mirror of
https://github.com/samba-team/samba.git
synced 2024-12-22 13:34:15 +03:00
s4:kdc: Add helper function to determine whether authentication to a server is allowed
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This commit is contained in:
parent
af95ec0b3f
commit
071ad174d9
@ -31,6 +31,7 @@
|
||||
#include "auth/auth_sam_reply.h"
|
||||
#include "auth/kerberos/kerberos.h"
|
||||
#include "auth/kerberos/pac_utils.h"
|
||||
#include "auth/authn_policy.h"
|
||||
#include "libcli/security/security.h"
|
||||
#include "libds/common/flags.h"
|
||||
#include "librpc/gen_ndr/ndr_krb5pac.h"
|
||||
@ -38,6 +39,7 @@
|
||||
#include "source4/auth/auth.h"
|
||||
#include "source4/dsdb/common/util.h"
|
||||
#include "source4/dsdb/samdb/samdb.h"
|
||||
#include "source4/kdc/authn_policy_util.h"
|
||||
#include "source4/kdc/samba_kdc.h"
|
||||
#include "source4/kdc/pac-glue.h"
|
||||
#include "source4/kdc/ad_claims.h"
|
||||
@ -1633,6 +1635,86 @@ WERROR samba_rodc_confirm_user_is_allowed(uint32_t num_object_sids,
|
||||
return werr;
|
||||
}
|
||||
|
||||
/*
|
||||
* Perform an access check for the client attempting to authenticate to the
|
||||
* server. ‘client_info’ must be talloc-allocated so that we can make a
|
||||
* reference to it.
|
||||
*/
|
||||
krb5_error_code samba_kdc_allowed_to_authenticate_to(TALLOC_CTX *mem_ctx,
|
||||
struct ldb_context *samdb,
|
||||
struct loadparm_context *lp_ctx,
|
||||
const struct samba_kdc_entry *client,
|
||||
const struct auth_user_info_dc *client_info,
|
||||
const struct samba_kdc_entry *server,
|
||||
struct authn_audit_info **server_audit_info_out,
|
||||
NTSTATUS *status_out)
|
||||
{
|
||||
krb5_error_code ret = 0;
|
||||
NTSTATUS status;
|
||||
_UNUSED_ NTSTATUS _status;
|
||||
struct dom_sid server_sid = {};
|
||||
const struct authn_server_policy *server_policy = server->server_policy;
|
||||
|
||||
if (status_out != NULL) {
|
||||
*status_out = NT_STATUS_OK;
|
||||
}
|
||||
|
||||
ret = samdb_result_dom_sid_buf(server->msg, "objectSid", &server_sid);
|
||||
if (ret) {
|
||||
/*
|
||||
* Ignore the return status — we are already in an error path,
|
||||
* and overwriting the real error code with the audit info
|
||||
* status is unhelpful.
|
||||
*/
|
||||
_status = authn_server_policy_audit_info(mem_ctx,
|
||||
server_policy,
|
||||
client_info,
|
||||
AUTHN_AUDIT_EVENT_OTHER_ERROR,
|
||||
AUTHN_AUDIT_REASON_NONE,
|
||||
dsdb_ldb_err_to_ntstatus(ret),
|
||||
server_audit_info_out);
|
||||
goto out;
|
||||
}
|
||||
|
||||
if (dom_sid_equal(&client_info->sids[PRIMARY_USER_SID_INDEX].sid, &server_sid)) {
|
||||
/* Authenticating to ourselves is always allowed. */
|
||||
status = authn_server_policy_audit_info(mem_ctx,
|
||||
server_policy,
|
||||
client_info,
|
||||
AUTHN_AUDIT_EVENT_OK,
|
||||
AUTHN_AUDIT_REASON_NONE,
|
||||
NT_STATUS_OK,
|
||||
server_audit_info_out);
|
||||
if (!NT_STATUS_IS_OK(status)) {
|
||||
ret = KRB5KRB_ERR_GENERIC;
|
||||
}
|
||||
goto out;
|
||||
}
|
||||
|
||||
status = authn_policy_authenticate_to_service(mem_ctx,
|
||||
samdb,
|
||||
lp_ctx,
|
||||
AUTHN_POLICY_AUTH_TYPE_KERBEROS,
|
||||
client_info,
|
||||
server_policy,
|
||||
server_audit_info_out);
|
||||
if (!NT_STATUS_IS_OK(status)) {
|
||||
if (status_out != NULL) {
|
||||
*status_out = status;
|
||||
}
|
||||
if (NT_STATUS_EQUAL(status, NT_STATUS_AUTHENTICATION_FIREWALL_FAILED)) {
|
||||
ret = KRB5KDC_ERR_POLICY;
|
||||
} else if (NT_STATUS_EQUAL(status, NT_STATUS_INVALID_PARAMETER)) {
|
||||
ret = KRB5KDC_ERR_POLICY;
|
||||
} else {
|
||||
ret = KRB5KRB_ERR_GENERIC;
|
||||
}
|
||||
}
|
||||
|
||||
out:
|
||||
return ret;
|
||||
}
|
||||
|
||||
static krb5_error_code samba_kdc_add_domain_group_sid(TALLOC_CTX *mem_ctx,
|
||||
struct PAC_DEVICE_INFO *info,
|
||||
const struct netr_SidAttr *sid)
|
||||
|
@ -128,6 +128,7 @@ krb5_error_code samba_kdc_verify_pac(TALLOC_CTX *mem_ctx,
|
||||
const krb5_const_pac *device_pac,
|
||||
krb5_const_pac pac);
|
||||
|
||||
struct authn_audit_info;
|
||||
krb5_error_code samba_kdc_update_pac(TALLOC_CTX *mem_ctx,
|
||||
krb5_context context,
|
||||
struct ldb_context *samdb,
|
||||
@ -160,3 +161,12 @@ NTSTATUS samba_kdc_get_requester_sid_blob(TALLOC_CTX *mem_ctx,
|
||||
NTSTATUS samba_kdc_get_claims_blob(TALLOC_CTX *mem_ctx,
|
||||
const struct samba_kdc_entry *p,
|
||||
DATA_BLOB **_claims_blob);
|
||||
|
||||
krb5_error_code samba_kdc_allowed_to_authenticate_to(TALLOC_CTX *mem_ctx,
|
||||
struct ldb_context *samdb,
|
||||
struct loadparm_context *lp_ctx,
|
||||
const struct samba_kdc_entry *client,
|
||||
const struct auth_user_info_dc *client_info,
|
||||
const struct samba_kdc_entry *server,
|
||||
struct authn_audit_info **server_audit_info_out,
|
||||
NTSTATUS *status_out);
|
||||
|
@ -123,7 +123,7 @@ bld.SAMBA_SUBSYSTEM('sdb_kdb',
|
||||
|
||||
bld.SAMBA_SUBSYSTEM('PAC_GLUE',
|
||||
source='pac-glue.c pac-blobs.c',
|
||||
deps='ldb auth4_sam common_auth samba-credentials samba-hostconfig com_err ad_claims'
|
||||
deps='ldb auth4_sam common_auth samba-credentials samba-hostconfig com_err ad_claims authn_policy authn_policy_util'
|
||||
)
|
||||
|
||||
bld.SAMBA_LIBRARY('pac',
|
||||
|
Loading…
Reference in New Issue
Block a user