From: Joseph Sutton
Date: Wed, 14 Jun 2023 23:00:38 +0000 (+1200)
Subject: s4:kdc: Generate auditing infomation for NTLM device restrictions
X-Git-Tag: talloc-2.4.1~364
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=5bd6ce29def85cbf2864a06447cc7daf9b2d1990;p=thirdparty%2Fsamba.git
s4:kdc: Generate auditing infomation for NTLM device restrictions
This will provide more detail to be logged.
Signed-off-by: Joseph Sutton
Reviewed-by: Andrew Bartlett
---
diff --git a/source4/kdc/authn_policy_util.c b/source4/kdc/authn_policy_util.c
index 2f6d53c3cc8..ba33ea1d5d4 100644
--- a/source4/kdc/authn_policy_util.c
+++ b/source4/kdc/authn_policy_util.c
@@ -955,32 +955,70 @@ static bool authn_policy_ntlm_device_restrictions_present(const struct authn_ntl
 }
 /* Check whether the client is allowed to authenticate using NTLM. */
-NTSTATUS authn_policy_ntlm_apply_device_restriction(const char *client_account_name,
- const char *device_account_name,
- const struct authn_ntlm_client_policy *client_policy)
+NTSTATUS authn_policy_ntlm_apply_device_restriction(TALLOC_CTX *mem_ctx,
+ const struct authn_ntlm_client_policy *client_policy,
+ struct authn_audit_info **client_audit_info_out)
 {
+ NTSTATUS status;
+ NTSTATUS status2;
+
+ if (client_audit_info_out != NULL) {
+ *client_audit_info_out = NULL;
+ }
+
+ if (client_policy == NULL) {
+ return NT_STATUS_OK;
+ }
+
 /*
+ * Access control restrictions cannot be applied to NTLM.
+ *
 * If NTLM authentication is disallowed and the policy enforces a device
 * restriction, deny the authentication.
 */
 if (!authn_policy_ntlm_device_restrictions_present(client_policy)) {
- return NT_STATUS_OK;
+ return authn_policy_audit_info(mem_ctx,
+ &client_policy->policy,
+ authn_int64_none() /* tgt_lifetime_raw */,
+ NULL /* client_info */,
+ AUTHN_AUDIT_EVENT_OK,
+ AUTHN_AUDIT_REASON_NONE,
+ NT_STATUS_OK,
+ client_audit_info_out);
 }
 /*
- * Although MS-APDS doesn’t state it, AllowedNTLMNetworkAuthentication
- * applies to interactive logons too.
+ * (Although MS-APDS doesn’t state it, AllowedNTLMNetworkAuthentication
+ * applies to interactive logons too.)
 */
 if (client_policy->allowed_ntlm_network_auth) {
- return NT_STATUS_OK;
+ return authn_policy_audit_info(mem_ctx,
+ &client_policy->policy,
+ authn_int64_none() /* tgt_lifetime_raw */,
+ NULL /* client_info */,
+ AUTHN_AUDIT_EVENT_OK,
+ AUTHN_AUDIT_REASON_NONE,
+ NT_STATUS_OK,
+ client_audit_info_out);
+ }
+
+ status = NT_STATUS_ACCOUNT_RESTRICTION;
+ status2 = authn_policy_audit_info(mem_ctx,
+ &client_policy->policy,
+ authn_int64_none() /* tgt_lifetime_raw */,
+ NULL /* client_info */,
+ AUTHN_AUDIT_EVENT_NTLM_DEVICE_RESTRICTION,
+ AUTHN_AUDIT_REASON_NONE,
+ status,
+ client_audit_info_out);
+ if (!NT_STATUS_IS_OK(status2)) {
+ status = status2;
+ } else if (!authn_policy_is_enforced(&client_policy->policy)) {
+ status = NT_STATUS_OK;
 }
- if (authn_policy_is_enforced(&client_policy->policy)) {
- return NT_STATUS_ACCOUNT_RESTRICTION;
- } else {
- return NT_STATUS_OK;
- }
+ return status;
 }
 /* Authentication policies for servers. */
diff --git a/source4/kdc/authn_policy_util.h b/source4/kdc/authn_policy_util.h
index 969c2da7a01..e39bcf3b160 100644
--- a/source4/kdc/authn_policy_util.h
+++ b/source4/kdc/authn_policy_util.h
@@ -88,9 +88,9 @@ int authn_policy_ntlm_client(struct ldb_context *samdb,
 const struct authn_ntlm_client_policy **policy_out);
 /* Check whether the client is allowed to authenticate using NTLM. */
-NTSTATUS authn_policy_ntlm_apply_device_restriction(const char *client_account_name,
- const char *device_account_name,
- const struct authn_ntlm_client_policy *client_policy);
+NTSTATUS authn_policy_ntlm_apply_device_restriction(TALLOC_CTX *mem_ctx,
+ const struct authn_ntlm_client_policy *client_policy,
+ struct authn_audit_info **client_audit_info_out);
 /* Authentication policies for servers. */
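Review bot: In the final deny branch the audit record is built with `status = NT_STATUS_ACCOUNT_RESTRICTION` before `authn_policy_is_enforced()` is consulted, so for an audit-only policy the record carries a failing status while the function returns NT_STATUS_OK, and nothing in the code says that split is deliberate. Consumers of `client_audit_info_out` presumably tell the two cases apart through the enforced flag on the policy passed alongside, but that should be stated where the status is set, e.g. `/* Audit-only policies still record the restriction event with NT_STATUS_ACCOUNT_RESTRICTION; only an enforced policy turns it into the returned status. */` above `status = NT_STATUS_ACCOUNT_RESTRICTION;`. Returning `status2` when `authn_policy_audit_info()` fails is the right fail-closed choice, and it deserves a one-line comment as well, since the two NT_STATUS_OK paths now also refuse the authentication if the audit record cannot be allocated. The two identical `AUTHN_AUDIT_EVENT_OK` calls could be folded into a single `goto` label or a small static helper so the eight-argument call lives in one place.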