The branch, master has been updated
       via  32fdc764efb s4:auth: Remove unneeded ‘sam_ctx’ parameter
       via  6c9c7c5b698 s4:auth: Enforce machine authentication policy for NTLM authentication
       via  7a7dbdb7736 s4:auth: Enforce device restrictions for NTLM authentication
       via  63fe9863572 s4:kdc: Log TGS-REQs in the Heimdal KDC
       via  ba2e54d5c5f tests/auth_log: Ensure tests continue to pass when new log types are added
       via  7f771070535 tests/auth_log: Add support for new ‘KDC Authorization’ log type
       via  e2d925f5a57 auth: Add new ‘KDC Authorization’ log type
       via  9325c14b7e1 lib:audit_logging: Add function to create JSON object containing auditing information
       via  3f3c017a268 s4:kdc: Add function to perform an access check to a service
       via  5bd6ce29def s4:kdc: Generate auditing information for NTLM device restrictions
       via  6dce6318e4f s4:kdc: Move NTLM device restrictions to ‘authn_policy_util’
       via  b5506d5ee38 s4:kdc: Add function to perform an authentication policy access check with a device
       via  f47631b3605 s4:kdc: Add getter functions for authn_audit_info
       via  a3063fb4f59 s4:kdc: Add functions to create structures of auditing information for authentication policies
       via  9585bf9bb72 s4:kdc: Add helper functions to create optional int64 values
       via  b1429830699 s4:kdc: Add structure containing authentication policy auditing information
       via  a2ff8c4e434 s4:kdc: Rename ‘lifetime’ to indicate that it is measured in seconds
       via  a1364c205ff s4:kdc: Rename authn_kerberos_client_policy::tgt_lifetime to tgt_lifetime_raw
       via  b3a85655825 auth: Move authn_policy code into auth subsystem
      from  9b0a71bd308 tests/auth_log: Refactor waitForMessages() to use nextMessage()
https://git.samba.org/?p=samba.git;a=shortlog;h=master

- Log -----------------------------------------------------------------
commit 32fdc764efb5edbbaca9c1e5a6b5f896da411e52
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Thu Jun 15 12:31:03 2023 +1200

    s4:auth: Remove unneeded ‘sam_ctx’ parameter

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

    Autobuild-User(master): Andrew Bartlett <abart...@samba.org>
    Autobuild-Date(master): Thu Jun 15 06:30:35 UTC 2023 on atb-devel-224

commit 6c9c7c5b698e4bc726cbe76629720f6e02ade7ad
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Thu May 4 16:43:47 2023 +1200

    s4:auth: Enforce machine authentication policy for NTLM authentication

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 7a7dbdb7736018018bb9459b79b95ae63d9e6e7d
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Thu May 4 16:39:55 2023 +1200

    s4:auth: Enforce device restrictions for NTLM authentication

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 63fe9863572357bf55c6446c90830fd2e6372b4b
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Thu Jun 15 11:24:27 2023 +1200

    s4:kdc: Log TGS-REQs in the Heimdal KDC

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit ba2e54d5c5fe22a3ba1481c890fc49bcdfa38781
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Thu Jun 15 14:33:37 2023 +1200

    tests/auth_log: Ensure tests continue to pass when new log types are added

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 7f771070535bd12d5ad0644893607f5c47c615e9
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Wed Jun 14 16:35:26 2023 +1200

    tests/auth_log: Add support for new ‘KDC Authorization’ log type

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit e2d925f5a57a94c6e28372756f1bf15d9e4db628
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Thu Jun 15 11:18:45 2023 +1200

    auth: Add new ‘KDC Authorization’ log type

    This is similar, but not identical, to the existing ‘Authorization’
    event. It will be used to log Kerberos TGS-REQs.

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 9325c14b7e10d79a130f6633f6bfd59680f4b756
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Thu Jun 15 11:12:22 2023 +1200

    lib:audit_logging: Add function to create JSON object containing auditing information

    This can be included in logged authentications and authorizations.

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 3f3c017a2686a823012c1d6f6c6639f40837b0d8
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Thu Jun 15 11:03:00 2023 +1200

    s4:kdc: Add function to perform an access check to a service

    If the ‘server_audit_info_out’ parameter is non-NULL, auditing
    information will be returned so that it might be logged.

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 5bd6ce29def85cbf2864a06447cc7daf9b2d1990
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Thu Jun 15 11:00:38 2023 +1200

    s4:kdc: Generate auditing information for NTLM device restrictions

    This will provide more detail to be logged.

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 6dce6318e4fa38e995248ff8fded021c51577c3d
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Thu Jun 15 10:54:18 2023 +1200

    s4:kdc: Move NTLM device restrictions to ‘authn_policy_util’

    We’re going to extend this code, and so we will require functions from
    the utility module.

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit b5506d5ee38dabbb26dfc889a8a222e632ddf99b
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Thu Jun 15 10:46:55 2023 +1200

    s4:kdc: Add function to perform an authentication policy access check with a device

    If the ‘audit_info_out’ parameter is non-NULL, auditing information
    will be returned so that it might be logged.

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit f47631b3605e806f3018efa6a64f5c9821475001
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Thu Jun 15 10:37:03 2023 +1200

    s4:kdc: Add getter functions for authn_audit_info

    These functions return various pieces of information about an audit
    event that can go into audit logs.

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit a3063fb4f59331f43dfb7d6930dbe0f8b383f6b7
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Thu Jun 15 10:30:34 2023 +1200

    s4:kdc: Add functions to create structures of auditing information for authentication policies

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 9585bf9bb723d58dd0fc07ae65de071cd189817f
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Thu Jun 15 10:18:38 2023 +1200

    s4:kdc: Add helper functions to create optional int64 values

    These values will be used to represent TGT lifetimes, which might or
    might not be present.

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit b1429830699fa457f26643e246b5fd07eab3a32d
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Thu Jun 15 10:18:00 2023 +1200

    s4:kdc: Add structure containing authentication policy auditing information

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit a2ff8c4e434f8db414fdd2bba8c1c2908050c61c
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Thu Jun 15 10:01:33 2023 +1200

    s4:kdc: Rename ‘lifetime’ to indicate that it is measured in seconds

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit a1364c205ffd1cfaaba8862a096be82b5d5c5f11
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Thu Jun 15 10:00:53 2023 +1200

    s4:kdc: Rename authn_kerberos_client_policy::tgt_lifetime to tgt_lifetime_raw

    This more clearly indicates that it is the raw TGT lifetime value
    straight from the database.

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit b3a85655825fb6c6a1d668379c1ab004707dc56d
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Thu Jun 15 14:59:10 2023 +1200

    auth: Move authn_policy code into auth subsystem

    This ensures that this code will still be usable by other libraries
    and subsystems if Samba is built with ‘--without-ad-dc’.

    We also drop dependencies on ‘ldb’ and ‘talloc’ that we shouldn’t have
    needed anyway.
    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

-----------------------------------------------------------------------

Summary of changes:
 auth/auth_log.c                           | 189 +++++++++++
 auth/authn_policy.c                       | 198 ++++++++++++
 auth/authn_policy.h                       |  87 +++++
 {source4/kdc => auth}/authn_policy_impl.h |  31 +-
 auth/common_auth.h                        |  21 ++
 auth/wscript_build                        |   4 +
 lib/audit_logging/audit_logging.c         | 132 ++++++++
 lib/audit_logging/audit_logging.h         |   3 +
 lib/audit_logging/wscript_build           |   5 +-
 python/samba/tests/auth_log_base.py       |  27 +-
 selftest/knownfail_heimdal_kdc            |  26 --
 selftest/knownfail_mit_kdc                |  26 --
 source4/auth/ntlm/auth.c                  |   4 +-
 source4/auth/ntlm/auth_sam.c              | 165 +++++++++-
 source4/auth/ntlm/wscript_build           |   2 +-
 source4/kdc/authn_policy.c                |  85 -----
 source4/kdc/authn_policy.h                |  44 ---
 source4/kdc/authn_policy_util.c           | 509 +++++++++++++++++++++++++++++-
 source4/kdc/authn_policy_util.h           | 131 +++++++-
 source4/kdc/db-glue.c                     |  22 +-
 source4/kdc/hdb-samba4.c                  |  99 +++++-
 source4/kdc/wscript_build                 |   6 -
 22 files changed, 1601 insertions(+), 215 deletions(-)
 create mode 100644 auth/authn_policy.c
 create mode 100644 auth/authn_policy.h
 rename {source4/kdc => auth}/authn_policy_impl.h (69%)
 delete mode 100644 source4/kdc/authn_policy.c
 delete mode 100644 source4/kdc/authn_policy.h


Changeset truncated at 500 lines:

diff --git a/auth/auth_log.c b/auth/auth_log.c index c0506823008..019cbe114bf 100644 --- a/auth/auth_log.c +++ b/auth/auth_log.c @@ -25,6 +25,8 @@ #define AUTH_FAILURE_LEVEL 2 #define AUTH_SUCCESS_LEVEL 3 #define AUTHZ_SUCCESS_LEVEL 4 +#define KDC_AUTHZ_FAILURE_LEVEL 2 +#define KDC_AUTHZ_SUCCESS_LEVEL 3 /* 5 is used for both authentication and authorization */ #define AUTH_ANONYMOUS_LEVEL 5 @@ -32,6 +34,7 @@ #define AUTHZ_JSON_TYPE "Authorization" #define AUTH_JSON_TYPE "Authentication" +#define KDC_AUTHZ_JSON_TYPE "KDC Authorization" /* * JSON message version numbers
@@ -44,6 +47,8 @@ #define AUTH_MINOR 2 #define AUTHZ_MAJOR 1 #define AUTHZ_MINOR 1 +#define KDC_AUTHZ_MAJOR 1 +#define KDC_AUTHZ_MINOR 0 #include "includes.h" #include "../lib/tsocket/tsocket.h" 
@@ -461,6 +466,128 @@ failure: DBG_ERR("Unable to log Authentication event JSON audit message\n"); } +/* + * Log details of an authorization to a service, in a machine parsable json + * format + * + * IF removing or changing the format/meaning of a field please update the + * major version number KDC_AUTHZ_MAJOR + * + * IF adding a new field please update the minor version number KDC_AUTHZ_MINOR + * + * To process the resulting log lines from the command line use jq to + * parse the json. + * + * grep "^ {" log_file |\ + * jq -rc '"\(.timestamp)\t + * \(."KDC Authorization".domain)\t + * \(."KDC Authorization".account)\t + * \(."KDC Authorization".remoteAddress)"' + * + */ +static void log_authz_event_json( + struct imessaging_context *msg_ctx, + struct loadparm_context *lp_ctx, + const struct tsocket_address *remote, + const struct tsocket_address *local, + const char *service_description, + const char *auth_type, + const char *domain_name, + const char *account_name, + const struct dom_sid *sid, + const char *logon_server, + const struct timeval authtime, + NTSTATUS status, + int debug_level) +{ + struct json_object wrapper = json_empty_object; + struct json_object authorization = json_empty_object; + int rc = 0; + + authorization = json_new_object(); + if (json_is_invalid(&authorization)) { + goto failure; + } + rc = json_add_version(&authorization, KDC_AUTHZ_MAJOR, KDC_AUTHZ_MINOR); + if (rc != 0) { + goto failure; + } + rc = json_add_string(&authorization, "status", nt_errstr(status)); + if (rc != 0) { + goto failure; + } + rc = json_add_address(&authorization, "localAddress", local); + if (rc != 0) { + goto failure; + } + rc = json_add_address(&authorization, "remoteAddress", remote); + if (rc != 0) { + goto failure; + } + rc = json_add_string( + &authorization, "serviceDescription", service_description); + if (rc != 0) { + goto failure; + } + rc = json_add_string(&authorization, "authType", auth_type); + if (rc != 0) { + goto failure; + } + rc = 
json_add_string(&authorization, "domain", domain_name); + if (rc != 0) { + goto failure; + } + rc = json_add_string(&authorization, "account", account_name); + if (rc != 0) { + goto failure; + } + rc = json_add_sid(&authorization, "sid", sid); + if (rc != 0) { + goto failure; + } + rc = json_add_string(&authorization, "logonServer", logon_server); + if (rc != 0) { + goto failure; + } + rc = json_add_time(&authorization, "authTime", authtime); + if (rc != 0) { + goto failure; + } + + wrapper = json_new_object(); + if (json_is_invalid(&wrapper)) { + goto failure; + } + rc = json_add_timestamp(&wrapper); + if (rc != 0) { + goto failure; + } + rc = json_add_string(&wrapper, "type", KDC_AUTHZ_JSON_TYPE); + if (rc != 0) { + goto failure; + } + rc = json_add_object(&wrapper, KDC_AUTHZ_JSON_TYPE, &authorization); + if (rc != 0) { + goto failure; + } + + log_json(msg_ctx, + lp_ctx, + &wrapper, + DBGC_AUTH_AUDIT_JSON, + debug_level); + json_free(&wrapper); + return; +failure: + /* + * On a failure authorization will not have been added to wrapper so it + * needs to be freed to avoid a leak. + */ + json_free(&authorization); + json_free(&wrapper); + DBG_ERR("Unable to log KDC Authorization event JSON audit message\n"); +} + #else static void log_no_json(struct imessaging_context *msg_ctx, @@ -512,6 +639,24 @@ static void log_successful_authz_event_json( log_no_json(msg_ctx, lp_ctx); } +static void log_authz_event_json( + struct imessaging_context *msg_ctx, + struct loadparm_context *lp_ctx, + const struct tsocket_address *remote, + const struct tsocket_address *local, + const char *service_description, + const char *auth_type, + const char *domain_name, + const char *account_name, + const struct dom_sid *sid, + const char *logon_server, + const struct timeval authtime, + NTSTATUS status, + int debug_level) +{ + log_no_json(msg_ctx, lp_ctx); +} + #endif /* 
@@ -802,3 +947,47 @@ void log_successful_authz_event( debug_level); } } + +/* + * Log details of an authorization to a service. + * + * NOTE: msg_ctx and lp_ctx are optional, but when supplied, allow streaming the + * authorization events over the message bus. + */ +void log_authz_event( + struct imessaging_context *msg_ctx, + struct loadparm_context *lp_ctx, + const struct tsocket_address *remote, + const struct tsocket_address *local, + const char *service_description, + const char *auth_type, + const char *domain_name, + const char *account_name, + const struct dom_sid *sid, + const char *logon_server, + const struct timeval authtime, + NTSTATUS status) +{ + /* set the log level */ + int debug_level = KDC_AUTHZ_FAILURE_LEVEL; + + if (NT_STATUS_IS_OK(status)) { + debug_level = KDC_AUTHZ_SUCCESS_LEVEL; + } + + if (CHECK_DEBUGLVLC(DBGC_AUTH_AUDIT_JSON, debug_level) || + (msg_ctx && lp_ctx && lpcfg_auth_event_notification(lp_ctx))) { + log_authz_event_json(msg_ctx, lp_ctx, + remote, + local, + service_description, + auth_type, + domain_name, + account_name, + sid, + logon_server, + authtime, + status, + debug_level); + } +} diff --git a/auth/authn_policy.c b/auth/authn_policy.c new file mode 100644 index 00000000000..5929c005677 --- /dev/null +++ b/auth/authn_policy.c 
@@ -0,0 +1,198 @@ +/* + Unix SMB/CIFS implementation. + Samba Active Directory authentication policy functions + + Copyright (C) Catalyst.Net Ltd 2023 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see <http://www.gnu.org/licenses/>. +*/ + +#include "lib/replace/replace.h" +#include "auth/authn_policy.h" +#include "auth/authn_policy_impl.h" + +bool authn_policy_is_enforced(const struct authn_policy *policy) +{ + return policy->enforced; +} + +/* Authentication policies for Kerberos clients. */ + +/* Is an authentication policy enforced? */ +bool authn_kerberos_client_policy_is_enforced(const struct authn_kerberos_client_policy *policy) +{ + return authn_policy_is_enforced(&policy->policy); +} + +/* Get the raw TGT lifetime enforced by an authentication policy. */ +int64_t authn_policy_enforced_tgt_lifetime_raw(const struct authn_kerberos_client_policy *policy) +{ + if (policy == NULL) { + return 0; + } + + if (!authn_policy_is_enforced(&policy->policy)) { + return 0; + } + + return policy->tgt_lifetime_raw; +} + +/* Auditing information. */ + +enum auth_event_id_type authn_audit_info_event_id(const struct authn_audit_info *audit_info) +{ + bool is_enforced; + + if (audit_info->event == AUTHN_AUDIT_EVENT_OK) { + /* We didn’t get an error. */ + return AUTH_EVT_ID_NONE; + } + + if (audit_info->policy == NULL) { + /* + * We got an error, but there’s no policy, so it must have + * stemmed from something else. 
+ */ + return AUTH_EVT_ID_NONE; + } + + is_enforced = authn_policy_is_enforced(audit_info->policy); + + switch (audit_info->event) { + case AUTHN_AUDIT_EVENT_KERBEROS_DEVICE_RESTRICTION: + if (is_enforced) { + return AUTH_EVT_ID_KERBEROS_DEVICE_RESTRICTION; + } + + return AUTH_EVT_ID_KERBEROS_DEVICE_RESTRICTION_AUDIT; + + case AUTHN_AUDIT_EVENT_KERBEROS_SERVER_RESTRICTION: + if (is_enforced) { + return AUTH_EVT_ID_KERBEROS_SERVER_RESTRICTION; + } + + return AUTH_EVT_ID_KERBEROS_SERVER_RESTRICTION_AUDIT; + + case AUTHN_AUDIT_EVENT_NTLM_DEVICE_RESTRICTION: + if (is_enforced) { + return AUTH_EVT_ID_NTLM_DEVICE_RESTRICTION; + } + + /* No relevant event ID. */ + break; + + case AUTHN_AUDIT_EVENT_NTLM_SERVER_RESTRICTION: + case AUTHN_AUDIT_EVENT_OTHER_ERROR: + default: + /* No relevant event ID. */ + break; + } + + return AUTH_EVT_ID_NONE; +} + +const char *authn_audit_info_silo_name(const struct authn_audit_info *audit_info) +{ + if (audit_info->policy == NULL) { + return NULL; + } + + return audit_info->policy->silo_name; +} + +const char *authn_audit_info_policy_name(const struct authn_audit_info *audit_info) +{ + if (audit_info->policy == NULL) { + return NULL; + } + + return audit_info->policy->policy_name; +} + +const bool *authn_audit_info_policy_enforced(const struct authn_audit_info *audit_info) +{ + if (audit_info->policy == NULL) { + return NULL; + } + + return &audit_info->policy->enforced; +} + +const struct auth_user_info_dc *authn_audit_info_client_info(const struct authn_audit_info *audit_info) +{ + return audit_info->client_info; +} + +const char *authn_audit_info_event(const struct authn_audit_info *audit_info) +{ + switch (audit_info->event) { + case AUTHN_AUDIT_EVENT_OK: + return "OK"; + case AUTHN_AUDIT_EVENT_KERBEROS_DEVICE_RESTRICTION: + return "KERBEROS_DEVICE_RESTRICTION"; + case AUTHN_AUDIT_EVENT_KERBEROS_SERVER_RESTRICTION: + return "KERBEROS_SERVER_RESTRICTION"; + case AUTHN_AUDIT_EVENT_NTLM_DEVICE_RESTRICTION: + return 
"NTLM_DEVICE_RESTRICTION"; + case AUTHN_AUDIT_EVENT_NTLM_SERVER_RESTRICTION: + return "NTLM_SERVER_RESTRICTION"; + case AUTHN_AUDIT_EVENT_OTHER_ERROR: + default: + return "OTHER_ERROR"; + } +} + +const char *authn_audit_info_reason(const struct authn_audit_info *audit_info) +{ + switch (audit_info->reason) { + case AUTHN_AUDIT_REASON_DESCRIPTOR_INVALID: + return "DESCRIPTOR_INVALID"; + case AUTHN_AUDIT_REASON_DESCRIPTOR_NO_OWNER: + return "DESCRIPTOR_NO_OWNER"; + case AUTHN_AUDIT_REASON_SECURITY_TOKEN_FAILURE: + return "SECURITY_TOKEN_FAILURE"; + case AUTHN_AUDIT_REASON_ACCESS_DENIED: + return "ACCESS_DENIED"; + case AUTHN_AUDIT_REASON_FAST_REQUIRED: + return "FAST_REQUIRED"; + case AUTHN_AUDIT_REASON_NONE: + default: + return NULL; + } +} + +NTSTATUS authn_audit_info_policy_status(const struct authn_audit_info *audit_info) +{ + return audit_info->policy_status; +} + +const char *authn_audit_info_location(const struct authn_audit_info *audit_info) +{ + return audit_info->location; +} + +struct authn_int64_optional authn_audit_info_policy_tgt_lifetime_mins(const struct authn_audit_info *audit_info) +{ + int64_t lifetime; + + if (!audit_info->tgt_lifetime_raw.is_present) { + return authn_int64_none(); + } + + lifetime = audit_info->tgt_lifetime_raw.val; + lifetime /= INT64_C(1000) * 1000 * 10 * 60; + + return authn_int64_some(lifetime); +} diff --git a/auth/authn_policy.h b/auth/authn_policy.h new file mode 100644 index 00000000000..f2142feac92 --- /dev/null +++ b/auth/authn_policy.h 
@@ -0,0 +1,87 @@ +/* + Unix SMB/CIFS implementation. + Samba Active Directory authentication policy functions + + Copyright (C) Catalyst.Net Ltd 2023 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see <http://www.gnu.org/licenses/>. +*/ + +#ifndef KDC_AUTHN_POLICY_H +#define KDC_AUTHN_POLICY_H + +#include "lib/replace/replace.h" +#include "libcli/util/ntstatus.h" +#include "librpc/gen_ndr/windows_event_ids.h" + +/* Authentication policies for Kerberos clients. */ + +struct authn_kerberos_client_policy; + +/* Is an authentication policy enforced? */ +bool authn_kerberos_client_policy_is_enforced(const struct authn_kerberos_client_policy *policy); + +/* Get the raw TGT lifetime enforced by an authentication policy. */ +int64_t authn_policy_enforced_tgt_lifetime_raw(const struct authn_kerberos_client_policy *policy); + +/* Auditing information. */ + +struct authn_audit_info; + +/* This enum should be kept in sync with authn_audit_info_event(). */ +enum authn_audit_event { + AUTHN_AUDIT_EVENT_OK = 0, + AUTHN_AUDIT_EVENT_KERBEROS_DEVICE_RESTRICTION, + AUTHN_AUDIT_EVENT_KERBEROS_SERVER_RESTRICTION, + AUTHN_AUDIT_EVENT_NTLM_DEVICE_RESTRICTION, + AUTHN_AUDIT_EVENT_NTLM_SERVER_RESTRICTION, + AUTHN_AUDIT_EVENT_OTHER_ERROR, +}; + +/* This enum should be kept in sync with authn_audit_info_reason(). 
*/ +enum authn_audit_reason { + AUTHN_AUDIT_REASON_NONE = 0, + AUTHN_AUDIT_REASON_DESCRIPTOR_INVALID, + AUTHN_AUDIT_REASON_DESCRIPTOR_NO_OWNER, + AUTHN_AUDIT_REASON_SECURITY_TOKEN_FAILURE, + AUTHN_AUDIT_REASON_ACCESS_DENIED, -- Samba Shared Repository
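Review bot: In the first auth/auth_log.c hunk (@@ -25,6 +25,8 @@), KDC_AUTHZ_FAILURE_LEVEL and KDC_AUTHZ_SUCCESS_LEVEL take the same values as AUTH_FAILURE_LEVEL (2) and AUTH_SUCCESS_LEVEL (3) rather than lining up with AUTHZ_SUCCESS_LEVEL (4), and nothing says whether that is deliberate; the block already explains the shared level 5 for AUTH_ANONYMOUS_LEVEL, so a one-line comment such as `/* KDC authorization is logged at the authentication levels, not AUTHZ_SUCCESS_LEVEL */` would stop the next reader from "correcting" it.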
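Review bot: In the log_authz_event_json hunk, the failure path frees `authorization` after a failed `json_add_object(&wrapper, KDC_AUTHZ_JSON_TYPE, &authorization)` on the strength of the comment "authorization will not have been added to wrapper"; that is only safe if json_add_object leaves ownership with the caller when it fails, so please confirm it neither adopts nor releases the value on its error path, otherwise `json_free(&authorization)` becomes a double free. Separately, the name is easy to confuse with the existing log_successful_authz_event_json even though this function emits a different type (KDC_AUTHZ_JSON_TYPE, "KDC Authorization") with its own KDC_AUTHZ_MAJOR/MINOR; naming it log_kdc_authz_event_json and saying "KDC" in the header comment (which currently reads "Log details of an authorization to a service", the same description as the non-KDC event) would make the distinction visible at call sites.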
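Review bot: In the log_authz_event hunk, the header comment documents msg_ctx and lp_ctx but not that `status` selects the debug level (KDC_AUTHZ_SUCCESS_LEVEL only for NT_STATUS_OK, KDC_AUTHZ_FAILURE_LEVEL for any other status) or that, unlike log_successful_authz_event, this function is intended for failed authorizations as well; one sentence to that effect tells KDC callers to log once per TGS-REQ whatever the outcome. The matching prototype goes into auth/common_auth.h, which the 500-line truncation cuts off, so the by-value `const struct timeval authtime` parameter should be checked against that declaration.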
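Review bot: In the new auth/authn_policy.c, authn_kerberos_client_policy_is_enforced() dereferences `policy` unconditionally while authn_policy_enforced_tgt_lifetime_raw() directly below treats NULL as valid input; either add the same `if (policy == NULL) { return false; }` or document that NULL is not allowed, so callers do not assume both getters are NULL-safe. authn_policy_enforced_tgt_lifetime_raw() also returns 0 both for "no policy or not enforced" and for a stored raw value of 0, so its comment should state that 0 means "no enforced lifetime". In authn_audit_info_policy_tgt_lifetime_mins(), the divisor `INT64_C(1000) * 1000 * 10 * 60` reads as a conversion from 100-nanosecond intervals (10,000,000 per second) to minutes; naming that unit in a comment (the commit message only calls it the raw value from the database) and noting that the integer division truncates toward zero would help anyone interpreting the logged value.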
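Review bot: In the new auth/authn_policy.h, the include guard is still KDC_AUTHN_POLICY_H although the file now lives under auth/ (commit b3a85655825 moves this code out of source4/kdc precisely so it builds with ‘--without-ad-dc’); renaming it to AUTH_AUTHN_POLICY_H matches the new location and avoids a clash with the deleted source4/kdc/authn_policy.h should a header of that name ever be reintroduced. The hunk is cut off by the 500-line truncation partway through `enum authn_audit_reason`, so the rest of the header is not covered by this review.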