1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-22 13:34:15 +03:00

s4:kdc: Move NTLM device restrictions to ‘authn_policy_util’

We’re going to extend this code, and so we will require functions from
the utility module.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This commit is contained in:
Joseph Sutton 2023-06-15 10:54:18 +12:00 committed by Andrew Bartlett
parent b5506d5ee3
commit 6dce6318e4
4 changed files with 46 additions and 50 deletions

View File

@ -49,47 +49,6 @@ int64_t authn_policy_enforced_tgt_lifetime_raw(const struct authn_kerberos_clien
return policy->tgt_lifetime_raw; return policy->tgt_lifetime_raw;
} }
/* Authentication policies for NTLM clients. */
/* Return whether an authentication policy enforces device restrictions. */
static bool authn_policy_ntlm_device_restrictions_present(const struct authn_ntlm_client_policy *policy)
{
if (policy == NULL) {
return false;
}
return policy->allowed_to_authenticate_from.data != NULL;
}
/* Check whether the client is allowed to authenticate using NTLM. */
NTSTATUS authn_policy_ntlm_apply_device_restriction(const char *client_account_name,
const char *device_account_name,
const struct authn_ntlm_client_policy *client_policy)
{
/*
* If NTLM authentication is disallowed and the policy enforces a device
* restriction, deny the authentication.
*/
if (!authn_policy_ntlm_device_restrictions_present(client_policy)) {
return NT_STATUS_OK;
}
/*
* Although MS-APDS doesnt state it, AllowedNTLMNetworkAuthentication
* applies to interactive logons too.
*/
if (client_policy->allowed_ntlm_network_auth) {
return NT_STATUS_OK;
}
if (authn_policy_is_enforced(&client_policy->policy)) {
return NT_STATUS_ACCOUNT_RESTRICTION;
} else {
return NT_STATUS_OK;
}
}
/* Auditing information. */ /* Auditing information. */
enum auth_event_id_type authn_audit_info_event_id(const struct authn_audit_info *audit_info) enum auth_event_id_type authn_audit_info_event_id(const struct authn_audit_info *audit_info)

View File

@ -35,15 +35,6 @@ bool authn_kerberos_client_policy_is_enforced(const struct authn_kerberos_client
/* Get the raw TGT lifetime enforced by an authentication policy. */ /* Get the raw TGT lifetime enforced by an authentication policy. */
int64_t authn_policy_enforced_tgt_lifetime_raw(const struct authn_kerberos_client_policy *policy); int64_t authn_policy_enforced_tgt_lifetime_raw(const struct authn_kerberos_client_policy *policy);
/* Authentication policies for NTLM clients. */
struct authn_ntlm_client_policy;
/* Check whether the client is allowed to authenticate using NTLM. */
NTSTATUS authn_policy_ntlm_apply_device_restriction(const char *client_account_name,
const char *device_account_name,
const struct authn_ntlm_client_policy *client_policy);
/* Auditing information. */ /* Auditing information. */
struct authn_audit_info; struct authn_audit_info;

View File

@ -944,6 +944,45 @@ out:
return ret; return ret;
} }
/* Return whether an authentication policy enforces device restrictions. */
static bool authn_policy_ntlm_device_restrictions_present(const struct authn_ntlm_client_policy *policy)
{
if (policy == NULL) {
return false;
}
return policy->allowed_to_authenticate_from.data != NULL;
}
/* Check whether the client is allowed to authenticate using NTLM. */
NTSTATUS authn_policy_ntlm_apply_device_restriction(const char *client_account_name,
const char *device_account_name,
const struct authn_ntlm_client_policy *client_policy)
{
/*
* If NTLM authentication is disallowed and the policy enforces a device
* restriction, deny the authentication.
*/
if (!authn_policy_ntlm_device_restrictions_present(client_policy)) {
return NT_STATUS_OK;
}
/*
* Although MS-APDS doesnt state it, AllowedNTLMNetworkAuthentication
* applies to interactive logons too.
*/
if (client_policy->allowed_ntlm_network_auth) {
return NT_STATUS_OK;
}
if (authn_policy_is_enforced(&client_policy->policy)) {
return NT_STATUS_ACCOUNT_RESTRICTION;
} else {
return NT_STATUS_OK;
}
}
/* Authentication policies for servers. */ /* Authentication policies for servers. */
/* /*

View File

@ -76,6 +76,8 @@ bool authn_policy_device_restrictions_present(const struct authn_kerberos_client
/* Authentication policies for NTLM clients. */ /* Authentication policies for NTLM clients. */
struct authn_ntlm_client_policy;
/* /*
* Get the applicable authentication policy for an account acting as an NTLM * Get the applicable authentication policy for an account acting as an NTLM
* client. * client.
@ -85,6 +87,11 @@ int authn_policy_ntlm_client(struct ldb_context *samdb,
const struct ldb_message *msg, const struct ldb_message *msg,
const struct authn_ntlm_client_policy **policy_out); const struct authn_ntlm_client_policy **policy_out);
/* Check whether the client is allowed to authenticate using NTLM. */
NTSTATUS authn_policy_ntlm_apply_device_restriction(const char *client_account_name,
const char *device_account_name,
const struct authn_ntlm_client_policy *client_policy);
/* Authentication policies for servers. */ /* Authentication policies for servers. */
struct authn_server_policy; struct authn_server_policy;