
auth: Log the transport connection for the authorization

We also log if a simple bind was over TLS, as this particular case matters to a lot of folks

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
This commit is contained in:
Andrew Bartlett
2017-03-06 14:10:17 +13:00
parent f4a4522d1f
commit 366f8cf090
15 changed files with 66 additions and 2 deletions


@ -227,6 +227,7 @@ void log_successful_authz_event(const struct tsocket_address *remote,
const struct tsocket_address *local,
const char *service_description,
const char *auth_type,
const char *transport_protection,
struct auth_session_info *session_info)
{
TALLOC_CTX *frame = NULL;


@ -146,6 +146,12 @@ struct auth4_context {
struct auth_session_info **session_info);
};
#define AUTHZ_TRANSPORT_PROTECTION_NONE "NONE"
#define AUTHZ_TRANSPORT_PROTECTION_SMB "SMB"
#define AUTHZ_TRANSPORT_PROTECTION_TLS "TLS"
#define AUTHZ_TRANSPORT_PROTECTION_SEAL "SEAL"
#define AUTHZ_TRANSPORT_PROTECTION_SIGN "SIGN"
void log_authentication_event(const struct auth_usersupplied_info *ui,
NTSTATUS status,
const char *account_name,
@ -157,5 +163,6 @@ void log_successful_authz_event(const struct tsocket_address *remote,
const struct tsocket_address *local,
const char *service_description,
const char *auth_type,
const char *transport_protection,
struct auth_session_info *session_info);
#endif
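Review bot: The five AUTHZ_TRANSPORT_PROTECTION_* strings and the new `transport_protection` parameter of `log_successful_authz_event()` are added without a comment saying what each value means or how a caller should choose one, and because they are plain string macros rather than an enum, a future caller passing an unlisted string would be accepted and logged silently. A short block comment above the defines would record the contract, e.g. `/* Transport protection of the connection an authorization was granted on, for the authz log: NONE (no protection), SMB (inside an SMB session), TLS (LDAPS/StartTLS), SEAL (GENSEC encryption), SIGN (GENSEC signing only). Callers pass exactly one of these. */`. The same applies to GENSEC_FEATURE_SMB_TRANSPORT and GENSEC_FEATURE_LDAPS_TRANSPORT in the gensec header hunk, which carry no comment on when a server is expected to request them.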


@ -221,9 +221,22 @@ static void log_successful_gensec_authz_event(struct gensec_security *gensec_sec
= gensec_get_target_service_description(gensec_security);
const char *final_auth_type
= gensec_final_auth_type(gensec_security);
const char *transport_protection = NULL;
if (gensec_security->want_features & GENSEC_FEATURE_SMB_TRANSPORT) {
transport_protection = AUTHZ_TRANSPORT_PROTECTION_SMB;
} else if (gensec_security->want_features & GENSEC_FEATURE_LDAPS_TRANSPORT) {
transport_protection = AUTHZ_TRANSPORT_PROTECTION_TLS;
} else if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL)) {
transport_protection = AUTHZ_TRANSPORT_PROTECTION_SEAL;
} else if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) {
transport_protection = AUTHZ_TRANSPORT_PROTECTION_SIGN;
} else {
transport_protection = AUTHZ_TRANSPORT_PROTECTION_NONE;
}
log_successful_authz_event(remote, local,
service_description,
final_auth_type,
transport_protection,
session_info);
}
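Review bot: The branch order in the new chain makes an SMB or LDAPS transport win over SEAL/SIGN, so a GENSEC context that negotiated sealing inside an SMB session is logged as `SMB` and the negotiated seal never appears in the record; if that priority is intended it deserves a comment, e.g. `/* Report the outer transport (SMB session or TLS) in preference to GENSEC's own sign/seal; presumably the outer layer is what protects the wire. */`. The first two tests also read `want_features` (what the caller requested) while the last two use `gensec_have_feature()` (what was negotiated); that looks deliberate, since the transport flags are set by the server itself rather than negotiated, but a comment stating it would stop a later reader from "fixing" the inconsistency. The enclosing function starts before the hunk.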


@ -68,6 +68,8 @@ struct gensec_target {
#define GENSEC_FEATURE_NTLM_CCACHE 0x00000200
#define GENSEC_FEATURE_LDAP_STYLE 0x00000400
#define GENSEC_FEATURE_NO_AUTHZ_LOG 0x00000800
#define GENSEC_FEATURE_SMB_TRANSPORT 0x00001000
#define GENSEC_FEATURE_LDAPS_TRANSPORT 0x00002000
#define GENSEC_EXPIRE_TIME_INFINITY (NTTIME)0x8000000000000000LL


@ -447,6 +447,7 @@ NTSTATUS auth_check_password_session_info(struct auth4_context *auth_context,
user_info->local_host,
user_info->service_description,
user_info->auth_description,
AUTHZ_TRANSPORT_PROTECTION_SMB,
*session_info);
return nt_status;
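Review bot: `AUTHZ_TRANSPORT_PROTECTION_SMB` is passed unconditionally here, so the log claims SMB transport protection for every caller of auth_check_password_session_info(); that is only accurate if every path into this function is an SMB session setup, which the hunk cannot show. If that holds, a comment next to the argument such as `/* Only reached from SMB session setup, so the transport is always SMB */` would record the assumption; if it does not, the protection should be supplied by the caller as the other sites in this commit do. The enclosing function starts before the hunk.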


@ -822,6 +822,11 @@ static bool api_pipe_bind_req(struct pipes_struct *p,
goto err_exit;
}
} else {
const char *transport_protection = AUTHZ_TRANSPORT_PROTECTION_NONE;
if (p->transport == NCACN_NP) {
transport_protection = AUTHZ_TRANSPORT_PROTECTION_SMB;
}
p->auth.auth_type = DCERPC_AUTH_TYPE_NONE;
p->auth.auth_level = DCERPC_AUTH_LEVEL_NONE;
p->auth.auth_context_id = 0;
@ -835,6 +840,7 @@ static bool api_pipe_bind_req(struct pipes_struct *p,
p->local_address,
table->name,
derpc_transport_string_by_transport(p->transport),
transport_protection,
p->session_info);
}
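Review bot: The mapping `p->transport == NCACN_NP` to `AUTHZ_TRANSPORT_PROTECTION_SMB` is stated without explanation, and the same four lines reappear in dcesrv_auth_bind() in a later hunk of this commit, so the rule now lives in two places that can drift. A one-line comment on why a named-pipe transport is treated as SMB-protected would help, e.g. `/* ncacn_np is carried inside an SMB session, so it inherits that session's protection */`, and moving the mapping into one small shared helper that both bind paths call would keep them in step. Both enclosing functions start before their hunks.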


@ -263,6 +263,7 @@ static void reply_sesssetup_and_X_spnego(struct smb_request *req)
gensec_want_feature(auth->gensec, GENSEC_FEATURE_SESSION_KEY);
gensec_want_feature(auth->gensec, GENSEC_FEATURE_UNIX_TOKEN);
gensec_want_feature(auth->gensec, GENSEC_FEATURE_SMB_TRANSPORT);
status = gensec_start_mech_by_oid(auth->gensec,
GENSEC_OID_SPNEGO);


@ -864,6 +864,7 @@ auth:
gensec_want_feature(state->auth->gensec, GENSEC_FEATURE_SESSION_KEY);
gensec_want_feature(state->auth->gensec, GENSEC_FEATURE_UNIX_TOKEN);
gensec_want_feature(state->auth->gensec, GENSEC_FEATURE_SMB_TRANSPORT);
status = gensec_start_mech_by_oid(state->auth->gensec,
GENSEC_OID_SPNEGO);


@ -164,6 +164,7 @@ NTSTATUS authenticate_ldap_simple_bind(TALLOC_CTX *mem_ctx,
struct loadparm_context *lp_ctx,
struct tsocket_address *remote_address,
struct tsocket_address *local_address,
bool using_tls,
const char *dn,
const char *password,
struct auth_session_info **session_info);


@ -31,6 +31,7 @@ _PUBLIC_ NTSTATUS authenticate_ldap_simple_bind(TALLOC_CTX *mem_ctx,
struct loadparm_context *lp_ctx,
struct tsocket_address *remote_address,
struct tsocket_address *local_address,
bool using_tls,
const char *dn,
const char *password,
struct auth_session_info **session_info)
@ -44,6 +45,10 @@ _PUBLIC_ NTSTATUS authenticate_ldap_simple_bind(TALLOC_CTX *mem_ctx,
const char *nt4_domain;
const char *nt4_username;
uint32_t flags = 0;
const char *transport_protection = AUTHZ_TRANSPORT_PROTECTION_NONE;
if (using_tls) {
transport_protection = AUTHZ_TRANSPORT_PROTECTION_TLS;
}
if (!tmp_ctx) {
return NT_STATUS_NO_MEMORY;
@ -85,7 +90,11 @@ _PUBLIC_ NTSTATUS authenticate_ldap_simple_bind(TALLOC_CTX *mem_ctx,
user_info->service_description = "LDAP";
user_info->auth_description = "simple bind";
if (using_tls) {
user_info->auth_description = "simple bind";
} else {
user_info->auth_description = "simple bind/TLS";
}
user_info->password_state = AUTH_PASSWORD_PLAIN;
user_info->password.plaintext = talloc_strdup(user_info, password);
@ -125,6 +134,7 @@ _PUBLIC_ NTSTATUS authenticate_ldap_simple_bind(TALLOC_CTX *mem_ctx,
local_address,
"LDAP",
"simple bind",
transport_protection,
*session_info);
talloc_free(tmp_ctx);
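Review bot: The two branches at `if (using_tls)` in the middle hunk are inverted: the TLS case sets `auth_description = "simple bind"` and the non-TLS case sets `"simple bind/TLS"`, so the authentication log will mark exactly the wrong binds as TLS-protected. Swap the assignments so that the `using_tls` branch reads `user_info->auth_description = "simple bind/TLS";` and the else branch reads `user_info->auth_description = "simple bind";`. The authorization log call in the last hunk still passes the literal `"simple bind"` regardless of `using_tls`, so even after the swap the two log records for one bind will disagree on the description; passing `user_info->auth_description` there would keep them consistent. The enclosing function starts before the first hunk.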


@ -1280,10 +1280,16 @@ NTSTATUS ldapsrv_do_call(struct ldapsrv_call *call)
}
if (log) {
const char *transport_protection = AUTHZ_TRANSPORT_PROTECTION_NONE;
if (call->conn->sockets.active == call->conn->sockets.tls) {
transport_protection = AUTHZ_TRANSPORT_PROTECTION_TLS;
}
log_successful_authz_event(call->conn->connection->remote_address,
call->conn->connection->local_address,
"LDAP",
"no bind",
transport_protection,
call->conn->session_info);
call->conn->authz_logged = true;
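Review bot: The TLS test `call->conn->sockets.active == call->conn->sockets.tls` is now spelled out at three sites touched by this commit — here, in ldapsrv_BindSimple() and in ldapsrv_setup_gensec() in the following hunks — so the definition of "this connection is on TLS" has three places to drift if the socket bookkeeping ever changes. A small helper would name it once, e.g. `static bool ldapsrv_conn_using_tls(const struct ldapsrv_connection *conn) { return conn->sockets.active == conn->sockets.tls; }`, and this site would then read `transport_protection = ldapsrv_conn_using_tls(call->conn) ? AUTHZ_TRANSPORT_PROTECTION_TLS : AUTHZ_TRANSPORT_PROTECTION_NONE;`. ldapsrv_do_call() starts before this hunk.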


@ -73,6 +73,8 @@ static NTSTATUS ldapsrv_BindSimple(struct ldapsrv_call *call)
NTSTATUS status;
bool using_tls = call->conn->sockets.active == call->conn->sockets.tls;
DEBUG(10, ("BindSimple dn: %s\n",req->dn));
reply = ldapsrv_init_reply(call, LDAP_TAG_BindResponse);
@ -83,7 +85,7 @@ static NTSTATUS ldapsrv_BindSimple(struct ldapsrv_call *call)
if (req->dn != NULL &&
strlen(req->dn) != 0 &&
call->conn->require_strong_auth > LDAP_SERVER_REQUIRE_STRONG_AUTH_NO &&
call->conn->sockets.active != call->conn->sockets.tls)
!using_tls)
{
status = NT_STATUS_NETWORK_ACCESS_DENIED;
result = LDAP_STRONG_AUTH_REQUIRED;
@ -98,6 +100,7 @@ static NTSTATUS ldapsrv_BindSimple(struct ldapsrv_call *call)
call->conn->lp_ctx,
call->conn->connection->remote_address,
call->conn->connection->local_address,
using_tls,
req->dn,
req->creds.password,
&session_info);
@ -218,6 +221,10 @@ static NTSTATUS ldapsrv_setup_gensec(struct ldapsrv_connection *conn,
gensec_want_feature(gensec_security, GENSEC_FEATURE_ASYNC_REPLIES);
gensec_want_feature(gensec_security, GENSEC_FEATURE_LDAP_STYLE);
if (conn->sockets.active == conn->sockets.tls) {
gensec_want_feature(gensec_security, GENSEC_FEATURE_LDAPS_TRANSPORT);
}
status = gensec_start_mech_by_sasl_name(gensec_security, sasl_mech);
if (!NT_STATUS_IS_OK(status)) {


@ -49,6 +49,10 @@ bool dcesrv_auth_bind(struct dcesrv_call_state *call)
enum dcerpc_transport_t transport =
dcerpc_binding_get_transport(call->conn->endpoint->ep_description);
const char *auth_type = derpc_transport_string_by_transport(transport);
const char *transport_protection = AUTHZ_TRANSPORT_PROTECTION_NONE;
if (transport == NCACN_NP) {
transport_protection = AUTHZ_TRANSPORT_PROTECTION_SMB;
}
auth->auth_type = DCERPC_AUTH_TYPE_NONE;
auth->auth_level = DCERPC_AUTH_LEVEL_NONE;
auth->auth_context_id = 0;
@ -62,6 +66,7 @@ bool dcesrv_auth_bind(struct dcesrv_call_state *call)
call->conn->local_address,
"DCE/RPC",
auth_type,
transport_protection,
call->conn->auth_state.session_info);
return true;


@ -58,6 +58,7 @@ void smbsrv_not_spengo_sesssetup_authz_log(struct smbsrv_request *req,
local_address,
"SMB",
"bare-NTLM",
AUTHZ_TRANSPORT_PROTECTION_SMB,
session_info);
talloc_free(frame);
@ -510,6 +511,7 @@ static void sesssetup_spnego(struct smbsrv_request *req, union smb_sesssetup *se
}
gensec_want_feature(gensec_ctx, GENSEC_FEATURE_SESSION_KEY);
gensec_want_feature(gensec_ctx, GENSEC_FEATURE_SMB_TRANSPORT);
remote_address = socket_get_remote_addr(req->smb_conn->connection->socket,
req);


@ -145,6 +145,7 @@ static void smb2srv_sesssetup_backend(struct smb2srv_request *req, union smb_ses
}
gensec_want_feature(gensec_ctx, GENSEC_FEATURE_SESSION_KEY);
gensec_want_feature(gensec_ctx, GENSEC_FEATURE_SMB_TRANSPORT);
remote_address = socket_get_remote_addr(req->smb_conn->connection->socket,
req);