diff options
Diffstat (limited to '')
| -rw-r--r-- | lib/cmdline/cmdline.c | 1415 |
1 files changed, 1415 insertions, 0 deletions
diff --git a/lib/cmdline/cmdline.c b/lib/cmdline/cmdline.c new file mode 100644 index 0000000..db96214 --- /dev/null +++ b/lib/cmdline/cmdline.c @@ -0,0 +1,1415 @@ +/* + * Copyright (c) 2020 Andreas Schneider <asn@samba.org> + * + * This program is free software: you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation, either version 3 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + */ + +#include "includes.h" +#include "lib/param/param.h" +#include "dynconfig/dynconfig.h" +#include "auth/gensec/gensec.h" +#include "libcli/smb/smb_util.h" +#include "cmdline_private.h" +#include "lib/util/util_process.h" + +#include <samba/version.h> + +static TALLOC_CTX *cmdline_mem_ctx; +static struct loadparm_context *cmdline_lp_ctx; +static struct cli_credentials *cmdline_creds; +static samba_cmdline_load_config cmdline_load_config_fn; +static struct samba_cmdline_daemon_cfg cmdline_daemon_cfg; + +static NTSTATUS (*cli_credentials_set_machine_account_fn)( + struct cli_credentials *cred, + struct loadparm_context *lp_ctx) = + cli_credentials_set_machine_account; + +/* PRIVATE */ +bool samba_cmdline_set_talloc_ctx(TALLOC_CTX *mem_ctx) +{ + if (cmdline_mem_ctx != NULL) { + return false; + } + + cmdline_mem_ctx = mem_ctx; + return true; +} + +TALLOC_CTX *samba_cmdline_get_talloc_ctx(void) +{ + return cmdline_mem_ctx; +} + +static void _samba_cmdline_talloc_log(const char *message) +{ + D_ERR("%s", message); +} + +bool samba_cmdline_init_common(TALLOC_CTX *mem_ctx) +{ + bool ok; + + ok = samba_cmdline_set_talloc_ctx(mem_ctx); + if (!ok) { + return false; + } + + cmdline_daemon_cfg = (struct samba_cmdline_daemon_cfg) { + .fork = true, + }; + + fault_setup(); + + /* + * Log to stderr by default. + * This can be changed to stdout using the option: --debug-stdout + */ + setup_logging(getprogname(), DEBUG_DEFAULT_STDERR); + + talloc_set_log_fn(_samba_cmdline_talloc_log); + talloc_set_abort_fn(smb_panic); + + return true; +} + +bool samba_cmdline_set_load_config_fn(samba_cmdline_load_config fn) +{ + cmdline_load_config_fn = fn; + return true; +} + +/* PUBLIC */ +bool samba_cmdline_set_lp_ctx(struct loadparm_context *lp_ctx) +{ + if (lp_ctx == NULL) { + return false; + } + cmdline_lp_ctx = lp_ctx; + + return true; +} + +struct loadparm_context *samba_cmdline_get_lp_ctx(void) +{ + return cmdline_lp_ctx; +} + +bool samba_cmdline_set_creds(struct cli_credentials *creds) +{ + if (creds == NULL) { + return false; + } + + TALLOC_FREE(cmdline_creds); + cmdline_creds = creds; + + return true; +} + +struct cli_credentials *samba_cmdline_get_creds(void) +{ + return cmdline_creds; +} + +struct samba_cmdline_daemon_cfg *samba_cmdline_get_daemon_cfg(void) +{ + return &cmdline_daemon_cfg; +} + +void samba_cmdline_set_machine_account_fn( + NTSTATUS (*fn) (struct cli_credentials *cred, + struct loadparm_context *lp_ctx)) +{ + cli_credentials_set_machine_account_fn = fn; +} + +bool samba_cmdline_burn(int argc, char *argv[]) +{ + bool burnt = false; + bool found = false; + bool is_user = false; + char *p = NULL; + int i; + size_t ulen = 0; + + for (i = 0; i < argc; i++) { + p = argv[i]; + if (p == NULL) { + return false; + } + + /* + * Take care that this list must be in longest-match + * first order + */ + if (strncmp(p, "-U", 2) == 0) { + ulen = 2; + found = true; + is_user = true; + } else if (strncmp(p, "--user", 6) == 0) { + ulen = 6; + found = true; + is_user = true; + } else if (strncmp(p, "--password2", 11) == 0) { + ulen = 11; + found = true; + } else if (strncmp(p, "--password", 10) == 0) { + ulen = 10; + found = true; + } else if (strncmp(p, "--newpassword", 13) == 0) { + ulen = 13; + found = true; + } + + if (found) { + char *q = NULL; + + if (strlen(p) == ulen) { + continue; + } + + if (is_user) { + q = strchr_m(p, '%'); + if (q != NULL) { + p = q; + } + } else { + p += ulen; + } + + memset_s(p, strlen(p), '\0', strlen(p)); + found = false; + is_user = false; + burnt = true; + } + } + return burnt; +} + +static bool is_popt_table_end(const struct poptOption *o) +{ + if (o->longName == NULL && + o->shortName == 0 && + o->argInfo == 0 && + o->arg == NULL && + o->val == 0 && + o->descrip == NULL && + o->argDescrip == NULL) { + return true; + } + + return false; +} + +static void find_duplicates(const struct poptOption *needle, + const struct poptOption *haystack, + size_t *count) +{ + for(; + !is_popt_table_end(haystack); + haystack++) { + switch (haystack->argInfo) { + case POPT_ARG_INCLUDE_TABLE: + if (haystack->arg != NULL) { + find_duplicates(needle, haystack->arg, count); + } + + break; + default: + if (needle->shortName != 0 && + needle->shortName == haystack->shortName) { + (*count)++; + break; + } + + if (needle->longName != NULL && + haystack->longName != NULL && + strequal(needle->longName, haystack->longName)) { + (*count)++; + break; + } + break; + } + + if (*count > 1) { + return; + } + } +} + +static bool cmdline_sanity_checker(const struct poptOption *current_opts, + const struct poptOption *full_opts) +{ + const struct poptOption *o = current_opts; + + for(; + !is_popt_table_end(o); + o++) { + bool ok; + + switch (o->argInfo) { + case POPT_ARG_INCLUDE_TABLE: + if (o->arg != NULL) { + ok = cmdline_sanity_checker(o->arg, full_opts); + if (!ok) { + return false; + } + } + + break; + default: + if (o->longName != NULL || o->shortName != 0) { + size_t count = 0; + + find_duplicates(o, full_opts, &count); + if (count > 1) { + DBG_ERR("Duplicate option '--%s|-%c' " + "detected!\n", + o->longName, + o->shortName != 0 ? + o->shortName : + '-'); + return false; + } + } + + break; + } + } + + return true; +} + +bool samba_cmdline_sanity_check(const struct poptOption *opts) +{ + return cmdline_sanity_checker(opts, opts); +} + +poptContext samba_popt_get_context(const char * name, + int argc, const char ** argv, + const struct poptOption * options, + unsigned int flags) +{ +#ifdef DEVELOPER + bool ok; + + ok = samba_cmdline_sanity_check(options); + if (!ok) { + return NULL; + } +#endif + process_save_binary_name(name); + return poptGetContext(name, argc, argv, options, flags); +} + +/********************************************************** + * COMMON SAMBA POPT + **********************************************************/ + +static bool log_to_file; + +static bool set_logfile(TALLOC_CTX *mem_ctx, + struct loadparm_context *lp_ctx, + const char *log_basename, + const char *process_name, + bool from_cmdline) +{ + bool ok = false; + char *new_logfile = talloc_asprintf(mem_ctx, + "%s/log.%s", + log_basename, + process_name); + if (new_logfile == NULL) { + return false; + } + + if (from_cmdline) { + ok = lpcfg_set_cmdline(lp_ctx, + "log file", + new_logfile); + } else { + ok = lpcfg_do_global_parameter(lp_ctx, + "log file", + new_logfile); + } + if (!ok) { + fprintf(stderr, + "Failed to set log to %s\n", + new_logfile); + TALLOC_FREE(new_logfile); + return false; + } + debug_set_logfile(new_logfile); + TALLOC_FREE(new_logfile); + + return true; +} + +static void popt_samba_callback(poptContext popt_ctx, + enum poptCallbackReason reason, + const struct poptOption *opt, + const char *arg, const void *data) +{ + TALLOC_CTX *mem_ctx = samba_cmdline_get_talloc_ctx(); + struct loadparm_context *lp_ctx = samba_cmdline_get_lp_ctx(); + const char *pname = NULL; + bool ok; + + /* Find out basename of current program */ + pname = getprogname(); + + if (reason == POPT_CALLBACK_REASON_PRE) { + if (lp_ctx == NULL) { + fprintf(stderr, + "Command line parsing not initialized!