From 44e601b5ad635ba29088fd4c747627dee8d62112 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Sat, 28 Jan 2006 12:15:24 +0000 Subject: r13206: This patch finally re-adds a -k option that works reasonably. From here we can add tests to Samba for kerberos, forcing it on and off. In the process, I also remove the dependency of credentials on GENSEC. This also picks up on the idea of bringing 'set_boolean' into general code from jpeach's cifsdd patch. Andrew Bartlett (This used to be commit 1ac7976ea6e3ad6184c911de5df624c44e7c5228) --- source4/lib/cmdline/popt_credentials.c | 42 +++++++++++++++++++++++++++++++--- 1 file changed, 39 insertions(+), 3 deletions(-) (limited to 'source4/lib/cmdline') diff --git a/source4/lib/cmdline/popt_credentials.c b/source4/lib/cmdline/popt_credentials.c index 49916d0ff3..d037cfd7c4 100644 --- a/source4/lib/cmdline/popt_credentials.c +++ b/source4/lib/cmdline/popt_credentials.c @@ -21,6 +21,7 @@ #include "includes.h" #include "lib/cmdline/popt_common.h" +#include "auth/gensec/gensec.h" /* Handle command line options: * -U,--user @@ -28,13 +29,16 @@ * -k,--use-kerberos * -N,--no-pass * -S,--signing - * -P --machine-pass + * -P --machine-pass + * --simple-bind-dn + * --password + * --use-security-mechanisms */ static BOOL dont_ask; -enum opt { OPT_SIMPLE_BIND_DN }; +enum opt { OPT_SIMPLE_BIND_DN, OPT_PASSWORD, OPT_KERBEROS, OPT_GENSEC_MECHS }; /* disable asking for a password @@ -73,11 +77,18 @@ static void popt_common_credentials_callback(poptContext con, if ((lp=strchr_m(arg,'%'))) { lp[0]='\0'; lp++; + /* Try to prevent this showing up in ps */ memset(lp,0,strlen(lp)); } } break; + case OPT_PASSWORD: + cli_credentials_set_password(cmdline_credentials, arg, CRED_SPECIFIED); + /* Try to prevent this showing up in ps */ + memset(arg,0,strlen(arg)); + break; + case 'A': cli_credentials_parse_file(cmdline_credentials, arg, CRED_SPECIFIED); break; 
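Review bot: In the new `case OPT_PASSWORD:` the `memset(arg,0,strlen(arg))` only hides the password from `ps` if `arg` still points into the process's original argv; if popt hands the callback a copy (not visible in this hunk), the secret stays readable in the process listing for the life of the process. Even when the scrub works, the value is exposed from exec until this callback runs and is likely to end up in shell history, so I would say so in the comment, e.g. `/* Best effort only: the password is in argv until this point; prefer -A or the prompt */`. The branch also relies on `cli_credentials_set_password()` copying `arg` before it is zeroed, which is worth confirming because its return value is not checked here. The same caveats apply to the `%PASSWORD` scrub in the `-U` branch just above. The callback's body starts and ends outside the hunk.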
@@ -89,9 +100,31 @@ static void popt_common_credentials_callback(poptContext con, case 'P': /* Later, after this is all over, get the machine account details from the secrets.ldb */ cli_credentials_set_machine_account_pending(cmdline_credentials); + break; + + case OPT_KERBEROS: + { + BOOL use_kerberos = True; + /* Force us to only use kerberos */ + if (arg) { + if (!set_boolean(arg, &use_kerberos)) { + fprintf(stderr, "Error parsing -k %s\n", arg); + exit(1); + break; + } + } - /* machine accounts only work with kerberos (fall though)*/ + cli_credentials_set_kerberos_state(cmdline_credentials, + use_kerberos + ? CRED_MUST_USE_KERBEROS + : CRED_DONT_USE_KERBEROS); break; + } + case OPT_GENSEC_MECHS: + /* Convert a list of strings into a list of available authentication standards */ + + break; + case OPT_SIMPLE_BIND_DN: cli_credentials_set_bind_dn(cmdline_credentials, arg); break; @@ -104,9 +137,12 @@ struct poptOption popt_common_credentials[] = { { NULL, 0, POPT_ARG_CALLBACK|POPT_CBFLAG_PRE|POPT_CBFLAG_POST, popt_common_credentials_callback }, { "user", 'U', POPT_ARG_STRING, NULL, 'U', "Set the network username", "[DOMAIN\\]USERNAME[%PASSWORD]" }, { "no-pass", 'N', POPT_ARG_NONE, &dont_ask, True, "Don't ask for a password" }, + { "password", 0, POPT_ARG_STRING, NULL, OPT_PASSWORD, "Password" }, { "authentication-file", 'A', POPT_ARG_STRING, NULL, 'A', "Get the credentials from a file", "FILE" }, { "signing", 'S', POPT_ARG_STRING, NULL, 'S', "Set the client signing state", "on|off|required" }, { "machine-pass", 'P', POPT_ARG_NONE, NULL, 'P', "Use stored machine account password (implies -k)" }, { "simple-bind-dn", 0, POPT_ARG_STRING, NULL, OPT_SIMPLE_BIND_DN, "DN to use for a simple bind" }, + { "kerberos", 'k', POPT_ARG_STRING, NULL, OPT_KERBEROS, "Use Kerberos" }, + { "use-security-mechanisms", 0, POPT_ARG_STRING, NULL, OPT_GENSEC_MECHS, "Restricted list of authentication mechanisms available for use with this authentication"}, POPT_TABLEEND }; -- cgit
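Review bot: `case OPT_GENSEC_MECHS:` has an empty body, so `--use-security-mechanisms` is accepted and silently ignored; a caller who passes it to restrict the authentication mechanisms gets no restriction and no warning. Until the list is actually parsed, failing closed is safer, e.g. `fprintf(stderr, "--use-security-mechanisms is not implemented yet\n"); exit(1);`. In `case OPT_KERBEROS:` the `break;` that follows `exit(1);` is unreachable and can be dropped. The `auth/gensec/gensec.h` include added at the top of the file does not appear to be needed by anything in the visible hunks. The switch continues outside the hunk.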
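Review bot: The new `kerberos` entry is declared `POPT_ARG_STRING`, which makes the argument mandatory, so a bare `-k` would consume the next command-line word as its value and the `use_kerberos = True` default in the callback is never reached. If a bare `-k` is meant to force Kerberos, the entry could use `POPT_ARG_STRING|POPT_ARGFLAG_OPTIONAL` (assuming the bundled popt supports it) and carry an argument description such as `"yes|no"`, adjusted to whatever `set_boolean()` accepts. The header comment documents the long form as `--use-kerberos` while the table registers `"kerberos"`, so one of the two should be corrected. The `--password` help text, currently just `"Password"`, should say that the value is visible to other local users on the command line. The `machine-pass` help still says "(implies -k)" although the visible `case 'P':` does not set a Kerberos state, so that wording should be confirmed against `cli_credentials_set_machine_account_pending()`.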