s4:kdc: Move NTLM device restrictions to ‘authn_policy_util’
authorJoseph Sutton <josephsutton@catalyst.net.nz>
Wed, 14 Jun 2023 22:54:18 +0000 (10:54 +1200)
committerAndrew Bartlett <abartlet@samba.org>
Thu, 15 Jun 2023 05:29:28 +0000 (05:29 +0000)
We’re going to extend this code, and so we will require functions from
the utility module.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
auth/authn_policy.c
auth/authn_policy.h
source4/kdc/authn_policy_util.c
source4/kdc/authn_policy_util.h

index 11dcf33e6e090b77d68cdc68d655e4b05da273ae..5929c0056775be5b60b4275371c3a2a1743c38e4 100644 (file)
@@ -49,47 +49,6 @@ int64_t authn_policy_enforced_tgt_lifetime_raw(const struct authn_kerberos_clien
        return policy->tgt_lifetime_raw;
 }
 
-/* Authentication policies for NTLM clients. */
-
-/* Return whether an authentication policy enforces device restrictions. */
-static bool authn_policy_ntlm_device_restrictions_present(const struct authn_ntlm_client_policy *policy)
-{
-       if (policy == NULL) {
-               return false;
-       }
-
-       return policy->allowed_to_authenticate_from.data != NULL;
-}
-
-/* Check whether the client is allowed to authenticate using NTLM. */
-NTSTATUS authn_policy_ntlm_apply_device_restriction(const char *client_account_name,
-                                                   const char *device_account_name,
-                                                   const struct authn_ntlm_client_policy *client_policy)
-{
-       /*
-        * If NTLM authentication is disallowed and the policy enforces a device
-        * restriction, deny the authentication.
-        */
-
-       if (!authn_policy_ntlm_device_restrictions_present(client_policy)) {
-               return NT_STATUS_OK;
-       }
-
-       /*
-        * Although MS-APDS doesn’t state it, AllowedNTLMNetworkAuthentication
-        * applies to interactive logons too.
-        */
-       if (client_policy->allowed_ntlm_network_auth) {
-               return NT_STATUS_OK;
-       }
-
-       if (authn_policy_is_enforced(&client_policy->policy)) {
-               return NT_STATUS_ACCOUNT_RESTRICTION;
-       } else {
-               return NT_STATUS_OK;
-       }
-}
-
 /* Auditing information. */
 
 enum auth_event_id_type authn_audit_info_event_id(const struct authn_audit_info *audit_info)
index 757a3485d828aa12b5a1eb8b229ca7924575c42d..f2142feac92689e8bc2ebbee2cc39a5998c1f40e 100644 (file)
@@ -35,15 +35,6 @@ bool authn_kerberos_client_policy_is_enforced(const struct authn_kerberos_client
 /* Get the raw TGT lifetime enforced by an authentication policy. */
 int64_t authn_policy_enforced_tgt_lifetime_raw(const struct authn_kerberos_client_policy *policy);
 
-/* Authentication policies for NTLM clients. */
-
-struct authn_ntlm_client_policy;
-
-/* Check whether the client is allowed to authenticate using NTLM. */
-NTSTATUS authn_policy_ntlm_apply_device_restriction(const char *client_account_name,
-                                                   const char *device_account_name,
-                                                   const struct authn_ntlm_client_policy *client_policy);
-
 /* Auditing information. */
 
 struct authn_audit_info;
index bf14096e6c30b8ecdaa349c841d06a4500c449dc..2f6d53c3cc831d5ed2ccc35a4af8d12e2c6715ae 100644 (file)
@@ -944,6 +944,45 @@ out:
        return ret;
 }
 
+/* Return whether an authentication policy enforces device restrictions. */
+static bool authn_policy_ntlm_device_restrictions_present(const struct authn_ntlm_client_policy *policy)
+{
+       if (policy == NULL) {
+               return false;
+       }
+
+       return policy->allowed_to_authenticate_from.data != NULL;
+}
+
+/* Check whether the client is allowed to authenticate using NTLM. */
+NTSTATUS authn_policy_ntlm_apply_device_restriction(const char *client_account_name,
+                                                   const char *device_account_name,
+                                                   const struct authn_ntlm_client_policy *client_policy)
+{
+       /*
+        * If NTLM authentication is disallowed and the policy enforces a device
+        * restriction, deny the authentication.
+        */
+
+       if (!authn_policy_ntlm_device_restrictions_present(client_policy)) {
+               return NT_STATUS_OK;
+       }
+
+       /*
+        * Although MS-APDS doesn’t state it, AllowedNTLMNetworkAuthentication
+        * applies to interactive logons too.
+        */
+       if (client_policy->allowed_ntlm_network_auth) {
+               return NT_STATUS_OK;
+       }
+
+       if (authn_policy_is_enforced(&client_policy->policy)) {
+               return NT_STATUS_ACCOUNT_RESTRICTION;
+       } else {
+               return NT_STATUS_OK;
+       }
+}
+
 /* Authentication policies for servers. */
 
 /*
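Review bot: `client_account_name` and `device_account_name` are accepted by `authn_policy_ntlm_apply_device_restriction` in this hunk but never read in the body, so as committed they are dead parameters; the commit message says the code is about to be extended, so presumably they are reserved for that, but nothing in the code says so. A one-line comment above the signature, `/* client_account_name and device_account_name are reserved for the upcoming device-restriction checks and are not yet used. */`, would tell a reader this is deliberate rather than an oversight. Separately, the final branch returns `NT_STATUS_OK` when `authn_policy_is_enforced()` is false without any visible audit call; if a non-enforced policy violation is recorded elsewhere in the caller path, a comment naming where would stop the next reader from assuming it is silently dropped.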
index f768b5e5f8fc67724f3a1f7171a360a7f3ac116a..969c2da7a0167e58b9b1d85b106c03809dd51c73 100644 (file)
@@ -76,6 +76,8 @@ bool authn_policy_device_restrictions_present(const struct authn_kerberos_client
 
 /* Authentication policies for NTLM clients. */
 
+struct authn_ntlm_client_policy;
+
 /*
  * Get the applicable authentication policy for an account acting as an NTLM
  * client.
@@ -85,6 +87,11 @@ int authn_policy_ntlm_client(struct ldb_context *samdb,
                             const struct ldb_message *msg,
                             const struct authn_ntlm_client_policy **policy_out);
 
+/* Check whether the client is allowed to authenticate using NTLM. */
+NTSTATUS authn_policy_ntlm_apply_device_restriction(const char *client_account_name,
+                                                   const char *device_account_name,
+                                                   const struct authn_ntlm_client_policy *client_policy);
+
 /* Authentication policies for servers. */
 
 struct authn_server_policy;
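Review bot: The prototype for `authn_policy_ntlm_apply_device_restriction` added in this hunk is documented only as "Check whether the client is allowed to authenticate using NTLM", which leaves callers guessing at the result contract now that the declaration lives in a different header from the implementation. The comment could state it explicitly: `/* Check whether the client is allowed to authenticate using NTLM. Returns NT_STATUS_ACCOUNT_RESTRICTION when the policy is enforced, carries a device restriction and does not allow NTLM network authentication; returns NT_STATUS_OK otherwise, including when the policy is not enforced. */`. That matches the body moved in the source4/kdc/authn_policy_util.c hunk of this commit.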