From 6dce6318e4fa38e995248ff8fded021c51577c3d Mon Sep 17 00:00:00 2001
From: Joseph Sutton
Date: Thu, 15 Jun 2023 10:54:18 +1200
Subject: [PATCH] =?UTF-8?q?s4:kdc:=20Move=20NTLM=20device=20restrictions?=
 =?UTF-8?q?=20to=20=E2=80=98authn=5Fpolicy=5Futil=E2=80=99?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

We’re going to extend this code, and so we will require functions from the utility module.

Signed-off-by: Joseph Sutton
Reviewed-by: Andrew Bartlett
---
 auth/authn_policy.c | 41 ---------------------------------
 auth/authn_policy.h | 9 --------
 source4/kdc/authn_policy_util.c | 39 +++++++++++++++++++++++++++++++
 source4/kdc/authn_policy_util.h | 7 ++++++
 4 files changed, 46 insertions(+), 50 deletions(-)

diff --git a/auth/authn_policy.c b/auth/authn_policy.c
index 11dcf33e6e0..5929c005677 100644
--- a/auth/authn_policy.c
+++ b/auth/authn_policy.c
@@ -49,47 +49,6 @@ int64_t authn_policy_enforced_tgt_lifetime_raw(const struct authn_kerberos_clien
 return policy->tgt_lifetime_raw;
 }
 
-/* Authentication policies for NTLM clients. */
-
-/* Return whether an authentication policy enforces device restrictions. */
-static bool authn_policy_ntlm_device_restrictions_present(const struct authn_ntlm_client_policy *policy)
-{
- if (policy == NULL) {
- return false;
- }
-
- return policy->allowed_to_authenticate_from.data != NULL;
-}
-
-/* Check whether the client is allowed to authenticate using NTLM. */
-NTSTATUS authn_policy_ntlm_apply_device_restriction(const char *client_account_name,
- const char *device_account_name,
- const struct authn_ntlm_client_policy *client_policy)
-{
- /*
- * If NTLM authentication is disallowed and the policy enforces a device
- * restriction, deny the authentication.
- */
-
- if (!authn_policy_ntlm_device_restrictions_present(client_policy)) {
- return NT_STATUS_OK;
- }
-
- /*
- * Although MS-APDS doesn’t state it, AllowedNTLMNetworkAuthentication
- * applies to interactive logons too.
- */
- if (client_policy->allowed_ntlm_network_auth) {
- return NT_STATUS_OK;
- }
-
- if (authn_policy_is_enforced(&client_policy->policy)) {
- return NT_STATUS_ACCOUNT_RESTRICTION;
- } else {
- return NT_STATUS_OK;
- }
-}
-
 /* Auditing information. */
 
 enum auth_event_id_type authn_audit_info_event_id(const struct authn_audit_info *audit_info)
diff --git a/auth/authn_policy.h b/auth/authn_policy.h
index 757a3485d82..f2142feac92 100644
--- a/auth/authn_policy.h
+++ b/auth/authn_policy.h
@@ -35,15 +35,6 @@ bool authn_kerberos_client_policy_is_enforced(const struct authn_kerberos_client
 /* Get the raw TGT lifetime enforced by an authentication policy. */
 int64_t authn_policy_enforced_tgt_lifetime_raw(const struct authn_kerberos_client_policy *policy);
 
-/* Authentication policies for NTLM clients. */
-
-struct authn_ntlm_client_policy;
-
-/* Check whether the client is allowed to authenticate using NTLM. */
-NTSTATUS authn_policy_ntlm_apply_device_restriction(const char *client_account_name,
- const char *device_account_name,
- const struct authn_ntlm_client_policy *client_policy);
-
 /* Auditing information. */
 
 struct authn_audit_info;
diff --git a/source4/kdc/authn_policy_util.c b/source4/kdc/authn_policy_util.c
index bf14096e6c3..2f6d53c3cc8 100644
--- a/source4/kdc/authn_policy_util.c
+++ b/source4/kdc/authn_policy_util.c
@@ -944,6 +944,45 @@ out:
 return ret;
 }
 
+/* Return whether an authentication policy enforces device restrictions. */
+static bool authn_policy_ntlm_device_restrictions_present(const struct authn_ntlm_client_policy *policy)
+{
+ if (policy == NULL) {
+ return false;
+ }
+
+ return policy->allowed_to_authenticate_from.data != NULL;
+}
+
+/* Check whether the client is allowed to authenticate using NTLM. */
+NTSTATUS authn_policy_ntlm_apply_device_restriction(const char *client_account_name,
+ const char *device_account_name,
+ const struct authn_ntlm_client_policy *client_policy)
+{
+ /*
+ * If NTLM authentication is disallowed and the policy enforces a device
+ * restriction, deny the authentication.
+ */
+
+ if (!authn_policy_ntlm_device_restrictions_present(client_policy)) {
+ return NT_STATUS_OK;
+ }
+
+ /*
+ * Although MS-APDS doesn’t state it, AllowedNTLMNetworkAuthentication
+ * applies to interactive logons too.
+ */
+ if (client_policy->allowed_ntlm_network_auth) {
+ return NT_STATUS_OK;
+ }
+
+ if (authn_policy_is_enforced(&client_policy->policy)) {
+ return NT_STATUS_ACCOUNT_RESTRICTION;
+ } else {
+ return NT_STATUS_OK;
+ }
+}
+
 /* Authentication policies for servers. */
 
 /*
diff --git a/source4/kdc/authn_policy_util.h b/source4/kdc/authn_policy_util.h
index f768b5e5f8f..969c2da7a01 100644
--- a/source4/kdc/authn_policy_util.h
+++ b/source4/kdc/authn_policy_util.h
@@ -76,6 +76,8 @@ bool authn_policy_device_restrictions_present(const struct authn_kerberos_client
 
 /* Authentication policies for NTLM clients. */
 
+struct authn_ntlm_client_policy;
+
 /*
 * Get the applicable authentication policy for an account acting as an NTLM
 * client.
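Review bot: `client_account_name` and `device_account_name` are parameters of the moved `authn_policy_ntlm_apply_device_restriction()` but neither is read anywhere in its body, so the outcome depends only on `client_policy`, and a reader could easily expect the device to be matched against `allowed_to_authenticate_from` when in fact only its presence is tested in `authn_policy_ntlm_device_restrictions_present()`. Since this commit is a straight move that is fine to keep, but a comment on the definition such as `/* NOTE: the account names are not consulted yet; a device restriction is honoured only by refusing NTLM unless AllowedNTLMNetworkAuthentication is set. */` would make the intent explicit, the commit message suggesting the extension where they start to matter is about to follow. It is also worth a one-liner at the final `authn_policy_is_enforced()` check that an audit-only policy falls through to NT_STATUS_OK with no audit record produced by this function, so the logging presumably has to happen in the caller. The `out:` label and `return ret` at the top belong to a function that begins outside this hunk.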
@@ -85,6 +87,11 @@ int authn_policy_ntlm_client(struct ldb_context *samdb,
 const struct ldb_message *msg,
 const struct authn_ntlm_client_policy **policy_out);
 
+/* Check whether the client is allowed to authenticate using NTLM. */
+NTSTATUS authn_policy_ntlm_apply_device_restriction(const char *client_account_name,
+ const char *device_account_name,
+ const struct authn_ntlm_client_policy *client_policy);
+
 /* Authentication policies for servers. */
 
 struct authn_server_policy;
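Review bot: The comment above the new `authn_policy_ntlm_apply_device_restriction()` prototype only says it checks whether NTLM is allowed, leaving the contract undocumented at the one place callers will look: which arguments matter and which NTSTATUS values come back. From the definition moved into authn_policy_util.c in this same commit, it returns NT_STATUS_ACCOUNT_RESTRICTION only when the policy has `allowed_to_authenticate_from` set, `allowed_ntlm_network_auth` is false and the policy is enforced, and NT_STATUS_OK in every other case including a NULL `client_policy`; I would spell that out in a short block comment above the prototype and state that `client_account_name` and `device_account_name` are currently not consulted. The `authn_policy_ntlm_client()` declaration at the top of the hunk begins outside it.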