s4:auth: Log authentication policies for NTLM authentication

author Joseph Sutton <josephsutton@catalyst.net.nz>

Thu, 15 Jun 2023 22:40:16 +0000 (10:40 +1200)

committer Andrew Bartlett <abartlet@samba.org>

Sun, 25 Jun 2023 23:29:32 +0000 (23:29 +0000)
author Joseph Sutton <josephsutton@catalyst.net.nz>
Thu, 15 Jun 2023 22:40:16 +0000 (10:40 +1200)
committer Andrew Bartlett <abartlet@samba.org>
Sun, 25 Jun 2023 23:29:32 +0000 (23:29 +0000)
diff --git a/selftest/knownfail_heimdal_kdc b/selftest/knownfail_heimdal_kdc

index 2e9544e1776275c522ac234cf1ae0191e48298df..7e30c83bd4697b1f729df8ee1878fdb75f23b62b 100644 (file)
--- a/selftest/knownfail_heimdal_kdc
+++ b/selftest/knownfail_heimdal_kdc
@@ -169,63 +169,3 @@
  ^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_allowed_to_user_not_allowed_rbcd_to_self.ad_dc
  ^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_bad_pwd_allowed_from_user_deny.ad_dc
  ^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_denied_no_fast.ad_dc
-^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_ntlm_allow_service.ad_dc
-^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_ntlm_allow_user.ad_dc
-^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_ntlm_deny_no_device_restrictions.ad_dc
-^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_ntlm_deny_service.ad_dc
-^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_ntlm_deny_user.ad_dc
-^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_samlogon_allow_user.ad_dc
-^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_samlogon_deny_user.ad_dc
-^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_samlogon_interactive_allow_user_allowed_from.ad_dc
-^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_samlogon_interactive_allow_user_no_allowed_from.ad_dc
-^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_samlogon_interactive_allow_user_not_allowed_from.ad_dc
-^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_samlogon_interactive_deny_no_device_restrictions.ad_dc
-^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_samlogon_interactive_deny_user_allowed_from.ad_dc
-^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_samlogon_interactive_deny_user_no_allowed_from.ad_dc
-^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_samlogon_interactive_deny_user_not_allowed_from.ad_dc
-^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_samlogon_interactive_user_allowed_from.ad_dc
-^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_samlogon_network_allow_service_allowed_from.ad_dc
-^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_samlogon_network_allow_service_allowed_from_to_self.ad_dc
-^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_samlogon_network_allow_service_no_allowed_from.ad_dc
-^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_samlogon_network_allow_service_no_allowed_from_to_self.ad_dc
-^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_samlogon_network_allow_service_not_allowed_from.ad_dc
-^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_samlogon_network_allow_service_not_allowed_from_to_self.ad_dc
-^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_samlogon_network_deny_no_device_restrictions.ad_dc
-^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_samlogon_network_deny_service_allowed_from.ad_dc
-^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_samlogon_network_deny_service_allowed_from_to_self.ad_dc
-^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_samlogon_network_deny_service_no_allowed_from.ad_dc
-^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_samlogon_network_deny_service_no_allowed_from_to_self.ad_dc
-^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_samlogon_network_deny_service_not_allowed_from.ad_dc
-^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_samlogon_network_deny_service_not_allowed_from_to_self.ad_dc
-^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_samlogon_network_user_allowed_from.ad_dc
-^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_samr_pwd_change_allow_service_allowed_from.ad_dc
-^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_samr_pwd_change_allow_service_no_allowed_from.ad_dc
-^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_samr_pwd_change_allow_service_not_allowed_from.ad_dc
-^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_samr_pwd_change_deny_service_allowed_from.ad_dc
-^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_samr_pwd_change_deny_service_no_allowed_from.ad_dc
-^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_samr_pwd_change_deny_service_not_allowed_from.ad_dc
-^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_simple_bind_allow_user.ad_dc
-^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_simple_bind_deny_no_device_restrictions.ad_dc
-^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_simple_bind_deny_user.ad_dc
-^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_samlogon_allowed_to_computer_allow.ad_dc
-^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_samlogon_allowed_to_computer_allow_asserted_identity.ad_dc
-^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_samlogon_allowed_to_computer_allow_authenticated_users.ad_dc
-^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_samlogon_allowed_to_computer_allow_claims_valid.ad_dc
-^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_samlogon_allowed_to_computer_allow_compounded_auth.ad_dc
-^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_samlogon_allowed_to_computer_allow_domain_local_group.ad_dc
-^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_samlogon_allowed_to_computer_allow_group_member.ad_dc
-^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_samlogon_allowed_to_computer_allow_group_not_a_member.ad_dc
-^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_samlogon_allowed_to_computer_allow_ntlm_authn.ad_dc
-^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_samlogon_allowed_to_computer_allow_to_self.ad_dc
-^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_samlogon_allowed_to_computer_deny.ad_dc
-^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_samlogon_allowed_to_computer_deny_to_self.ad_dc
-^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_samlogon_allowed_to_computer_derived_class_allow.ad_dc
-^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_samlogon_allowed_to_no_owner.ad_dc
-^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_samlogon_allowed_to_no_owner_unenforced.ad_dc
-^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_samlogon_allowed_to_service_allow.ad_dc
-^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_samlogon_allowed_to_service_allow_to_self.ad_dc
-^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_samlogon_allowed_to_service_deny.ad_dc
-^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_samlogon_allowed_to_service_deny_to_self.ad_dc
-^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_samlogon_allowed_to_service_derived_class_allow.ad_dc
-^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_samlogon_bad_pwd_client_and_server_policy.ad_dc
-^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_samlogon_bad_pwd_client_policy.ad_dc
diff --git a/selftest/knownfail_mit_kdc_1_20 b/selftest/knownfail_mit_kdc_1_20