\n"); + exit(1); + } + ok = set_logfile(mem_ctx, + lp_ctx, + get_dyn_LOGFILEBASE(), + pname, + false); + if (!ok) { + fprintf(stderr, + "Failed to set log file for %s\n", + pname); + exit(1); + } + return; + } + + if (reason == POPT_CALLBACK_REASON_POST) { + ok = cmdline_load_config_fn(); + if (!ok) { + fprintf(stderr, + "%s - Failed to load config file!\n", + getprogname()); + exit(1); + } + + if (log_to_file) { + const struct loadparm_substitution *lp_sub = + lpcfg_noop_substitution(); + char *logfile = NULL; + + logfile = lpcfg_logfile(lp_ctx, lp_sub, mem_ctx); + if (logfile == NULL) { + fprintf(stderr, + "Failed to setup logging to file!"); + exit(1); + } + debug_set_logfile(logfile); + setup_logging(logfile, DEBUG_FILE); + TALLOC_FREE(logfile); + } + + return; + } + + switch(opt->val) { + case OPT_LEAK_REPORT: + talloc_enable_leak_report(); + break; + case OPT_LEAK_REPORT_FULL: + talloc_enable_leak_report_full(); + break; + case OPT_OPTION: + if (arg != NULL) { + ok = lpcfg_set_option(lp_ctx, arg); + if (!ok) { + fprintf(stderr, "Error setting option '%s'\n", arg); + exit(1); + } + } + break; + case 'd': + if (arg != NULL) { + ok = lpcfg_set_cmdline(lp_ctx, "log level", arg); + if (!ok) { + fprintf(stderr, + "Failed to set debug level to: %s\n", + arg); + exit(1); + } + } + break; + case OPT_DEBUG_STDOUT: + setup_logging(pname, DEBUG_STDOUT); + break; + case OPT_CONFIGFILE: + if (arg != NULL) { + set_dyn_CONFIGFILE(arg); + } + break; + case 'l': + if (arg != NULL) { + ok = set_logfile(mem_ctx, lp_ctx, arg, pname, true); + if (!ok) { + fprintf(stderr, + "Failed to set log file for %s\n", + arg); + exit(1); + } + log_to_file = true; + + set_dyn_LOGFILEBASE(arg); + } + break; + } +} + +static struct poptOption popt_common_debug[] = { + { + .argInfo = POPT_ARG_CALLBACK|POPT_CBFLAG_PRE|POPT_CBFLAG_POST, + .arg = (void *)popt_samba_callback, + }, + { + .longName = "debuglevel", + .shortName = 'd', + .argInfo = POPT_ARG_STRING, + .val = 'd', + .descrip = "Set debug level", + .argDescrip = "DEBUGLEVEL", + }, + { + .longName = "debug-stdout", + .argInfo = POPT_ARG_NONE, + .val = OPT_DEBUG_STDOUT, + .descrip = "Send debug output to standard output", + }, + POPT_TABLEEND +}; + +static struct poptOption popt_common_option[] = { + { + .argInfo = POPT_ARG_CALLBACK|POPT_CBFLAG_PRE|POPT_CBFLAG_POST, + .arg = (void *)popt_samba_callback, + }, + { + .longName = "option", + .argInfo = POPT_ARG_STRING, + .val = OPT_OPTION, + .descrip = "Set smb.conf option from command line", + .argDescrip = "name=value", + }, + POPT_TABLEEND +}; + +static struct poptOption popt_common_config[] = { + { + .argInfo = POPT_ARG_CALLBACK|POPT_CBFLAG_PRE|POPT_CBFLAG_POST, + .arg = (void *)popt_samba_callback, + }, + { + .longName = "configfile", + .argInfo = POPT_ARG_STRING, + .val = OPT_CONFIGFILE, + .descrip = "Use alternative configuration file", + .argDescrip = "CONFIGFILE", + }, + POPT_TABLEEND +}; + +static struct poptOption popt_common_samba[] = { + { + .argInfo = POPT_ARG_CALLBACK|POPT_CBFLAG_PRE|POPT_CBFLAG_POST, + .arg = (void *)popt_samba_callback, + }, + { + .longName = "debuglevel", + .shortName = 'd', + .argInfo = POPT_ARG_STRING, + .val = 'd', + .descrip = "Set debug level", + .argDescrip = "DEBUGLEVEL", + }, + { + .longName = "debug-stdout", + .argInfo = POPT_ARG_NONE, + .val = OPT_DEBUG_STDOUT, + .descrip = "Send debug output to standard output", + }, + { + .longName = "configfile", + .shortName = 's', + .argInfo = POPT_ARG_STRING, + .val = OPT_CONFIGFILE, + .descrip = "Use alternative configuration file", + .argDescrip = "CONFIGFILE", + }, + { + .longName = "option", + .argInfo = POPT_ARG_STRING, + .val = OPT_OPTION, + .descrip = "Set smb.conf option from command line", + .argDescrip = "name=value", + }, + { + .longName = "log-basename", + .shortName = 'l', + .argInfo = POPT_ARG_STRING, + .val = 'l', + .descrip = "Basename for log/debug files", + .argDescrip = "LOGFILEBASE", + }, + { + .longName = "leak-report", + .argInfo = POPT_ARG_NONE, + .val = OPT_LEAK_REPORT, + .descrip = "enable talloc leak reporting on exit", + }, + { + .longName = "leak-report-full", + .argInfo = POPT_ARG_NONE, + .val = OPT_LEAK_REPORT_FULL, + .descrip = "enable full talloc leak reporting on exit", + }, + POPT_TABLEEND +}; + +static struct poptOption popt_common_samba_ldb[] = { + { + .argInfo = POPT_ARG_CALLBACK|POPT_CBFLAG_PRE|POPT_CBFLAG_POST, + .arg = (void *)popt_samba_callback, + }, + { + .longName = "debuglevel", + .shortName = 'd', + .argInfo = POPT_ARG_STRING, + .val = 'd', + .descrip = "Set debug level", + .argDescrip = "DEBUGLEVEL", + }, + { + .longName = "debug-stdout", + .argInfo = POPT_ARG_NONE, + .val = OPT_DEBUG_STDOUT, + .descrip = "Send debug output to standard output", + }, + { + .longName = "configfile", + .argInfo = POPT_ARG_STRING, + .val = OPT_CONFIGFILE, + .descrip = "Use alternative configuration file", + .argDescrip = "CONFIGFILE", + }, + { + .longName = "option", + .argInfo = POPT_ARG_STRING, + .val = OPT_OPTION, + .descrip = "Set smb.conf option from command line", + .argDescrip = "name=value", + }, + { + .longName = "log-basename", + .shortName = 'l', + .argInfo = POPT_ARG_STRING, + .val = 'l', + .descrip = "Basename for log/debug files", + .argDescrip = "LOGFILEBASE", + }, + { + .longName = "leak-report", + .argInfo = POPT_ARG_NONE, + .val = OPT_LEAK_REPORT, + .descrip = "enable talloc leak reporting on exit", + }, + { + .longName = "leak-report-full", + .argInfo = POPT_ARG_NONE, + .val = OPT_LEAK_REPORT_FULL, + .descrip = "enable full talloc leak reporting on exit", + }, + POPT_TABLEEND +}; + +/********************************************************** + * CONNECTION POPT + **********************************************************/ + +static void popt_connection_callback(poptContext popt_ctx, + enum poptCallbackReason reason, + const struct poptOption *opt, + const char *arg, + const void *data) +{ + struct loadparm_context *lp_ctx = cmdline_lp_ctx; + + if (reason == POPT_CALLBACK_REASON_PRE) { + if (lp_ctx == NULL) { + fprintf(stderr, + "Command line parsing not initialized!\n"); + exit(1); + } + return; + } + + switch(opt->val) { + case 'O': + if (arg != NULL) { + lpcfg_set_cmdline(lp_ctx, "socket options", arg); + } + break; + case 'R': + if (arg != NULL) { + lpcfg_set_cmdline(lp_ctx, "name resolve order", arg); + } + break; + case 'm': + if (arg != NULL) { + lpcfg_set_cmdline(lp_ctx, "client max protocol", arg); + } + break; + case OPT_NETBIOS_SCOPE: + if (arg != NULL) { + lpcfg_set_cmdline(lp_ctx, "netbios scope", arg); + } + break; + case 'n': + if (arg != NULL) { + lpcfg_set_cmdline(lp_ctx, "netbios name", arg); + } + break; + case 'W': + if (arg != NULL) { + lpcfg_set_cmdline(lp_ctx, "workgroup", arg); + } + break; + case 'r': + if (arg != NULL) { + lpcfg_set_cmdline(lp_ctx, "realm", arg); + } + break; + } +} + +static struct poptOption popt_common_connection[] = { + { + .argInfo = POPT_ARG_CALLBACK|POPT_CBFLAG_PRE, + .arg = (void *)popt_connection_callback, + }, + { + .longName = "name-resolve", + .shortName = 'R', + .argInfo = POPT_ARG_STRING, + .val = 'R', + .descrip = "Use these name resolution services only", + .argDescrip = "NAME-RESOLVE-ORDER", + }, + { + .longName = "socket-options", + .shortName = 'O', + .argInfo = POPT_ARG_STRING, + .val = 'O', + .descrip = "socket options to use", + .argDescrip = "SOCKETOPTIONS", + }, + { + .longName = "max-protocol", + .shortName = 'm', + .argInfo = POPT_ARG_STRING, + .val = 'm', + .descrip = "Set max protocol level", + .argDescrip = "MAXPROTOCOL", + }, + { + .longName = "netbiosname", + .shortName = 'n', + .argInfo = POPT_ARG_STRING, + .val = 'n', + .descrip = "Primary netbios