1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-22 13:34:15 +03:00

auth: Add hooks for notification of authentication events over the message bus

This will allow tests to be written to confirm the correct events are triggered.

We pass in a messaging context from the callers

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
This commit is contained in:
Andrew Bartlett 2017-03-24 15:18:46 +13:00
parent 631f1bcce6
commit d004196036
13 changed files with 132 additions and 24 deletions

View File

@ -200,7 +200,8 @@ static void auth_message_send(struct imessaging_context *msg_ctx,
* Write the json object to the debug logs.
*
*/
static void log_json( struct json_context *context,
static void log_json(struct imessaging_context *msg_ctx,
struct json_context *context,
const char *type, int debug_class, int debug_level)
{
char* json = NULL;
@ -217,6 +218,7 @@ static void log_json( struct json_context *context,
}
DEBUGC( debug_class, debug_level, ( "JSON %s: %s\n", type, json));
auth_message_send(msg_ctx, json);
if (json) {
free(json);
@ -446,6 +448,8 @@ static void add_sid(struct json_context *context,
* \t\(.Authentication.localAddress)"'
*/
static void log_authentication_event_json(
struct imessaging_context *msg_ctx,
struct loadparm_context *lp_ctx,
const struct auth_usersupplied_info *ui,
NTSTATUS status,
const char *domain_name,
@ -498,7 +502,7 @@ static void log_authentication_event_json(
add_string(&authentication, "passwordType", get_password_type( ui));
add_object(&context,AUTH_JSON_TYPE, &authentication);
log_json(&context, AUTH_JSON_TYPE, DBGC_AUTH_AUDIT, debug_level);
log_json(msg_ctx, &context, AUTH_JSON_TYPE, DBGC_AUTH_AUDIT, debug_level);
free_json_context(&context);
}
@ -523,6 +527,8 @@ static void log_authentication_event_json(
*
*/
static void log_successful_authz_event_json(
struct imessaging_context *msg_ctx,
struct loadparm_context *lp_ctx,
const struct tsocket_address *remote,
const struct tsocket_address *local,
const char *service_description,
@ -559,7 +565,8 @@ static void log_successful_authz_event_json(
add_string(&authorization, "accountFlags", account_flags);
add_object(&context,AUTHZ_JSON_TYPE, &authorization);
log_json(&context,
log_json(msg_ctx,
&context,
AUTHZ_JSON_TYPE,
DBGC_AUTH_AUDIT,
debug_level);
@ -568,7 +575,29 @@ static void log_successful_authz_event_json(
#else
static void log_no_json(struct imessaging_context *msg_ctx,
struct loadparm_context *lp_ctx)
{
if (msg_ctx && lp_ctx && lpcfg_auth_event_notification(lp_ctx)) {
static bool auth_event_logged = false;
if (auth_event_logged == false) {
auth_event_logged = true;
DBG_ERR("auth event notification = true but Samba was not compiled with jansson\n");
}
} else {
static bool json_logged = false;
if (json_logged == false) {
json_logged = true;
DBG_NOTICE("JSON auth logs not available unless compiled with jansson\n");
}
}
return;
}
static void log_authentication_event_json(
struct imessaging_context *msg_ctx,
struct loadparm_context *lp_ctx,
const struct auth_usersupplied_info *ui,
NTSTATUS status,
const char *domain_name,
@ -577,10 +606,13 @@ static void log_authentication_event_json(
struct dom_sid *sid,
int debug_level)
{
log_no_json(msg_ctx, lp_ctx);
return;
}
static void log_successful_authz_event_json(
struct imessaging_context *msg_ctx,
struct loadparm_context *lp_ctx,
const struct tsocket_address *remote,
const struct tsocket_address *local,
const char *service_description,
@ -589,6 +621,7 @@ static void log_successful_authz_event_json(
struct auth_session_info *session_info,
int debug_level)
{
log_no_json(msg_ctx, lp_ctx);
return;
}
@ -722,7 +755,9 @@ static void log_authentication_event_human_readable(
* NOTE: msg_ctx and lp_ctx is optional, but when supplied allows streaming the
* authentication events over the message bus.
*/
void log_authentication_event( const struct auth_usersupplied_info *ui,
void log_authentication_event(struct imessaging_context *msg_ctx,
struct loadparm_context *lp_ctx,
const struct auth_usersupplied_info *ui,
NTSTATUS status,
const char *domain_name,
const char *account_name,
@ -748,8 +783,10 @@ void log_authentication_event( const struct auth_usersupplied_info *ui,
sid,
debug_level);
}
if (CHECK_DEBUGLVLC( DBGC_AUTH_AUDIT_JSON, debug_level)) {
log_authentication_event_json(ui,
if (CHECK_DEBUGLVLC( DBGC_AUTH_AUDIT_JSON, debug_level) ||
(msg_ctx && lp_ctx && lpcfg_auth_event_notification(lp_ctx))) {
log_authentication_event_json(msg_ctx, lp_ctx,
ui,
status,
domain_name,
account_name,
@ -823,7 +860,9 @@ static void log_successful_authz_event_human_readable(
* NOTE: msg_ctx and lp_ctx is optional, but when supplied allows streaming the
* authentication events over the message bus.
*/
void log_successful_authz_event(const struct tsocket_address *remote,
void log_successful_authz_event(struct imessaging_context *msg_ctx,
struct loadparm_context *lp_ctx,
const struct tsocket_address *remote,
const struct tsocket_address *local,
const char *service_description,
const char *auth_type,
@ -846,8 +885,10 @@ void log_successful_authz_event(const struct tsocket_address *remote,
session_info,
debug_level);
}
if (CHECK_DEBUGLVLC( DBGC_AUTH_AUDIT_JSON, debug_level)) {
log_successful_authz_event_json(remote,
if (CHECK_DEBUGLVLC( DBGC_AUTH_AUDIT_JSON, debug_level) ||
(msg_ctx && lp_ctx && lpcfg_auth_event_notification(lp_ctx))) {
log_successful_authz_event_json(msg_ctx, lp_ctx,
remote,
local,
service_description,
auth_type,

