diff --git a/auth/auth_log.c b/auth/auth_log.c index 019cbe114bf..9a110fd0b48 100644 --- a/auth/auth_log.c +++ b/auth/auth_log.c @@ -44,9 +44,9 @@ * increment the major version. */ #define AUTH_MAJOR 1 -#define AUTH_MINOR 2 +#define AUTH_MINOR 3 #define AUTHZ_MAJOR 1 -#define AUTHZ_MINOR 1 +#define AUTHZ_MINOR 2 #define KDC_AUTHZ_MAJOR 1 #define KDC_AUTHZ_MINOR 0 @@ -149,11 +149,15 @@ static void log_authentication_event_json( const char *domain_name, const char *account_name, struct dom_sid *sid, + const struct authn_audit_info *client_audit_info, + const struct authn_audit_info *server_audit_info, enum event_id_type event_id, int debug_level) { struct json_object wrapper = json_empty_object; struct json_object authentication = json_empty_object; + struct json_object client_policy = json_null_object(); + struct json_object server_policy = json_null_object(); char logon_id[19]; int rc = 0; const char *clientDomain = ui->orig_client.domain_name ? @@ -285,6 +289,30 @@ static void log_authentication_event_json( goto failure; } + if (client_audit_info != NULL) { + client_policy = json_from_audit_info(client_audit_info); + if (json_is_invalid(&client_policy)) { + goto failure; + } + } + + rc = json_add_object(&authentication, "clientPolicyAccessCheck", &client_policy); + if (rc != 0) { + goto failure; + } + + if (server_audit_info != NULL) { + server_policy = json_from_audit_info(server_audit_info); + if (json_is_invalid(&server_policy)) { + goto failure; + } + } + + rc = json_add_object(&authentication, "serverPolicyAccessCheck", &server_policy); + if (rc != 0) { + goto failure; + } + wrapper = json_new_object(); if (json_is_invalid(&wrapper)) { goto failure; @@ -327,6 +355,8 @@ static void log_authentication_event_json( json_free(&wrapper); return; failure: + json_free(&server_policy); + json_free(&client_policy); /* * On a failure authentication will not have been added to wrapper so it * needs to be freed to avoid a leak. 
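Review bot: The two json_free() calls added at the failure label release client_policy and server_policy even when an earlier `json_add_object(&authentication, "clientPolicyAccessCheck", &client_policy)` has already succeeded and a later step (the server policy being invalid, or the wrapper allocation) is what jumped to failure. The existing comment at that label, "authentication will not have been added to wrapper so it needs to be freed", shows this file treats a successful json_add_object as a transfer of ownership to the parent, so unless json_add_object() invalidates its value argument on success (not visible here) the child is released twice. The simplest fix is to mark each object as consumed right after it is attached, e.g. `client_policy = json_empty_object;` after the first successful add and `server_policy = json_empty_object;` after the second, assuming json_free() tolerates an empty object the way the wrapper/authentication initialisers suggest; whether json_add_object() already drops the value when it fails should be confirmed too, since that path also reaches the label. The failure label and the rest of log_authentication_event_json continue outside this hunk.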
@@ -365,10 +395,14 @@ static void log_successful_authz_event_json( const char *auth_type, const char *transport_protection, struct auth_session_info *session_info, + const struct authn_audit_info *client_audit_info, + const struct authn_audit_info *server_audit_info, int debug_level) { struct json_object wrapper = json_empty_object; struct json_object authorization = json_empty_object; + struct json_object client_policy = json_null_object(); + struct json_object server_policy = json_null_object(); int rc = 0; authorization = json_new_object(); @@ -431,6 +465,30 @@ static void log_successful_authz_event_json( goto failure; } + if (client_audit_info != NULL) { + client_policy = json_from_audit_info(client_audit_info); + if (json_is_invalid(&client_policy)) { + goto failure; + } + } + + rc = json_add_object(&authorization, "clientPolicyAccessCheck", &client_policy); + if (rc != 0) { + goto failure; + } + + if (server_audit_info != NULL) { + server_policy = json_from_audit_info(server_audit_info); + if (json_is_invalid(&server_policy)) { + goto failure; + } + } + + rc = json_add_object(&authorization, "serverPolicyAccessCheck", &server_policy); + if (rc != 0) { + goto failure; + } + wrapper = json_new_object(); if (json_is_invalid(&wrapper)) { goto failure; @@ -456,6 +514,8 @@ static void log_successful_authz_event_json( json_free(&wrapper); return; failure: + json_free(&server_policy); + json_free(&client_policy); /* * On a failure authorization will not have been added to wrapper so it * needs to be freed to avoid a leak. @@ -490,6 +550,7 @@ static void log_authz_event_json( struct loadparm_context *lp_ctx, const struct tsocket_address *remote, const struct tsocket_address *local, + const struct authn_audit_info *server_audit_info, const char *service_description, const char *auth_type, const char *domain_name, 
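Review bot: The stanza from `if (client_audit_info != NULL)` through the second `goto failure` is a verbatim copy of the one added to log_authentication_event_json, and log_authz_event_json carries a third, server-only copy, so the null-versus-object convention and the ownership handling now live in three places. A small static helper that builds one policy object and attaches it would keep that in one place and make the extra json_free() calls at the failure label unnecessary, since the caller would no longer hold a half-attached object. The start of log_successful_authz_event_json and its failure label are outside this hunk; the helper's assumption about json_add_object() ownership is marked for confirmation.
```c
/*
 * Attach the result of an authentication policy access check to
 * @parent under @name.  A NULL @audit_info is recorded as JSON null.
 * Returns 0 on success; on failure nothing is left for the caller to
 * release.
 */
static int json_add_policy_check(struct json_object *parent,
				 const char *name,
				 const struct authn_audit_info *audit_info)
{
	struct json_object policy = json_null_object();
	int rc;

	if (audit_info != NULL) {
		policy = json_from_audit_info(audit_info);
		if (json_is_invalid(&policy)) {
			json_free(&policy);
			return -1;
		}
	}

	/*
	 * NOTE(review): assumes json_add_object() takes over @policy
	 * whether or not it succeeds -- confirm against the JSON helpers.
	 */
	rc = json_add_object(parent, name, &policy);
	return rc != 0 ? -1 : 0;
}

/* … unchanged: start of log_successful_authz_event_json … */
	rc = json_add_policy_check(&authorization,
				   "clientPolicyAccessCheck",
				   client_audit_info);
	if (rc != 0) {
		goto failure;
	}

	rc = json_add_policy_check(&authorization,
				   "serverPolicyAccessCheck",
				   server_audit_info);
	if (rc != 0) {
		goto failure;
	}
/* … unchanged: wrapper construction; failure label no longer frees client_policy/server_policy … */
```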
@@ -502,6 +563,7 @@ static void log_authz_event_json( { struct json_object wrapper = json_empty_object; struct json_object authorization = json_empty_object; + struct json_object server_policy = json_null_object(); int rc = 0; authorization = json_new_object(); @@ -554,6 +616,18 @@ static void log_authz_event_json( goto failure; } + if (server_audit_info != NULL) { + server_policy = json_from_audit_info(server_audit_info); + if (json_is_invalid(&server_policy)) { + goto failure; + } + } + + rc = json_add_object(&authorization, "serverPolicyAccessCheck", &server_policy); + if (rc != 0) { + goto failure; + } + wrapper = json_new_object(); if (json_is_invalid(&wrapper)) { goto failure; @@ -579,6 +653,7 @@ static void log_authz_event_json( json_free(&wrapper); return; failure: + json_free(&server_policy); /* * On a failure authorization will not have been added to wrapper so it * needs to be freed to avoid a leak. @@ -619,6 +694,8 @@ static void log_authentication_event_json( const char *domain_name, const char *account_name, struct dom_sid *sid, + const struct authn_audit_info *client_audit_info, + const struct authn_audit_info *server_audit_info, enum event_id_type event_id, int debug_level) { @@ -634,6 +711,8 @@ static void log_successful_authz_event_json( const char *auth_type, const char *transport_protection, struct auth_session_info *session_info, + const struct authn_audit_info *client_audit_info, + const struct authn_audit_info *server_audit_info, int debug_level) { log_no_json(msg_ctx, lp_ctx); @@ -644,6 +723,7 @@ static void log_authz_event_json( struct loadparm_context *lp_ctx, const struct tsocket_address *remote, const struct tsocket_address *local, + const struct authn_audit_info *server_audit_info, const char *service_description, const char *auth_type, const char *domain_name, 
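Review bot: log_authz_event_json now emits a new `serverPolicyAccessCheck` key, yet the first hunk of this file leaves `KDC_AUTHZ_MINOR` at 0 and the Python test keeps `KDC_AUTHZ_VERSION = {'major': 1, 'minor': 0}`, while AUTH_MINOR and AUTHZ_MINOR were both bumped for the same kind of addition. If this function stamps its record with KDC_AUTHZ_MAJOR/KDC_AUTHZ_MINOR (its json_add_version call is outside the hunk), consumers keying on the minor version will not learn that a field was added; `#define KDC_AUTHZ_MINOR 1` plus the matching test constant would keep the three formats consistent. The rest of log_authz_event_json, including its failure label, lies outside this hunk.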
@@ -813,7 +893,9 @@ void log_authentication_event( NTSTATUS status, const char *domain_name, const char *account_name, - struct dom_sid *sid) + struct dom_sid *sid, + const struct authn_audit_info *client_audit_info, + const struct authn_audit_info *server_audit_info) { /* set the log level */ int debug_level = AUTH_FAILURE_LEVEL; @@ -845,6 +927,8 @@ void log_authentication_event( domain_name, account_name, sid, + client_audit_info, + server_audit_info, event_id, debug_level); } @@ -918,7 +1002,9 @@ void log_successful_authz_event( const char *service_description, const char *auth_type, const char *transport_protection, - struct auth_session_info *session_info) + struct auth_session_info *session_info, + const struct authn_audit_info *client_audit_info, + const struct authn_audit_info *server_audit_info) { int debug_level = AUTHZ_SUCCESS_LEVEL; @@ -944,6 +1030,8 @@ void log_successful_authz_event( auth_type, transport_protection, session_info, + client_audit_info, + server_audit_info, debug_level); } } @@ -959,6 +1047,7 @@ void log_authz_event( struct loadparm_context *lp_ctx, const struct tsocket_address *remote, const struct tsocket_address *local, + const struct authn_audit_info *server_audit_info, const char *service_description, const char *auth_type, const char *domain_name, @@ -980,6 +1069,7 @@ void log_authz_event( log_authz_event_json(msg_ctx, lp_ctx, remote, local, + server_audit_info, service_description, auth_type, domain_name, diff --git a/auth/common_auth.h b/auth/common_auth.h index 3880b857058..24b7b14f51a 100644 --- a/auth/common_auth.h +++ b/auth/common_auth.h @@ -177,6 +177,7 @@ struct auth4_context { * NOTE: msg_ctx and lp_ctx is optional, but when supplied allows streaming the * authentication events over the message bus. */ +struct authn_audit_info; void log_authentication_event(struct imessaging_context *msg_ctx, struct loadparm_context *lp_ctx, const struct timeval *start_time, 
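Review bot: In common_auth.h the new forward declaration `struct authn_audit_info;` is wedged between the closing `*/` of log_authentication_event's doc comment and the prototype it documents, so the comment no longer sits directly on the function; it should go above the comment block instead. The comment should also cover the two new parameters, since the NOTE only says msg_ctx and lp_ctx are optional, for example ` * client_audit_info and server_audit_info are optional; a NULL entry is logged as a JSON null under the corresponding PolicyAccessCheck key.` — which is what the auth_log.c hunks implement. The prototype continues past the end of this hunk.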
@@ -184,7 +185,9 @@ void log_authentication_event(struct imessaging_context *msg_ctx, NTSTATUS status, const char *domain_name, const char *account_name, - struct dom_sid *sid); + struct dom_sid *sid, + const struct authn_audit_info *client_audit_info, + const struct authn_audit_info *server_audit_info); /* * Log details of a successful authorization to a service. @@ -206,7 +209,9 @@ void log_successful_authz_event(struct imessaging_context *msg_ctx, const char *service_description, const char *auth_type, const char *transport_protection, - struct auth_session_info *session_info); + struct auth_session_info *session_info, + const struct authn_audit_info *client_audit_info, + const struct authn_audit_info *server_audit_info); /* * Log details of an authorization to a service. @@ -219,6 +224,7 @@ void log_authz_event( struct loadparm_context *lp_ctx, const struct tsocket_address *remote, const struct tsocket_address *local, + const struct authn_audit_info *server_audit_info, const char *service_description, const char *auth_type, const char *domain_name, diff --git a/auth/gensec/gensec.c b/auth/gensec/gensec.c index 3641d4ba65e..26b5865bff5 100644 --- a/auth/gensec/gensec.c +++ b/auth/gensec/gensec.c @@ -242,7 +242,9 @@ static void log_successful_gensec_authz_event(struct gensec_security *gensec_sec service_description, final_auth_type, transport_protection, - session_info); + session_info, + NULL /* client_audit_info */, + NULL /* server_audit_info */); } diff --git a/python/samba/tests/krb5/authn_policy_tests.py b/python/samba/tests/krb5/authn_policy_tests.py index c8edb50ea66..29bde221a89 100755 --- a/python/samba/tests/krb5/authn_policy_tests.py +++ b/python/samba/tests/krb5/authn_policy_tests.py 
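Review bot: The log_authz_event prototype gains only `server_audit_info`, while the two sibling entry points in this header gain a client/server pair, and the "Log details of an authorization to a service." comment above it says nothing about the new parameter or why there is no client counterpart. A one-line addition such as ` * server_audit_info is optional; when NULL the server policy access check is logged as JSON null.` — plus a word on the missing client side if the asymmetry is deliberate — would spare the next caller a guess. The prototype runs past the end of this hunk.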
@@ -59,8 +59,8 @@ HRES_SEC_E_INVALID_TOKEN = 0x80090308 HRES_SEC_E_LOGON_DENIED = 0x8009030C -AUTHN_VERSION = {'major': 1, 'minor': 2} -AUTHZ_VERSION = {'major': 1, 'minor': 1} +AUTHN_VERSION = {'major': 1, 'minor': 3} +AUTHZ_VERSION = {'major': 1, 'minor': 2} KDC_AUTHZ_VERSION = {'major': 1, 'minor': 0} diff --git a/source3/auth/auth.c b/source3/auth/auth.c index fec19c76dbb..b388b619d75 100644 --- a/source3/auth/auth.c +++ b/source3/auth/auth.c @@ -319,7 +319,9 @@ NTSTATUS auth_check_ntlm_password(TALLOC_CTX *mem_ctx, nt_status, server_info->info3->base.logon_domain.string, server_info->info3->base.account_name.string, - &sid); + &sid, + NULL /* client_audit_info */, + NULL /* server_audit_info */); DEBUG(server_info->guest ? 5 : 2, ("check_ntlm_password: %sauthentication for user " @@ -354,7 +356,9 @@ fail: nt_status, NULL, NULL, - NULL); + NULL, + NULL /* client_audit_info */, + NULL /* server_audit_info */); ZERO_STRUCTP(pserver_info); diff --git a/source3/auth/auth_generic.c b/source3/auth/auth_generic.c index 6c61eb4e827..673f441d9a5 100644 --- a/source3/auth/auth_generic.c +++ b/source3/auth/auth_generic.c @@ -549,7 +549,9 @@ NTSTATUS auth_check_password_session_info(struct auth4_context *auth_context, user_info->service_description, user_info->auth_description, AUTHZ_TRANSPORT_PROTECTION_SMB, - *session_info); + *session_info, + NULL /* client_audit_info */, + NULL /* server_audit_info */); return nt_status; } diff --git a/source3/rpc_server/rpc_server.c b/source3/rpc_server/rpc_server.c index 06fb6bb4472..6f50ca5fdb5 100644 --- a/source3/rpc_server/rpc_server.c +++ b/source3/rpc_server/rpc_server.c @@ -126,7 +126,9 @@ void dcesrv_log_successful_authz( "DCE/RPC", auth_type, transport_protection, - auth->session_info); + auth->session_info, + NULL /* client_audit_info */, + NULL /* server_audit_info */); auth->auth_audited = true; diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c index f306bdad0f8..7225757d12e 100644 
--- a/source3/winbindd/winbindd_pam.c +++ b/source3/winbindd/winbindd_pam.c @@ -2178,7 +2178,9 @@ static void log_authentication( result, base_info != NULL ? base_info->logon_domain.string : "", base_info != NULL ? base_info->account_name.string : "", - sid); + sid, + NULL /* client_audit_info */, + NULL /* server_audit_info */); TALLOC_FREE(ui); } diff --git a/source4/auth/ntlm/auth.c b/source4/auth/ntlm/auth.c index b88201913b7..570f82156f9 100644 --- a/source4/auth/ntlm/auth.c +++ b/source4/auth/ntlm/auth.c @@ -404,7 +404,9 @@ _PUBLIC_ NTSTATUS auth_check_password_recv(struct tevent_req *req, state->auth_ctx->lp_ctx, &state->auth_ctx->start_time, state->user_info, status, - NULL, NULL, NULL); + NULL, NULL, NULL, + NULL /* client_audit_info */, + NULL /* server_audit_info */); tevent_req_received(req); return status; } @@ -421,7 +423,9 @@ _PUBLIC_ NTSTATUS auth_check_password_recv(struct tevent_req *req, state->user_info, status, state->user_info_dc->info->domain_name, state->user_info_dc->info->account_name, - &state->user_info_dc->sids[PRIMARY_USER_SID_INDEX].sid); + &state->user_info_dc->sids[PRIMARY_USER_SID_INDEX].sid, + NULL /* client_audit_info */, + NULL /* server_audit_info */); /* Release our handle to state->user_info_dc. */ *user_info_dc = talloc_reparent(state, mem_ctx, state->user_info_dc); diff --git a/source4/auth/ntlm/auth_simple.c b/source4/auth/ntlm/auth_simple.c index 1a55a59f0db..605ed9eb664 100644 --- a/source4/auth/ntlm/auth_simple.c +++ b/source4/auth/ntlm/auth_simple.c @@ -115,7 +115,9 @@ _PUBLIC_ struct tevent_req *authenticate_ldap_simple_bind_send(TALLOC_CTX *mem_c log_authentication_event(msg, lp_ctx, &state->auth_context->start_time, user_info, status, - NULL, NULL, NULL); + NULL, NULL, NULL, + NULL /* client_audit_info */, + NULL /* server_audit_info */); } if (tevent_req_nterror(req, status)) { return tevent_req_post(req, ev); 
@@ -190,7 +192,9 @@ static void authenticate_ldap_simple_bind_done(struct tevent_req *subreq) "LDAP", "simple bind", transport_protection, - state->session_info); + state->session_info, + NULL /* client_audit_info */, + NULL /* server_audit_info */); tevent_req_done(req); } diff --git a/source4/dsdb/samdb/ldb_modules/password_hash.c b/source4/dsdb/samdb/ldb_modules/password_hash.c index addba4786f4..29a5a55fc54 100644 --- a/source4/dsdb/samdb/ldb_modules/password_hash.c +++ b/source4/dsdb/samdb/ldb_modules/password_hash.c @@ -3247,7 +3247,9 @@ static int check_password_restrictions_and_log(struct setup_password_fields_io * status, domain_name, io->u.sAMAccountName, - io->u.account_sid); + io->u.account_sid, + NULL /* client_audit_info */, + NULL /* server_audit_info */); } return ret; diff --git a/source4/kdc/hdb-samba4.c b/source4/kdc/hdb-samba4.c index c176a84eb5b..526e9037e1a 100644 --- a/source4/kdc/hdb-samba4.c +++ b/source4/kdc/hdb-samba4.c @@ -622,6 +622,7 @@ static krb5_error_code hdb_samba4_tgs_audit(const struct samba_kdc_db_context *k kdc_db_ctx->lp_ctx, remote_host, NULL /* local */, + NULL /* server_audit_info */, r->sname, "TGS-REQ with Ticket-Granting Ticket", domain_name, @@ -911,7 +912,9 @@ static krb5_error_code hdb_samba4_audit(krb5_context context, status, domain_name, account_name, - sid); + sid, + NULL /* client_audit_info */, + NULL /* server_audit_info */); if (final_ret == KRB5KRB_ERR_GENERIC && socket_wrapper_enabled()) { /* * If we're running under make test @@ -951,7 +954,9 @@ static krb5_error_code hdb_samba4_audit(krb5_context context, &ui, NT_STATUS_NO_SUCH_USER, NULL, NULL, - NULL); + NULL, + NULL /* client_audit_info */, + NULL /* server_audit_info */); TALLOC_FREE(frame); break; } diff --git a/source4/ldap_server/ldap_backend.c b/source4/ldap_server/ldap_backend.c index 8db85c58fac..dbb9c1e7a0a 100644 --- a/source4/ldap_server/ldap_backend.c +++ b/source4/ldap_server/ldap_backend.c 
@@ -1596,7 +1596,9 @@ NTSTATUS ldapsrv_do_call(struct ldapsrv_call *call) "LDAP", "no bind", transport_protection, - call->conn->session_info); + call->conn->session_info, + NULL /* client_audit_info */, + NULL /* server_audit_info */); call->conn->authz_logged = true; } diff --git a/source4/rpc_server/dcerpc_server.c b/source4/rpc_server/dcerpc_server.c index 13c0f7acb96..b3b114d3746 100644 --- a/source4/rpc_server/dcerpc_server.c +++ b/source4/rpc_server/dcerpc_server.c @@ -667,7 +667,9 @@ void log_successful_dcesrv_authz_event( "DCE/RPC", auth_type, transport_protection, - auth->session_info); + auth->session_info, + NULL /* client_audit_info */, + NULL /* server_audit_info */); auth->auth_audited = true; } diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c index 9d9b6c792ab..6ccba65d3bf 100644 --- a/source4/rpc_server/netlogon/dcerpc_netlogon.c +++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c @@ -839,7 +839,9 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3( status, lpcfg_workgroup(dce_call->conn->dce_ctx->lp_ctx), trust_account_in_db, - sid); + sid, + NULL /* client_audit_info */, + NULL /* server_audit_info */); return status; } diff --git a/source4/rpc_server/samr/samr_password.c b/source4/rpc_server/samr/samr_password.c index 9b7e6e21e51..3142707fdc7 100644 --- a/source4/rpc_server/samr/samr_password.c +++ b/source4/rpc_server/samr/samr_password.c @@ -81,7 +81,9 @@ static void log_password_change_event(struct imessaging_context *msg_ctx, status, ui.mapped.domain_name, ui.mapped.account_name, - sid); + sid, + NULL /* client_audit_info */, + NULL /* server_audit_info */); } /* samr_ChangePasswordUser diff --git a/source4/smb_server/smb/sesssetup.c b/source4/smb_server/smb/sesssetup.c index f651c622443..00d927375a3 100644 --- a/source4/smb_server/smb/sesssetup.c +++ b/source4/smb_server/smb/sesssetup.c 
@@ -61,7 +61,9 @@ void smbsrv_not_spengo_sesssetup_authz_log(struct smbsrv_request *req, "SMB", "bare-NTLM", AUTHZ_TRANSPORT_PROTECTION_SMB, - session_info); + session_info, + NULL /* client_audit_info */, + NULL /* server_audit_info */); talloc_free(frame); return;