name", + .argDescrip = "NETBIOSNAME", + }, + { + .longName = "netbios-scope", + .argInfo = POPT_ARG_STRING, + .val = OPT_NETBIOS_SCOPE, + .descrip = "Use this Netbios scope", + .argDescrip = "SCOPE", + }, + { + .longName = "workgroup", + .shortName = 'W', + .argInfo = POPT_ARG_STRING, + .val = 'W', + .descrip = "Set the workgroup name", + .argDescrip = "WORKGROUP", + }, + { + .longName = "realm", + .argInfo = POPT_ARG_STRING, + .val = 'r', + .descrip = "Set the realm name", + .argDescrip = "REALM", + }, + POPT_TABLEEND +}; + +/********************************************************** + * CREDENTIALS POPT + **********************************************************/ + +static bool skip_password_callback; +static bool machine_account_pending; + +static void popt_common_credentials_callback(poptContext popt_ctx, + enum poptCallbackReason reason, + const struct poptOption *opt, + const char *arg, + const void *data) +{ + struct loadparm_context *lp_ctx = samba_cmdline_get_lp_ctx(); + struct cli_credentials *creds = samba_cmdline_get_creds(); + bool ok; + + if (reason == POPT_CALLBACK_REASON_PRE) { + if (creds == NULL) { + fprintf(stderr, + "Command line parsing not initialized!\n"); + exit(1); + } + return; + } + + if (reason == POPT_CALLBACK_REASON_POST) { + const char *username = NULL; + enum credentials_obtained username_obtained = + CRED_UNINITIALISED; + enum credentials_obtained password_obtained = + CRED_UNINITIALISED; + + /* + * This calls cli_credentials_set_conf() to get the defaults + * form smb.conf and set the winbind separator. + * + * Just warn that we can't read the smb.conf. There might not be + * one available or we want to ignore it. + */ + ok = cli_credentials_guess(creds, lp_ctx); + if (!ok) { + fprintf(stderr, + "Unable to read defaults from smb.conf\n"); + } + + (void)cli_credentials_get_password_and_obtained(creds, + &password_obtained); + if (!skip_password_callback && + password_obtained < CRED_CALLBACK) { + ok = cli_credentials_set_cmdline_callbacks(creds); + if (!ok) { + fprintf(stderr, + "Failed to set cmdline password " + "callback\n"); + exit(1); + } + } + + if (machine_account_pending) { + NTSTATUS status; + + status = cli_credentials_set_machine_account_fn( + creds, lp_ctx); + if (!NT_STATUS_IS_OK(status)) { + fprintf(stderr, + "Failed to set machine account: %s\n", + nt_errstr(status)); + exit(1); + } + } + + /* + * When we set the username during the handling of the options + * passed to the binary we haven't loaded the config yet. This + * means that we didn't take the 'winbind separator' into + * account. + * + * The username might contain the domain name and thus it + * hasn't been correctly parsed yet. If we have a username we + * need to set it again to run the string parser for the + * username correctly. + */ + username = + cli_credentials_get_username_and_obtained( + creds, &username_obtained); + if (username_obtained == CRED_SPECIFIED && + username != NULL && username[0] != '\0') { + cli_credentials_parse_string(creds, + username, + CRED_SPECIFIED); + } + + return; + } + + switch(opt->val) { + case 'U': + if (arg != NULL) { + cli_credentials_parse_string(creds, + arg, + CRED_SPECIFIED); + } + break; + case OPT_PASSWORD: + if (arg != NULL) { + ok = cli_credentials_set_password(creds, + arg, + CRED_SPECIFIED); + if (!ok) { + fprintf(stderr, + "Failed to set password!\n"); + exit(1); + } + + skip_password_callback = true; + } + break; + case OPT_NT_HASH: + cli_credentials_set_password_will_be_nt_hash(creds, true); + break; + case 'A': + if (arg != NULL) { + ok = cli_credentials_parse_file(creds, + arg, + CRED_SPECIFIED); + if (!ok) { + fprintf(stderr, + "Failed to set parse authentication file!\n"); + exit(1); + } + skip_password_callback = true; + } + break; + case 'N': + ok = cli_credentials_set_password(creds, + NULL, + CRED_SPECIFIED); + if (!ok) { + fprintf(stderr, + "Failed to set password!