s4:kdc: Generate auditing infomation for NTLM device restrictions
authorJoseph Sutton <josephsutton@catalyst.net.nz>
Wed, 14 Jun 2023 23:00:38 +0000 (11:00 +1200)
committerAndrew Bartlett <abartlet@samba.org>
Thu, 15 Jun 2023 05:29:28 +0000 (05:29 +0000)
This will allow more detail to be logged.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
source4/kdc/authn_policy_util.c
source4/kdc/authn_policy_util.h

index 2f6d53c3cc831d5ed2ccc35a4af8d12e2c6715ae..ba33ea1d5d450f8d28ccdd2ba1804c68c3d2c5fa 100644 (file)
@@ -955,32 +955,70 @@ static bool authn_policy_ntlm_device_restrictions_present(const struct authn_ntl
 }
 
 /* Check whether the client is allowed to authenticate using NTLM. */
-NTSTATUS authn_policy_ntlm_apply_device_restriction(const char *client_account_name,
-                                                   const char *device_account_name,
-                                                   const struct authn_ntlm_client_policy *client_policy)
+NTSTATUS authn_policy_ntlm_apply_device_restriction(TALLOC_CTX *mem_ctx,
+                                                   const struct authn_ntlm_client_policy *client_policy,
+                                                   struct authn_audit_info **client_audit_info_out)
 {
+       NTSTATUS status;
+       NTSTATUS status2;
+
+       if (client_audit_info_out != NULL) {
+               *client_audit_info_out = NULL;
+       }
+
+       if (client_policy == NULL) {
+               return NT_STATUS_OK;
+       }
+
        /*
+        * Access control restrictions cannot be applied to NTLM.
+        *
         * If NTLM authentication is disallowed and the policy enforces a device
         * restriction, deny the authentication.
         */
 
        if (!authn_policy_ntlm_device_restrictions_present(client_policy)) {
-               return NT_STATUS_OK;
+               return authn_policy_audit_info(mem_ctx,
+                                              &client_policy->policy,
+                                              authn_int64_none() /* tgt_lifetime_raw */,
+                                              NULL /* client_info */,
+                                              AUTHN_AUDIT_EVENT_OK,
+                                              AUTHN_AUDIT_REASON_NONE,
+                                              NT_STATUS_OK,
+                                              client_audit_info_out);
        }
 
        /*
-        * Although MS-APDS doesn’t state it, AllowedNTLMNetworkAuthentication
-        * applies to interactive logons too.
+        * (Although MS-APDS doesn’t state it, AllowedNTLMNetworkAuthentication
+        * applies to interactive logons too.)
         */
        if (client_policy->allowed_ntlm_network_auth) {
-               return NT_STATUS_OK;
+               return authn_policy_audit_info(mem_ctx,
+                                              &client_policy->policy,
+                                              authn_int64_none() /* tgt_lifetime_raw */,
+                                              NULL /* client_info */,
+                                              AUTHN_AUDIT_EVENT_OK,
+                                              AUTHN_AUDIT_REASON_NONE,
+                                              NT_STATUS_OK,
+                                              client_audit_info_out);
+       }
+
+       status = NT_STATUS_ACCOUNT_RESTRICTION;
+       status2 = authn_policy_audit_info(mem_ctx,
+                                         &client_policy->policy,
+                                         authn_int64_none() /* tgt_lifetime_raw */,
+                                         NULL /* client_info */,
+                                         AUTHN_AUDIT_EVENT_NTLM_DEVICE_RESTRICTION,
+                                         AUTHN_AUDIT_REASON_NONE,
+                                         status,
+                                         client_audit_info_out);
+       if (!NT_STATUS_IS_OK(status2)) {
+               status = status2;
+       } else if (!authn_policy_is_enforced(&client_policy->policy)) {
+               status = NT_STATUS_OK;
        }
 
-       if (authn_policy_is_enforced(&client_policy->policy)) {
-               return NT_STATUS_ACCOUNT_RESTRICTION;
-       } else {
-               return NT_STATUS_OK;
-       }
+       return status;
 }
 
 /* Authentication policies for servers. */
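Review bot: The contract of the new `client_audit_info_out` parameter is not documented anywhere in the hunk, and the one-line comment above the definition ("Check whether the client is allowed to authenticate using NTLM.") no longer describes what the function does. The code shows three distinct outcomes a caller must understand: `*client_audit_info_out` is left NULL when `client_policy` is NULL, it is otherwise filled by `authn_policy_audit_info()` on `mem_ctx` for every path including the allowed ones, and when building the audit record fails its error replaces the access result, so even an audit-only (non-enforced) policy now denies the logon on that failure. I would extend the comment above the definition with `/* On success *client_audit_info_out is NULL when client_policy is NULL, otherwise an audit record talloc'd on mem_ctx; an audit_info failure is returned in preference to the access result (fail closed). */` and put the same text on the prototype in authn_policy_util.h, whose hunk continues past this excerpt. Whether `authn_policy_audit_info()` accepts a NULL `client_audit_info_out` (the function itself checks for it) is not visible here and should be confirmed, since the value is passed through unchecked.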
index 969c2da7a0167e58b9b1d85b106c03809dd51c73..e39bcf3b160322676f89c3cb43d4d0207f8a235b 100644 (file)
@@ -88,9 +88,9 @@ int authn_policy_ntlm_client(struct ldb_context *samdb,
                             const struct authn_ntlm_client_policy **policy_out);
 
 /* Check whether the client is allowed to authenticate using NTLM. */
-NTSTATUS authn_policy_ntlm_apply_device_restriction(const char *client_account_name,
-                                                   const char *device_account_name,
-                                                   const struct authn_ntlm_client_policy *client_policy);
+NTSTATUS authn_policy_ntlm_apply_device_restriction(TALLOC_CTX *mem_ctx,
+                                                   const struct authn_ntlm_client_policy *client_policy,
+                                                   struct authn_audit_info **client_audit_info_out);
 
 /* Authentication policies for servers. */