[SCM] Samba Shared Repository - branch master updated
Andrew Bartlett
abartlet at samba.org
Mon Jun 26 00:27:02 UTC 2023
The branch, master has been updated
via ecff09d75df Align samba_kdc_update_pac() prototype in pac-glue.h with the implementation in pac-glue.c
via b1006c773be s4:kdc: Use talloc_get_type_abort()
via ad1234d5ee8 s4:kdc: Create a temporary talloc context on which to allocate
via cf139d14218 s4:kdc: Return NTSTATUS and auditing information from samba_kdc_update_pac() to be logged
via d0d52262f78 s4:kdc: Flip sense of condition
via f49ebef0035 s4:kdc: Unify common code paths
via 6bb7aad1631 s4:kdc: Use samba_kdc_obtain_user_info_dc() for !client_pac_is_trusted case
via 7485638e026 s4:kdc: Move adding compounded authentication SID out of samba_kdc_obtain_user_info_dc()
via 6be1a397dac s4:kdc: Have samba_kdc_update_pac_blob() do less
via e6c44222409 s4:kdc: Remove unused PAC_SIGNATURE_DATA parameters
via 8c107763980 s4:kdc: Log errors in samba_kdc_update_pac_blob()
via ea007ef7188 s4:kdc: Have samba_kdc_update_pac_blob() return krb5_error_code
via baf03e3f114 s4:kdc: Add singular out path to samba_kdc_update_pac_blob()
via d2a6c69940c s4:kdc: Make krb5_principal parameters const
via f857967427f s4:kdc: Add helper function to determine whether a device is allowed to authenticate
via 071ad174d92 s4:kdc: Add helper function to determine whether authentication to a server is allowed
via af95ec0b3fb s4:kdc: Add functionality to log client and server authentication policies
via 26d7d1a5af1 s4:auth: Log authentication policies for NTLM authentication
via ad32cf0286c s4:auth: Add audit info parameters to check_password_recv()
via 66841384751 s4:auth: Set ‘authoritative’ even if there is an error
via ca9d27ae99d auth: Add functionality to log client and server policy information
via f9c55b84ef1 lib:audit_logging: Add function to return the JSON null object
via b11ad8b1376 python:tests: Fix typos
via 78186805314 netcmd: domain: Fix typo
via 7748e6857c4 tests/krb5: Test authentication policy audit logging
via b0d20ce56c2 tests/krb5: Test more authentication logging of TGT lifetimes
via a5770669e1a tests/krb5: Improve authentication policy creation
via 0cfa7f6cff9 netcmd: domain: add error handling to domain claims commands
via 76ca95db6bc netcmd: domain: add error handling to domain auth commands
via ca4e36d17a8 netcmd: domain: add model exceptions and error handling
via b00761da1d1 netcmd: domain: model stores ldb message for save
via d7b04685680 netcmd: domain: man page updates for auth silo and policy cli
via a9944ba860a netcmd: domain: silo member command tests
via 3a579eab8bb netcmd: domain: model field tests
via 83112842245 netcmd: domain: silo member add and remove does not write whole list
via 705e65c16e8 netcmd: domain: remove parse_guid and parse_text as they are no longer used
via daac480eb74 netcmd: domain: claims: base class is no longer required
via bb0ab7b2410 netcmd: domain: claims: move claim value type lookup by attribute to model
via 61ee26ade98 netcmd: domain: claims: make use of AttributeSchema and ClassSchema models
via 44aaba8a82d netcmd: domain: add models for ClassSchema and AttributeSchema
via 3ecea860aaf netcmd: auth silos: remove base class
via d070a605bb0 netcmd: domain: add test for silo if policy is a dn
via df5e6045fa1 netcmd: move get_policy method from base class to the model
via 2842ed824ae netcmd: move method print_json to command base class
via 15440c6d6bf netcmd: fix import sort/grouping as per python standard
via 3da5be0b8f8 netcmd: move ldb_connect method to base class
via d558b20ed10 netcmd: PEP257 fix incorrect docstring quotes
via b6fda29fc7a netcmd: domain: claims: use consistent naming for options
via b3fac344a35 netcmd: domain: claim commands use the model layer
via 40da71fe9cf netcmd: domain: fix claims constant name was wrong should be claim type CN
via 7e9d8072016 netcmd: domain: fix attributes created by test setUp method
via 9911a81cc21 netcmd: domain: claim: show err if assertIsNone fails
via 6056566a18d netcmd: domain: rename claim tests for consistency
via 35d04e2463f netcmd: domain: tests for auth silo command line tools
via 3df634e7527 netcmd: domain: add authentication silo commands
via 3a0160ae943 netcmd: add domain models and basic model layer
via d01cd64da23 netcmd: add custom json encoder for object type fields
via 1a5184e404d netcmd: add optparse validators and Range validator
from 9f5216912e0 vfs_gpfs: Move call to load GPFS library
https://git.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit ecff09d75df52df8bd062e55e75d42d76e25d66e
Author: Andrew Bartlett <abartlet at samba.org>
Date: Mon Jun 26 11:03:14 2023 +1200
Align samba_kdc_update_pac() prototype in pac-glue.h with the implementation in pac-glue.c
Commit 6bd3b4528d4b33c8f7ae6341d166bea3a06cd971 diverged the const
declarations in the header, this brings them back in alignment as
is Samba's normal practice.
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
Autobuild-Date(master): Mon Jun 26 00:26:37 UTC 2023 on atb-devel-224
commit b1006c773be1d28a15eeab37c7e49675d3a1dedd
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Fri Jun 16 15:02:35 2023 +1200
s4:kdc: Use talloc_get_type_abort()
We subsequently dereference the result without performing a NULL check.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit ad1234d5ee80d157573681a0d60fc2a7a399c5ae
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Fri Jun 16 15:00:29 2023 +1200
s4:kdc: Create a temporary talloc context on which to allocate
‘client->context’ is too long-lived to use for allocating short-term
data.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit cf139d14218ab1423949fbc952ae056943858dc8
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Fri Jun 16 14:49:11 2023 +1200
s4:kdc: Return NTSTATUS and auditing information from samba_kdc_update_pac() to be logged
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit d0d52262f781b8acddc4f50e09e2daa1198b8a3e
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Fri Jun 16 14:32:09 2023 +1200
s4:kdc: Flip sense of condition
A negative condition incurs more cognitive load.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit f49ebef003587a89e7ce1698c53bc53243ff2d53
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Fri Jun 16 14:30:00 2023 +1200
s4:kdc: Unify common code paths
Perhaps view with ‘git show -b’.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 6bb7aad16316d3f55b9af30a69b2d6b27f34e262
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Fri Jun 16 14:04:43 2023 +1200
s4:kdc: Use samba_kdc_obtain_user_info_dc() for !client_pac_is_trusted case
This will help to reduce code duplication and the number of branching
code paths.
View with ‘git show -b’.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 7485638e0266a9a46c4ceb719a0a38abe5c8cd81
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Fri Jun 16 13:40:20 2023 +1200
s4:kdc: Move adding compounded authentication SID out of samba_kdc_obtain_user_info_dc()
We may not always want this SID to be present. For example, to enforce
authentication policies as Windows does, we’ll want the client’s
security token without this SID.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 6be1a397dacea1e31d9c1b24a07d3e91a715fc59
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Fri Jun 16 13:13:58 2023 +1200
s4:kdc: Have samba_kdc_update_pac_blob() do less
Previously this function obtained the auth_user_info_dc structure, then
used it to update the PAC blob. Now it does only one thing: fetch the
auth_user_info_dc info and return it to the caller, who can then call
samba_get_logon_info_pac_blob().
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit e6c442224095352ff11fc936207022298a08d57d
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Fri Jun 16 13:06:24 2023 +1200
s4:kdc: Remove unused PAC_SIGNATURE_DATA parameters
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 8c10776398030c1bab32a195a3c7f5ee4c9623a3
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Fri Jun 16 13:04:17 2023 +1200
s4:kdc: Log errors in samba_kdc_update_pac_blob()
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit ea007ef718889245e923efcd29ee3560ab744961
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Fri Jun 16 12:57:38 2023 +1200
s4:kdc: Have samba_kdc_update_pac_blob() return krb5_error_code
This gives it more control over the final Kerberos error code, so that
we won’t always get ERR_GENERIC.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit baf03e3f11442b94a3c4b3ecb93847d1d4bc50ff
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Fri Jun 16 12:53:07 2023 +1200
s4:kdc: Add singular out path to samba_kdc_update_pac_blob()
This ensures that we always clean up resources.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit d2a6c69940cf28c2ea901cc0d8d8d317c32db986
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Fri Jun 16 12:17:50 2023 +1200
s4:kdc: Make krb5_principal parameters const
The ‘const’ is entirely unnecessary in a function declaration, but we
add it just to be consistent.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit f857967427f78cce6ffda117e9afab572707286d
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Fri Jun 16 11:22:28 2023 +1200
s4:kdc: Add helper function to determine whether a device is allowed to authenticate
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 071ad174d925f9114be7873f5dbf569080a4cf39
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Fri Jun 16 11:20:04 2023 +1200
s4:kdc: Add helper function to determine whether authentication to a server is allowed
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit af95ec0b3fb3fc6299b7123c8ea79f22b2ed39f8
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Fri Jun 16 11:01:04 2023 +1200
s4:kdc: Add functionality to log client and server authentication policies
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 26d7d1a5af105aa6f1bd54ef1f64c4a049487fae
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Fri Jun 16 10:40:16 2023 +1200
s4:auth: Log authentication policies for NTLM authentication
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit ad32cf0286c212bd3644b5d6a1ba4344170eeabe
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Fri Jun 16 10:21:59 2023 +1200
s4:auth: Add audit info parameters to check_password_recv()
These pointers can be set by implementing functions in order for them to
be logged in auth_check_password_recv().
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 66841384751496ce3f4c4f06179b8814b3b34d98
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Fri Jun 16 10:26:25 2023 +1200
s4:auth: Set ‘authoritative’ even if there is an error
This is consistent with all the other functions that set
‘authoritative’.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit ca9d27ae99d2a8b65ce60f49e84a498c8149ac60
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Thu Jun 15 17:07:05 2023 +1200
auth: Add functionality to log client and server policy information
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit f9c55b84ef1e02d50355921ede910f459a1d74ee
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Thu Jun 15 13:30:45 2023 +1200
lib:audit_logging: Add function to return the JSON null object
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit b11ad8b137619a73853f7d6dc5e749305149c677
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Jun 13 10:34:39 2023 +1200
python:tests: Fix typos
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 78186805314f1fab9714017c80e175eb8dbd4573
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Thu May 25 14:50:16 2023 +1200
netcmd: domain: Fix typo
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 7748e6857c4018fe20ee30c612b8723fb5cd6468
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Jun 14 16:25:16 2023 +1200
tests/krb5: Test authentication policy audit logging
For each test, we check the authentication logs and ensure the messages
are as we expect.
We only test AS-REQs and TGS-REQs with the Heimdal KDC at the moment,
assuming that MIT doesn’t support logging for those cases.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit b0d20ce56c2ed54122cb6614c9a36b7de5c8a779
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Fri Jun 16 11:40:57 2023 +1200
tests/krb5: Test more authentication logging of TGT lifetimes
It is useful to test a combination of device restrictions and TGT
lifetime restrictions so that we can check what TGT lifetime values end
up in the logs.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit a5770669e1a0f68fe2ebec4cdab22376a5d40825
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Jun 14 16:14:42 2023 +1200
tests/krb5: Improve authentication policy creation
Don’t require passing in an ID to create an authentication policy.
Instead, have create_authn_policy() generate one for us.
We now return an actual AuthenticationPolicy object rather than just a
DN. This will give the tests more details to work with about the
policies.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 0cfa7f6cff978041665d8688567077a71fb32cc6
Author: Rob van der Linde <rob at catalyst.net.nz>
Date: Fri Jun 23 12:52:58 2023 +1200
netcmd: domain: add error handling to domain claims commands
Similar to the auth commands commit prior to this.
Where we were catching LdbError before, we now catch ModelError; all
exceptions that are known and handled in the model layer will have a
user-friendly error message.
Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
commit 76ca95db6bce16d8b01a5f9b9be84e1061953060
Author: Rob van der Linde <rob at catalyst.net.nz>
Date: Fri Jun 23 12:26:38 2023 +1200
netcmd: domain: add error handling to domain auth commands
Where we were catching LdbError before, we now catch ModelError; all
exceptions that are known and handled in the model layer will have a
user-friendly error message.
Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
commit ca4e36d17a8392c6228b791b41024cf1b1db0c93
Author: Rob van der Linde <rob at catalyst.net.nz>
Date: Fri Jun 23 12:24:24 2023 +1200
netcmd: domain: add model exceptions and error handling
* Only handle what we know, otherwise raise the existing LdbError
* Custom messages added in the model layer so we don't have to do it in
the commands themselves
Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
commit b00761da1d1777943f7ab4ef99dda0866f408053
Author: Rob van der Linde <rob at catalyst.net.nz>
Date: Mon Jun 19 13:23:33 2023 +1200
netcmd: domain: model stores ldb message for save
The message is stored in self._apply, which also gets called by
self.refresh().
This is the better thing to do than fetching in save.
Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
commit d7b04685680a05137867575e85723409be5e3693
Author: Rob van der Linde <rob at catalyst.net.nz>
Date: Thu Jun 8 15:03:16 2023 +1200
netcmd: domain: man page updates for auth silo and policy cli
Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
commit a9944ba860a785a19fdb7da9af6d5c763a05498f
Author: Rob van der Linde <rob at catalyst.net.nz>
Date: Tue Jun 6 14:11:26 2023 +1200
netcmd: domain: silo member command tests
Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
commit 3a579eab8bb1f0b27be85c73ca614cdc5f7443dc
Author: Rob van der Linde <rob at catalyst.net.nz>
Date: Thu May 25 12:32:13 2023 +1200
netcmd: domain: model field tests
Add tests for model fields to ensure they behave as expected when
calling from_db_value and to_db_value methods.
Add a base class for the tests themselves via a mixin as unittest
doesn't support abstract test case classes.
For each field, from_db_value and to_db_value must either be a list or
a property that returns a list.
The list contains input values and expected values, the expected value
can also be a callback for more complex comparison, this is used for
the possible claim values xml.
It is important that singular values and list values are tested, and
also None to ensure that fields properly get unset when a model is
saved.
Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
commit 8311284224539710b89ae4557951f132620c8553
Author: Rob van der Linde <rob at catalyst.net.nz>
Date: Wed May 17 23:35:16 2023 +1200
netcmd: domain: silo member add and remove does not write whole list
Writing the whole list at once can lead to data loss if multiple
administrators are doing this at the same time.
Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
commit 705e65c16e85da6117d224c7ec26adcdedce83b9
Author: Rob van der Linde <rob at catalyst.net.nz>
Date: Wed May 17 16:27:54 2023 +1200
netcmd: domain: remove parse_guid and parse_text as they are no longer used
Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
commit daac480eb74de8cfc033fcc9eaf8f5d7577ccf09
Author: Rob van der Linde <rob at catalyst.net.nz>
Date: Wed May 17 11:13:33 2023 +1200
netcmd: domain: claims: base class is no longer required
base.py has been removed, as this has all been moved to the model layer
and the auth commands' ldb is now just a local variable.
Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
commit bb0ab7b24105a3339771193cf0676164bb3a6bab
Author: Rob van der Linde <rob at catalyst.net.nz>
Date: Wed May 17 10:56:02 2023 +1200
netcmd: domain: claims: move claim value type lookup by attribute to model
Also, there was no need for the cached property previously in the
command, as the command only calls this once.
Fetching all value types seems excessive now with the new model layer,
we just fetch the one we need and get a model object back.
Use the method lookup, it's consistent with the rest, and raise either
LookupError or ValueError.
Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
commit 61ee26ade98514788eea8c7f3e2e576d657fe929
Author: Rob van der Linde <rob at catalyst.net.nz>
Date: Wed May 17 09:50:13 2023 +1200
netcmd: domain: claims: make use of AttributeSchema and ClassSchema models
Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
commit 44aaba8a82dccf4034635229395491c0859da375
Author: Rob van der Linde <rob at catalyst.net.nz>
Date: Wed May 17 09:46:45 2023 +1200
netcmd: domain: add models for ClassSchema and AttributeSchema
Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
commit 3ecea860aaf8f0e7cac2100a605e915973481b3f
Author: Rob van der Linde <rob at catalyst.net.nz>
Date: Tue May 16 15:28:04 2023 +1200
netcmd: auth silos: remove base class
There is no point to the base class anymore.
And since the model layer has dramatically simplified the code in the
commands, ldb can just be a local variable.
Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
commit d070a605bb0bbcb0ee49ed44192588151b104d9c
Author: Rob van der Linde <rob at catalyst.net.nz>
Date: Tue Jun 6 16:26:37 2023 +1200
netcmd: domain: add test for silo if policy is a dn
Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
commit df5e6045fa1c0ee2225fc76d7ff83dee57c2576e
Author: Rob van der Linde <rob at catalyst.net.nz>
Date: Tue May 16 15:12:14 2023 +1200
netcmd: move get_policy method from base class to the model
There isn't much left of the base class, the next thing is to remove
it.
Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
commit 2842ed824ae41aa96673bcbebd309b90813d1ef2
Author: Rob van der Linde <rob at catalyst.net.nz>
Date: Tue May 16 14:35:41 2023 +1200
netcmd: move method print_json to command base class
This is used in quite a few commands, move to base class.
This ensures the correct encoder class and settings are always used,
and they are only defined in one place.
Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
commit 15440c6d6bfd23cd4756511ec3abb891f3d7f8a3
Author: Rob van der Linde <rob at catalyst.net.nz>
Date: Tue May 16 14:24:27 2023 +1200
netcmd: fix import sort/grouping as per python standard
Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
commit 3da5be0b8f8ddbac05d58871f08448c3c4dc27b8
Author: Rob van der Linde <rob at catalyst.net.nz>
Date: Tue May 16 13:54:59 2023 +1200
netcmd: move ldb_connect method to base class
This method is needed by just about every command and moving it here
is another step towards eliminating the base classes in domain/auth
and domain/claim.
The base classes are almost empty now, since introducing the model
layer. The next step is to get rid of these base classes completely.
Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
commit d558b20ed10a1d7f07fcc861e0db5635998ba455
Author: Rob van der Linde <rob at catalyst.net.nz>
Date: Tue May 16 13:39:12 2023 +1200
netcmd: PEP257 fix incorrect docstring quotes
Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
commit b6fda29fc7a4d34606522759bc1bf77d3a77d90e
Author: Rob van der Linde <rob at catalyst.net.nz>
Date: Tue May 16 12:56:09 2023 +1200
netcmd: domain: claims: use consistent naming for options
The name of the option should be the same as the attribute name.
You can still tell where it's being used (display_name), especially
now with the model layer:
ClaimType.get(ldb, display_name=name)
The silo commands tend to use the `cn` field, while the claims
commands use the `displayName` field, but the option is always called
`name` for consistency.
Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
commit b3fac344a35dc9a66c434ee610c0cee2815d8500
Author: Rob van der Linde <rob at catalyst.net.nz>
Date: Tue May 16 12:52:04 2023 +1200
netcmd: domain: claim commands use the model layer
This makes it consistent with the auth silo code, both should now make
use of the models.
Claims commands are now using the model layer with one exception and
that is the get_attribute_from_schema and get_class_from_schema
methods in the base class.
These will be made into models in another commit.
Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
commit 40da71fe9cf8832361bab6cfd31ba2f163478722
Author: Rob van der Linde <rob at catalyst.net.nz>
Date: Thu May 25 14:43:19 2023 +1200
netcmd: domain: fix claims constant name was wrong should be claim type CN
Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
commit 7e9d807201637b1ac898f44ef3220f2feb5ac51d
Author: Rob van der Linde <rob at catalyst.net.nz>
Date: Tue May 16 12:33:50 2023 +1200
netcmd: domain: fix attributes created by test setUp method
Discovered this while converting the claims cli commands to use the
models; some tests failed.
The reason for this was that they relied on the attributes in the list
ATTRIBUTES to exist.
However, then we have to also prefix the attributes we create in the
test_claim_type_create test.
Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
commit 9911a81cc21c928825ade11723977a139b80432b
Author: Rob van der Linde <rob at catalyst.net.nz>
Date: Tue May 16 12:30:40 2023 +1200
netcmd: domain: claim: show err if assertIsNone fails
Other tests do this too; this is very useful if things fail.
Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
commit 6056566a18d819bf4eebe66a256515a75ae38ce6
Author: Rob van der Linde <rob at catalyst.net.nz>
Date: Tue May 16 12:27:41 2023 +1200
netcmd: domain: rename claim tests for consistency
The domain_auth tests are also prefixed with domain, it matches the
cli command "samba-tool domain claim".
Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
commit 35d04e2463f05ee0067b288774dd6238f12935ed
Author: Rob van der Linde <rob at catalyst.net.nz>
Date: Tue May 16 12:22:25 2023 +1200
netcmd: domain: tests for auth silo command line tools
Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
commit 3df634e7527c2e0f9c71d62afc7a48300b7bd388
Author: Rob van der Linde <rob at catalyst.net.nz>
Date: Tue May 16 12:15:06 2023 +1200
netcmd: domain: add authentication silo commands
Authentication policies:
* samba-tool domain auth policy list
* samba-tool domain auth policy view
* samba-tool domain auth policy create
* samba-tool domain auth policy modify
* samba-tool domain auth policy delete
Authentication silos:
* samba-tool domain auth silo list
* samba-tool domain auth silo view
* samba-tool domain auth silo create
* samba-tool domain auth silo modify
* samba-tool domain auth silo delete
Authentication silo members:
* samba-tool domain auth silo member list
* samba-tool domain auth silo member add
* samba-tool domain auth silo member remove
Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
commit 3a0160ae94301c9931ee25eb7a87cf77cd588f33
Author: Rob van der Linde <rob at catalyst.net.nz>
Date: Tue May 16 12:09:39 2023 +1200
netcmd: add domain models and basic model layer
The ORM is somewhat inspired by Django, but it has some key
differences that make it work better with the Ldb database.
A field can be a singular value or a list, so a BooleanField can
either be True, or [True, False, True], or None.
The only thing that many=True does is say that the field "prefers" to
be a list, but really any field can be a list. For example when
creating a new object, it initialises the field as an empty list
rather than None if many=True.
When saving an object, if it is an update operation, only write the
fields that have actually changed.
When updating an object, any fields that are unset (set to None, or an
empty list) will be treated as a REMOVE operation.
Note that silo members should not be saved this way, writing the whole
list can lead to data loss if multiple admins are saving the silo at
the same time. Silo members will need to be handled differently, just
removing one member but not writing the whole list.
Unlike Django, there is no .objects class, instead there are a bunch
of static methods for querying:
* Model.get
* Model.query
* Model.create
* Model.get_or_create
Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
commit d01cd64da23bb092c63ef7a2ff57d83c6b4e76e8
Author: Rob van der Linde <rob at catalyst.net.nz>
Date: Tue May 16 12:00:56 2023 +1200
netcmd: add custom json encoder for object type fields
The custom JSONEncoder class is also capable of encoding Dn objects to
str, and any object that has a __json__ method.
The __json__ method is not an official dunder method, but this has
been used by other frameworks too (like Pyramid).
Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
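Added example, not the encoder class in Samba's netcmd/encoders.py: a json.JSONEncoder subclass that serialises any object with a __json__() method and renders DN objects as strings. ldb.Dn is replaced by a constructed stand-in class here, since the real one needs samba.ldb; the Silo toy object is likewise an assumption for the illustration.

```python
"""Added example, not Samba's netcmd/encoders.py. The Dn and Silo classes
are stand-ins constructed for the illustration."""
import json


class Dn:
    """Stand-in for ldb.Dn: the encoder only needs str()."""
    def __init__(self, text):
        self.text = text

    def __str__(self):
        return self.text


class JSONEncoder(json.JSONEncoder):
    """json.dumps() calls default() only for values it cannot encode itself."""
    def default(self, obj):
        if hasattr(obj, "__json__"):          # objects describe themselves
            return obj.__json__()
        if isinstance(obj, Dn):               # DNs serialise as their string form
            return str(obj)
        return super().default(obj)           # anything else: TypeError, as before


class Silo:
    """Toy model object using the informal __json__ protocol."""
    def __init__(self, dn, members):
        self.dn, self.members = dn, members

    def __json__(self):
        # Return plain containers; nested Dn values are encoded by default()
        # when json.dumps() recurses into this dict.
        return {"dn": self.dn, "members": self.members}


def to_json(obj):
    return json.dumps(obj, cls=JSONEncoder, sort_keys=True)
```

Because default() is only consulted for values the standard encoder rejects, the order of the checks matters: an object that both has __json__ and is a Dn would be serialised via __json__, and anything unhandled still raises TypeError rather than being silently stringified.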
commit 1a5184e404d602e389b96535e792fc77314f1fd4
Author: Rob van der Linde <rob at catalyst.net.nz>
Date: Tue May 16 11:47:45 2023 +1200
netcmd: add optparse validators and Range validator
Add the ability to add validators to optparse Option fields.
The Option class was already subclassed in `netcmd/__init__.py` so
adding some functionality to this was relatively easy.
Added the ability to add Validator classes to a field so that this can
be used for anything else in the future, but for now there is a Range
validator required by upcoming auto silo commands.
Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
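One way to attach validators to an optparse `Option` subclass and implement a `Range` validator, as an added example that is not the `netcmd/validators.py` from the commit: the `validators=` keyword, the `Validator`/`Range` classes and the `--user-tgt-lifetime` bounds used in `parse_args()` are assumptions for illustration.

```python
import optparse


class ValidationError(Exception):
    """Raised by a validator; the parser turns it into a usage error."""


class Validator:
    """Base class: subclasses check a value and raise ValidationError."""

    def __call__(self, field, value):
        raise NotImplementedError


class Range(Validator):
    """Accept only min <= value <= max (either bound may be omitted)."""

    def __init__(self, min=None, max=None):
        self.min, self.max = min, max

    def __call__(self, field, value):
        if self.min is not None and value < self.min:
            raise ValidationError(f"{field} must be at least {self.min}")
        if self.max is not None and value > self.max:
            raise ValidationError(f"{field} must be at most {self.max}")


class Option(optparse.Option):
    """optparse Option that accepts a validators=[...] keyword."""

    # Registering the attribute name lets optparse accept the keyword
    # and default it to None when it is not given.
    ATTRS = optparse.Option.ATTRS + ["validators"]

    def check_value(self, opt, value):
        # optparse's own type conversion (e.g. "240" -> 240) runs first,
        # then every validator sees the converted value.
        value = super().check_value(opt, value)
        for validator in self.validators or []:
            try:
                validator(opt, value)
            except ValidationError as err:
                raise optparse.OptionValueError(str(err))
        return value


class Parser(optparse.OptionParser):
    """Raise instead of exiting so callers (and tests) can handle errors."""

    def error(self, msg):
        raise ValidationError(msg)


def parse_args(argv):
    """Parse --user-tgt-lifetime with assumed bounds (not the real ones)."""
    parser = Parser(option_class=Option)
    parser.add_option("--user-tgt-lifetime", type="int",
                      validators=[Range(min=45, max=2147483647)])
    opts, _ = parser.parse_args(argv)
    return opts
```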
-----------------------------------------------------------------------
Summary of changes:
auth/auth_log.c | 98 +-
auth/common_auth.h | 10 +-
auth/gensec/gensec.c | 4 +-
docs-xml/manpages/samba-tool.8.xml | 625 +++++
lib/audit_logging/audit_logging.c | 17 +
lib/audit_logging/audit_logging.h | 1 +
python/samba/netcmd/__init__.py | 59 +-
python/samba/netcmd/domain/__init__.py | 2 +
.../netcmd/domain/{claim => auth}/__init__.py | 14 +-
python/samba/netcmd/domain/auth/policy.py | 413 +++
python/samba/netcmd/domain/auth/silo.py | 419 +++
python/samba/netcmd/domain/auth/silo_member.py | 224 ++
python/samba/netcmd/domain/claim/base.py | 181 --
python/samba/netcmd/domain/claim/claim_type.py | 293 +-
python/samba/netcmd/domain/claim/value_type.py | 63 +-
python/samba/netcmd/domain/common.py | 16 +-
.../netcmd/domain/{claim => models}/__init__.py | 22 +-
python/samba/netcmd/domain/models/auth_policy.py | 98 +
python/samba/netcmd/domain/models/auth_silo.py | 98 +
python/samba/netcmd/domain/models/claim_type.py | 58 +
.../{claim/__init__.py => models/exceptions.py} | 37 +-
python/samba/netcmd/domain/models/fields.py | 431 +++
python/samba/netcmd/domain/models/model.py | 440 +++
python/samba/netcmd/domain/models/schema.py | 124 +
python/samba/netcmd/domain/models/user.py | 54 +
python/samba/netcmd/domain/models/value_type.py | 93 +
python/samba/netcmd/encoders.py | 49 +
python/samba/netcmd/validators.py | 77 +
python/samba/tests/krb5/authn_policy_tests.py | 2906 +++++++++++++++-----
python/samba/tests/krb5/claims_tests.py | 9 +-
python/samba/tests/krb5/kdc_base_test.py | 31 +-
python/samba/tests/safe_tarfile.py | 4 +-
python/samba/tests/samba_tool/domain_auth_base.py | 216 ++
.../samba/tests/samba_tool/domain_auth_policy.py | 607 ++++
python/samba/tests/samba_tool/domain_auth_silo.py | 567 ++++
.../tests/samba_tool/{claim.py => domain_claim.py} | 78 +-
python/samba/tests/samba_tool/domain_models.py | 332 +++
selftest/knownfail.d/claims-client-tool | 2 +-
selftest/knownfail.d/silo-client-tool | 2 +
selftest/knownfail_heimdal_kdc | 55 +
source3/auth/auth.c | 8 +-
source3/auth/auth_generic.c | 4 +-
source3/rpc_server/rpc_server.c | 4 +-
source3/winbindd/winbindd_pam.c | 4 +-
source4/auth/auth.h | 2 +
source4/auth/ntlm/auth.c | 18 +-
source4/auth/ntlm/auth_anonymous.c | 5 +
source4/auth/ntlm/auth_developer.c | 7 +-
source4/auth/ntlm/auth_sam.c | 55 +-
source4/auth/ntlm/auth_simple.c | 8 +-
source4/auth/ntlm/auth_winbind.c | 4 +
source4/dsdb/samdb/ldb_modules/password_hash.c | 4 +-
source4/kdc/hdb-samba4.c | 116 +-
source4/kdc/kdc-glue.h | 8 +
source4/kdc/mit_samba.c | 8 +-
source4/kdc/pac-glue.c | 506 +++-
source4/kdc/pac-glue.h | 33 +-
source4/kdc/wdc-samba4.c | 38 +-
source4/kdc/wscript_build | 4 +-
source4/ldap_server/ldap_backend.c | 4 +-
source4/rpc_server/dcerpc_server.c | 4 +-
source4/rpc_server/netlogon/dcerpc_netlogon.c | 4 +-
source4/rpc_server/samr/samr_password.c | 4 +-
source4/selftest/tests.py | 9 +-
source4/smb_server/smb/sesssetup.c | 4 +-
65 files changed, 8282 insertions(+), 1412 deletions(-)
copy python/samba/netcmd/domain/{claim => auth}/__init__.py (73%)
create mode 100644 python/samba/netcmd/domain/auth/policy.py
create mode 100644 python/samba/netcmd/domain/auth/silo.py
create mode 100644 python/samba/netcmd/domain/auth/silo_member.py
delete mode 100644 python/samba/netcmd/domain/claim/base.py
copy python/samba/netcmd/domain/{claim => models}/__init__.py (67%)
create mode 100644 python/samba/netcmd/domain/models/auth_policy.py
create mode 100644 python/samba/netcmd/domain/models/auth_silo.py
create mode 100644 python/samba/netcmd/domain/models/claim_type.py
copy python/samba/netcmd/domain/{claim/__init__.py => models/exceptions.py} (66%)
create mode 100644 python/samba/netcmd/domain/models/fields.py
create mode 100644 python/samba/netcmd/domain/models/model.py
create mode 100644 python/samba/netcmd/domain/models/schema.py
create mode 100644 python/samba/netcmd/domain/models/user.py
create mode 100644 python/samba/netcmd/domain/models/value_type.py
create mode 100644 python/samba/netcmd/encoders.py
create mode 100644 python/samba/netcmd/validators.py
create mode 100644 python/samba/tests/samba_tool/domain_auth_base.py
create mode 100644 python/samba/tests/samba_tool/domain_auth_policy.py
create mode 100644 python/samba/tests/samba_tool/domain_auth_silo.py
rename python/samba/tests/samba_tool/{claim.py => domain_claim.py} (92%)
create mode 100644 python/samba/tests/samba_tool/domain_models.py
create mode 100644 selftest/knownfail.d/silo-client-tool
Changeset truncated at 500 lines:
diff --git a/auth/auth_log.c b/auth/auth_log.c
index 019cbe114bf..9a110fd0b48 100644
--- a/auth/auth_log.c
+++ b/auth/auth_log.c
@@ -44,9 +44,9 @@
* increment the major version.
*/
#define AUTH_MAJOR 1
-#define AUTH_MINOR 2
+#define AUTH_MINOR 3
#define AUTHZ_MAJOR 1
-#define AUTHZ_MINOR 1
+#define AUTHZ_MINOR 2
#define KDC_AUTHZ_MAJOR 1
#define KDC_AUTHZ_MINOR 0
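Review bot: the AUTH_MINOR and AUTHZ_MINOR bumps fit an additive change (the new clientPolicyAccessCheck/serverPolicyAccessCheck keys are always emitted, as JSON null when no audit info is supplied), so no major bump is needed, but the diffstat shows no documentation of the JSON log format being updated; the new keys and the version they appear in should be described wherever the auth/authz message schema is documented.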
@@ -149,11 +149,15 @@ static void log_authentication_event_json(
const char *domain_name,
const char *account_name,
struct dom_sid *sid,
+ const struct authn_audit_info *client_audit_info,
+ const struct authn_audit_info *server_audit_info,
enum event_id_type event_id,
int debug_level)
{
struct json_object wrapper = json_empty_object;
struct json_object authentication = json_empty_object;
+ struct json_object client_policy = json_null_object();
+ struct json_object server_policy = json_null_object();
char logon_id[19];
int rc = 0;
const char *clientDomain = ui->orig_client.domain_name ?
@@ -285,6 +289,30 @@ static void log_authentication_event_json(
goto failure;
}
+ if (client_audit_info != NULL) {
+ client_policy = json_from_audit_info(client_audit_info);
+ if (json_is_invalid(&client_policy)) {
+ goto failure;
+ }
+ }
+
+ rc = json_add_object(&authentication, "clientPolicyAccessCheck", &client_policy);
+ if (rc != 0) {
+ goto failure;
+ }
+
+ if (server_audit_info != NULL) {
+ server_policy = json_from_audit_info(server_audit_info);
+ if (json_is_invalid(&server_policy)) {
+ goto failure;
+ }
+ }
+
+ rc = json_add_object(&authentication, "serverPolicyAccessCheck", &server_policy);
+ if (rc != 0) {
+ goto failure;
+ }
+
wrapper = json_new_object();
if (json_is_invalid(&wrapper)) {
goto failure;
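Review bot: this client/server block is repeated verbatim in log_successful_authz_event_json and its server half again in log_authz_event_json; a small helper along the lines of `add_policy_check(&authentication, "clientPolicyAccessCheck", client_audit_info)` that builds the object (or json_null_object()) and adds it would collapse the three copies and keep the error handling in one place. The `rc = json_add_object(&authentication, "clientPolicyAccessCheck", &client_policy);` lines also run past Samba's 80-column limit; wrap the argument list.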
@@ -327,6 +355,8 @@ static void log_authentication_event_json(
json_free(&wrapper);
return;
failure:
+ json_free(&server_policy);
+ json_free(&client_policy);
/*
* On a failure authentication will not have been added to wrapper so it
* needs to be freed to avoid a leak.
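Review bot: json_free(&server_policy) and json_free(&client_policy) run on every failure, including failures that happen after the corresponding json_add_object() already succeeded (for instance when building server_policy fails after client_policy was added to `authentication`). The comment right below explains that `authentication` is freed only because it has not yet been added to `wrapper`; the same reasoning applies to the policy objects, so either confirm that json_add_object() leaves the caller's reference intact, or reset each policy object to json_empty_object immediately after a successful add so the failure path cannot release it a second time. The failure paths of log_successful_authz_event_json and log_authz_event_json below have the same shape.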
@@ -365,10 +395,14 @@ static void log_successful_authz_event_json(
const char *auth_type,
const char *transport_protection,
struct auth_session_info *session_info,
+ const struct authn_audit_info *client_audit_info,
+ const struct authn_audit_info *server_audit_info,
int debug_level)
{
struct json_object wrapper = json_empty_object;
struct json_object authorization = json_empty_object;
+ struct json_object client_policy = json_null_object();
+ struct json_object server_policy = json_null_object();
int rc = 0;
authorization = json_new_object();
@@ -431,6 +465,30 @@ static void log_successful_authz_event_json(
goto failure;
}
+ if (client_audit_info != NULL) {
+ client_policy = json_from_audit_info(client_audit_info);
+ if (json_is_invalid(&client_policy)) {
+ goto failure;
+ }
+ }
+
+ rc = json_add_object(&authorization, "clientPolicyAccessCheck", &client_policy);
+ if (rc != 0) {
+ goto failure;
+ }
+
+ if (server_audit_info != NULL) {
+ server_policy = json_from_audit_info(server_audit_info);
+ if (json_is_invalid(&server_policy)) {
+ goto failure;
+ }
+ }
+
+ rc = json_add_object(&authorization, "serverPolicyAccessCheck", &server_policy);
+ if (rc != 0) {
+ goto failure;
+ }
+
wrapper = json_new_object();
if (json_is_invalid(&wrapper)) {
goto failure;
@@ -456,6 +514,8 @@ static void log_successful_authz_event_json(
json_free(&wrapper);
return;
failure:
+ json_free(&server_policy);
+ json_free(&client_policy);
/*
* On a failure authorization will not have been added to wrapper so it
* needs to be freed to avoid a leak.
@@ -490,6 +550,7 @@ static void log_authz_event_json(
struct loadparm_context *lp_ctx,
const struct tsocket_address *remote,
const struct tsocket_address *local,
+ const struct authn_audit_info *server_audit_info,
const char *service_description,
const char *auth_type,
const char *domain_name,
@@ -502,6 +563,7 @@ static void log_authz_event_json(
{
struct json_object wrapper = json_empty_object;
struct json_object authorization = json_empty_object;
+ struct json_object server_policy = json_null_object();
int rc = 0;
authorization = json_new_object();
@@ -554,6 +616,18 @@ static void log_authz_event_json(
goto failure;
}
+ if (server_audit_info != NULL) {
+ server_policy = json_from_audit_info(server_audit_info);
+ if (json_is_invalid(&server_policy)) {
+ goto failure;
+ }
+ }
+
+ rc = json_add_object(&authorization, "serverPolicyAccessCheck", &server_policy);
+ if (rc != 0) {
+ goto failure;
+ }
+
wrapper = json_new_object();
if (json_is_invalid(&wrapper)) {
goto failure;
@@ -579,6 +653,7 @@ static void log_authz_event_json(
json_free(&wrapper);
return;
failure:
+ json_free(&server_policy);
/*
* On a failure authorization will not have been added to wrapper so it
* needs to be freed to avoid a leak.
@@ -619,6 +694,8 @@ static void log_authentication_event_json(
const char *domain_name,
const char *account_name,
struct dom_sid *sid,
+ const struct authn_audit_info *client_audit_info,
+ const struct authn_audit_info *server_audit_info,
enum event_id_type event_id,
int debug_level)
{
@@ -634,6 +711,8 @@ static void log_successful_authz_event_json(
const char *auth_type,
const char *transport_protection,
struct auth_session_info *session_info,
+ const struct authn_audit_info *client_audit_info,
+ const struct authn_audit_info *server_audit_info,
int debug_level)
{
log_no_json(msg_ctx, lp_ctx);
@@ -644,6 +723,7 @@ static void log_authz_event_json(
struct loadparm_context *lp_ctx,
const struct tsocket_address *remote,
const struct tsocket_address *local,
+ const struct authn_audit_info *server_audit_info,
const char *service_description,
const char *auth_type,
const char *domain_name,
@@ -813,7 +893,9 @@ void log_authentication_event(
NTSTATUS status,
const char *domain_name,
const char *account_name,
- struct dom_sid *sid)
+ struct dom_sid *sid,
+ const struct authn_audit_info *client_audit_info,
+ const struct authn_audit_info *server_audit_info)
{
/* set the log level */
int debug_level = AUTH_FAILURE_LEVEL;
@@ -845,6 +927,8 @@ void log_authentication_event(
domain_name,
account_name,
sid,
+ client_audit_info,
+ server_audit_info,
event_id,
debug_level);
}
@@ -918,7 +1002,9 @@ void log_successful_authz_event(
const char *service_description,
const char *auth_type,
const char *transport_protection,
- struct auth_session_info *session_info)
+ struct auth_session_info *session_info,
+ const struct authn_audit_info *client_audit_info,
+ const struct authn_audit_info *server_audit_info)
{
int debug_level = AUTHZ_SUCCESS_LEVEL;
@@ -944,6 +1030,8 @@ void log_successful_authz_event(
auth_type,
transport_protection,
session_info,
+ client_audit_info,
+ server_audit_info,
debug_level);
}
}
@@ -959,6 +1047,7 @@ void log_authz_event(
struct loadparm_context *lp_ctx,
const struct tsocket_address *remote,
const struct tsocket_address *local,
+ const struct authn_audit_info *server_audit_info,
const char *service_description,
const char *auth_type,
const char *domain_name,
@@ -980,6 +1069,7 @@ void log_authz_event(
log_authz_event_json(msg_ctx, lp_ctx,
remote,
local,
+ server_audit_info,
service_description,
auth_type,
domain_name,
diff --git a/auth/common_auth.h b/auth/common_auth.h
index 3880b857058..24b7b14f51a 100644
--- a/auth/common_auth.h
+++ b/auth/common_auth.h
@@ -177,6 +177,7 @@ struct auth4_context {
* NOTE: msg_ctx and lp_ctx is optional, but when supplied allows streaming the
* authentication events over the message bus.
*/
+struct authn_audit_info;
void log_authentication_event(struct imessaging_context *msg_ctx,
struct loadparm_context *lp_ctx,
const struct timeval *start_time,
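Review bot: the forward declaration `struct authn_audit_info;` lands between the doc comment and the prototype it describes, so the comment no longer reads as belonging to log_authentication_event(); move the declaration above the comment block (next to the header's other type declarations) or include the header that defines the struct.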
@@ -184,7 +185,9 @@ void log_authentication_event(struct imessaging_context *msg_ctx,
NTSTATUS status,
const char *domain_name,
const char *account_name,
- struct dom_sid *sid);
+ struct dom_sid *sid,
+ const struct authn_audit_info *client_audit_info,
+ const struct authn_audit_info *server_audit_info);
/*
* Log details of a successful authorization to a service.
@@ -206,7 +209,9 @@ void log_successful_authz_event(struct imessaging_context *msg_ctx,
const char *service_description,
const char *auth_type,
const char *transport_protection,
- struct auth_session_info *session_info);
+ struct auth_session_info *session_info,
+ const struct authn_audit_info *client_audit_info,
+ const struct authn_audit_info *server_audit_info);
/*
* Log details of an authorization to a service.
@@ -219,6 +224,7 @@ void log_authz_event(
struct loadparm_context *lp_ctx,
const struct tsocket_address *remote,
const struct tsocket_address *local,
+ const struct authn_audit_info *server_audit_info,
const char *service_description,
const char *auth_type,
const char *domain_name,
diff --git a/auth/gensec/gensec.c b/auth/gensec/gensec.c
index 3641d4ba65e..26b5865bff5 100644
--- a/auth/gensec/gensec.c
+++ b/auth/gensec/gensec.c
@@ -242,7 +242,9 @@ static void log_successful_gensec_authz_event(struct gensec_security *gensec_sec
service_description,
final_auth_type,
transport_protection,
- session_info);
+ session_info,
+ NULL /* client_audit_info */,
+ NULL /* server_audit_info */);
}
diff --git a/docs-xml/manpages/samba-tool.8.xml b/docs-xml/manpages/samba-tool.8.xml
index 910d9093771..567342b2709 100644
--- a/docs-xml/manpages/samba-tool.8.xml
+++ b/docs-xml/manpages/samba-tool.8.xml
@@ -599,6 +599,631 @@
<para>Restore the domain's DB from a backup-file.</para>
</refsect3>
+<refsect3>
+ <title>domain auth policy list</title>
+ <para>List authentication policies on the domain.</para>
+ <variablelist>
+ <varlistentry>
+ <term>-H, --URL</term>
+ <listitem><para>
+ LDB URL for database or target server.
+ </para></listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>--json</term>
+ <listitem><para>
+ View authentication policies as JSON instead of a list.
+ </para></listitem>
+ </varlistentry>
+ </variablelist>
+</refsect3>
+
+<refsect3>
+ <title>domain auth policy view</title>
+ <para>View an authentication policy on the domain.</para>
+ <variablelist>
+ <varlistentry>
+ <term>-H, --URL</term>
+ <listitem><para>
+ LDB URL for database or target server.
+ </para></listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>--name</term>
+ <listitem><para>
+ Name of the authentication policy to view (required).
+ </para></listitem>
+ </varlistentry>
+ </variablelist>
+</refsect3>
+
+<refsect3>
+ <title>domain auth policy create</title>
+ <para>Create authentication policies on the domain.</para>
+ <variablelist>
+ <varlistentry>
+ <term>-H, --URL</term>
+ <listitem><para>
+ LDB URL for database or target server.
+ </para></listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>--name</term>
+ <listitem><para>
+ Name of the authentication policy (required).
+ </para></listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>--description</term>
+ <listitem><para>
+ Optional description for the authentication policy.
+ </para></listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>--protect</term>
+ <listitem>
+ <para>
+ Protect authentication policy from accidental deletion.
+ </para>
+ <para>
+ Cannot be used together with --unprotect.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>--unprotect</term>
+ <listitem>
+ <para>
+ Unprotect authentication policy from accidental deletion.
+ </para>
+ <para>
+ Cannot be used together with --protect.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>--audit</term>
+ <listitem>
+ <para>
+ Only audit authentication policy.
+ </para>
+ <para>
+ Cannot be used together with --enforce.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>--enforce</term>
+ <listitem>
+ <para>
+ Enforce authentication policy.
+ </para>
+ <para>
+ Cannot be used together with --audit.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>--strong-ntlm-policy</term>
+ <listitem>
+ <para>
+ Strong NTLM Policy (Disabled, Optional, Required).
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>--user-tgt-lifetime</term>
+ <listitem>
+ <para>
+ Ticket-Granting-Ticket lifetime for user accounts.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>--user-allow-ntlm-auth</term>
+ <listitem>
+ <para>
+ Allow NTLM network authentication when user
+ is restricted to selected devices.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>--service-tgt-lifetime</term>
+ <listitem>
+ <para>
+ Ticket-Granting-Ticket lifetime for service accounts.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>--service-allow-ntlm-auth</term>
+ <listitem>
+ <para>
+ Allow NTLM network authentication when service
+ is restricted to selected devices.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>--computer-tgt-lifetime</term>
+ <listitem>
+ <para>
+ Ticket-Granting-Ticket lifetime for computer accounts.
+ </para>
+ </listitem>
+ </varlistentry>
+ </variablelist>
+</refsect3>
+
+<refsect3>
+ <title>domain auth policy modify</title>
+ <para>Modify authentication policies on the domain.</para>
+ <variablelist>
+ <varlistentry>
+ <term>-H, --URL</term>
+ <listitem><para>
+ LDB URL for database or target server.
+ </para></listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>--name</term>
+ <listitem><para>
+ Name of the authentication policy (required).
+ </para></listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>--description</term>
+ <listitem><para>
+ Optional description for the authentication policy.
+ </para></listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>--protect</term>
+ <listitem>
+ <para>
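Review bot: the --user-tgt-lifetime, --service-tgt-lifetime and --computer-tgt-lifetime entries give neither a unit nor the accepted range, even though the validators commit in this push says these values are range-checked; state the unit and the enforced bounds in each <para>, as --strong-ntlm-policy already lists its accepted values.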
--
Samba Shared Repository