index d39cfb3483a83d42eba64d1ed1a3c2640b34b5a9..d0ff07100d7fee19d2bbe8422775a7c4ccb0f0cd 100644 (file)
--- a/selftest/knownfail_mit_kdc_1_20
+++ b/selftest/knownfail_mit_kdc_1_20
@@ -72,63 +72,3 @@
  #
  ^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_allowed_from_no_fast_negative_lifetime.ad_dc
  ^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_allowed_to_user_deny_s4u2self_constrained_delegation.ad_dc
-^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_ntlm_allow_service.ad_dc
-^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_ntlm_allow_user.ad_dc
-^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_ntlm_deny_no_device_restrictions.ad_dc
-^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_ntlm_deny_service.ad_dc
-^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_ntlm_deny_user.ad_dc
-^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_samlogon_allow_user.ad_dc
-^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_samlogon_deny_user.ad_dc
-^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_samlogon_interactive_allow_user_allowed_from.ad_dc
-^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_samlogon_interactive_allow_user_no_allowed_from.ad_dc
-^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_samlogon_interactive_allow_user_not_allowed_from.ad_dc
-^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_samlogon_interactive_deny_no_device_restrictions.ad_dc
-^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_samlogon_interactive_deny_user_allowed_from.ad_dc
-^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_samlogon_interactive_deny_user_no_allowed_from.ad_dc
-^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_samlogon_interactive_deny_user_not_allowed_from.ad_dc
-^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_samlogon_interactive_user_allowed_from.ad_dc
-^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_samlogon_network_allow_service_allowed_from.ad_dc
-^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_samlogon_network_allow_service_allowed_from_to_self.ad_dc
-^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_samlogon_network_allow_service_no_allowed_from.ad_dc
-^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_samlogon_network_allow_service_no_allowed_from_to_self.ad_dc
-^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_samlogon_network_allow_service_not_allowed_from.ad_dc
-^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_samlogon_network_allow_service_not_allowed_from_to_self.ad_dc
-^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_samlogon_network_deny_no_device_restrictions.ad_dc
-^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_samlogon_network_deny_service_allowed_from.ad_dc
-^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_samlogon_network_deny_service_allowed_from_to_self.ad_dc
-^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_samlogon_network_deny_service_no_allowed_from.ad_dc
-^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_samlogon_network_deny_service_no_allowed_from_to_self.ad_dc
-^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_samlogon_network_deny_service_not_allowed_from.ad_dc
-^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_samlogon_network_deny_service_not_allowed_from_to_self.ad_dc
-^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_samlogon_network_user_allowed_from.ad_dc
-^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_samr_pwd_change_allow_service_allowed_from.ad_dc
-^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_samr_pwd_change_allow_service_no_allowed_from.ad_dc
-^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_samr_pwd_change_allow_service_not_allowed_from.ad_dc
-^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_samr_pwd_change_deny_service_allowed_from.ad_dc
-^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_samr_pwd_change_deny_service_no_allowed_from.ad_dc
-^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_samr_pwd_change_deny_service_not_allowed_from.ad_dc
-^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_simple_bind_allow_user.ad_dc
-^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_simple_bind_deny_no_device_restrictions.ad_dc
-^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_simple_bind_deny_user.ad_dc
-^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_samlogon_allowed_to_computer_allow.ad_dc
-^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_samlogon_allowed_to_computer_allow_asserted_identity.ad_dc
-^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_samlogon_allowed_to_computer_allow_authenticated_users.ad_dc
-^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_samlogon_allowed_to_computer_allow_claims_valid.ad_dc
-^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_samlogon_allowed_to_computer_allow_compounded_auth.ad_dc
-^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_samlogon_allowed_to_computer_allow_domain_local_group.ad_dc
-^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_samlogon_allowed_to_computer_allow_group_member.ad_dc
-^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_samlogon_allowed_to_computer_allow_group_not_a_member.ad_dc
-^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_samlogon_allowed_to_computer_allow_ntlm_authn.ad_dc
-^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_samlogon_allowed_to_computer_allow_to_self.ad_dc
-^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_samlogon_allowed_to_computer_deny.ad_dc
-^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_samlogon_allowed_to_computer_deny_to_self.ad_dc
-^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_samlogon_allowed_to_computer_derived_class_allow.ad_dc
-^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_samlogon_allowed_to_no_owner.ad_dc
-^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_samlogon_allowed_to_no_owner_unenforced.ad_dc
-^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_samlogon_allowed_to_service_allow.ad_dc
-^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_samlogon_allowed_to_service_allow_to_self.ad_dc
-^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_samlogon_allowed_to_service_deny.ad_dc
-^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_samlogon_allowed_to_service_deny_to_self.ad_dc
-^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_samlogon_allowed_to_service_derived_class_allow.ad_dc
-^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_samlogon_bad_pwd_client_and_server_policy.ad_dc
-^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_samlogon_bad_pwd_client_policy.ad_dc
diff --git a/source4/auth/ntlm/auth_sam.c b/source4/auth/ntlm/auth_sam.c