\n"); + exit(1); + } + skip_password_callback = true; + break; + case 'P': + /* + * Later, after this is all over, get the machine account + * details from the secrets.(l|t)db. + */ + machine_account_pending = true; + break; + case OPT_SIMPLE_BIND_DN: + if (arg != NULL) { + ok = cli_credentials_set_bind_dn(creds, arg); + if (!ok) { + fprintf(stderr, + "Failed to set bind DN!\n"); + exit(1); + } + } + break; + case OPT_USE_KERBEROS: { + int32_t use_kerberos = INT_MIN; + if (arg == NULL) { + fprintf(stderr, + "Failed to parse " + "--use-kerberos=desired|required|off: " + "Missing argument\n"); + exit(1); + } + + use_kerberos = lpcfg_parse_enum_vals("client use kerberos", + arg); + if (use_kerberos == INT_MIN) { + fprintf(stderr, + "Failed to parse " + "--use-kerberos=desired|required|off: " + "Invalid argument\n"); + exit(1); + } + + ok = cli_credentials_set_kerberos_state(creds, + use_kerberos, + CRED_SPECIFIED); + if (!ok) { + fprintf(stderr, + "Failed to set Kerberos state to %s!\n", arg); + exit(1); + } + break; + } + case OPT_USE_KERBEROS_CCACHE: { + const char *error_string = NULL; + int rc; + + if (arg == NULL) { + fprintf(stderr, + "Failed to parse --use-krb5-ccache=CCACHE: " + "Missing argument\n"); + exit(1); + } + + ok = cli_credentials_set_kerberos_state(creds, + CRED_USE_KERBEROS_REQUIRED, + CRED_SPECIFIED); + if (!ok) { + fprintf(stderr, + "Failed to set Kerberos state to %s!\n", arg); + exit(1); + } + + rc = cli_credentials_set_ccache(creds, + lp_ctx, + arg, + CRED_SPECIFIED, + &error_string); + if (rc != 0) { + fprintf(stderr, + "Error reading krb5 credentials cache: '%s'" + " - %s\n", + arg, + error_string); + exit(1); + } + + skip_password_callback = true; + break; + } + case OPT_USE_WINBIND_CCACHE: + { + uint32_t gensec_features; + + gensec_features = cli_credentials_get_gensec_features(creds); + gensec_features |= GENSEC_FEATURE_NTLM_CCACHE; + + ok = cli_credentials_set_gensec_features(creds, + gensec_features, + CRED_SPECIFIED); + if (!ok) { + fprintf(stderr, + "Failed to set gensec feature!\n"); + exit(1); + } + + skip_password_callback = true; + break; + } + case OPT_CLIENT_PROTECTION: { + uint32_t gensec_features; + enum smb_signing_setting signing_state = + SMB_SIGNING_OFF; + enum smb_encryption_setting encryption_state = + SMB_ENCRYPTION_OFF; + + if (arg == NULL) { + fprintf(stderr, + "Failed to parse " + "--client-protection=sign|encrypt|off: " + "Missing argument\n"); + exit(1); + } + + gensec_features = + cli_credentials_get_gensec_features( + creds); + + if (strequal(arg, "off")) { + gensec_features &= + ~(GENSEC_FEATURE_SIGN|GENSEC_FEATURE_SEAL); + + signing_state = SMB_SIGNING_OFF; + encryption_state = SMB_ENCRYPTION_OFF; + } else if (strequal(arg, "sign")) { + gensec_features |= GENSEC_FEATURE_SIGN; + + signing_state = SMB_SIGNING_REQUIRED; + encryption_state = SMB_ENCRYPTION_OFF; + } else if (strequal(arg, "encrypt")) { + gensec_features |= GENSEC_FEATURE_SEAL; + + signing_state = SMB_SIGNING_REQUIRED; + encryption_state = SMB_ENCRYPTION_REQUIRED; + } else { + fprintf(stderr, + "Failed to parse --client-protection\n"); + exit(1); + } + + ok = cli_credentials_set_gensec_features(creds, + gensec_features, + CRED_SPECIFIED); + if (!ok) { + fprintf(stderr, + "Failed to set gensec feature!\n"); + exit(1); + } + + ok = cli_credentials_set_smb_signing(creds, + signing_state, + CRED_SPECIFIED); + if (!ok) { + fprintf(stderr, + "Failed to set smb signing!\n"); + exit(1); + } + + ok = cli_credentials_set_smb_encryption(creds, + encryption_state, + CRED_SPECIFIED); + if (!ok) { + fprintf(stderr, + "Failed to set smb encryption!