View File

@ -152,14 +152,38 @@ struct auth4_context {
#define AUTHZ_TRANSPORT_PROTECTION_SEAL "SEAL"
#define AUTHZ_TRANSPORT_PROTECTION_SIGN "SIGN"
void log_authentication_event(const struct auth_usersupplied_info *ui,
/*
* Log details of an authentication attempt.
* Successful and unsuccessful attempts are logged.
*
* NOTE: msg_ctx and lp_ctx is optional, but when supplied allows streaming the
* authentication events over the message bus.
*/
void log_authentication_event(struct imessaging_context *msg_ctx,
struct loadparm_context *lp_ctx,
const struct auth_usersupplied_info *ui,
NTSTATUS status,
const char *account_name,
const char *domain_name,
const char *unix_username,
struct dom_sid *sid);
void log_successful_authz_event(const struct tsocket_address *remote,
/*
* Log details of a successful authorization to a service.
*
* Only successful authorizations are logged. For clarity:
* - NTLM bad passwords will be recorded by log_authentication_event
* - Kerberos decrypt failures need to be logged in gensec_gssapi et al
*
* The service may later refuse authorization due to an ACL.
*
*
* NOTE: msg_ctx and lp_ctx is optional, but when supplied allows streaming the
* authorization events over the message bus.
*/
void log_successful_authz_event(struct imessaging_context *msg_ctx,
struct loadparm_context *lp_ctx,
const struct tsocket_address *remote,
const struct tsocket_address *local,
const char *service_description,
const char *auth_type,

View File

@ -233,7 +233,9 @@ static void log_successful_gensec_authz_event(struct gensec_security *gensec_sec
} else {
transport_protection = AUTHZ_TRANSPORT_PROTECTION_NONE;
}
log_successful_authz_event(remote, local,
log_successful_authz_event(gensec_security->auth_context->msg_ctx,
gensec_security->auth_context->lp_ctx,
remote, local,
service_description,
final_auth_type,
transport_protection,

View File

@ -3,8 +3,7 @@
bld.SAMBA_LIBRARY('common_auth',
source='auth_sam_reply.c wbc_auth_util.c auth_log.c',
deps='talloc samba-security samba-util util_str_escape LIBTSOCKET jansson MESSAGING_SEND server_id_db ',
private_library=True,
allow_warnings=True)
private_library=True)
bld.RECURSE('gensec')
bld.RECURSE('ntlmssp')

View File

@ -0,0 +1,26 @@
<samba:parameter name="auth event notification"
context="G"
type="boolean"
xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
<description>
<para>When enabled, this option causes Samba (acting as an
Active Directory Domain Controller) to stream authentication
events across the internal message bus. Scripts built using
Samba's python bindings can listen to these events by
registering as the service
<filename moreinfo="none">auth_event</filename>.</para>
<para>This should be considered a developer option (it assists
in the Samba testsuite) rather than a facility for external
auditing, as message delivery is not guaranteed (a feature
that the testsuite works around). Additionally Samba must be
compiled with the jansson support for this option to be
effective.</para>
<para>The authentication events are also logged via the normal
logging methods when the <smbconfoption name="log level"/> is
set appropriately.</para>
</description>
<value type="default">no</value>
</samba:parameter>