index 60b301b104f8674a596b65c5ffabe008c3e0a8a8..74cdcc50c29be995c4027c8ce3ab3c3e6ce3c41e 100644 (file)
--- a/source4/auth/ntlm/auth_sam.c
+++ b/source4/auth/ntlm/auth_sam.c
@@ -730,7 +730,8 @@ static NTSTATUS authsam_check_netlogon_trust(TALLOC_CTX *mem_ctx,
                                              struct ldb_context *sam_ctx,
                                              struct loadparm_context *lp_ctx,
                                              const struct auth_usersupplied_info *user_info,
-                                            const struct auth_user_info_dc *user_info_dc)
+                                            const struct auth_user_info_dc *user_info_dc,
+                                            struct authn_audit_info **server_audit_info_out)
  {
         TALLOC_CTX *tmp_ctx = NULL;
  
@@ -809,6 +810,7 @@ static NTSTATUS authsam_check_netlogon_trust(TALLOC_CTX *mem_ctx,
         }
  
         if (authn_server_policy != NULL) {
+               struct authn_audit_info *server_audit_info = NULL;
                 NTSTATUS status;
  
                 /*
@@ -821,7 +823,10 @@ static NTSTATUS authsam_check_netlogon_trust(TALLOC_CTX *mem_ctx,
                                                               AUTHN_POLICY_AUTH_TYPE_NTLM,
                                                               user_info_dc,
                                                               authn_server_policy,
-                                                             NULL /* server_audit_info_out */);
+                                                             &server_audit_info);
+               if (server_audit_info != NULL) {
+                       *server_audit_info_out = talloc_move(mem_ctx, &server_audit_info);
+               }
                 if (!NT_STATUS_IS_OK(status)) {
                         talloc_free(tmp_ctx);
                         return status;
@@ -838,6 +843,8 @@ static NTSTATUS authsam_authenticate(struct auth4_context *auth_context,
                                      const struct auth_usersupplied_info *user_info,
                                      const struct auth_user_info_dc *user_info_dc,
                                      DATA_BLOB *user_sess_key, DATA_BLOB *lm_sess_key,
+                                    struct authn_audit_info **client_audit_info_out,
+                                    struct authn_audit_info **server_audit_info_out,
                                      bool *authoritative)
  {
         NTSTATUS nt_status;
@@ -885,8 +892,13 @@ static NTSTATUS authsam_authenticate(struct auth4_context *auth_context,
  
