s4:kdc: Move NTLM device restrictions to ‘authn_policy_util’
We’re going to extend this code, and so we will require functions from the utility module. Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
parent
b5506d5ee3
commit
6dce6318e4
@ -49,47 +49,6 @@ int64_t authn_policy_enforced_tgt_lifetime_raw(const struct authn_kerberos_clien
|
|||||||
return policy->tgt_lifetime_raw;
|
return policy->tgt_lifetime_raw;
|
||||||
}
|
}
|
||||||
|
|
||||||
/* Authentication policies for NTLM clients. */
|
|
||||||
|
|
||||||
/* Return whether an authentication policy enforces device restrictions. */
|
|
||||||
static bool authn_policy_ntlm_device_restrictions_present(const struct authn_ntlm_client_policy *policy)
|
|
||||||
{
|
|
||||||
if (policy == NULL) {
|
|
||||||
return false;
|
|
||||||
}
|
|
||||||
|
|
||||||
return policy->allowed_to_authenticate_from.data != NULL;
|
|
||||||
}
|
|
||||||
|
|
||||||
/* Check whether the client is allowed to authenticate using NTLM. */
|
|
||||||
NTSTATUS authn_policy_ntlm_apply_device_restriction(const char *client_account_name,
|
|
||||||
const char *device_account_name,
|
|
||||||
const struct authn_ntlm_client_policy *client_policy)
|
|
||||||
{
|
|
||||||
/*
|
|
||||||
* If NTLM authentication is disallowed and the policy enforces a device
|
|
||||||
* restriction, deny the authentication.
|
|
||||||
*/
|
|
||||||
|
|
||||||
if (!authn_policy_ntlm_device_restrictions_present(client_policy)) {
|
|
||||||
return NT_STATUS_OK;
|
|
||||||
}
|
|
||||||
|
|
||||||
/*
|
|
||||||
* Although MS-APDS doesn’t state it, AllowedNTLMNetworkAuthentication
|
|
||||||
* applies to interactive logons too.
|
|
||||||
*/
|
|
||||||
if (client_policy->allowed_ntlm_network_auth) {
|
|
||||||
return NT_STATUS_OK;
|
|
||||||
}
|
|
||||||
|
|
||||||
if (authn_policy_is_enforced(&client_policy->policy)) {
|
|
||||||
return NT_STATUS_ACCOUNT_RESTRICTION;
|
|
||||||
} else {
|
|
||||||
return NT_STATUS_OK;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
/* Auditing information. */
|
/* Auditing information. */
|
||||||
|
|
||||||
enum auth_event_id_type authn_audit_info_event_id(const struct authn_audit_info *audit_info)
|
enum auth_event_id_type authn_audit_info_event_id(const struct authn_audit_info *audit_info)
|
||||||
|
@ -35,15 +35,6 @@ bool authn_kerberos_client_policy_is_enforced(const struct authn_kerberos_client
|
|||||||
/* Get the raw TGT lifetime enforced by an authentication policy. */
|
/* Get the raw TGT lifetime enforced by an authentication policy. */
|
||||||
int64_t authn_policy_enforced_tgt_lifetime_raw(const struct authn_kerberos_client_policy *policy);
|
int64_t authn_policy_enforced_tgt_lifetime_raw(const struct authn_kerberos_client_policy *policy);
|
||||||
|
|
||||||
/* Authentication policies for NTLM clients. */
|
|
||||||
|
|
||||||
struct authn_ntlm_client_policy;
|
|
||||||
|
|
||||||
/* Check whether the client is allowed to authenticate using NTLM. */
|
|
||||||
NTSTATUS authn_policy_ntlm_apply_device_restriction(const char *client_account_name,
|
|
||||||
const char *device_account_name,
|
|
||||||
const struct authn_ntlm_client_policy *client_policy);
|
|
||||||
|
|
||||||
/* Auditing information. */
|
/* Auditing information. */
|
||||||
|
|
||||||
struct authn_audit_info;
|
struct authn_audit_info;
|
||||||
|
@ -944,6 +944,45 @@ out:
|
|||||||
return ret;
|
return ret;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/* Return whether an authentication policy enforces device restrictions. */
|
||||||
|
static bool authn_policy_ntlm_device_restrictions_present(const struct authn_ntlm_client_policy *policy)
|
||||||
|
{
|
||||||
|
if (policy == NULL) {
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
|
return policy->allowed_to_authenticate_from.data != NULL;
|
||||||
|
}
|
||||||
|
|
||||||
|
/* Check whether the client is allowed to authenticate using NTLM. */
|
||||||
|
NTSTATUS authn_policy_ntlm_apply_device_restriction(const char *client_account_name,
|
||||||
|
const char *device_account_name,
|
||||||
|
const struct authn_ntlm_client_policy *client_policy)
|
||||||
|
{
|
||||||
|
/*
|
||||||
|
* If NTLM authentication is disallowed and the policy enforces a device
|
||||||
|
* restriction, deny the authentication.
|
||||||
|
*/
|
||||||
|
|
||||||
|
if (!authn_policy_ntlm_device_restrictions_present(client_policy)) {
|
||||||
|
return NT_STATUS_OK;
|
||||||
|
}
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Although MS-APDS doesn’t state it, AllowedNTLMNetworkAuthentication
|
||||||
|
* applies to interactive logons too.
|
||||||
|
*/
|
||||||
|
if (client_policy->allowed_ntlm_network_auth) {
|
||||||
|
return NT_STATUS_OK;
|
||||||
|
}
|
||||||
|
|
||||||
|
if (authn_policy_is_enforced(&client_policy->policy)) {
|
||||||
|
return NT_STATUS_ACCOUNT_RESTRICTION;
|
||||||
|
} else {
|
||||||
|
return NT_STATUS_OK;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
/* Authentication policies for servers. */
|
/* Authentication policies for servers. */
|
||||||
|
|
||||||
/*
|
/*
|
||||||
|
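Review bot: `client_account_name` and `device_account_name` are accepted by authn_policy_ntlm_apply_device_restriction but never read in the moved body, so the prototype now exported from the utility header (hunk `@ -85,6 +87,11 @@`) promises more than the implementation uses; since the commit message says the code is about to be extended, a one-line comment on the declaration saying the names are reserved for that extension would stop readers of the utility module from hunting for the use. The declaration comment would also be the place to state the result contract, which the moved body leaves implicit: `/* Returns NT_STATUS_ACCOUNT_RESTRICTION only when client_policy carries a device restriction, disallows NTLM network authentication and is enforced; a NULL or non-enforcing policy yields NT_STATUS_OK. */`. In the non-enforced branch the function returns NT_STATUS_OK without recording the would-be denial here, so any audit-mode reporting presumably lives in the caller — worth saying so in that comment so the two halves of the policy are not expected from this function alone.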
@ -76,6 +76,8 @@ bool authn_policy_device_restrictions_present(const struct authn_kerberos_client
|
|||||||
|
|
||||||
/* Authentication policies for NTLM clients. */
|
/* Authentication policies for NTLM clients. */
|
||||||
|
|
||||||
|
struct authn_ntlm_client_policy;
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Get the applicable authentication policy for an account acting as an NTLM
|
* Get the applicable authentication policy for an account acting as an NTLM
|
||||||
* client.
|
* client.
|
||||||
@ -85,6 +87,11 @@ int authn_policy_ntlm_client(struct ldb_context *samdb,
|
|||||||
const struct ldb_message *msg,
|
const struct ldb_message *msg,
|
||||||
const struct authn_ntlm_client_policy **policy_out);
|
const struct authn_ntlm_client_policy **policy_out);
|
||||||
|
|
||||||
|
/* Check whether the client is allowed to authenticate using NTLM. */
|
||||||
|
NTSTATUS authn_policy_ntlm_apply_device_restriction(const char *client_account_name,
|
||||||
|
const char *device_account_name,
|
||||||
|
const struct authn_ntlm_client_policy *client_policy);
|
||||||
|
|
||||||
/* Authentication policies for servers. */
|
/* Authentication policies for servers. */
|
||||||
|
|
||||||
struct authn_server_policy;
|
struct authn_server_policy;
|
||||||
|