\n"); + exit(1); + } + break; + } + } /* switch */ +} + +static struct poptOption popt_common_credentials[] = { + { + .argInfo = POPT_ARG_CALLBACK|POPT_CBFLAG_PRE|POPT_CBFLAG_POST, + .arg = (void *)popt_common_credentials_callback, + }, + { + .longName = "user", + .shortName = 'U', + .argInfo = POPT_ARG_STRING, + .val = 'U', + .descrip = "Set the network username", + .argDescrip = "[DOMAIN/]USERNAME[%PASSWORD]", + }, + { + .longName = "no-pass", + .shortName = 'N', + .argInfo = POPT_ARG_NONE, + .val = 'N', + .descrip = "Don't ask for a password", + }, + { + .longName = "password", + .argInfo = POPT_ARG_STRING, + .val = OPT_PASSWORD, + .descrip = "Password", + }, + { + .longName = "pw-nt-hash", + .argInfo = POPT_ARG_NONE, + .val = OPT_NT_HASH, + .descrip = "The supplied password is the NT hash", + }, + { + .longName = "authentication-file", + .shortName = 'A', + .argInfo = POPT_ARG_STRING, + .val = 'A', + .descrip = "Get the credentials from a file", + .argDescrip = "FILE", + }, + { + .longName = "machine-pass", + .shortName = 'P', + .argInfo = POPT_ARG_NONE, + .val = 'P', + .descrip = "Use stored machine account password", + }, + { + .longName = "simple-bind-dn", + .argInfo = POPT_ARG_STRING, + .val = OPT_SIMPLE_BIND_DN, + .descrip = "DN to use for a simple bind", + .argDescrip = "DN", + }, + { + .longName = "use-kerberos", + .argInfo = POPT_ARG_STRING, + .val = OPT_USE_KERBEROS, + .descrip = "Use Kerberos authentication", + .argDescrip = "desired|required|off", + }, + { + .longName = "use-krb5-ccache", + .argInfo = POPT_ARG_STRING, + .val = OPT_USE_KERBEROS_CCACHE, + .descrip = "Credentials cache location for Kerberos", + .argDescrip = "CCACHE", + }, + { + .longName = "use-winbind-ccache", + .argInfo = POPT_ARG_NONE, + .val = OPT_USE_WINBIND_CCACHE, + .descrip = "Use the winbind ccache for authentication", + }, + { + .longName = "client-protection", + .argInfo = POPT_ARG_STRING, + .val = OPT_CLIENT_PROTECTION, + .descrip = "Configure used protection for client connections", + .argDescrip = "sign|encrypt|off", + }, + POPT_TABLEEND +}; + +/********************************************************** + * VERSION POPT + **********************************************************/ + +static void popt_version_callback(poptContext ctx, + enum poptCallbackReason reason, + const struct poptOption *opt, + const char *arg, + const void *data) +{ + switch(opt->val) { + case 'V': + printf("Version %s\n", SAMBA_VERSION_STRING); + exit(0); + } +} + +static struct poptOption popt_common_version[] = { + { + .argInfo = POPT_ARG_CALLBACK, + .arg = (void *)popt_version_callback, + }, + { + .longName = "version", + .shortName = 'V', + .argInfo = POPT_ARG_NONE, + .val = 'V', + .descrip = "Print version", + }, + POPT_TABLEEND +}; + +/********************************************************** + * DAEMON POPT + **********************************************************/ + +static void popt_daemon_callback(poptContext ctx, + enum poptCallbackReason reason, + const struct poptOption *opt, + const char *arg, + const void *data) +{ + switch(opt->val) { + case OPT_DAEMON: + cmdline_daemon_cfg.daemon = true; + break; + case OPT_INTERACTIVE: + cmdline_daemon_cfg.interactive = true; + cmdline_daemon_cfg.fork = false; + break; + case OPT_FORK: + cmdline_daemon_cfg.fork = false; + break; + case OPT_NO_PROCESS_GROUP: + cmdline_daemon_cfg.no_process_group = true; + break; + } +} + +static struct poptOption popt_common_daemon[] = { + { + .argInfo = POPT_ARG_CALLBACK, + .arg = (void *)popt_daemon_callback + }, + { + .longName = "daemon", + .shortName = 'D', + .argInfo = POPT_ARG_NONE, + .arg = NULL, + .val = OPT_DAEMON, + .descrip = "Become a daemon (default)" , + }, + { + .longName = "interactive", + .shortName = 'i', + .argInfo = POPT_ARG_NONE, + .arg = NULL, + .val = OPT_INTERACTIVE, + .descrip = "Run interactive (not a daemon) and log to stdout", + }, + { + .longName = "foreground", + .shortName = 