         nt_status = authn_policy_ntlm_apply_device_restriction(mem_ctx,
                                                                authn_client_policy,
-                                                              NULL /* client_audit_info_out */);
+                                                              client_audit_info_out);
         if (!NT_STATUS_IS_OK(nt_status)) {
+               /*
+                * As we didn’t get far enough to check the server policy, only
+                * the client policy will be referenced in the authentication
+                * log message.
+                */
                 TALLOC_FREE(tmp_ctx);
                 return nt_status;
         }
@@ -905,7 +917,8 @@ static NTSTATUS authsam_authenticate(struct auth4_context *auth_context,
                                                  auth_context->sam_ctx,
                                                  auth_context->lp_ctx,
                                                  user_info,
-                                                user_info_dc);
+                                                user_info_dc,
+                                                server_audit_info_out);
         if (!NT_STATUS_IS_OK(nt_status)) {
                 TALLOC_FREE(tmp_ctx);
                 return nt_status;
@@ -958,6 +971,8 @@ static NTSTATUS authsam_check_password_internals(struct auth_method_context *ctx
                                                  TALLOC_CTX *mem_ctx,
                                                  const struct auth_usersupplied_info *user_info, 
                                                  struct auth_user_info_dc **user_info_dc,
+                                                struct authn_audit_info **client_audit_info_out,
+                                                struct authn_audit_info **server_audit_info_out,
                                                  bool *authoritative)
  {
         NTSTATUS nt_status;
@@ -969,6 +984,8 @@ static NTSTATUS authsam_check_password_internals(struct auth_method_context *ctx
         TALLOC_CTX *tmp_ctx;
         const char *p = NULL;
         struct auth_user_info_dc *reparented = NULL;
+       struct authn_audit_info *client_audit_info = NULL;
+       struct authn_audit_info *server_audit_info = NULL;
  
         if (ctx->auth_ctx->sam_ctx == NULL) {
                 DEBUG(0, ("No SAM available, cannot log in users\n"));
@@ -1086,7 +1103,15 @@ static NTSTATUS authsam_check_password_internals(struct auth_method_context *ctx
                                          *user_info_dc,
                                          &user_sess_key,
                                          &lm_sess_key,
+                                        &client_audit_info,
+                                        &server_audit_info,
                                          authoritative);
+       if (client_audit_info != NULL) {
+               *client_audit_info_out = talloc_move(mem_ctx, &client_audit_info);
+       }
+       if (server_audit_info != NULL) {
+               *server_audit_info_out = talloc_move(mem_ctx, &server_audit_info);
+       }
         if (!NT_STATUS_IS_OK(nt_status)) {
                 talloc_free(tmp_ctx);
                 return nt_status;
@@ -1112,7 +1137,10 @@ static NTSTATUS authsam_check_password_internals(struct auth_method_context *ctx
                 }
         }
  
-       /* Release our handle to *user_info_dc. */
+       /*
+        * Release our handle to *user_info_dc. {client,server}_audit_info_out,
+        * if non-NULL, becomes the new parent.
+        */
         reparented = talloc_reparent(tmp_ctx, mem_ctx, *user_info_dc);
         if (reparented == NULL) {
                 talloc_free(tmp_ctx);
@@ -1126,6 +1154,8 @@ static NTSTATUS authsam_check_password_internals(struct auth_method_context *ctx
  
  struct authsam_check_password_state {
         struct auth_user_info_dc *user_info_dc;
+       struct authn_audit_info *client_audit_info;
+       struct authn_audit_info *server_audit_info;
         bool authoritative;
  };
  
@@ -1156,6 +1186,8 @@ static struct tevent_req *authsam_check_password_send(
                 state,
                 user_info,
                 &state->user_info_dc,
+               &state->client_audit_info,
+               &state->server_audit_info,
                 &state->authoritative);
         if (tevent_req_nterror(req, status)) {
                 return tevent_req_post(req, ev);
@@ -1179,15 +1211,20 @@ static NTSTATUS authsam_check_password_recv(
  
         *authoritative = state->authoritative;
  
-       *client_audit_info = NULL;
+       *client_audit_info = talloc_reparent(state, mem_ctx, state->client_audit_info);
+       state->client_audit_info = NULL;
  
-       *server_audit_info = NULL;
+       *server_audit_info = talloc_reparent(state, mem_ctx, state->server_audit_info);
+       state->server_audit_info = NULL;
  
         if (tevent_req_is_nterror(req, &status)) {
                 tevent_req_received(req);
                 return status;
         }
-       /* Release our handle to state->user_info_dc. */
+       /*
+        * Release our handle to state->user_info_dc.
+        * {client,server}_audit_info, if non-NULL, becomes the new parent.
+        */
         *interim_info = talloc_reparent(state, mem_ctx, state->user_info_dc);
         state->user_info_dc = NULL;
author	Joseph Sutton <josephsutton@catalyst.net.nz>
	Thu, 15 Jun 2023 22:40:16 +0000 (10:40 +1200)
committer	Andrew Bartlett <abartlet@samba.org>
	Sun, 25 Jun 2023 23:29:32 +0000 (23:29 +0000)
selftest/knownfail_heimdal_kdc		patch \| blob \| blame \| history
selftest/knownfail_mit_kdc_1_20		patch \| blob \| blame \| history
source4/auth/ntlm/auth_sam.c		patch \| blob \| blame \| history