtained workstation_obtained;
+ enum credentials_obtained username_obtained;
+ enum credentials_obtained password_obtained;
+ enum credentials_obtained domain_obtained;
+ enum credentials_obtained realm_obtained;
+ enum credentials_obtained ccache_obtained;
+ enum credentials_obtained principal_obtained;
+
+ const char *workstation;
+ const char *username;
+ const char *password;
+ const char *domain;
+ const char *realm;
+ 
const char *principal; + + struct samr_Password *nt_hash; + + struct ccache_container *ccache; + + const char *(*workstation_cb) (struct cli_credentials *); + const char *(*password_cb) (struct cli_credentials *); + const char *(*username_cb) (struct cli_credentials *); + const char *(*domain_cb) (struct cli_credentials *); + const char *(*realm_cb) (struct cli_credentials *); + const char *(*principal_cb) (struct cli_credentials *); + + /* Private handle for the callback routines to use */ + void *priv_data; + + struct creds_CredentialState *netlogon_creds; + enum netr_SchannelType secure_channel_type; + int kvno; + + /* We are flagged to get machine account details from the + * secrets.ldb when we are asked for a username or password */ + + BOOL machine_account_pending; +}; -- cgit From 372ca26b2052e267711a45c8bf341f55505f3f8f Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Thu, 20 Oct 2005 03:47:55 +0000 Subject: r11200: Reposition the creation of the kerberos keytab for GSSAPI and Krb5 authentication. This pulls the creating of the keytab back to the credentials code, and removes the special case of 'use keberos keytab = yes' for now. This allows (and requires) the callers to specify the credentials for the server credentails to GENSEC. This allows kpasswdd (soon to be added) to use a different set of kerberos credentials. The 'use kerberos keytab' code will be moved into the credentials layer, as the layers below now expect a keytab. We also now allow for the old secret to be stored into the credentials, allowing service password changes. Andrew Bartlett (This used to be commit 205f77c579ac8680c85f713a76de5767189c627b) --- source4/auth/credentials/credentials.h | 5 +++++ 1 file changed, 5 insertions(+) (limited to 'source4/auth/credentials/credentials.h') diff --git a/source4/auth/credentials/credentials.h b/source4/auth/credentials/credentials.h index 324b518462..aa2a0d0ac2 100644 --- a/source4/auth/credentials/credentials.h 
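Review bot: `struct cli_credentials` in the new header holds the cleartext `password` and the `nt_hash` as plain pointers, and nothing next to those fields says who owns the memory or when it is cleared. A short comment above them would help callers avoid keeping copies alive longer than authentication needs, for example `/* secrets: owned by the credentials object; do not log or copy */` (the ownership wording is an assumption to confirm against the implementation file, which is not part of this patch). The header also has no include guard and uses `BOOL`, `struct samr_Password` and `enum netr_SchannelType` (the last one by value) without including their definitions, so it only compiles when the includer has already pulled those in.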
+++ b/source4/auth/credentials/credentials.h @@ -48,10 +48,12 @@ struct cli_credentials { enum credentials_obtained realm_obtained; enum credentials_obtained ccache_obtained; enum credentials_obtained principal_obtained; + enum credentials_obtained keytab_obtained; const char *workstation; const char *username; const char *password; + const char *old_password; const char *domain; const char *realm; const char *principal; @@ -59,6 +61,7 @@ struct cli_credentials { struct samr_Password *nt_hash; struct ccache_container *ccache; + struct keytab_container *keytab; const char *(*workstation_cb) (struct cli_credentials *); const char *(*password_cb) (struct cli_credentials *); @@ -74,6 +77,8 @@ struct cli_credentials { enum netr_SchannelType secure_channel_type; int kvno; + struct smb_krb5_context *smb_krb5_context; + /* We are flagged to get machine account details from the * secrets.ldb when we are asked for a username or password */ -- cgit From b0c7c175b1c1ed45a31a710e4fbe18bbffdd6d38 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Thu, 20 Oct 2005 10:28:16 +0000 Subject: r11220: Add the ability to handle the salt prinicpal as part of the credentials. This works with the setup/secrets.ldif change from the previous patch, and pretty much just re-invents the keytab. Needed for kpasswdd work. Andrew Bartlett (This used to be commit cc9d167bab280eaeb793a5e7dfdf1f31be47fbf5) --- source4/auth/credentials/credentials.h | 1 + 1 file changed, 1 insertion(+) (limited to 'source4/auth/credentials/credentials.h') diff --git a/source4/auth/credentials/credentials.h b/source4/auth/credentials/credentials.h index aa2a0d0ac2..b43ddbbe89 100644 --- a/source4/auth/credentials/credentials.h +++ b/source4/auth/credentials/credentials.h @@ -57,6 +57,7 @@ struct cli_credentials { const char *domain; const char *realm; const char *principal; + const char *salt_principal; struct samr_Password *nt_hash; -- cgit From cfa2adf04017c9491d4cc6a69a0bbd4869061b6d Mon Sep 17 00:00:00 2001 
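Review bot: The added `old_password` field keeps a second cleartext secret in `struct cli_credentials`, but unlike its neighbours it has no `old_password_obtained` companion and no comment saying when it is set or dropped. The commit message describes it as the old secret kept for service password changes, so a comment such as `/* previous secret, kept only so a password change can still authenticate */` would make the intended lifetime explicit (wording inferred from the commit message). The `keytab` and `smb_krb5_context` pointers added in the two later hunks of this commit are likewise undocumented, and `keytab_container` gets no forward declaration next to the existing `struct ccache_container;` at the top of the header.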
From: Andrew Bartlett Date: Mon, 31 Oct 2005 00:23:38 +0000 Subject: r11401: A simple hack to have our central credentials system deny sending LM authentication for user@realm logins and machine account logins. This should avoid various protocol downgrade attacks. Andrew Bartlett (This used to be commit 76c2d204d0a1ec66d1ef3c935688c7571b051f46) --- source4/auth/credentials/credentials.h | 3 +++ 1 file changed, 3 insertions(+) (limited to 'source4/auth/credentials/credentials.h') diff --git a/source4/auth/credentials/credentials.h b/source4/auth/credentials/credentials.h index b43ddbbe89..b85337bd18 100644 --- a/source4/auth/credentials/credentials.h +++ b/source4/auth/credentials/credentials.h @@ -84,4 +84,7 @@ struct cli_credentials { * secrets.ldb when we are asked for a username or password */ BOOL machine_account_pending; + + /* Is this a machine account? */ + BOOL machine_account; }; -- cgit From 3b2a6997b43dcfe37adf67c84e564a4fbff5b108 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Wed, 2 Nov 2005 00:31:22 +0000 Subject: r11452: Update Heimdal to current lorikeet, including removing the ccache side of the gsskrb5_acquire_cred hack. Add support for delegated credentials into the auth and credentials subsystem, and specifically into gensec_gssapi. Add the CIFS NTVFS handler as a consumer of delegated credentials, when no user/domain/password is specified. Andrew Bartlett (This used to be commit 55b89899adb692d90e63873ccdf80b9f94a6b448) --- source4/auth/credentials/credentials.h | 2 ++ 1 file changed, 2 insertions(+) (limited to 'source4/auth/credentials/credentials.h') diff --git a/source4/auth/credentials/credentials.h b/source4/auth/credentials/credentials.h index b85337bd18..3e84db52a5 100644 --- a/source4/auth/credentials/credentials.h +++ b/source4/auth/credentials/credentials.h 
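Review bot: The comment on the new `machine_account` flag says only `Is this a machine account?`, while the commit message gives the flag a security role: LM authentication is to be withheld for machine-account logins. Stating that next to the field, e.g. `/* Is this a machine account? If so, LM authentication must not be sent */`, keeps a later caller from treating it as informational. Because the field is a plain `BOOL`, a credentials object that is zero-initialised and never marked would presumably count as a non-machine account; whether that default is acceptable depends on code outside this hunk.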
@@ -47,6 +47,7 @@ struct cli_credentials { enum credentials_obtained domain_obtained; enum credentials_obtained realm_obtained; enum credentials_obtained ccache_obtained; + enum credentials_obtained gss_creds_obtained; enum credentials_obtained principal_obtained; enum credentials_obtained keytab_obtained; @@ -62,6 +63,7 @@ struct cli_credentials { struct samr_Password *nt_hash; struct ccache_container *ccache; + struct gssapi_creds_container *gssapi_creds; struct keytab_container *keytab; const char *(*workstation_cb) (struct cli_credentials *); -- cgit From 9c6b7f2d62e134a4bc15efc04e05be25e4a53dc7 Mon Sep 17 00:00:00 2001 
From: Andrew Bartlett Date: Thu, 1 Dec 2005 05:20:39 +0000 Subject: r11995: A big kerberos-related update. This merges Samba4 up to current lorikeet-heimdal, which includes a replacement for some Samba-specific hacks. In particular, the credentials system now supplies GSS client and server credentials. These are imported into GSS with gss_krb5_import_creds(). Unfortunetly this can't take an MEMORY keytab, so we now create a FILE based keytab as provision and join time. Because the keytab is now created in advance, we don't spend .4s at negprot doing sha1 s2k calls. Also, because the keytab is read in real time, any change in the server key will be correctly picked up by the the krb5 code. To mark entries in the secrets which should be exported to a keytab, there is a new kerberosSecret objectClass. The new routine cli_credentials_update_all_keytabs() searches for these, and updates the keytabs. This is called in the provision.js via the ejs wrapper credentials_update_all_keytabs(). We can now (in theory) use a system-provided /etc/krb5.keytab, if krb5Keytab: FILE:/etc/krb5.keytab is added to the secrets.ldb record. By default the attribute privateKeytab: secrets.keytab is set, pointing to allow the whole private directory to be moved without breaking the internal links. (This used to be commit 6b75573df49c6210e1b9d71e108a9490976bd41d) --- source4/auth/credentials/credentials.h | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) (limited to 'source4/auth/credentials/credentials.h') diff --git a/source4/auth/credentials/credentials.h b/source4/auth/credentials/credentials.h index 3e84db52a5..81773aa70a 100644 --- a/source4/auth/credentials/credentials.h +++ b/source4/auth/credentials/credentials.h 
@@ -47,9 +47,10 @@ struct cli_credentials { enum credentials_obtained domain_obtained; enum credentials_obtained realm_obtained; enum credentials_obtained ccache_obtained; - enum credentials_obtained gss_creds_obtained; + enum credentials_obtained client_gss_creds_obtained; enum credentials_obtained principal_obtained; enum credentials_obtained keytab_obtained; + enum credentials_obtained server_gss_creds_obtained; const char *workstation; const char *username; @@ -63,8 +64,9 @@ struct cli_credentials { struct samr_Password *nt_hash; struct ccache_container *ccache; - struct gssapi_creds_container *gssapi_creds; + struct gssapi_creds_container *client_gss_creds; struct keytab_container *keytab; + struct gssapi_creds_container *server_gss_creds; const char *(*workstation_cb) (struct cli_credentials *); const char *(*password_cb) (struct cli_credentials *); -- cgit From 61bd60957418b872688dc22ec41f7a7ec4f267b2 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Mon, 5 Dec 2005 03:20:40 +0000 Subject: r12060: Work towards allowing the credentials system to allow/deny certain GENSEC mechansims. This will allow a machine join to an NT4 domain to avoid even trying kerberos, or a sensitive operation to require it. Andrew Bartlett (This used to be commit 11c7a89e523f85afd728d5e5f03bb084dc620244) --- source4/auth/credentials/credentials.h | 3 +++ 1 file changed, 3 insertions(+) (limited to 'source4/auth/credentials/credentials.h') diff --git a/source4/auth/credentials/credentials.h b/source4/auth/credentials/credentials.h index 81773aa70a..ec6f1aa619 100644 --- a/source4/auth/credentials/credentials.h +++ b/source4/auth/credentials/credentials.h @@ -91,4 +91,7 @@ struct cli_credentials { /* Is this a machine account? */ BOOL machine_account; + + /* A list of valid GENSEC mechanisms for use on this account */ + struct gensec_security_ops **gensec_list; }; -- cgit From 89260f978e948a86c62d2ac192297a7f41caa05e Mon Sep 17 00:00:00 2001 
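Review bot: The comment on `gensec_list` (last hunk on this line, r12060) does not say what a NULL list means, and for a list that decides which GENSEC mechanisms may be used the difference between "no restriction" and "nothing allowed" matters. The `preferred_methods` field at the top of the struct documents its NULL case (`NULL means default`); this one should do the same, e.g. `/* A list of valid GENSEC mechanisms for use on this account, NULL means no restriction */` if that is the intended behaviour. It would also help to state whether the array is NULL-terminated and who owns it.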
From: Stefan Metzmacher Date: Mon, 5 Dec 2005 06:55:20 +0000 Subject: r12065: fix compiler warning metze (This used to be commit c60bac5baa572a597ce6e1c2e3639be4c7daeefc) --- source4/auth/credentials/credentials.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source4/auth/credentials/credentials.h') diff --git a/source4/auth/credentials/credentials.h b/source4/auth/credentials/credentials.h index ec6f1aa619..027cf4469d 100644 --- a/source4/auth/credentials/credentials.h +++ b/source4/auth/credentials/credentials.h @@ -93,5 +93,5 @@ struct cli_credentials { BOOL machine_account; /* A list of valid GENSEC mechanisms for use on this account */ - struct gensec_security_ops **gensec_list; + const struct gensec_security_ops **gensec_list; }; -- cgit From 97b54b007e0f8a44074fa570b06b7ff9d4f2489b Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Sun, 18 Dec 2005 05:01:15 +0000 Subject: r12310: Link simple bind support in our internal LDAP libs to LDB and the command line processing system. This is a little ugly at the moment, but works. What I cannot manage to get to work is the extraction and propogation of command line credentials into the js interface to ldb. Andrew Bartlett (This used to be commit f34ede763e7f80507d06224d114cf6b5ac7c8f7d) --- source4/auth/credentials/credentials.h | 2 ++ 1 file changed, 2 insertions(+) (limited to 'source4/auth/credentials/credentials.h') diff --git a/source4/auth/credentials/credentials.h b/source4/auth/credentials/credentials.h index 027cf4469d..c8a95e2b51 100644 --- a/source4/auth/credentials/credentials.h +++ b/source4/auth/credentials/credentials.h @@ -61,6 +61,8 @@ struct cli_credentials { const char *principal; const char *salt_principal; + const char *bind_dn; + struct samr_Password *nt_hash; struct ccache_container *ccache; -- cgit From 2cd5ca7d25f12aa9198bf8c2deb6aea282f573ee Mon Sep 17 00:00:00 2001 
From: Jelmer Vernooij Date: Wed, 28 Dec 2005 15:38:36 +0000 Subject: r12542: Move some more prototypes out to seperate headers (This used to be commit 0aca5fd5130d980d07398f3291d294202aefe3c2) --- source4/auth/credentials/credentials.h | 2 ++ 1 file changed, 2 insertions(+) (limited to 'source4/auth/credentials/credentials.h') diff --git a/source4/auth/credentials/credentials.h b/source4/auth/credentials/credentials.h index c8a95e2b51..8402676acd 100644 --- a/source4/auth/credentials/credentials.h +++ b/source4/auth/credentials/credentials.h @@ -97,3 +97,5 @@ struct cli_credentials { /* A list of valid GENSEC mechanisms for use on this account */ const struct gensec_security_ops **gensec_list; }; + +#include "auth/credentials/credentials_proto.h" -- cgit From 44e601b5ad635ba29088fd4c747627dee8d62112 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Sat, 28 Jan 2006 12:15:24 +0000 Subject: r13206: This patch finally re-adds a -k option that works reasonably. From here we can add tests to Samba for kerberos, forcing it on and off. In the process, I also remove the dependency of credentials on GENSEC. This also picks up on the idea of bringing 'set_boolean' into general code from jpeach's cifsdd patch. Andrew Bartlett (This used to be commit 1ac7976ea6e3ad6184c911de5df624c44e7c5228) --- source4/auth/credentials/credentials.h | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) (limited to 'source4/auth/credentials/credentials.h') diff --git a/source4/auth/credentials/credentials.h b/source4/auth/credentials/credentials.h index 8402676acd..eb4e5c96d0 100644 --- a/source4/auth/credentials/credentials.h +++ b/source4/auth/credentials/credentials.h 
@@ -32,15 +32,19 @@ enum credentials_obtained { CRED_SPECIFIED /* Was explicitly specified on the command-line */ }; +enum credentials_use_kerberos { + CRED_AUTO_USE_KERBEROS = 0, /* Default, we try kerberos if available */ + CRED_DONT_USE_KERBEROS, /* Sometimes trying kerberos just does 'bad things', so don't */ + CRED_MUST_USE_KERBEROS /* Sometimes administrators are parinoid, so always do kerberos */ +}; + #define CLI_CRED_NTLM2 0x01 #define CLI_CRED_NTLMv2_AUTH 0x02 #define CLI_CRED_LANMAN_AUTH 0x04 #define CLI_CRED_NTLM_AUTH 0x08 +#define CLI_CRED_CLEAR_AUTH 0x10 /* TODO: Push cleartext auth with this flag */ struct cli_credentials { - /* Preferred methods, NULL means default */ - const char **preferred_methods; - enum credentials_obtained workstation_obtained; enum credentials_obtained username_obtained; enum credentials_obtained password_obtained; @@ -94,8 +98,8 @@ struct cli_credentials { /* Is this a machine account? */ BOOL machine_account; - /* A list of valid GENSEC mechanisms for use on this account */ - const struct gensec_security_ops **gensec_list; + /* Should we be trying to use kerberos? */ + enum credentials_use_kerberos use_kerberos; }; #include "auth/credentials/credentials_proto.h" -- cgit From 3f16241a1d3243447d0244ebac05b447aec94df8 Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Tue, 14 Mar 2006 01:29:56 +0000 Subject: r14363: Remove credentials.h from the global includes. (This used to be commit 98c4c3051391c6f89df5d133665f51bef66b1563) --- source4/auth/credentials/credentials.h | 4 ++++ 1 file changed, 4 insertions(+) (limited to 'source4/auth/credentials/credentials.h') diff --git a/source4/auth/credentials/credentials.h b/source4/auth/credentials/credentials.h index eb4e5c96d0..58d393f762 100644 --- a/source4/auth/credentials/credentials.h +++ b/source4/auth/credentials/credentials.h 
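Review bot: `CRED_AUTO_USE_KERBEROS` is given the value 0, so a credentials object that is zero-filled and never configured lands in the mode that, per its own comment, only tries Kerberos if available; callers that need Kerberos have to set `CRED_MUST_USE_KERBEROS` explicitly, and the enum comments should say that plainly (`parinoid` is also a typo for `paranoid`). The new `CLI_CRED_CLEAR_AUTH` bit carries only a TODO; since it names cleartext authentication, a comment that it must be opted into and is not part of any default flag set would be worth adding, if that is the intent. The second hunk of this commit, which replaces `gensec_list` with `use_kerberos`, leaves the same default undocumented at the field.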
@@ -20,6 +20,8 @@ along with this program; if not, write to the Free Software Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. */ +#ifndef __CREDENTIALS_H__ +#define __CREDENTIALS_H__ struct ccache_container; @@ -103,3 +105,5 @@ struct cli_credentials { }; #include "auth/credentials/credentials_proto.h" + +#endif /* __CREDENTIALS_H__ */ -- cgit From 83d8fd3dcfb326354173b585905c4438405d2a74 Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Thu, 16 Mar 2006 17:51:04 +0000 Subject: r14484: Install more headers (This used to be commit 430c6516d383bfd7f27287394bf8eef9f174b3e6) --- source4/auth/credentials/credentials.h | 2 ++ 1 file changed, 2 insertions(+) (limited to 'source4/auth/credentials/credentials.h') diff --git a/source4/auth/credentials/credentials.h b/source4/auth/credentials/credentials.h index 58d393f762..2e9d77ccae 100644 --- a/source4/auth/credentials/credentials.h +++ b/source4/auth/credentials/credentials.h @@ -23,6 +23,8 @@ #ifndef __CREDENTIALS_H__ #define __CREDENTIALS_H__ +#include "librpc/gen_ndr/misc.h" + struct ccache_container; /* In order of priority */ -- cgit From 557c98bd5f4e5268d4793d51037f59ef3482fe8c Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Wed, 3 May 2006 14:15:31 +0000 Subject: r15414: Support retrying different username/password combinations (This used to be commit 5de894fb8bac8efa5bff004dbfc2e8b386d4003b) --- source4/auth/credentials/credentials.h | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) (limited to 'source4/auth/credentials/credentials.h') diff --git a/source4/auth/credentials/credentials.h b/source4/auth/credentials/credentials.h index 2e9d77ccae..c0fec45b6f 100644 --- a/source4/auth/credentials/credentials.h +++ b/source4/auth/credentials/credentials.h @@ -3,7 +3,7 @@ Client credentials structure - Copyright (C) Jelmer Vernooij 2004-2005 + Copyright (C) Jelmer Vernooij 2004-2006 Copyright (C) Andrew Bartlett 2005 This program is free software; you can redistribute it and/or modify 
@@ -33,6 +33,7 @@ enum credentials_obtained { CRED_GUESS_ENV, /* Current value should be used, which was guessed */ CRED_CALLBACK, /* Callback should be used to obtain value */ CRED_GUESS_FILE, /* A guess from a file (or file pointed at in env variable) */ + CRED_CALLBACK_RESULT, /* Value was obtained from a callback */ CRED_SPECIFIED /* Was explicitly specified on the command-line */ }; @@ -104,6 +105,9 @@ struct cli_credentials { /* Should we be trying to use kerberos? */ enum credentials_use_kerberos use_kerberos; + + /* Number of retries left before bailing out */ + int tries; }; #include "auth/credentials/credentials_proto.h" -- cgit From 086c9cc5f4a9145ee93060db2eebb3badc325e44 Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Wed, 3 May 2006 20:56:14 +0000 Subject: r15422: Fix issues with functions being called recursively in the credentials callback code. (This used to be commit edf0701e877592695bd69124e528338c27f24efd) --- source4/auth/credentials/credentials.h | 3 +++ 1 file changed, 3 insertions(+) (limited to 'source4/auth/credentials/credentials.h') diff --git a/source4/auth/credentials/credentials.h b/source4/auth/credentials/credentials.h index c0fec45b6f..5e739b4278 100644 --- a/source4/auth/credentials/credentials.h +++ b/source4/auth/credentials/credentials.h @@ -108,6 +108,9 @@ struct cli_credentials { /* Number of retries left before bailing out */ int tries; + + /* Whether any callback is currently running */ + BOOL callback_running; }; #include "auth/credentials/credentials_proto.h" -- cgit From 38a472c994b5c4a02632bf55a044dfc12cf694fd Mon Sep 17 00:00:00 2001 
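Review bot: The new `tries` counter is documented only as `Number of retries left before bailing out`; the comment gives no initial value, does not say what happens at zero, and the type is a signed `int`. For a field that bounds repeated username/password attempts the limit matters to callers, since repeated failed logins can lock an account on the server side, so the comment should name where the starting value is set and state that the counter is never decremented below zero. The enum hunk of the same commit inserts `CRED_CALLBACK_RESULT` in the middle of an enum documented as `In order of priority`, which renumbers `CRED_SPECIFIED`; that is safe only if no numeric value is stored or compared outside the enum names, which cannot be checked from this hunk.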
From: Stefan Metzmacher Date: Tue, 12 Dec 2006 21:47:56 +0000 Subject: r20135: attach default gensec features to the cli_credentials structure, so make it possible to force encryption or signing. metze (This used to be commit a91dc4a02a46370c52f59cbd4dea9580fa6efafa) --- source4/auth/credentials/credentials.h | 3 +++ 1 file changed, 3 insertions(+) (limited to 'source4/auth/credentials/credentials.h') diff --git a/source4/auth/credentials/credentials.h b/source4/auth/credentials/credentials.h index 5e739b4278..e5dd5f66fc 100644 --- a/source4/auth/credentials/credentials.h +++ b/source4/auth/credentials/credentials.h @@ -106,6 +106,9 @@ struct cli_credentials { /* Should we be trying to use kerberos? */ enum credentials_use_kerberos use_kerberos; + /* gensec features which should be used for connections */ + uint32_t gensec_features; + /* Number of retries left before bailing out */ int tries; -- cgit From a8d0f5df6266aeacdb20326094c0401618ab62e8 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Mon, 5 Feb 2007 14:20:35 +0000 Subject: r21142: fix compiler warnings metze (This used to be commit 1f8a037ac4f592d29f7d66e1f924efe1c5d8c2b0) --- source4/auth/credentials/credentials.h | 1 + 1 file changed, 1 insertion(+) (limited to 'source4/auth/credentials/credentials.h') diff --git a/source4/auth/credentials/credentials.h b/source4/auth/credentials/credentials.h index e5dd5f66fc..b71539c2eb 100644 --- a/source4/auth/credentials/credentials.h +++ b/source4/auth/credentials/credentials.h @@ -116,6 +116,7 @@ struct cli_credentials { BOOL callback_running; }; +struct ldb_context; #include "auth/credentials/credentials_proto.h" #endif /* __CREDENTIALS_H__ */ -- cgit From 847102c6ca17f7b7d665863b8caa1d85baef46ad Mon Sep 17 00:00:00 2001 
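Review bot: `gensec_features` is added as a bare `uint32_t` with the comment `gensec features which should be used for connections`, which names neither the flag set the bits come from nor the meaning of the default. The commit message says the field exists to force encryption or signing, so a zero value presumably requests neither; the comment should say so, e.g. `/* GENSEC feature flags requested for connections; 0 requests no signing or sealing */` (to be confirmed against the gensec code, which is outside this hunk).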
From: Andrew Bartlett Date: Wed, 7 Mar 2007 04:20:10 +0000 Subject: r21736: Fix the smbclient test to do something more interesting with the last few authentication tests. Now that the tests correctly 'fail', I was able to fix the credentials subsystem to honour USER and PASSWD. To get --machine-pass working, I needed ldb to always load it's static modules, so I put this in ldb_connect(). Andrew Bartlett (This used to be commit 3430d8c072407a1c33c32229095fc9db2142b6fa) --- source4/auth/credentials/credentials.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source4/auth/credentials/credentials.h') diff --git a/source4/auth/credentials/credentials.h b/source4/auth/credentials/credentials.h index b71539c2eb..ce63a55bb3 100644 --- a/source4/auth/credentials/credentials.h +++ b/source4/auth/credentials/credentials.h @@ -30,8 +30,8 @@ struct ccache_container; /* In order of priority */ enum credentials_obtained { CRED_UNINITIALISED = 0, /* We don't even have a guess yet */ - CRED_GUESS_ENV, /* Current value should be used, which was guessed */ CRED_CALLBACK, /* Callback should be used to obtain value */ + CRED_GUESS_ENV, /* Current value should be used, which was guessed */ CRED_GUESS_FILE, /* A guess from a file (or file pointed at in env variable) */ CRED_CALLBACK_RESULT, /* Value was obtained from a callback */ CRED_SPECIFIED /* Was explicitly specified on the command-line */ -- cgit From c42219d7352bd2e7a6413f7ae1cd0fd5cded1d95 Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Thu, 17 May 2007 08:47:04 +0000 Subject: r22969: fix some more places where we could end up with more than one event context. We now have an event context on the torture_context, and we can also get one from the cli_credentials structure (This used to be commit c0f65eb6562e13530337c23e3447a6aa6eb8fc17) --- source4/auth/credentials/credentials.h | 3 +++ 1 file changed, 3 insertions(+) (limited to 'source4/auth/credentials/credentials.h') 
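Review bot: Swapping `CRED_CALLBACK` and `CRED_GUESS_ENV` changes behaviour, not just layout, because the enum is documented as `In order of priority`: a value guessed from the environment now ranks above a pending callback. The commit message says this is wanted so that USER and PASSWD are honoured, but the header should record that the order is load-bearing, e.g. `/* In order of priority; comparisons depend on this order, do not reorder */`. It is worth confirming that a password taken from the environment outranking an interactive prompt is intended for every caller, since that cannot be seen from this hunk.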
diff --git a/source4/auth/credentials/credentials.h b/source4/auth/credentials/credentials.h index ce63a55bb3..e20c6015e9 100644 --- a/source4/auth/credentials/credentials.h +++ b/source4/auth/credentials/credentials.h @@ -114,6 +114,9 @@ struct cli_credentials { /* Whether any callback is currently running */ BOOL callback_running; + + /* an event context for anyone wanting to use the credentials */ + struct event_context *ev; }; struct ldb_context; -- cgit From c83c39909ed4979d455f94c9b842b542fb38e76b Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Tue, 22 May 2007 05:21:59 +0000 Subject: r23063: Make sure to invalidate the ccache when we set a username/password/realm/etc from the command line. Also make sure it can't 'come back' from a later call to cli_credentials_guess(), buy setting a threshold. This should fix the issues with the build farm... Andrew Bartlett (This used to be commit 3b1dfb9306beb9f40d85d38cf6786ef161ec63f1) --- source4/auth/credentials/credentials.h | 7 +++++++ 1 file changed, 7 insertions(+) (limited to 'source4/auth/credentials/credentials.h') diff --git a/source4/auth/credentials/credentials.h b/source4/auth/credentials/credentials.h index e20c6015e9..2715e03c1c 100644 --- a/source4/auth/credentials/credentials.h +++ b/source4/auth/credentials/credentials.h @@ -61,6 +61,13 @@ struct cli_credentials { enum credentials_obtained keytab_obtained; enum credentials_obtained server_gss_creds_obtained; + /* Threshold values (essentially a MAX() over a number of the + * above) for the ccache and GSS credentials, to ensure we + * regenerate/pick correctly */ + + enum credentials_obtained ccache_threshold; + enum credentials_obtained client_gss_creds_threshold; + const char *workstation; const char *username; const char *password; -- cgit From 0479a2f1cbae51fcd8dbdc3c148c808421fb4d25 Mon Sep 17 00:00:00 2001 
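Review bot: The new comment describes the thresholds as `a MAX() over a number of the above` without naming which `*_obtained` fields feed each one, so a field added later that should invalidate a cached ccache can be missed without anyone noticing (r23063 hunk, last on this line). Listing the inputs for `ccache_threshold` and `client_gss_creds_threshold` in the comment would close that gap. Only those two thresholds are added; if `server_gss_creds` and `keytab` can also go stale when the password or realm changes they may need the same treatment, though that depends on code outside this hunk.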
From: Andrew Tridgell Date: Tue, 10 Jul 2007 02:07:03 +0000 Subject: r23792: convert Samba4 to GPLv3 There are still a few tidyups of old FSF addresses to come (in both s3 and s4). More commits soon. (This used to be commit fcf38a38ac691abd0fa51b89dc951a08e89fdafa) --- source4/auth/credentials/credentials.h | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) (limited to 'source4/auth/credentials/credentials.h') diff --git a/source4/auth/credentials/credentials.h b/source4/auth/credentials/credentials.h index 2715e03c1c..ca034a8504 100644 --- a/source4/auth/credentials/credentials.h +++ b/source4/auth/credentials/credentials.h @@ -8,7 +8,7 @@ This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by - the Free Software Foundation; either version 2 of the License, or + the Free Software Foundation; either version 3 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, @@ -17,8 +17,7 @@ GNU General Public License for more details. You should have received a copy of the GNU General Public License - along with this program; if not, write to the Free Software - Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. + along with this program. If not, see . */ #ifndef __CREDENTIALS_H__ #define __CREDENTIALS_H__ -- cgit From 61ffa08f4c95e29d301de9fbabd6e71c2dbc1056 Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Mon, 27 Aug 2007 18:10:19 +0000 Subject: r24712: No longer expose the 'BOOL' data type in any interfaces. (This used to be commit 1ce32673d960c8b05b6c1b1b99e1976a402417ae) --- source4/auth/credentials/credentials.h | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'source4/auth/credentials/credentials.h') diff --git a/source4/auth/credentials/credentials.h b/source4/auth/credentials/credentials.h index ca034a8504..1cecb97055 100644 --- a/source4/auth/credentials/credentials.h 
+++ b/source4/auth/credentials/credentials.h @@ -104,10 +104,10 @@ struct cli_credentials { /* We are flagged to get machine account details from the * secrets.ldb when we are asked for a username or password */ - BOOL machine_account_pending; + bool machine_account_pending; /* Is this a machine account? */ - BOOL machine_account; + bool machine_account; /* Should we be trying to use kerberos? */ enum credentials_use_kerberos use_kerberos; @@ -119,7 +119,7 @@ struct cli_credentials { int tries; /* Whether any callback is currently running */ - BOOL callback_running; + bool callback_running; /* an event context for anyone wanting to use the credentials */ struct event_context *ev; -- cgit From ffbb7e40604b9cffeb0c226279b929497b03a964 Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Sun, 16 Sep 2007 19:14:46 +0000 Subject: r25193: Update headers to easy use by external apps. (This used to be commit 20b70fbb7af6b6759c3b8c8aa56e10944b32bfdf) --- source4/auth/credentials/credentials.h | 1 + 1 file changed, 1 insertion(+) (limited to 'source4/auth/credentials/credentials.h') diff --git a/source4/auth/credentials/credentials.h b/source4/auth/credentials/credentials.h index 1cecb97055..0fd9ce46be 100644 --- a/source4/auth/credentials/credentials.h +++ b/source4/auth/credentials/credentials.h @@ -22,6 +22,7 @@ #ifndef __CREDENTIALS_H__ #define __CREDENTIALS_H__ +#include "util/data_blob.h" #include "librpc/gen_ndr/misc.h" struct ccache_container; -- cgit From 37d53832a4623653f706e77985a79d84bd7c6694 Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Fri, 28 Sep 2007 01:17:46 +0000 Subject: r25398: Parse loadparm context to all lp_*() functions. (This used to be commit 3fcc960839c6e5ca4de2c3c042f12f369ac5f238) --- source4/auth/credentials/credentials.h | 1 + 1 file changed, 1 insertion(+) (limited to 'source4/auth/credentials/credentials.h') diff --git a/source4/auth/credentials/credentials.h b/source4/auth/credentials/credentials.h index 0fd9ce46be..7ea37e40d1 100644 
--- a/source4/auth/credentials/credentials.h +++ b/source4/auth/credentials/credentials.h @@ -127,6 +127,7 @@ struct cli_credentials { }; struct ldb_context; +struct loadparm_context; #include "auth/credentials/credentials_proto.h" #endif /* __CREDENTIALS_H__ */ -- cgit From a2cea02584256e2cf59da5420e8e080e70c66939 Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Thu, 13 Dec 2007 22:46:17 +0100 Subject: r26430: require explicit specification of loadparm context. (This used to be commit 1b947fe0e6e16318e5a8127bb4932d6b5d20bcf6) --- source4/auth/credentials/credentials.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source4/auth/credentials/credentials.h') diff --git a/source4/auth/credentials/credentials.h b/source4/auth/credentials/credentials.h index 7ea37e40d1..e00acf727a 100644 --- a/source4/auth/credentials/credentials.h +++ b/source4/auth/credentials/credentials.h @@ -104,8 +104,8 @@ struct cli_credentials { /* We are flagged to get machine account details from the * secrets.ldb when we are asked for a username or password */ - bool machine_account_pending; + struct loadparm_context *machine_account_pending_lp_ctx; /* Is this a machine account? */ bool machine_account; -- cgit From be999912671de052af909bb88f13c956f12b30e1 Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Mon, 17 Dec 2007 04:56:54 +0100 Subject: r26484: Don't rely on removed header. (This used to be commit 6ca2b350858c0747449671234d54584635512705) --- source4/auth/credentials/credentials.h | 1 + 1 file changed, 1 insertion(+) (limited to 'source4/auth/credentials/credentials.h') diff --git a/source4/auth/credentials/credentials.h b/source4/auth/credentials/credentials.h index e00acf727a..a3da5c6054 100644 --- a/source4/auth/credentials/credentials.h +++ b/source4/auth/credentials/credentials.h 
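Review bot: `machine_account_pending_lp_ctx` (r26430 hunk) stores a `struct loadparm_context *` inside the credentials object with no comment on lifetime or ownership. The existing comment above it says machine account details are fetched later, when a username or password is asked for, so the context presumably has to stay valid until that deferred lookup has run. A comment such as `/* lp_ctx for the deferred secrets.ldb lookup; borrowed, must outlive the pending state */` would make the requirement visible, with the borrowed/owned wording to be confirmed against the setter.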
@@ -128,6 +128,7 @@ struct cli_credentials { struct ldb_context; struct loadparm_context; +#include "auth/credentials/credentials_krb5.h" #include "auth/credentials/credentials_proto.h" #endif /* __CREDENTIALS_H__ */ -- cgit From 87e6d7eab1fa81df51c48a7f9272a07f26ede463 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Mon, 17 Mar 2008 15:22:52 +1100 Subject: Don't require users of credentials.h to have krb5.h and gssapi.h Rather than require users of Samba4's headers to have krb5-devel installed (presumably in their system paths), don't expose the minor functions which require this by default. Andrew Bartlett (This used to be commit f14737e4d2040d2f401a3b20c5e78d0d793cfc3a) --- source4/auth/credentials/credentials.h | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) (limited to 'source4/auth/credentials/credentials.h') diff --git a/source4/auth/credentials/credentials.h b/source4/auth/credentials/credentials.h index a3da5c6054..1b205c61ce 100644 --- a/source4/auth/credentials/credentials.h +++ b/source4/auth/credentials/credentials.h @@ -128,7 +128,10 @@ struct cli_credentials { struct ldb_context; struct loadparm_context; -#include "auth/credentials/credentials_krb5.h" +struct ccache_container; + +struct gssapi_creds_container; + #include "auth/credentials/credentials_proto.h" #endif /* __CREDENTIALS_H__ */ -- cgit From afe3e8172ddaa5e4aa811faceecda4f943d6e2ef Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Wed, 2 Apr 2008 04:53:27 +0200 Subject: Install public header files again and include required prototypes. (This used to be commit 47ffbbf67435904754469544390b67d34c958343) --- source4/auth/credentials/credentials.h | 113 ++++++++++++++++++++++++++++++++- 1 file changed, 112 insertions(+), 1 deletion(-) (limited to 'source4/auth/credentials/credentials.h') diff --git a/source4/auth/credentials/credentials.h b/source4/auth/credentials/credentials.h index 1b205c61ce..afcb300638 100644 --- a/source4/auth/credentials/credentials.h 
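Review bot: The added `struct ccache_container;` repeats a forward declaration this header already has near the top, right after the `librpc/gen_ndr/misc.h` include, so only `struct gssapi_creds_container;` is new here. The duplicate is harmless in C, but keeping all forward declarations in one place above `struct cli_credentials` makes it easier to see which opaque types the header relies on.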
+++ b/source4/auth/credentials/credentials.h 
@@ -132,6 +132,117 @@ struct ccache_container; struct gssapi_creds_container; -#include "auth/credentials/credentials_proto.h" +const char *cli_credentials_get_workstation(struct cli_credentials *cred); +bool cli_credentials_set_workstation(struct cli_credentials *cred, + const char *val, + enum credentials_obtained obtained); +bool cli_credentials_is_anonymous(struct cli_credentials *cred); +struct cli_credentials *cli_credentials_init(TALLOC_CTX *mem_ctx); +void cli_credentials_set_anonymous(struct cli_credentials *cred); +bool cli_credentials_wrong_password(struct cli_credentials *cred); +const char *cli_credentials_get_password(struct cli_credentials *cred); +void cli_credentials_get_ntlm_username_domain(struct cli_credentials *cred, TALLOC_CTX *mem_ctx, + const char **username, + const char **domain); +NTSTATUS cli_credentials_get_ntlm_response(struct cli_credentials *cred, TALLOC_CTX *mem_ctx, + int *flags, + DATA_BLOB challenge, DATA_BLOB target_info, + DATA_BLOB *_lm_response, DATA_BLOB *_nt_response, + DATA_BLOB *_lm_session_key, DATA_BLOB *_session_key); +const char *cli_credentials_get_realm(struct cli_credentials *cred); +const char *cli_credentials_get_username(struct cli_credentials *cred); +int cli_credentials_get_krb5_context(struct cli_credentials *cred, + struct loadparm_context *lp_ctx, + struct smb_krb5_context **smb_krb5_context); +int cli_credentials_get_ccache(struct cli_credentials *cred, + struct loadparm_context *lp_ctx, + struct ccache_container **ccc); +int cli_credentials_get_keytab(struct cli_credentials *cred, + struct loadparm_context *lp_ctx, + struct keytab_container **_ktc); +const char *cli_credentials_get_domain(struct cli_credentials *cred); +struct creds_CredentialState *cli_credentials_get_netlogon_creds(struct cli_credentials *cred); +void cli_credentials_set_machine_account_pending(struct cli_credentials *cred, + struct loadparm_context *lp_ctx); +void cli_credentials_set_conf(struct cli_credentials *cred, + struct 
loadparm_context *lp_ctx);
+const char *cli_credentials_get_principal(struct cli_credentials *cred, TALLOC_CTX *mem_ctx);
+int cli_credentials_get_server_gss_creds(struct cli_credentials *cred,
+ struct loadparm_context *lp_ctx,
+ struct gssapi_creds_container **_gcc);
+int cli_credentials_get_client_gss_creds(struct cli_credentials *cred,
+ struct loadparm_context *lp_ctx,
+ struct gssapi_creds_container **_gcc);
+void cli_credentials_set_event_context(struct cli_credentials *cred, struct event_context *ev);
+void cli_credentials_set_kerberos_state(struct cli_credentials *creds,
+ enum credentials_use_kerberos use_kerberos);
+struct event_context *cli_credentials_get_event_context(struct cli_credentials *cred);
+bool cli_credentials_set_domain(struct cli_credentials *cred,
+ const char *val,
+ enum credentials_obtained obtained);
+bool cli_credentials_set_username(struct cli_credentials *cred,
+ const char *val, enum credentials_obtained obtained);
+bool cli_credentials_set_password(struct cli_credentials *cred,
+ const char *val,
+ enum credentials_obtained obtained);
+struct cli_credentials *cli_credentials_init_anon(TALLOC_CTX *mem_ctx);
+void cli_credentials_parse_string(struct cli_credentials *credentials, const char *data, enum credentials_obtained obtained);
+const struct samr_Password *cli_credentials_get_nt_hash(struct cli_credentials *cred,
+ TALLOC_CTX *mem_ctx);
+bool cli_credentials_set_realm(struct cli_credentials *cred,
+ const char *val,
+ enum credentials_obtained obtained);
+void cli_credentials_set_secure_channel_type(struct cli_credentials *cred,
+ enum netr_SchannelType secure_channel_type);
+void cli_credentials_set_netlogon_creds(struct cli_credentials *cred,
+ struct creds_CredentialState *netlogon_creds);
+NTSTATUS cli_credentials_set_krb5_context(struct cli_credentials *cred,
+ struct smb_krb5_context *smb_krb5_context);
+NTSTATUS cli_credentials_set_stored_principal(struct cli_credentials *cred,
+ struct loadparm_context *lp_ctx,
+ const
char *serviceprincipal);
+NTSTATUS cli_credentials_set_machine_account(struct cli_credentials *cred,
+ struct loadparm_context *lp_ctx);
+bool cli_credentials_authentication_requested(struct cli_credentials *cred);
+void cli_credentials_guess(struct cli_credentials *cred,
+ struct loadparm_context *lp_ctx);
+bool cli_credentials_set_bind_dn(struct cli_credentials *cred,
+ const char *bind_dn);
+const char *cli_credentials_get_bind_dn(struct cli_credentials *cred);
+bool cli_credentials_parse_file(struct cli_credentials *cred, const char *file, enum credentials_obtained obtained);
+const char *cli_credentials_get_unparsed_name(struct cli_credentials *credentials, TALLOC_CTX *mem_ctx);
+bool cli_credentials_set_password_callback(struct cli_credentials *cred,
+ const char *(*password_cb) (struct cli_credentials *));
+enum netr_SchannelType cli_credentials_get_secure_channel_type(struct cli_credentials *cred);
+void cli_credentials_set_kvno(struct cli_credentials *cred,
+ int kvno);
+bool cli_credentials_set_nt_hash(struct cli_credentials *cred,
+ const struct samr_Password *nt_hash,
+ enum credentials_obtained obtained);
+int cli_credentials_set_keytab_name(struct cli_credentials *cred,
+ struct loadparm_context *lp_ctx,
+ const char *keytab_name,
+ enum credentials_obtained obtained);
+int cli_credentials_update_keytab(struct cli_credentials *cred,
+ struct loadparm_context *lp_ctx);
+void cli_credentials_set_gensec_features(struct cli_credentials *creds, uint32_t gensec_features);
+uint32_t cli_credentials_get_gensec_features(struct cli_credentials *creds);
+int cli_credentials_set_ccache(struct cli_credentials *cred,
+ struct loadparm_context *lp_ctx,
+ const char *name,
+ enum credentials_obtained obtained);
+bool cli_credentials_parse_password_file(struct cli_credentials *credentials, const char *file, enum credentials_obtained obtained);
+bool cli_credentials_parse_password_fd(struct cli_credentials *credentials,
+ int fd, enum credentials_obtained obtained);
+void cli_credentials_invalidate_ccache(struct cli_credentials *cred, + enum credentials_obtained obtained); +void cli_credentials_set_salt_principal(struct cli_credentials *cred, const char *principal); +enum credentials_use_kerberos cli_credentials_get_kerberos_state(struct cli_credentials *creds); +NTSTATUS cli_credentials_set_secrets(struct cli_credentials *cred, + struct loadparm_context *lp_ctx, + struct ldb_context *ldb, + const char *base, + const char *filter); + int cli_credentials_get_kvno(struct cli_credentials *cred); #endif /* __CREDENTIALS_H__ */ -- cgit From 1efbd5fbf6b0f606ed29a763e2adfa6f99c6beac Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Thu, 17 Apr 2008 01:03:18 +0200 Subject: Remove event context tracking from the credentials struct. (This used to be commit 4d7fc946b2ec50e774689c9036423b6feef99b8e) --- source4/auth/credentials/credentials.h | 16 +++++++++++----- 1 file changed, 11 insertions(+), 5 deletions(-) (limited to 'source4/auth/credentials/credentials.h') diff --git a/source4/auth/credentials/credentials.h b/source4/auth/credentials/credentials.h index afcb300638..2514b5b1ce 100644 --- a/source4/auth/credentials/credentials.h +++ b/source4/auth/credentials/credentials.h @@ -26,6 +26,7 @@ #include "librpc/gen_ndr/misc.h" struct ccache_container; +struct event_context; /* In order of priority */ enum credentials_obtained { @@ -121,9 +122,6 @@ struct cli_credentials { /* Whether any callback is currently running */ bool callback_running; - - /* an event context for anyone wanting to use the credentials */ - struct event_context *ev; }; struct ldb_context; 
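Review bot: The prototypes added in place of the `credentials_proto.h` include become part of an installed, public header, yet none of them carries a contract comment, and that matters most for the ones that hand out secrets: `cli_credentials_get_password`, `cli_credentials_get_nt_hash` and `cli_credentials_get_ntlm_response`. From the declarations alone a caller cannot tell who owns the returned pointer or whether NULL can come back; `cli_credentials_get_nt_hash` takes a `TALLOC_CTX` while `cli_credentials_get_password` does not, which hints at different ownership but does not state it. I would add a short comment above each, for example `/* Returns the cleartext password, owned by cred: do not free it or keep it past cred's lifetime; NULL if none is available */`, adjusted to what the implementation actually guarantees. The same gap applies to `cli_credentials_set_password_callback`, where the lifetime of the string returned by `password_cb` is not specified.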
@@ -152,12 +150,15 @@ NTSTATUS cli_credentials_get_ntlm_response(struct cli_credentials *cred, TALLOC_ const char *cli_credentials_get_realm(struct cli_credentials *cred); const char *cli_credentials_get_username(struct cli_credentials *cred); int cli_credentials_get_krb5_context(struct cli_credentials *cred, + struct event_context *event_ctx, struct loadparm_context *lp_ctx, struct smb_krb5_context **smb_krb5_context); int cli_credentials_get_ccache(struct cli_credentials *cred, + struct event_context *event_ctx, struct loadparm_context *lp_ctx, struct ccache_container **ccc); int cli_credentials_get_keytab(struct cli_credentials *cred, + struct event_context *event_ctx, struct loadparm_context *lp_ctx, struct keytab_container **_ktc); const char *cli_credentials_get_domain(struct cli_credentials *cred); @@ -168,15 +169,15 @@ void cli_credentials_set_conf(struct cli_credentials *cred, struct loadparm_context *lp_ctx); const char *cli_credentials_get_principal(struct cli_credentials *cred, TALLOC_CTX *mem_ctx); int cli_credentials_get_server_gss_creds(struct cli_credentials *cred, + struct event_context *event_ctx, struct loadparm_context *lp_ctx, struct gssapi_creds_container **_gcc); int cli_credentials_get_client_gss_creds(struct cli_credentials *cred, + struct event_context *event_ctx, struct loadparm_context *lp_ctx, struct gssapi_creds_container **_gcc); -void cli_credentials_set_event_context(struct cli_credentials *cred, struct event_context *ev); void cli_credentials_set_kerberos_state(struct cli_credentials *creds, enum credentials_use_kerberos use_kerberos); -struct event_context *cli_credentials_get_event_context(struct cli_credentials *cred); bool cli_credentials_set_domain(struct cli_credentials *cred, const char *val, enum credentials_obtained obtained); 
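Review bot: The new `struct event_context *event_ctx` parameter has no stated contract in `cli_credentials_get_krb5_context`, `cli_credentials_get_ccache`, `cli_credentials_get_keytab` and the two `*_gss_creds` getters, and the same holds for the later hunks that add it to `cli_credentials_set_stored_principal`, `cli_credentials_set_keytab_name`, `cli_credentials_update_keytab`, `cli_credentials_set_ccache` and `cli_credentials_set_secrets`. With the `ev` member and `cli_credentials_get_event_context` removed, a caller that has no event context at hand cannot tell from the header whether NULL is accepted. A one-line comment on the first prototype would settle it, for example `/* event_ctx: caller-supplied event context for any I/O needed to obtain the credentials; state here whether NULL is allowed */`.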
@@ -199,6 +200,7 @@ void cli_credentials_set_netlogon_creds(struct cli_credentials *cred, NTSTATUS cli_credentials_set_krb5_context(struct cli_credentials *cred, struct smb_krb5_context *smb_krb5_context); NTSTATUS cli_credentials_set_stored_principal(struct cli_credentials *cred, + struct event_context *event_ctx, struct loadparm_context *lp_ctx, const char *serviceprincipal); NTSTATUS cli_credentials_set_machine_account(struct cli_credentials *cred, @@ -220,14 +222,17 @@ bool cli_credentials_set_nt_hash(struct cli_credentials *cred, const struct samr_Password *nt_hash, enum credentials_obtained obtained); int cli_credentials_set_keytab_name(struct cli_credentials *cred, + struct event_context *event_ctx, struct loadparm_context *lp_ctx, const char *keytab_name, enum credentials_obtained obtained); int cli_credentials_update_keytab(struct cli_credentials *cred, + struct event_context *event_ctx, struct loadparm_context *lp_ctx); void cli_credentials_set_gensec_features(struct cli_credentials *creds, uint32_t gensec_features); uint32_t cli_credentials_get_gensec_features(struct cli_credentials *creds); int cli_credentials_set_ccache(struct cli_credentials *cred, + struct event_context *event_ctx, struct loadparm_context *lp_ctx, const char *name, enum credentials_obtained obtained); @@ -239,6 +244,7 @@ void cli_credentials_invalidate_ccache(struct cli_credentials *cred, void cli_credentials_set_salt_principal(struct cli_credentials *cred, const char *principal); enum credentials_use_kerberos cli_credentials_get_kerberos_state(struct cli_credentials *creds); NTSTATUS cli_credentials_set_secrets(struct cli_credentials *cred, + struct event_context *event_ctx, struct loadparm_context *lp_ctx, struct ldb_context *ldb, const char *base, -- cgit From fe7d46067133131189faf7aebae62fa9c48626d9 Mon Sep 17 00:00:00 2001 
From: Andrew Bartlett Date: Mon, 5 May 2008 12:58:15 +1000 Subject: Allow an NTLM response to be specified into the auth subsystem. This allows it to be proxied for NTLM pass-though authentication (aka security=server and associated man-in-the-middle attacks). Andrew Bartlett (This used to be commit 6ffabb38d03ad90d8731ab3e0eb692438db967ee) --- source4/auth/credentials/credentials.h | 9 +++++++++ 1 file changed, 9 insertions(+) (limited to 'source4/auth/credentials/credentials.h') diff --git a/source4/auth/credentials/credentials.h b/source4/auth/credentials/credentials.h index 2514b5b1ce..79c50ae5af 100644 --- a/source4/auth/credentials/credentials.h +++ b/source4/auth/credentials/credentials.h @@ -80,8 +80,13 @@ struct cli_credentials { const char *bind_dn; + /* Allows authentication from a keytab or similar */ struct samr_Password *nt_hash; + /* Allows NTLM pass-though authentication */ + DATA_BLOB lm_response; + DATA_BLOB nt_response; + struct ccache_container *ccache; struct gssapi_creds_container *client_gss_creds; struct keytab_container *keytab; @@ -221,6 +226,10 @@ void cli_credentials_set_kvno(struct cli_credentials *cred, bool cli_credentials_set_nt_hash(struct cli_credentials *cred, const struct samr_Password *nt_hash, enum credentials_obtained obtained); +bool cli_credentials_set_ntlm_response(struct cli_credentials *cred, + const DATA_BLOB *lm_response, + const DATA_BLOB *nt_response, + enum credentials_obtained obtained); int cli_credentials_set_keytab_name(struct cli_credentials *cred, struct event_context *event_ctx, struct loadparm_context *lp_ctx, -- cgit
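Review bot: `cli_credentials_set_ntlm_response` takes an `obtained` argument, but the struct hunk adds only `lm_response` and `nt_response` and no matching `*_obtained` member, so the header does not say which priority slot a supplied response competes with (presumably the password one, as for `nt_hash`, but that is not visible here). A stored response is only meaningful for the one challenge it was computed against, so I would put that on the fields, e.g. `/* Pre-computed LM/NT responses for NTLM pass-through; valid only for the challenge they answer */`. It would also help to state whether the setter copies the blobs or keeps the caller's pointers, since the parameters are `const DATA_BLOB *` and the members are stored by value. The added comment has a typo: `pass-though` should read `pass-through`.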