1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-22 13:34:15 +03:00
samba-mirror/source4/kdc/authn_policy.c
Joseph Sutton f547cf1db8 s4:kdc: Add helper functions for authentication policies
These functions are not yet used.

They are arranged into two libraries: ‘authn_policy’, containing the
core functions, and ‘authn_policy_util’, containing utility functions
that can access the database. This separation is so that libraries
depended upon by ‘samdb’ or ‘dsdb-module’ can use the core functions
without introducing a dependency cycle.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-05-18 01:03:37 +00:00

86 lines
2.4 KiB
C
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

/*
Unix SMB/CIFS implementation.
Samba Active Directory authentication policy functions
Copyright (C) Catalyst.Net Ltd 2023
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
#include "lib/replace/replace.h"
#include "source4/kdc/authn_policy.h"
#include "source4/kdc/authn_policy_impl.h"
bool authn_policy_is_enforced(const struct authn_policy *policy)
{
return policy->enforced;
}
/* Authentication policies for Kerberos clients. */
/* Get the TGT lifetime enforced by an authentication policy. */
int64_t authn_policy_enforced_tgt_lifetime(const struct authn_kerberos_client_policy *policy)
{
if (policy == NULL) {
return 0;
}
if (!authn_policy_is_enforced(&policy->policy)) {
return 0;
}
return policy->tgt_lifetime;
}
/* Authentication policies for NTLM clients. */
/* Return whether an authentication policy enforces device restrictions. */
static bool authn_policy_ntlm_device_restrictions_present(const struct authn_ntlm_client_policy *policy)
{
if (policy == NULL) {
return false;
}
return policy->allowed_to_authenticate_from.data != NULL;
}
/* Check whether the client is allowed to authenticate using NTLM. */
NTSTATUS authn_policy_ntlm_apply_device_restriction(const char *client_account_name,
const char *device_account_name,
const struct authn_ntlm_client_policy *client_policy)
{
/*
* If NTLM authentication is disallowed and the policy enforces a device
* restriction, deny the authentication.
*/
if (!authn_policy_ntlm_device_restrictions_present(client_policy)) {
return NT_STATUS_OK;
}
/*
* Although MS-APDS doesnt state it, AllowedNTLMNetworkAuthentication
* applies to interactive logons too.
*/
if (client_policy->allowed_ntlm_network_auth) {
return NT_STATUS_OK;
}
if (authn_policy_is_enforced(&client_policy->policy)) {
return NT_STATUS_ACCOUNT_RESTRICTION;
} else {
return NT_STATUS_OK;
}
}