'F', + .argInfo = POPT_ARG_NONE, + .arg = NULL, + .val = OPT_FORK, + .descrip = "Run daemon in foreground (for daemontools, etc.)", + }, + { + .longName = "no-process-group", + .shortName = '\0', + .argInfo = POPT_ARG_NONE, + .arg = NULL, + .val = OPT_NO_PROCESS_GROUP, + .descrip = "Don't create a new process group" , + }, + POPT_TABLEEND +}; + +/********************************************************** + * LEGACY S3 POPT + **********************************************************/ + +static void popt_legacy_s3_callback(poptContext ctx, + enum poptCallbackReason reason, + const struct poptOption *opt, + const char *arg, + const void *data) +{ + struct cli_credentials *creds = samba_cmdline_get_creds(); + bool ok; + + switch(opt->val) { + case 'k': + fprintf(stderr, + "WARNING: The option -k|--kerberos is deprecated!\n"); + + ok = cli_credentials_set_kerberos_state(creds, + CRED_USE_KERBEROS_REQUIRED, + CRED_SPECIFIED); + if (!ok) { + fprintf(stderr, + "Failed to set Kerberos state to %s!\n", arg); + exit(1); + } + + skip_password_callback = true; + break; + } +} + +/* We allow '-k yes' too. */ +static struct poptOption popt_legacy_s3[] = { + { + .argInfo = POPT_ARG_CALLBACK, + .arg = (void *)popt_legacy_s3_callback, + }, + { + .longName = "kerberos", + .shortName = 'k', + .argInfo = POPT_ARG_NONE, + .val = 'k', + .descrip = "DEPRECATED: Migrate to --use-kerberos", + }, + POPT_TABLEEND +}; + +/********************************************************** + * LEGACY S4 POPT + **********************************************************/ + +static void popt_legacy_s4_callback(poptContext ctx, + enum poptCallbackReason reason, + const struct poptOption *opt, + const char *arg, + const void *data) +{ + struct cli_credentials *creds = samba_cmdline_get_creds(); + bool ok; + + switch(opt->val) { + case 'k': { + enum credentials_use_kerberos use_kerberos = + CRED_USE_KERBEROS_REQUIRED; + + fprintf(stderr, + "WARNING: The option -k|--kerberos is deprecated!\n"); + + if (arg != NULL) { + if (strcasecmp_m(arg, "yes") == 0) { + use_kerberos = CRED_USE_KERBEROS_REQUIRED; + } else if (strcasecmp_m(arg, "no") == 0) { + use_kerberos = CRED_USE_KERBEROS_DISABLED; + } else { + fprintf(stderr, + "Error parsing -k %s. Should be " + "-k [yes|no]\n", + arg); + exit(1); + } + } + + ok = cli_credentials_set_kerberos_state(creds, + use_kerberos, + CRED_SPECIFIED); + if (!ok) { + fprintf(stderr, + "Failed to set Kerberos state to %s!\n", arg); + exit(1); + } + + break; + } + } +} + +static struct poptOption popt_legacy_s4[] = { + { + .argInfo = POPT_ARG_CALLBACK, + .arg = (void *)popt_legacy_s4_callback, + }, + { + .longName = "kerberos", + .shortName = 'k', + .argInfo = POPT_ARG_STRING, + .val = 'k', + .descrip = "DEPRECATED: Migrate to --use-kerberos", + }, + POPT_TABLEEND +}; + +struct poptOption *samba_cmdline_get_popt(enum smb_cmdline_popt_options opt) +{ + switch (opt) { + case SAMBA_CMDLINE_POPT_OPT_DEBUG_ONLY: + return popt_common_debug; + break; + case SAMBA_CMDLINE_POPT_OPT_OPTION_ONLY: + return popt_common_option; + break; + case SAMBA_CMDLINE_POPT_OPT_CONFIG_ONLY: + return popt_common_config; + break; + case SAMBA_CMDLINE_POPT_OPT_SAMBA: + return popt_common_samba; + break; + case SAMBA_CMDLINE_POPT_OPT_CONNECTION: + return popt_common_connection; + break; + case SAMBA_CMDLINE_POPT_OPT_CREDENTIALS: + return popt_common_credentials; + break; + case SAMBA_CMDLINE_POPT_OPT_VERSION: + return popt_common_version; + break; + case SAMBA_CMDLINE_POPT_OPT_DAEMON: + return popt_common_daemon; + break; + case SAMBA_CMDLINE_POPT_OPT_SAMBA_LDB: + return popt_common_samba_ldb; + break; + case SAMBA_CMDLINE_POPT_OPT_LEGACY_S3: + return popt_legacy_s3; + break; + case SAMBA_CMDLINE_POPT_OPT_LEGACY_S4: + return popt_legacy_s4; + break; + } + + /* Never reached */ + return NULL; +} |