Hello Andrew,

On two of my machines with this patchset I have this error:

samba version 4.0.0alpha18-DEVELOPERBUILD started.
Copyright Andrew Tridgell and the Samba Team 1992-2011
Called with maxruntime 7500 - current ts 1318577424
samba: using 'standard' process model
Failed to start service 'rpc' - NT_STATUS_INVALID_SYSTEM_SERVICE
Starting Services failed - NT_STATUS_INVALID_SYSTEM_SERVICE
./bin/samba failed with status 1!
Lookup failed - NT_STATUS_IO_TIMEOUT
Lookup failed - NT_STATUS_HOST_UNREACHABLE
Lookup failed - NT_STATUS_IO_TIMEOUT
Lookup failed - NT_STATUS_HOST_UNREACHABLE
Lookup failed - NT_STATUS_IO_TIMEOUT
Lookup failed - NT_STATUS_HOST_UNREACHABLE
Lookup failed - NT_STATUS_IO_TIMEOUT
Lookup failed - NT_STATUS_HOST_UNREACHABLE
Lookup failed - NT_STATUS_IO_TIMEOUT
Lookup failed - NT_STATUS_HOST_UNREACHABLE
Lookup failed - NT_STATUS_IO_TIMEOUT
Lookup failed - NT_STATUS_HOST_UNREACHABLE
SAMBA LOG of: LOCALDC
samba version 4.0.0alpha18-DEVELOPERBUILD started.
Copyright Andrew Tridgell and the Samba Team 1992-2011
Called with maxruntime 7500 - current ts 1318577424
samba: using 'standard' process model
Failed to start service 'rpc' - NT_STATUS_INVALID_SYSTEM_SERVICE
Starting Services failed - NT_STATUS_INVALID_SYSTEM_SERVICE
./bin/samba failed with status 1!

I bisected and found that it's the first patch b21b012756dbb9e7022280b34d7103a5dcbea6d6 that is causing the error.

Can you have a look?



On 11/10/2011 06:14, Andrew Bartlett wrote:
The branch, master has been updated
        via  4549862 gensec: trim header includes back to what is actually required
        via  534355f auth/credentials Declare remaining functions are public interfaces and put into credentials.h
        via  fe02752 auth: move gensec_start.c to the top level
        via  561d834 auth: move credentials layer to the top level
        via  1255383 s4-s3-upgrade: Allow import (just without a uid mapping) where getpwnam fails
        via  c9bb497 lib/param Avoid dyn_ defines that are not provided by the autoconf build
        via  1e5af9e lib/param Use strcasecmp_m rather than strcasecmp as this is banned in the s3 includes.h
        via  8f2741b lib/param Use talloc_strdup rather than strdup as strdup is banned in the s3 includes.h
        via  1b81af0 lib/param Avoid the name string_set as this is already used in the s3 param code
        via  15c97a8 lib/param Avoid the use of the name service_ok() which is used in the s3 param code
        via  d0ecd1a lib/param: Remove unused #include of lib/socket/socket.h
        via  26de383 libcli/smb Move CSC_POLICY_* definition to smb_constants.h
        via  b21b012 lib/param move source4 param code to the top level
       from  6bed577 pac: Fix wrong memory allocation check

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 454986298aa5696b0b029e2feba0109617aaf968
Author: Andrew Bartlett<abart...@samba.org>
Date:   Sun Oct 9 23:28:15 2011 +1100

     gensec: trim header includes back to what is actually required

     Autobuild-User: Andrew Bartlett<abart...@samba.org>
     Autobuild-Date: Tue Oct 11 06:13:08 CEST 2011 on sn-devel-104

commit 534355fecf5a14a36ec5a3d643bcf2140df2da4e
Author: Andrew Bartlett<abart...@samba.org>
Date:   Sun Oct 9 23:27:44 2011 +1100

     auth/credentials Declare remaining functions are public interfaces and put into credentials.h

     This is in preparation for this file being used by s3, and recognises that these are all
     reasonable, public interfaces but were not declared as such in the past.

     Andrew Bartlett

commit fe02752ed6493efb7af28faa3d64d9fd7895d6f1
Author: Andrew Bartlett<abart...@samba.org>
Date:   Fri Oct 7 17:24:12 2011 +1100

     auth: move gensec_start.c to the top level

     This does not change who uses gensec for now, but makes it possible to
     write new gensec modules outside source4/

     Andrew Bartlett

commit 561d834123a2a8a96954f7cca556f8838ab38b72
Author: Andrew Bartlett<abart...@samba.org>
Date:   Fri Oct 7 17:20:33 2011 +1100

     auth: move credentials layer to the top level

     This will allow gensec_start.c to move to the top level.  This does not change
     what code uses the cli_credentials code, but allows the gensec code to be
     more broadly.

     Andrew Bartlett

commit 1255383140a9b3fbd957c1f7ce47e89c17cc4eda
Author: Andrew Bartlett<abart...@samba.org>
Date:   Mon Oct 10 13:09:30 2011 +1100

     s4-s3-upgrade: Allow import (just without a uid mapping) where getpwnam fails

     This allows the tests to pass on systems without a jelmer user :-)

     Andrew Bartlett

commit c9bb497f3f7fae8aa6ec4a4a45a2ac4047b640a5
Author: Andrew Bartlett<abart...@samba.org>
Date:   Sun Oct 9 23:25:11 2011 +1100

     lib/param Avoid dyn_ defines that are not provided by the autoconf build

     The autoconf build will never use these parameters or load the
     smb.conf with these defaults, so the defaults are not important.

     Andrew Bartlett

commit 1e5af9ecd0567e0afbe29ee3d69d4537628a3d63
Author: Andrew Bartlett<abart...@samba.org>
Date:   Sun Oct 9 23:24:32 2011 +1100

     lib/param Use strcasecmp_m rather than strcasecmp as this is banned in the s3 includes.h

commit 8f2741ba1ad0a300c6c044c363d2278573b1a4ca
Author: Andrew Bartlett<abart...@samba.org>
Date:   Sun Oct 9 23:23:45 2011 +1100

     lib/param Use talloc_strdup rather than strdup as strdup is banned in the s3 includes.h

commit 1b81af0d56014275a4aece81325fdfe4b3cd699b
Author: Andrew Bartlett<abart...@samba.org>
Date:   Sun Oct 9 23:23:05 2011 +1100

     lib/param Avoid the name string_set as this is already used in the s3 param code

commit 15c97a8ab36bda23ed08aacfd318b5717c53b20f
Author: Andrew Bartlett<abart...@samba.org>
Date:   Sun Oct 9 23:22:11 2011 +1100

     lib/param Avoid the use of the name service_ok() which is used in the s3 param code

commit d0ecd1a59f2c577a75ee38c8b54d7b0fb82bdc7c
Author: Andrew Bartlett<abart...@samba.org>
Date:   Sun Oct 9 23:17:45 2011 +1100

     lib/param: Remove unused #include of lib/socket/socket.h

commit 26de383c428a513a4aaceb2460ea6d20a088e2d4
Author: Andrew Bartlett<abart...@samba.org>
Date:   Sun Oct 9 23:16:55 2011 +1100

     libcli/smb Move CSC_POLICY_* definition to smb_constants.h

     This removes the duplicate definition between smb.h and lib/param/loadparm.c
     which in turn allows this file to be compiled with the s3 includes.h

     Andrew Bartlett

commit b21b012756dbb9e7022280b34d7103a5dcbea6d6
Author: Andrew Bartlett<abart...@samba.org>
Date:   Thu Oct 6 19:34:50 2011 +1100

     lib/param move source4 param code to the top level

     This is done so that the lpcfg_ functions are available across the whole
     build, either with the struct loadparm_context loaded from an smb.conf directly
     or as a wrapper around the source3 param code.

     This is not the final, merged loadparm, but simply one step to make
     it easier to solve other problems while we make our slow progress
     on this difficult problem.

     Andrew Bartlett

-----------------------------------------------------------------------

Summary of changes:
  auth/credentials/credentials.c                     | 1001 ++++++
  auth/credentials/credentials.h                     |  337 ++
  .../auth =>  auth}/credentials/credentials_krb5.c   |    0
  .../auth =>  auth}/credentials/credentials_krb5.h   |    0
  .../auth =>  auth}/credentials/credentials_ntlm.c   |    0
  .../credentials/credentials_secrets.c              |    0
  {source4/auth =>  auth}/credentials/pycredentials.c |    0
  {source4/auth =>  auth}/credentials/pycredentials.h |    0
  .../credentials/samba-credentials.pc.in            |    0
  {source4/auth =>  auth}/credentials/tests/bind.py   |    0
  {source4/auth =>  auth}/credentials/tests/simple.c  |    0
  {source4/auth =>  auth}/credentials/wscript_build   |    0
  {source4/auth =>  auth}/gensec/gensec.pc.in         |    0
  auth/gensec/gensec_start.c                         |  913 +++++
  auth/gensec/wscript_build                          |   14 +-
  auth/wscript_build                                 |    1 +
  {source4 =>  lib}/param/generic.c                   |    0
  lib/param/loadparm.c                               | 3770 ++++++++++++++++++++
  {source4 =>  lib}/param/param.h                     |    0
  {source4 =>  lib}/param/samba-hostconfig.pc.in      |    0
  lib/param/util.c                                   |  266 ++
  lib/param/wscript_build                            |   24 +
  libcli/smb/smb_constants.h                         |   12 +
  nsswitch/libwbclient/tests/wbclient.c              |    2 +-
  {source4/script =>  script}/mks3param.pl            |    0
  source3/auth/auth_samba4.c                         |    2 +-
  source3/include/smb.h                              |    6 -
  source3/modules/vfs_dfs_samba4.c                   |    2 +-
  source3/param/loadparm_ctx.c                       |    2 +-
  source3/passdb/pdb_samba4.c                        |    2 +-
  source3/wscript_build                              |    2 +-
  source4/auth/credentials/credentials.c             | 1002 ------
  source4/auth/credentials/credentials.h             |  300 --
  source4/auth/gensec/cyrus_sasl.c                   |    1 +
  source4/auth/gensec/gensec_start.c                 |  948 -----
  source4/auth/gensec/gensec_util.c                  |   59 +
  source4/auth/gensec/schannel.c                     |    1 +
  source4/auth/gensec/wscript_build                  |   13 +-
  source4/auth/ntlm/wscript_build                    |    2 +-
  source4/auth/ntlmssp/ntlmssp.c                     |    1 +
  source4/auth/wscript_build                         |    1 -
  source4/libcli/raw/libcliraw.h                     |    2 +-
  source4/libcli/raw/signing.h                       |    4 -
  source4/libcli/wscript_build                       |    2 +-
  source4/librpc/wscript_build                       |    2 +-
  source4/ntvfs/wscript_build                        |    4 +-
  source4/param/loadparm.c                           | 3747 +-------------------
  source4/param/util.c                               |  266 --
  source4/param/wscript_build                        |   26 +-
  source4/scripting/python/samba/upgrade.py          |    2 +-
  source4/selftest/tests.py                          |    2 +-
  source4/torture/libnetapi/libnetapi.c              |    2 +-
  source4/torture/local/wscript_build                |    2 +-
  source4/wscript_build                              |    4 +-
  54 files changed, 6422 insertions(+), 6327 deletions(-)
  create mode 100644 auth/credentials/credentials.c
  create mode 100644 auth/credentials/credentials.h
  rename {source4/auth =>  auth}/credentials/credentials_krb5.c (100%)
  rename {source4/auth =>  auth}/credentials/credentials_krb5.h (100%)
  rename {source4/auth =>  auth}/credentials/credentials_ntlm.c (100%)
  rename {source4/auth =>  auth}/credentials/credentials_secrets.c (100%)
  rename {source4/auth =>  auth}/credentials/pycredentials.c (100%)
  rename {source4/auth =>  auth}/credentials/pycredentials.h (100%)
  rename {source4/auth =>  auth}/credentials/samba-credentials.pc.in (100%)
  rename {source4/auth =>  auth}/credentials/tests/bind.py (100%)
  rename {source4/auth =>  auth}/credentials/tests/simple.c (100%)
  rename {source4/auth =>  auth}/credentials/wscript_build (100%)
  rename {source4/auth =>  auth}/gensec/gensec.pc.in (100%)
  create mode 100644 auth/gensec/gensec_start.c
  rename {source4 =>  lib}/param/generic.c (100%)
  create mode 100644 lib/param/loadparm.c
  rename {source4 =>  lib}/param/param.h (100%)
  rename {source4 =>  lib}/param/samba-hostconfig.pc.in (100%)
  create mode 100644 lib/param/util.c
  rename {source4/script =>  script}/mks3param.pl (100%)
  delete mode 100644 source4/auth/credentials/credentials.c
  delete mode 100644 source4/auth/credentials/credentials.h
  delete mode 100644 source4/auth/gensec/gensec_start.c
  create mode 100644 source4/auth/gensec/gensec_util.c
  delete mode 100644 source4/param/util.c


Changeset truncated at 500 lines:

diff --git a/auth/credentials/credentials.c b/auth/credentials/credentials.c
new file mode 100644
index 0000000..ee60220
--- /dev/null
+++ b/auth/credentials/credentials.c
@@ -0,0 +1,1001 @@
+/*
+   Unix SMB/CIFS implementation.
+
+   User credentials handling
+
+   Copyright (C) Jelmer Vernooij 2005
+   Copyright (C) Tim Potter 2001
+   Copyright (C) Andrew Bartlett<abart...@samba.org>  2005
+
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; either version 3 of the License, or
+   (at your option) any later version.
+
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+
+   You should have received a copy of the GNU General Public License
+   along with this program.  If not, see<http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+#include "librpc/gen_ndr/samr.h" /* for struct samrPassword */
+#include "auth/credentials/credentials.h"
+#include "libcli/auth/libcli_auth.h"
+#include "tevent.h"
+#include "param/param.h"
+#include "system/filesys.h"
+
+/**
+ * Create a new credentials structure
+ * @param mem_ctx TALLOC_CTX parent for credentials structure
+ */
+_PUBLIC_ struct cli_credentials *cli_credentials_init(TALLOC_CTX *mem_ctx)
+{
+       struct cli_credentials *cred = talloc(mem_ctx, struct cli_credentials);
+       if (cred == NULL) {
+               return cred;
+       }
+
+       cred->workstation_obtained = CRED_UNINITIALISED;
+       cred->username_obtained = CRED_UNINITIALISED;
+       cred->password_obtained = CRED_UNINITIALISED;
+       cred->domain_obtained = CRED_UNINITIALISED;
+       cred->realm_obtained = CRED_UNINITIALISED;
+       cred->ccache_obtained = CRED_UNINITIALISED;
+       cred->client_gss_creds_obtained = CRED_UNINITIALISED;
+       cred->principal_obtained = CRED_UNINITIALISED;
+       cred->keytab_obtained = CRED_UNINITIALISED;
+       cred->server_gss_creds_obtained = CRED_UNINITIALISED;
+
+       cred->ccache_threshold = CRED_UNINITIALISED;
+       cred->client_gss_creds_threshold = CRED_UNINITIALISED;
+
+       cred->workstation = NULL;
+       cred->username = NULL;
+       cred->password = NULL;
+       cred->old_password = NULL;
+       cred->domain = NULL;
+       cred->realm = NULL;
+       cred->principal = NULL;
+       cred->salt_principal = NULL;
+       cred->impersonate_principal = NULL;
+       cred->self_service = NULL;
+       cred->target_service = NULL;
+
+       cred->bind_dn = NULL;
+
+       cred->nt_hash = NULL;
+
+       cred->lm_response.data = NULL;
+       cred->lm_response.length = 0;
+       cred->nt_response.data = NULL;
+       cred->nt_response.length = 0;
+
+       cred->ccache = NULL;
+       cred->client_gss_creds = NULL;
+       cred->keytab = NULL;
+       cred->server_gss_creds = NULL;
+
+       cred->workstation_cb = NULL;
+       cred->password_cb = NULL;
+       cred->username_cb = NULL;
+       cred->domain_cb = NULL;
+       cred->realm_cb = NULL;
+       cred->principal_cb = NULL;
+
+       cred->priv_data = NULL;
+
+       cred->netlogon_creds = NULL;
+       cred->secure_channel_type = SEC_CHAN_NULL;
+
+       cred->kvno = 0;
+
+       cred->password_last_changed_time = 0;
+
+       cred->smb_krb5_context = NULL;
+
+       cred->machine_account_pending = false;
+       cred->machine_account_pending_lp_ctx = NULL;
+
+       cred->machine_account = false;
+
+       cred->tries = 3;
+
+       cred->callback_running = false;
+
+       cli_credentials_set_kerberos_state(cred, CRED_AUTO_USE_KERBEROS);
+       cli_credentials_set_gensec_features(cred, 0);
+       cli_credentials_set_krb_forwardable(cred, CRED_AUTO_KRB_FORWARDABLE);
+
+       return cred;
+}
+
+/**
+ * Create a new anonymous credential
+ * @param mem_ctx TALLOC_CTX parent for credentials structure
+ */
+_PUBLIC_ struct cli_credentials *cli_credentials_init_anon(TALLOC_CTX *mem_ctx)
+{
+       struct cli_credentials *anon_credentials;
+
+       anon_credentials = cli_credentials_init(mem_ctx);
+       cli_credentials_set_anonymous(anon_credentials);
+
+       return anon_credentials;
+}
+
+_PUBLIC_ void cli_credentials_set_kerberos_state(struct cli_credentials *creds,
+                                       enum credentials_use_kerberos 
use_kerberos)
+{
+       creds->use_kerberos = use_kerberos;
+}
+
+_PUBLIC_ void cli_credentials_set_krb_forwardable(struct cli_credentials 
*creds,
+                                                 enum 
credentials_krb_forwardable krb_forwardable)
+{
+       creds->krb_forwardable = krb_forwardable;
+}
+
+_PUBLIC_ enum credentials_use_kerberos 
cli_credentials_get_kerberos_state(struct cli_credentials *creds)
+{
+       return creds->use_kerberos;
+}
+
+_PUBLIC_ enum credentials_krb_forwardable 
cli_credentials_get_krb_forwardable(struct cli_credentials *creds)
+{
+       return creds->krb_forwardable;
+}
+
+_PUBLIC_ void cli_credentials_set_gensec_features(struct cli_credentials 
*creds, uint32_t gensec_features)
+{
+       creds->gensec_features = gensec_features;
+}
+
+_PUBLIC_ uint32_t cli_credentials_get_gensec_features(struct cli_credentials 
*creds)
+{
+       return creds->gensec_features;
+}
+
+
+/**
+ * Obtain the username for this credentials context.
+ * @param cred credentials context
+ * @retval The username set on this context.
+ * @note Return value will never be NULL except by programmer error.
+ */
+_PUBLIC_ const char *cli_credentials_get_username(struct cli_credentials *cred)
+{
+       if (cred->machine_account_pending) {
+               cli_credentials_set_machine_account(cred,
+                                       cred->machine_account_pending_lp_ctx);
+       }
+
+       if (cred->username_obtained == CRED_CALLBACK&&
+           !cred->callback_running) {
+               cred->callback_running = true;
+               cred->username = cred->username_cb(cred);
+               cred->callback_running = false;
+               cred->username_obtained = CRED_SPECIFIED;
+               cli_credentials_invalidate_ccache(cred, 
cred->username_obtained);
+       }
+
+       return cred->username;
+}
+
+_PUBLIC_ bool cli_credentials_set_username(struct cli_credentials *cred,
+                                 const char *val, enum credentials_obtained 
obtained)
+{
+       if (obtained>= cred->username_obtained) {
+               cred->username = talloc_strdup(cred, val);
+               cred->username_obtained = obtained;
+               cli_credentials_invalidate_ccache(cred, 
cred->username_obtained);
+               return true;
+       }
+
+       return false;
+}
+
+_PUBLIC_ bool cli_credentials_set_username_callback(struct cli_credentials 
*cred,
+                                 const char *(*username_cb) (struct 
cli_credentials *))
+{
+       if (cred->username_obtained<  CRED_CALLBACK) {
+               cred->username_cb = username_cb;
+               cred->username_obtained = CRED_CALLBACK;
+               return true;
+       }
+
+       return false;
+}
+
+_PUBLIC_ bool cli_credentials_set_bind_dn(struct cli_credentials *cred,
+                                const char *bind_dn)
+{
+       cred->bind_dn = talloc_strdup(cred, bind_dn);
+       return true;
+}
+
+/**
+ * Obtain the BIND DN for this credentials context.
+ * @param cred credentials context
+ * @retval The username set on this context.
+ * @note Return value will be NULL if not specified explictly
+ */
+_PUBLIC_ const char *cli_credentials_get_bind_dn(struct cli_credentials *cred)
+{
+       return cred->bind_dn;
+}
+
+
+/**
+ * Obtain the client principal for this credentials context.
+ * @param cred credentials context
+ * @retval The username set on this context.
+ * @note Return value will never be NULL except by programmer error.
+ */
+_PUBLIC_ const char *cli_credentials_get_principal_and_obtained(struct 
cli_credentials *cred, TALLOC_CTX *mem_ctx, enum credentials_obtained *obtained)
+{
+       if (cred->machine_account_pending) {
+               cli_credentials_set_machine_account(cred,
+                                       cred->machine_account_pending_lp_ctx);
+       }
+
+       if (cred->principal_obtained == CRED_CALLBACK&&
+           !cred->callback_running) {
+               cred->callback_running = true;
+               cred->principal = cred->principal_cb(cred);
+               cred->callback_running = false;
+               cred->principal_obtained = CRED_SPECIFIED;
+               cli_credentials_invalidate_ccache(cred, 
cred->principal_obtained);
+       }
+
+       if (cred->principal_obtained<  cred->username_obtained
+           || cred->principal_obtained<  MAX(cred->domain_obtained, 
cred->realm_obtained)) {
+               if (cred->domain_obtained>  cred->realm_obtained) {
+                       *obtained = MIN(cred->domain_obtained, 
cred->username_obtained);
+                       return talloc_asprintf(mem_ctx, "%s@%s",
+                                              
cli_credentials_get_username(cred),
+                                              
cli_credentials_get_domain(cred));
+               } else {
+                       *obtained = MIN(cred->domain_obtained, 
cred->username_obtained);
+                       return talloc_asprintf(mem_ctx, "%s@%s",
+                                              
cli_credentials_get_username(cred),
+                                              cli_credentials_get_realm(cred));
+               }
+       }
+       *obtained = cred->principal_obtained;
+       return talloc_reference(mem_ctx, cred->principal);
+}
+
+/**
+ * Obtain the client principal for this credentials context.
+ * @param cred credentials context
+ * @retval The username set on this context.
+ * @note Return value will never be NULL except by programmer error.
+ */
+_PUBLIC_ const char *cli_credentials_get_principal(struct cli_credentials 
*cred, TALLOC_CTX *mem_ctx)
+{
+       enum credentials_obtained obtained;
+       return cli_credentials_get_principal_and_obtained(cred, 
mem_ctx,&obtained);
+}
+
+_PUBLIC_ bool cli_credentials_set_principal(struct cli_credentials *cred,
+                                  const char *val,
+                                  enum credentials_obtained obtained)
+{
+       if (obtained>= cred->principal_obtained) {
+               cred->principal = talloc_strdup(cred, val);
+               cred->principal_obtained = obtained;
+               cli_credentials_invalidate_ccache(cred, 
cred->principal_obtained);
+               return true;
+       }
+
+       return false;
+}
+
+/* Set a callback to get the principal.  This could be a popup dialog,
+ * a terminal prompt or similar.  */
+_PUBLIC_ bool cli_credentials_set_principal_callback(struct cli_credentials 
*cred,
+                                 const char *(*principal_cb) (struct 
cli_credentials *))
+{
+       if (cred->principal_obtained<  CRED_CALLBACK) {
+               cred->principal_cb = principal_cb;
+               cred->principal_obtained = CRED_CALLBACK;
+               return true;
+       }
+
+       return false;
+}
+
+/* Some of our tools are 'anonymous by default'.  This is a single
+ * function to determine if authentication has been explicitly
+ * requested */
+
+_PUBLIC_ bool cli_credentials_authentication_requested(struct cli_credentials 
*cred)
+{
+       if (cred->bind_dn) {
+               return true;
+       }
+
+       if (cli_credentials_is_anonymous(cred)){
+               return false;
+       }
+
+       if (cred->principal_obtained>= CRED_SPECIFIED) {
+               return true;
+       }
+       if (cred->username_obtained>= CRED_SPECIFIED) {
+               return true;
+       }
+
+       if (cli_credentials_get_kerberos_state(cred) == CRED_MUST_USE_KERBEROS) 
{
+               return true;
+       }
+
+       return false;
+}
+
+/**
+ * Obtain the password for this credentials context.
+ * @param cred credentials context
+ * @retval If set, the cleartext password, otherwise NULL
+ */
+_PUBLIC_ const char *cli_credentials_get_password(struct cli_credentials *cred)
+{
+       if (cred->machine_account_pending) {
+               cli_credentials_set_machine_account(cred,
+                                                   
cred->machine_account_pending_lp_ctx);
+       }
+
+       if (cred->password_obtained == CRED_CALLBACK&&
+           !cred->callback_running) {
+               cred->callback_running = true;
+               cred->password = cred->password_cb(cred);
+               cred->callback_running = false;
+               cred->password_obtained = CRED_CALLBACK_RESULT;
+               cli_credentials_invalidate_ccache(cred, 
cred->password_obtained);
+       }
+
+       return cred->password;
+}
+
+/* Set a password on the credentials context, including an indication
+ * of 'how' the password was obtained */
+
+_PUBLIC_ bool cli_credentials_set_password(struct cli_credentials *cred,
+                                 const char *val,
+                                 enum credentials_obtained obtained)
+{
+       if (obtained>= cred->password_obtained) {
+               cred->password = talloc_strdup(cred, val);
+               cred->password_obtained = obtained;
+               cli_credentials_invalidate_ccache(cred, 
cred->password_obtained);
+
+               cred->nt_hash = NULL;
+               cred->lm_response = data_blob(NULL, 0);
+               cred->nt_response = data_blob(NULL, 0);
+               return true;
+       }
+
+       return false;
+}
+
+_PUBLIC_ bool cli_credentials_set_password_callback(struct cli_credentials 
*cred,
+                                          const char *(*password_cb) (struct 
cli_credentials *))
+{
+       if (cred->password_obtained<  CRED_CALLBACK) {
+               cred->password_cb = password_cb;
+               cred->password_obtained = CRED_CALLBACK;
+               cli_credentials_invalidate_ccache(cred, 
cred->password_obtained);
+               return true;
+       }
+
+       return false;
+}
+
+/**
+ * Obtain the 'old' password for this credentials context (used for join 
accounts).
+ * @param cred credentials context
+ * @retval If set, the cleartext password, otherwise NULL
+ */
+_PUBLIC_ const char *cli_credentials_get_old_password(struct cli_credentials 
*cred)
+{
+       if (cred->machine_account_pending) {
+               cli_credentials_set_machine_account(cred,
+                                                   
cred->machine_account_pending_lp_ctx);
+       }
+
+       return cred->old_password;
+}
+
+_PUBLIC_ bool cli_credentials_set_old_password(struct cli_credentials *cred,
+                                     const char *val,
+                                     enum credentials_obtained obtained)
+{
+       cred->old_password = talloc_strdup(cred, val);
+       return true;
+}
+
+/**
+ * Obtain the password, in the form MD4(unicode(password)) for this 
credentials context.
+ *
+ * Sometimes we only have this much of the password, while the rest of
+ * the time this call avoids calling E_md4hash themselves.
+ *
+ * @param cred credentials context
+ * @retval If set, the cleartext password, otherwise NULL
+ */
+_PUBLIC_ const struct samr_Password *cli_credentials_get_nt_hash(struct 
cli_credentials *cred,
+                                                       TALLOC_CTX *mem_ctx)
+{
+       const char *password = cli_credentials_get_password(cred);
+
+       if (password) {
+               struct samr_Password *nt_hash = talloc(mem_ctx, struct 
samr_Password);
+               if (!nt_hash) {
+                       return NULL;
+               }
+               
+               E_md4hash(password, nt_hash->hash);
+
+               return nt_hash;
+       } else {
+               return cred->nt_hash;
+       }
+}
+
+/**
+ * Obtain the 'short' or 'NetBIOS' domain for this credentials context.
+ * @param cred credentials context
+ * @retval The domain set on this context.
+ * @note Return value will never be NULL except by programmer error.
+ */
+_PUBLIC_ const char *cli_credentials_get_domain(struct cli_credentials *cred)
+{
+       if (cred->machine_account_pending) {
+               cli_credentials_set_machine_account(cred,
+                                                   
cred->machine_account_pending_lp_ctx);
+       }
+
+       if (cred->domain_obtained == CRED_CALLBACK&&
+           !cred->callback_running) {
+               cred->callback_running = true;
+               cred->domain = cred->domain_cb(cred);
+               cred->callback_running = false;
+               cred->domain_obtained = CRED_SPECIFIED;
+               cli_credentials_invalidate_ccache(cred, cred->domain_obtained);
+       }
+
+       return cred->domain;
+}
+
+
+_PUBLIC_ bool cli_credentials_set_domain(struct cli_credentials *cred,
+                               const char *val,
+                               enum credentials_obtained obtained)
+{
+       if (obtained>= cred->domain_obtained) {
+               /* it is important that the domain be in upper case,
+                * particularly for the sensitive NTLMv2
+                * calculations */
+               cred->domain = strupper_talloc(cred, val);
+               cred->domain_obtained = obtained;
+               cli_credentials_invalidate_ccache(cred, cred->domain_obtained);
+               return true;
+       }
+
+       return false;
+}
+
+bool cli_credentials_set_domain_callback(struct cli_credentials *cred,
+                                        const char *(*domain_cb) (struct 
cli_credentials *))
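
Review bot: In cli_credentials_init_anon() the result of cli_credentials_init() is passed straight to cli_credentials_set_anonymous(), although cli_credentials_init() returns NULL when the talloc fails; add "if (anon_credentials == NULL) return NULL;" before the call. In cli_credentials_get_principal_and_obtained() the else branch builds the principal from cli_credentials_get_realm() but still sets *obtained from MIN(cred->domain_obtained, cred->username_obtained), which looks like it should use cred->realm_obtained. The setters for username, principal, password, bind_dn and old_password return true without checking the talloc_strdup() result, so an allocation failure is reported as success and leaves the field NULL; cli_credentials_set_old_password() also ignores its obtained argument. The @retval lines on cli_credentials_get_bind_dn(), the two get_principal functions and cli_credentials_get_nt_hash() are copied from other getters and do not describe what those functions return.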




--
Matthieu Patou
Samba Team
http://samba.org
