[SCM] Samba Shared Repository - branch master updated

Andrew Bartlett abartlet at samba.org
Thu Jun 15 06:31:01 UTC 2023


The branch, master has been updated
       via  32fdc764efb s4:auth: Remove unneeded ‘sam_ctx’ parameter
       via  6c9c7c5b698 s4:auth: Enforce machine authentication policy for NTLM authentication
       via  7a7dbdb7736 s4:auth: Enforce device restrictions for NTLM authentication
       via  63fe9863572 s4:kdc: Log TGS-REQs in the Heimdal KDC
       via  ba2e54d5c5f tests/auth_log: Ensure tests continue to pass when new log types are added
       via  7f771070535 tests/auth_log: Add support for new ‘KDC Authorization’ log type
       via  e2d925f5a57 auth: Add new ‘KDC Authorization’ log type
       via  9325c14b7e1 lib:audit_logging: Add function to create JSON object containing auditing information
       via  3f3c017a268 s4:kdc: Add function to perform an access check to a service
       via  5bd6ce29def s4:kdc: Generate auditing information for NTLM device restrictions
       via  6dce6318e4f s4:kdc: Move NTLM device restrictions to ‘authn_policy_util’
       via  b5506d5ee38 s4:kdc: Add function to perform an authentication policy access check with a device
       via  f47631b3605 s4:kdc: Add getter functions for authn_audit_info
       via  a3063fb4f59 s4:kdc: Add functions to create structures of auditing information for authentication policies
       via  9585bf9bb72 s4:kdc: Add helper functions to create optional int64 values
       via  b1429830699 s4:kdc: Add structure containing authentication policy auditing information
       via  a2ff8c4e434 s4:kdc: Rename ‘lifetime’ to indicate that it is measured in seconds
       via  a1364c205ff s4:kdc: Rename authn_kerberos_client_policy::tgt_lifetime to tgt_lifetime_raw
       via  b3a85655825 auth: Move authn_policy code into auth subsystem
      from  9b0a71bd308 tests/auth_log: Refactor waitForMessages() to use nextMessage()

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 32fdc764efb5edbbaca9c1e5a6b5f896da411e52
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Thu Jun 15 12:31:03 2023 +1200

    s4:auth: Remove unneeded ‘sam_ctx’ parameter
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    
    Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
    Autobuild-Date(master): Thu Jun 15 06:30:35 UTC 2023 on atb-devel-224

commit 6c9c7c5b698e4bc726cbe76629720f6e02ade7ad
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Thu May 4 16:43:47 2023 +1200

    s4:auth: Enforce machine authentication policy for NTLM authentication
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 7a7dbdb7736018018bb9459b79b95ae63d9e6e7d
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Thu May 4 16:39:55 2023 +1200

    s4:auth: Enforce device restrictions for NTLM authentication
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 63fe9863572357bf55c6446c90830fd2e6372b4b
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Thu Jun 15 11:24:27 2023 +1200

    s4:kdc: Log TGS-REQs in the Heimdal KDC
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit ba2e54d5c5fe22a3ba1481c890fc49bcdfa38781
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Thu Jun 15 14:33:37 2023 +1200

    tests/auth_log: Ensure tests continue to pass when new log types are added
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 7f771070535bd12d5ad0644893607f5c47c615e9
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Wed Jun 14 16:35:26 2023 +1200

    tests/auth_log: Add support for new ‘KDC Authorization’ log type
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit e2d925f5a57a94c6e28372756f1bf15d9e4db628
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Thu Jun 15 11:18:45 2023 +1200

    auth: Add new ‘KDC Authorization’ log type
    
    This is similar, but not identical, to the existing ‘Authorization’
    event. It will be used to log Kerberos TGS-REQs.
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 9325c14b7e10d79a130f6633f6bfd59680f4b756
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Thu Jun 15 11:12:22 2023 +1200

    lib:audit_logging: Add function to create JSON object containing auditing information
    
    This can be included in logged authentications and authorizations.
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 3f3c017a2686a823012c1d6f6c6639f40837b0d8
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Thu Jun 15 11:03:00 2023 +1200

    s4:kdc: Add function to perform an access check to a service
    
    If the ‘server_audit_info_out’ parameter is non-NULL, auditing
    information will be returned so that it might be logged.
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 5bd6ce29def85cbf2864a06447cc7daf9b2d1990
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Thu Jun 15 11:00:38 2023 +1200

    s4:kdc: Generate auditing information for NTLM device restrictions
    
    This will provide more detail to be logged.
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 6dce6318e4fa38e995248ff8fded021c51577c3d
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Thu Jun 15 10:54:18 2023 +1200

    s4:kdc: Move NTLM device restrictions to ‘authn_policy_util’
    
    We’re going to extend this code, and so we will require functions from
    the utility module.
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit b5506d5ee38dabbb26dfc889a8a222e632ddf99b
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Thu Jun 15 10:46:55 2023 +1200

    s4:kdc: Add function to perform an authentication policy access check with a device
    
    If the ‘audit_info_out’ parameter is non-NULL, auditing information will
    be returned so that it might be logged.
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit f47631b3605e806f3018efa6a64f5c9821475001
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Thu Jun 15 10:37:03 2023 +1200

    s4:kdc: Add getter functions for authn_audit_info
    
    These functions return various pieces of information about an audit
    event that can go into audit logs.
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit a3063fb4f59331f43dfb7d6930dbe0f8b383f6b7
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Thu Jun 15 10:30:34 2023 +1200

    s4:kdc: Add functions to create structures of auditing information for authentication policies
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 9585bf9bb723d58dd0fc07ae65de071cd189817f
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Thu Jun 15 10:18:38 2023 +1200

    s4:kdc: Add helper functions to create optional int64 values
    
    These values will be used to represent TGT lifetimes, which might or
    might not be present.
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit b1429830699fa457f26643e246b5fd07eab3a32d
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Thu Jun 15 10:18:00 2023 +1200

    s4:kdc: Add structure containing authentication policy auditing information
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit a2ff8c4e434f8db414fdd2bba8c1c2908050c61c
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Thu Jun 15 10:01:33 2023 +1200

    s4:kdc: Rename ‘lifetime’ to indicate that it is measured in seconds
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit a1364c205ffd1cfaaba8862a096be82b5d5c5f11
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Thu Jun 15 10:00:53 2023 +1200

    s4:kdc: Rename authn_kerberos_client_policy::tgt_lifetime to tgt_lifetime_raw
    
    This more clearly indicates that it is the raw TGT lifetime value
    straight from the database.
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit b3a85655825fb6c6a1d668379c1ab004707dc56d
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Thu Jun 15 14:59:10 2023 +1200

    auth: Move authn_policy code into auth subsystem
    
    This ensures that this code will still be usable by other libraries and
    subsystems if Samba is built with ‘--without-ad-dc’.
    
    We also drop dependencies on ‘ldb’ and ‘talloc’ that we shouldn’t have
    needed anyway.
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

-----------------------------------------------------------------------

Summary of changes:
 auth/auth_log.c                           | 189 +++++++++++
 auth/authn_policy.c                       | 198 ++++++++++++
 auth/authn_policy.h                       |  87 +++++
 {source4/kdc => auth}/authn_policy_impl.h |  31 +-
 auth/common_auth.h                        |  21 ++
 auth/wscript_build                        |   4 +
 lib/audit_logging/audit_logging.c         | 132 ++++++++
 lib/audit_logging/audit_logging.h         |   3 +
 lib/audit_logging/wscript_build           |   5 +-
 python/samba/tests/auth_log_base.py       |  27 +-
 selftest/knownfail_heimdal_kdc            |  26 --
 selftest/knownfail_mit_kdc                |  26 --
 source4/auth/ntlm/auth.c                  |   4 +-
 source4/auth/ntlm/auth_sam.c              | 165 +++++++++-
 source4/auth/ntlm/wscript_build           |   2 +-
 source4/kdc/authn_policy.c                |  85 -----
 source4/kdc/authn_policy.h                |  44 ---
 source4/kdc/authn_policy_util.c           | 509 +++++++++++++++++++++++++++++-
 source4/kdc/authn_policy_util.h           | 131 +++++++-
 source4/kdc/db-glue.c                     |  22 +-
 source4/kdc/hdb-samba4.c                  |  99 +++++-
 source4/kdc/wscript_build                 |   6 -
 22 files changed, 1601 insertions(+), 215 deletions(-)
 create mode 100644 auth/authn_policy.c
 create mode 100644 auth/authn_policy.h
 rename {source4/kdc => auth}/authn_policy_impl.h (69%)
 delete mode 100644 source4/kdc/authn_policy.c
 delete mode 100644 source4/kdc/authn_policy.h


Changeset truncated at 500 lines:

diff --git a/auth/auth_log.c b/auth/auth_log.c
index c0506823008..019cbe114bf 100644
--- a/auth/auth_log.c
+++ b/auth/auth_log.c
@@ -25,6 +25,8 @@
 #define AUTH_FAILURE_LEVEL 2
 #define AUTH_SUCCESS_LEVEL 3
 #define AUTHZ_SUCCESS_LEVEL 4
+#define KDC_AUTHZ_FAILURE_LEVEL 2
+#define KDC_AUTHZ_SUCCESS_LEVEL 3
 
 /* 5 is used for both authentication and authorization */
 #define AUTH_ANONYMOUS_LEVEL 5
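Review bot: KDC_AUTHZ_FAILURE_LEVEL (2) and KDC_AUTHZ_SUCCESS_LEVEL (3) mirror the Authentication levels rather than AUTHZ_SUCCESS_LEVEL (4), so a successful 'KDC Authorization' logs at a lower (more visible) level than a successful 'Authorization'. If that is intended, because a TGS-REQ outcome is closer in significance to an authentication result, a one-line comment beside the two new defines stating so would stop a later reader from "correcting" it to 4.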
@@ -32,6 +34,7 @@
 
 #define AUTHZ_JSON_TYPE "Authorization"
 #define AUTH_JSON_TYPE  "Authentication"
+#define KDC_AUTHZ_JSON_TYPE "KDC Authorization"
 
 /*
  * JSON message version numbers
@@ -44,6 +47,8 @@
 #define AUTH_MINOR 2
 #define AUTHZ_MAJOR 1
 #define AUTHZ_MINOR 1
+#define KDC_AUTHZ_MAJOR 1
+#define KDC_AUTHZ_MINOR 0
 
 #include "includes.h"
 #include "../lib/tsocket/tsocket.h"
@@ -461,6 +466,128 @@ failure:
 	DBG_ERR("Unable to log Authentication event JSON audit message\n");
 }
 
+/*
+ * Log details of an authorization to a service, in a machine parsable json
+ * format
+ *
+ * IF removing or changing the format/meaning of a field please update the
+ *    major version number KDC_AUTHZ_MAJOR
+ *
+ * IF adding a new field please update the minor version number KDC_AUTHZ_MINOR
+ *
+ *  To process the resulting log lines from the command line use jq to
+ *  parse the json.
+ *
+ *  grep "^  {" log_file |\
+ *  jq -rc '"\(.timestamp)\t
+ *           \(."KDC Authorization".domain)\t
+ *           \(."KDC Authorization".account)\t
+ *           \(."KDC Authorization".remoteAddress)"'
+ *
+ */
+static void log_authz_event_json(
+	struct imessaging_context *msg_ctx,
+	struct loadparm_context *lp_ctx,
+	const struct tsocket_address *remote,
+	const struct tsocket_address *local,
+	const char *service_description,
+	const char *auth_type,
+	const char *domain_name,
+	const char *account_name,
+	const struct dom_sid *sid,
+	const char *logon_server,
+	const struct timeval authtime,
+	NTSTATUS status,
+	int debug_level)
+{
+	struct json_object wrapper = json_empty_object;
+	struct json_object authorization = json_empty_object;
+	int rc = 0;
+
+	authorization = json_new_object();
+	if (json_is_invalid(&authorization)) {
+		goto failure;
+	}
+	rc = json_add_version(&authorization, KDC_AUTHZ_MAJOR, KDC_AUTHZ_MINOR);
+	if (rc != 0) {
+		goto failure;
+	}
+	rc = json_add_string(&authorization, "status", nt_errstr(status));
+	if (rc != 0) {
+		goto failure;
+	}
+	rc = json_add_address(&authorization, "localAddress", local);
+	if (rc != 0) {
+		goto failure;
+	}
+	rc = json_add_address(&authorization, "remoteAddress", remote);
+	if (rc != 0) {
+		goto failure;
+	}
+	rc = json_add_string(
+	    &authorization, "serviceDescription", service_description);
+	if (rc != 0) {
+		goto failure;
+	}
+	rc = json_add_string(&authorization, "authType", auth_type);
+	if (rc != 0) {
+		goto failure;
+	}
+	rc = json_add_string(&authorization, "domain", domain_name);
+	if (rc != 0) {
+		goto failure;
+	}
+	rc = json_add_string(&authorization, "account", account_name);
+	if (rc != 0) {
+		goto failure;
+	}
+	rc = json_add_sid(&authorization, "sid", sid);
+	if (rc != 0) {
+		goto failure;
+	}
+	rc = json_add_string(&authorization, "logonServer", logon_server);
+	if (rc != 0) {
+		goto failure;
+	}
+	rc = json_add_time(&authorization, "authTime", authtime);
+	if (rc != 0) {
+		goto failure;
+	}
+
+	wrapper = json_new_object();
+	if (json_is_invalid(&wrapper)) {
+		goto failure;
+	}
+	rc = json_add_timestamp(&wrapper);
+	if (rc != 0) {
+		goto failure;
+	}
+	rc = json_add_string(&wrapper, "type", KDC_AUTHZ_JSON_TYPE);
+	if (rc != 0) {
+		goto failure;
+	}
+	rc = json_add_object(&wrapper, KDC_AUTHZ_JSON_TYPE, &authorization);
+	if (rc != 0) {
+		goto failure;
+	}
+
+	log_json(msg_ctx,
+		 lp_ctx,
+		 &wrapper,
+		 DBGC_AUTH_AUDIT_JSON,
+		 debug_level);
+	json_free(&wrapper);
+	return;
+failure:
+	/*
+	 * On a failure authorization will not have been added to wrapper so it
+	 * needs to be freed to avoid a leak.
+	 */
+	json_free(&authorization);
+	json_free(&wrapper);
+	DBG_ERR("Unable to log KDC Authorization event JSON audit message\n");
+}
+
 #else
 
 static void log_no_json(struct imessaging_context *msg_ctx,
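Review bot: log_authz_event_json duplicates the field-adding sequence of the existing log_successful_authz_event_json almost line for line, differing only in the type string, the version macros and the "status" field; factoring the shared part into one helper that takes the JSON type and major/minor version would keep the two formats from drifting apart the next time a field is added. The failure path is correct as written: every goto failure is reachable only before json_add_object(&wrapper, ...) hands authorization to wrapper, which the comment at the label explains, so no double free occurs.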
@@ -512,6 +639,24 @@ static void log_successful_authz_event_json(
 	log_no_json(msg_ctx, lp_ctx);
 }
 
+static void log_authz_event_json(
+	struct imessaging_context *msg_ctx,
+	struct loadparm_context *lp_ctx,
+	const struct tsocket_address *remote,
+	const struct tsocket_address *local,
+	const char *service_description,
+	const char *auth_type,
+	const char *domain_name,
+	const char *account_name,
+	const struct dom_sid *sid,
+	const char *logon_server,
+	const struct timeval authtime,
+	NTSTATUS status,
+	int debug_level)
+{
+	log_no_json(msg_ctx, lp_ctx);
+}
+
 #endif
 
 /*
@@ -802,3 +947,47 @@ void log_successful_authz_event(
 						debug_level);
 	}
 }
+
+/*
+ * Log details of an authorization to a service.
+ *
+ * NOTE: msg_ctx and lp_ctx are optional, but when supplied, allow streaming the
+ * authorization events over the message bus.
+ */
+void log_authz_event(
+	struct imessaging_context *msg_ctx,
+	struct loadparm_context *lp_ctx,
+	const struct tsocket_address *remote,
+	const struct tsocket_address *local,
+	const char *service_description,
+	const char *auth_type,
+	const char *domain_name,
+	const char *account_name,
+	const struct dom_sid *sid,
+	const char *logon_server,
+	const struct timeval authtime,
+	NTSTATUS status)
+{
+	/* set the log level */
+	int debug_level = KDC_AUTHZ_FAILURE_LEVEL;
+
+	if (NT_STATUS_IS_OK(status)) {
+		debug_level = KDC_AUTHZ_SUCCESS_LEVEL;
+	}
+
+	if (CHECK_DEBUGLVLC(DBGC_AUTH_AUDIT_JSON, debug_level) ||
+	    (msg_ctx && lp_ctx && lpcfg_auth_event_notification(lp_ctx))) {
+		log_authz_event_json(msg_ctx, lp_ctx,
+				     remote,
+				     local,
+				     service_description,
+				     auth_type,
+				     domain_name,
+				     account_name,
+				     sid,
+				     logon_server,
+				     authtime,
+				     status,
+				     debug_level);
+	}
+}
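Review bot: the public name log_authz_event reads as the general authorization logger next to log_successful_authz_event, but it only ever emits the new "KDC Authorization" type; a name such as log_kdc_authz_event, and a mention of the KDC in the doc comment, would make the distinction obvious at the call sites in hdb-samba4.c. The guard `msg_ctx && lp_ctx && lpcfg_auth_event_notification(lp_ctx)` correctly honours the "optional" promise in the comment, since lp_ctx is only dereferenced when both are non-NULL.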
diff --git a/auth/authn_policy.c b/auth/authn_policy.c
new file mode 100644
index 00000000000..5929c005677
--- /dev/null
+++ b/auth/authn_policy.c
@@ -0,0 +1,198 @@
+/*
+   Unix SMB/CIFS implementation.
+   Samba Active Directory authentication policy functions
+
+   Copyright (C) Catalyst.Net Ltd 2023
+
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; either version 3 of the License, or
+   (at your option) any later version.
+
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+
+   You should have received a copy of the GNU General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "lib/replace/replace.h"
+#include "auth/authn_policy.h"
+#include "auth/authn_policy_impl.h"
+
+bool authn_policy_is_enforced(const struct authn_policy *policy)
+{
+	return policy->enforced;
+}
+
+/* Authentication policies for Kerberos clients. */
+
+/* Is an authentication policy enforced? */
+bool authn_kerberos_client_policy_is_enforced(const struct authn_kerberos_client_policy *policy)
+{
+	return authn_policy_is_enforced(&policy->policy);
+}
+
+/* Get the raw TGT lifetime enforced by an authentication policy. */
+int64_t authn_policy_enforced_tgt_lifetime_raw(const struct authn_kerberos_client_policy *policy)
+{
+	if (policy == NULL) {
+		return 0;
+	}
+
+	if (!authn_policy_is_enforced(&policy->policy)) {
+		return 0;
+	}
+
+	return policy->tgt_lifetime_raw;
+}
+
+/* Auditing information. */
+
+enum auth_event_id_type authn_audit_info_event_id(const struct authn_audit_info *audit_info)
+{
+	bool is_enforced;
+
+	if (audit_info->event == AUTHN_AUDIT_EVENT_OK) {
+		/* We didn’t get an error. */
+		return AUTH_EVT_ID_NONE;
+	}
+
+	if (audit_info->policy == NULL) {
+		/*
+		 * We got an error, but there’s no policy, so it must have
+		 * stemmed from something else.
+		 */
+		return AUTH_EVT_ID_NONE;
+	}
+
+	is_enforced = authn_policy_is_enforced(audit_info->policy);
+
+	switch (audit_info->event) {
+	case AUTHN_AUDIT_EVENT_KERBEROS_DEVICE_RESTRICTION:
+		if (is_enforced) {
+			return AUTH_EVT_ID_KERBEROS_DEVICE_RESTRICTION;
+		}
+
+		return AUTH_EVT_ID_KERBEROS_DEVICE_RESTRICTION_AUDIT;
+
+	case AUTHN_AUDIT_EVENT_KERBEROS_SERVER_RESTRICTION:
+		if (is_enforced) {
+			return AUTH_EVT_ID_KERBEROS_SERVER_RESTRICTION;
+		}
+
+		return AUTH_EVT_ID_KERBEROS_SERVER_RESTRICTION_AUDIT;
+
+	case AUTHN_AUDIT_EVENT_NTLM_DEVICE_RESTRICTION:
+		if (is_enforced) {
+			return AUTH_EVT_ID_NTLM_DEVICE_RESTRICTION;
+		}
+
+		/* No relevant event ID. */
+		break;
+
+	case AUTHN_AUDIT_EVENT_NTLM_SERVER_RESTRICTION:
+	case AUTHN_AUDIT_EVENT_OTHER_ERROR:
+	default:
+		/* No relevant event ID. */
+		break;
+	}
+
+	return AUTH_EVT_ID_NONE;
+}
+
+const char *authn_audit_info_silo_name(const struct authn_audit_info *audit_info)
+{
+	if (audit_info->policy == NULL) {
+		return NULL;
+	}
+
+	return audit_info->policy->silo_name;
+}
+
+const char *authn_audit_info_policy_name(const struct authn_audit_info *audit_info)
+{
+	if (audit_info->policy == NULL) {
+		return NULL;
+	}
+
+	return audit_info->policy->policy_name;
+}
+
+const bool *authn_audit_info_policy_enforced(const struct authn_audit_info *audit_info)
+{
+	if (audit_info->policy == NULL) {
+		return NULL;
+	}
+
+	return &audit_info->policy->enforced;
+}
+
+const struct auth_user_info_dc *authn_audit_info_client_info(const struct authn_audit_info *audit_info)
+{
+	return audit_info->client_info;
+}
+
+const char *authn_audit_info_event(const struct authn_audit_info *audit_info)
+{
+	switch (audit_info->event) {
+	case AUTHN_AUDIT_EVENT_OK:
+		return "OK";
+	case AUTHN_AUDIT_EVENT_KERBEROS_DEVICE_RESTRICTION:
+		return "KERBEROS_DEVICE_RESTRICTION";
+	case AUTHN_AUDIT_EVENT_KERBEROS_SERVER_RESTRICTION:
+		return "KERBEROS_SERVER_RESTRICTION";
+	case AUTHN_AUDIT_EVENT_NTLM_DEVICE_RESTRICTION:
+		return "NTLM_DEVICE_RESTRICTION";
+	case AUTHN_AUDIT_EVENT_NTLM_SERVER_RESTRICTION:
+		return "NTLM_SERVER_RESTRICTION";
+	case AUTHN_AUDIT_EVENT_OTHER_ERROR:
+	default:
+		return "OTHER_ERROR";
+	}
+}
+
+const char *authn_audit_info_reason(const struct authn_audit_info *audit_info)
+{
+	switch (audit_info->reason) {
+	case AUTHN_AUDIT_REASON_DESCRIPTOR_INVALID:
+		return "DESCRIPTOR_INVALID";
+	case AUTHN_AUDIT_REASON_DESCRIPTOR_NO_OWNER:
+		return "DESCRIPTOR_NO_OWNER";
+	case AUTHN_AUDIT_REASON_SECURITY_TOKEN_FAILURE:
+		return "SECURITY_TOKEN_FAILURE";
+	case AUTHN_AUDIT_REASON_ACCESS_DENIED:
+		return "ACCESS_DENIED";
+	case AUTHN_AUDIT_REASON_FAST_REQUIRED:
+		return "FAST_REQUIRED";
+	case AUTHN_AUDIT_REASON_NONE:
+	default:
+		return NULL;
+	}
+}
+
+NTSTATUS authn_audit_info_policy_status(const struct authn_audit_info *audit_info)
+{
+	return audit_info->policy_status;
+}
+
+const char *authn_audit_info_location(const struct authn_audit_info *audit_info)
+{
+	return audit_info->location;
+}
+
+struct authn_int64_optional authn_audit_info_policy_tgt_lifetime_mins(const struct authn_audit_info *audit_info)
+{
+	int64_t lifetime;
+
+	if (!audit_info->tgt_lifetime_raw.is_present) {
+		return authn_int64_none();
+	}
+
+	lifetime = audit_info->tgt_lifetime_raw.val;
+	lifetime /= INT64_C(1000) * 1000 * 10 * 60;
+
+	return authn_int64_some(lifetime);
+}
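Review bot: authn_audit_info_policy_tgt_lifetime_mins divides by the bare expression `INT64_C(1000) * 1000 * 10 * 60`; a named constant for the number of 100-nanosecond intervals per minute would document the unit conversion from tgt_lifetime_raw, and the truncating division silently drops any partial minute, which deserves a comment so that a logged value of 0 for a sub-minute lifetime is not read as "no lifetime". Separately, authn_policy_enforced_tgt_lifetime_raw returns 0 for a NULL policy, for a policy that is not enforced and for a genuinely zero lifetime alike; stating in its comment that 0 means "no enforced lifetime" would keep callers from treating it as a real duration.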
diff --git a/auth/authn_policy.h b/auth/authn_policy.h
new file mode 100644
index 00000000000..f2142feac92
--- /dev/null
+++ b/auth/authn_policy.h
@@ -0,0 +1,87 @@
+/*
+   Unix SMB/CIFS implementation.
+   Samba Active Directory authentication policy functions
+
+   Copyright (C) Catalyst.Net Ltd 2023
+
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; either version 3 of the License, or
+   (at your option) any later version.
+
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+
+   You should have received a copy of the GNU General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#ifndef KDC_AUTHN_POLICY_H
+#define KDC_AUTHN_POLICY_H
+
+#include "lib/replace/replace.h"
+#include "libcli/util/ntstatus.h"
+#include "librpc/gen_ndr/windows_event_ids.h"
+
+/* Authentication policies for Kerberos clients. */
+
+struct authn_kerberos_client_policy;
+
+/* Is an authentication policy enforced? */
+bool authn_kerberos_client_policy_is_enforced(const struct authn_kerberos_client_policy *policy);
+
+/* Get the raw TGT lifetime enforced by an authentication policy. */
+int64_t authn_policy_enforced_tgt_lifetime_raw(const struct authn_kerberos_client_policy *policy);
+
+/* Auditing information. */
+
+struct authn_audit_info;
+
+/* This enum should be kept in sync with authn_audit_info_event(). */
+enum authn_audit_event {
+	AUTHN_AUDIT_EVENT_OK = 0,
+	AUTHN_AUDIT_EVENT_KERBEROS_DEVICE_RESTRICTION,
+	AUTHN_AUDIT_EVENT_KERBEROS_SERVER_RESTRICTION,
+	AUTHN_AUDIT_EVENT_NTLM_DEVICE_RESTRICTION,
+	AUTHN_AUDIT_EVENT_NTLM_SERVER_RESTRICTION,
+	AUTHN_AUDIT_EVENT_OTHER_ERROR,
+};
+
+/* This enum should be kept in sync with authn_audit_info_reason(). */
+enum authn_audit_reason {
+	AUTHN_AUDIT_REASON_NONE = 0,
+	AUTHN_AUDIT_REASON_DESCRIPTOR_INVALID,
+	AUTHN_AUDIT_REASON_DESCRIPTOR_NO_OWNER,
+	AUTHN_AUDIT_REASON_SECURITY_TOKEN_FAILURE,
+	AUTHN_AUDIT_REASON_ACCESS_DENIED,
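Review bot: the include guard is still KDC_AUTHN_POLICY_H although this series moves the header from source4/kdc/ to auth/; renaming it to match the new location (for example AUTH_AUTHN_POLICY_H) avoids a collision with any header left behind under the KDC and matches the commit's intent of making the code usable without the AD DC.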


-- 
Samba Shared Repository