View File

@ -299,7 +299,8 @@ NTSTATUS auth_check_ntlm_password(TALLOC_CTX *mem_ctx,
sid = (struct dom_sid) {0};
}
log_authentication_event(user_info, nt_status,
log_authentication_event(NULL, NULL,
user_info, nt_status,
server_info->info3->base.logon_domain.string,
server_info->info3->base.account_name.string,
unix_username, &sid);
@ -330,7 +331,7 @@ fail:
user_info->client.account_name, user_info->mapped.account_name,
nt_errstr(nt_status), *pauthoritative));
log_authentication_event(user_info, nt_status, NULL, NULL, NULL, NULL);
log_authentication_event(NULL, NULL, user_info, nt_status, NULL, NULL, NULL, NULL);
ZERO_STRUCTP(pserver_info);

View File

@ -443,7 +443,9 @@ NTSTATUS auth_check_password_session_info(struct auth4_context *auth_context,
* log all authorizations consistently (be they NLTM, NTLMSSP
* or krb5) we log this info again as an authorization.
*/
log_successful_authz_event(user_info->remote_host,
log_successful_authz_event(auth_context->msg_ctx,
auth_context->lp_ctx,
user_info->remote_host,
user_info->local_host,
user_info->service_description,
user_info->auth_description,

View File

@ -836,7 +836,8 @@ static bool api_pipe_bind_req(struct pipes_struct *p,
* covered ncacn_np pass-through auth, and anonymous
* DCE/RPC (eg epmapper, netlogon etc)
*/
log_successful_authz_event(p->remote_address,
log_successful_authz_event(NULL, NULL,
p->remote_address,
p->local_address,
table->name,
derpc_transport_string_by_transport(p->transport),

View File

@ -449,7 +449,9 @@ _PUBLIC_ NTSTATUS auth_check_password_recv(struct tevent_req *req,
state->user_info->mapped.account_name,
nt_errstr(status), state->authoritative));
log_authentication_event(state->user_info, status,
log_authentication_event(state->auth_ctx->msg_ctx,
state->auth_ctx->lp_ctx,
state->user_info, status,
NULL, NULL, NULL, NULL);
tevent_req_received(req);
return status;
@ -461,7 +463,9 @@ _PUBLIC_ NTSTATUS auth_check_password_recv(struct tevent_req *req,
state->user_info_dc->info->domain_name,
state->user_info_dc->info->account_name));
log_authentication_event(state->user_info, status,
log_authentication_event(state->auth_ctx->msg_ctx,
state->auth_ctx->lp_ctx,
state->user_info, status,
state->user_info_dc->info->domain_name,
state->user_info_dc->info->account_name,
NULL,

View File

@ -130,7 +130,9 @@ _PUBLIC_ NTSTATUS authenticate_ldap_simple_bind(TALLOC_CTX *mem_ctx,
talloc_steal(mem_ctx, *session_info);
}
log_successful_authz_event(remote_address,
log_successful_authz_event(auth_context->msg_ctx,
auth_context->lp_ctx,
remote_address,
local_address,
"LDAP",
"simple bind",

View File

@ -1285,7 +1285,9 @@ NTSTATUS ldapsrv_do_call(struct ldapsrv_call *call)
transport_protection = AUTHZ_TRANSPORT_PROTECTION_TLS;
}
log_successful_authz_event(call->conn->connection->remote_address,
log_successful_authz_event(call->conn->connection->msg_ctx,
call->conn->connection->lp_ctx,
call->conn->connection->remote_address,
call->conn->connection->local_address,
"LDAP",
"no bind",

View File

@ -62,7 +62,9 @@ bool dcesrv_auth_bind(struct dcesrv_call_state *call)
* covered ncacn_np pass-through auth, and anonymous
* DCE/RPC (eg epmapper, netlogon etc)
*/
log_successful_authz_event(call->conn->remote_address,
log_successful_authz_event(call->conn->msg_ctx,
call->conn->dce_ctx->lp_ctx,
call->conn->remote_address,
call->conn->local_address,
"DCE/RPC",
auth_type,

View File

@ -54,7 +54,9 @@ void smbsrv_not_spengo_sesssetup_authz_log(struct smbsrv_request *req,
local_address = socket_get_local_addr(req->smb_conn->connection->socket,
frame);
log_successful_authz_event(remote_address,
log_successful_authz_event(req->smb_conn->connection->msg_ctx,
req->smb_conn->lp_ctx,
remote_address,
local_address,
"SMB",
"bare-NTLM",