auth_log: Also log the final type of authentication (ntlmssp,krb5)
authorAndrew Bartlett <abartlet@samba.org>
Wed, 1 Mar 2017 03:00:03 +0000 (16:00 +1300)
committerAndrew Bartlett <abartlet@samba.org>
Wed, 29 Mar 2017 00:37:27 +0000 (02:37 +0200)
Administrators really care about how their users were authenticated, so make
this clear.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Pair-Programmed-by: Gary Lockyer <gary@catalyst.net.nz>
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
auth/auth_log.c
auth/common_auth.h
auth/gensec/gensec.c
auth/gensec/gensec.h
auth/gensec/gensec_internal.h
auth/gensec/spnego.c
auth/ntlmssp/ntlmssp.c
auth/ntlmssp/ntlmssp_server.c
source3/librpc/crypto/gse.c
source4/auth/gensec/gensec_gssapi.c
source4/auth/gensec/gensec_krb5.c

index fec77077bc94c7ff44a75ebfc90bd35c7c1eac7d..1509c7b9be696857dcb35866ab11bb788698fac9 100644 (file)
@@ -213,6 +213,7 @@ void log_authentication_event(const struct auth_usersupplied_info *ui,
 void log_successful_authz_event(const struct tsocket_address *remote,
                                const struct tsocket_address *local,
                                const char *service_description,
+                               const char *auth_type,
                                struct auth_session_info *session_info)
 {
        TALLOC_CTX *frame = NULL;
@@ -238,11 +239,12 @@ void log_successful_authz_event(const struct tsocket_address *remote,
        dom_sid_string_buf(&session_info->security_token->sids[0], sid_buf, sizeof(sid_buf));
 
        DEBUGC( DBGC_AUTH_AUDIT, AUTHZ_SUCCESS_LEVEL, (
-               "Successful AuthZ: [%s] user [%s]\\[%s] [%s]"
+               "Successful AuthZ: [%s,%s] user [%s]\\[%s] [%s]"
                " at [%s]"
                " Remote host [%s]"
                " local host [%s]\n",
                service_description,
+               auth_type,
                log_escape(frame, session_info->info->domain_name),
                log_escape(frame, session_info->info->account_name),
                sid_buf,
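Review bot: The new `auth_type` argument is fed to the second `%s` of `[%s,%s]` without `log_escape()`, while `domain_name` and `account_name` two lines later are escaped, and a NULL here would reach `DEBUGC` unchecked. Every backend in this commit returns a string literal, so this is safe today, but nothing in this function records that contract; either pass `log_escape(frame, auth_type)` for symmetry or add `/* auth_type is a backend-supplied constant (see gensec_final_auth_type()), never user data, so it is logged unescaped */` above the DEBUGC. Note also that the value is spliced into the existing `[service]` bracket as `[service,type]`, so any audit consumer matching on the bracketed service description alone will need updating. The body of log_successful_authz_event continues outside the hunk.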
index 8950a0cdc9196f9065098402049e4163ba5c3feb..925d3f59ea934f3ab63676cf8956fa8db338385e 100644 (file)
@@ -156,5 +156,6 @@ void log_authentication_event(const struct auth_usersupplied_info *ui,
 void log_successful_authz_event(const struct tsocket_address *remote,
                                const struct tsocket_address *local,
                                const char *service_description,
+                               const char *auth_type,
                                struct auth_session_info *session_info);
 #endif
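Review bot: The prototype gains `auth_type` with no comment saying what callers must pass, although this header is what other subsystems read. From the call sites in this commit it is a short, non-NULL, backend-owned constant such as `"NTLMSSP"` or `"krb5"` that is logged verbatim, and that is worth stating above the declaration, e.g. `/* auth_type: short constant naming the mechanism that completed authentication (see gensec_final_auth_type()); must not be NULL and is logged without escaping */`. The lines before the declaration are outside the hunk, so match whatever comment style they use.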
index 63cc35e907416120a71385c510ec4cff642f942e..09be9fd531c558e509e379e2b74af2d858295ac7 100644 (file)
@@ -193,6 +193,15 @@ _PUBLIC_ NTSTATUS gensec_session_key(struct gensec_security *gensec_security,
        return gensec_security->ops->session_key(gensec_security, mem_ctx, session_key);
 }
 
+const char *gensec_final_auth_type(struct gensec_security *gensec_security)
+{
+       if (!gensec_security->ops->final_auth_type) {
+               return gensec_security->ops->name;
+       }
+
+       return gensec_security->ops->final_auth_type(gensec_security);
+}
+
 /*
  * Log details of a successful GENSEC authorization to a service.
  *
@@ -210,7 +219,12 @@ static void log_successful_gensec_authz_event(struct gensec_security *gensec_sec
                = gensec_get_local_address(gensec_security);
        const char *service_description
                = gensec_get_target_service_description(gensec_security);
-       log_successful_authz_event(remote, local, service_description, session_info);
+       const char *final_auth_type
+               = gensec_final_auth_type(gensec_security);
+       log_successful_authz_event(remote, local,
+                                  service_description,
+                                  final_auth_type,
+                                  session_info);
 }
 
 
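Review bot: `gensec_final_auth_type` is introduced as an exported function (it is declared in the header and called from ntlmssp_server.c and spnego.c in this commit) but without the `_PUBLIC_` marker that its neighbour `gensec_session_key` at the top of the hunk carries, and without any comment. If `_PUBLIC_` controls symbol visibility in this build, callers outside the library will not see it; if it is merely decorative here, omitting it is still inconsistent with the rest of the file. I would write `_PUBLIC_ const char *gensec_final_auth_type(struct gensec_security *gensec_security)` and precede it with a short comment in the style of the block that follows it, saying that it returns a short constant naming the mechanism that actually authenticated the peer, that backends without a `final_auth_type` hook fall back to `ops->name`, and that the pointer is owned by the backend (every backend in this commit returns a string literal).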
index 7bd893266b95f4fb5057ee8dcca4371fd535d237..bc96e697de4e5c29ee9b623bff57f58c20daf2f2 100644 (file)
@@ -34,6 +34,9 @@
 #define GENSEC_OID_KERBEROS5_OLD "1.2.840.48018.1.2.2"
 #define GENSEC_OID_KERBEROS5_USER2USER "1.2.840.113554.1.2.2.3"
 
+#define GENSEC_FINAL_AUTH_TYPE_KRB5 "krb5"
+#define GENSEC_FINAL_AUTH_TYPE_NTLMSSP "NTLMSSP"
+
 enum gensec_priority {
        GENSEC_SPNEGO = 90,
        GENSEC_GSSAPI = 80,
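Review bot: The two new constants use different casing, `"krb5"` lower-case and `"NTLMSSP"` upper-case, and both land in the same audit-log field, so administrators filtering that field case-sensitively must remember both conventions; the commit title itself writes `ntlmssp`. The other values the same field can carry are open-coded elsewhere in this commit, `"NONE"` in spnego.c and `"gensec_gse: UNKNOWN MECH"` / `"gensec_gssapi: UNKNOWN MECH"` in gse.c and gensec_gssapi.c, so the full value set cannot be read from this header. Consider settling on one case and defining the fallbacks next to these, e.g. `#define GENSEC_FINAL_AUTH_TYPE_NONE "NONE"`, under a comment noting that these strings are consumed by log parsers and must stay stable.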
index 55352417e99a5e7b29f6603e0916b09a1914ff66..26c9817d5dfd796c1fda83e9c902c0e867270c5d 100644 (file)
@@ -85,6 +85,7 @@ struct gensec_security_ops {
        bool (*have_feature)(struct gensec_security *gensec_security,
                                    uint32_t feature);
        NTTIME (*expire_time)(struct gensec_security *gensec_security);
+       const char *(*final_auth_type)(struct gensec_security *gensec_security);
        bool enabled;
        bool kerberos;
        enum gensec_priority priority;
@@ -126,4 +127,6 @@ struct gensec_critical_sizes {
 NTSTATUS gensec_may_reset_crypto(struct gensec_security *gensec_security,
                                 bool full_reset);
 
+const char *gensec_final_auth_type(struct gensec_security *gensec_security);
+
 #endif /* __GENSEC_H__ */
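Review bot: The new op `const char *(*final_auth_type)(struct gensec_security *gensec_security);` carries no comment stating its contract, yet gensec.c passes its result straight into a `%s` log format and ntlmssp_server.c keeps it in `user_info->auth_description` for later use. A backend author therefore needs to know that the pointer must be non-NULL and must stay valid at least through the authentication and authorization logging that follows (every implementation in this commit returns a string literal). Suggested comment above the member: `/* Optional; return a short, stable, non-NULL GENSEC_FINAL_AUTH_TYPE_* style string naming the mechanism that completed authentication. Logged verbatim; a NULL op falls back to ops->name. */`. The enclosing struct gensec_security_ops starts and ends outside the hunk.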
index f063f7b358be5ba26d1772507de7a1cb0a28c92d..017181a36229a41728fb5d459dc043fc317a66fb 100644 (file)
@@ -1651,6 +1651,17 @@ static NTTIME gensec_spnego_expire_time(struct gensec_security *gensec_security)
        return gensec_expire_time(spnego_state->sub_sec_security);
 }
 
+static const char *gensec_spnego_final_auth_type(struct gensec_security *gensec_security)
+{
+       struct spnego_state *spnego_state = (struct spnego_state *)gensec_security->private_data;
+
+       if (!spnego_state->sub_sec_security) {
+               return "NONE";
+       } else {
+               return gensec_final_auth_type(spnego_state->sub_sec_security);
+       }
+}
+
 static const char *gensec_spnego_oids[] = { 
        GENSEC_OID_SPNEGO,
        NULL 
@@ -1678,6 +1689,7 @@ static const struct gensec_security_ops gensec_spnego_security_ops = {
        .want_feature     = gensec_spnego_want_feature,
        .have_feature     = gensec_spnego_have_feature,
        .expire_time      = gensec_spnego_expire_time,
+       .final_auth_type  = gensec_spnego_final_auth_type,
        .enabled          = true,
        .priority         = GENSEC_SPNEGO
 };
index 3283c964470811931e9624344c6b41a61dec5b77..6f7c089467f1991f00874a5c666688a08b645f9d 100644 (file)
@@ -207,6 +207,11 @@ static NTSTATUS gensec_ntlmssp_may_reset_crypto(struct gensec_security *gensec_s
        return NT_STATUS_OK;
 }
 
+static const char *gensec_ntlmssp_final_auth_type(struct gensec_security *gensec_security)
+{
+       return GENSEC_FINAL_AUTH_TYPE_NTLMSSP;
+}
+
 static const char *gensec_ntlmssp_oids[] = {
        GENSEC_OID_NTLMSSP,
        NULL
@@ -232,6 +237,7 @@ static const struct gensec_security_ops gensec_ntlmssp_security_ops = {
        .session_key    = gensec_ntlmssp_session_key,
        .session_info   = gensec_ntlmssp_session_info,
        .have_feature   = gensec_ntlmssp_have_feature,
+       .final_auth_type = gensec_ntlmssp_final_auth_type,
        .enabled        = true,
        .priority       = GENSEC_NTLMSSP
 };
index 1bfd4ccdc242dc19370b170211bec24e0783a183..c525a93941f45d3109c6338a60d06a646f1f50d4 100644 (file)
@@ -721,7 +721,14 @@ static NTSTATUS ntlmssp_server_check_password(struct gensec_security *gensec_sec
        user_info->local_host = gensec_get_local_address(gensec_security);
        user_info->service_description
                = gensec_get_target_service_description(gensec_security);
-       user_info->auth_description = "NTLMSSP";
+
+       /*
+        * This will just be the string "NTLMSSP" from
+        * gensec_ntlmssp_final_auth_type, but ensures it stays in sync
+        * with the same use in the authorization logging triggered by
+        * gensec_session_info() later
+        */
+       user_info->auth_description = gensec_final_auth_type(gensec_security);
 
        user_info->password_state = AUTH_PASSWORD_RESPONSE;
        user_info->password.response.lanman = ntlmssp_state->lm_resp;
index 273fd02c197bdb7ff6fcbc40b56238a56b6f1d50..142627c0011019445f110c7cba95ba17ec900ea9 100644 (file)
@@ -1275,6 +1275,21 @@ static size_t gensec_gse_sig_size(struct gensec_security *gensec_security,
        return gse_ctx->sig_size;
 }
 
+static const char *gensec_gse_final_auth_type(struct gensec_security *gensec_security)
+{
+       struct gse_context *gse_ctx =
+               talloc_get_type_abort(gensec_security->private_data,
+               struct gse_context);
+
+       /* Only return the string for GSSAPI/Krb5 */
+       if (smb_gss_oid_equal(&gse_ctx->gss_mech,
+                             gss_mech_krb5)) {
+               return GENSEC_FINAL_AUTH_TYPE_KRB5;
+       } else {
+               return "gensec_gse: UNKNOWN MECH";
+       }
+}
+
 static const char *gensec_gse_krb5_oids[] = {
        GENSEC_OID_KERBEROS5_OLD,
        GENSEC_OID_KERBEROS5,
@@ -1302,6 +1317,7 @@ const struct gensec_security_ops gensec_gse_krb5_security_ops = {
        .unwrap         = gensec_gse_unwrap,
        .have_feature   = gensec_gse_have_feature,
        .expire_time    = gensec_gse_expire_time,
+       .final_auth_type  = gensec_gse_final_auth_type,
        .enabled        = true,
        .kerberos       = true,
        .priority       = GENSEC_GSSAPI
index cfe2ea88aad7768812218c8456e5747e55f51aa3..e2755b3d2283ccf2cf160f841bb65ebac77e753e 100644 (file)
@@ -1539,6 +1539,19 @@ static size_t gensec_gssapi_sig_size(struct gensec_security *gensec_security, si
        return gensec_gssapi_state->sig_size;
 }
 
+static const char *gensec_gssapi_final_auth_type(struct gensec_security *gensec_security)
+{
+       struct gensec_gssapi_state *gensec_gssapi_state
+               = talloc_get_type(gensec_security->private_data, struct gensec_gssapi_state);
+       /* Only return the string for GSSAPI/Krb5 */
+       if (smb_gss_oid_equal(gensec_gssapi_state->gss_oid,
+                             gss_mech_krb5)) {
+               return GENSEC_FINAL_AUTH_TYPE_KRB5;
+       } else {
+               return "gensec_gssapi: UNKNOWN MECH";
+       }
+}
+
 static const char *gensec_gssapi_krb5_oids[] = { 
        GENSEC_OID_KERBEROS5_OLD,
        GENSEC_OID_KERBEROS5,
@@ -1572,6 +1585,7 @@ static const struct gensec_security_ops gensec_gssapi_spnego_security_ops = {
        .unwrap         = gensec_gssapi_unwrap,
        .have_feature   = gensec_gssapi_have_feature,
        .expire_time    = gensec_gssapi_expire_time,
+       .final_auth_type = gensec_gssapi_final_auth_type,
        .enabled        = false,
        .kerberos       = true,
        .priority       = GENSEC_GSSAPI
@@ -1599,6 +1613,7 @@ static const struct gensec_security_ops gensec_gssapi_krb5_security_ops = {
        .unwrap         = gensec_gssapi_unwrap,
        .have_feature   = gensec_gssapi_have_feature,
        .expire_time    = gensec_gssapi_expire_time,
+       .final_auth_type = gensec_gssapi_final_auth_type,
        .enabled        = true,
        .kerberos       = true,
        .priority       = GENSEC_GSSAPI
@@ -1619,6 +1634,7 @@ static const struct gensec_security_ops gensec_gssapi_sasl_krb5_security_ops = {
        .unwrap           = gensec_gssapi_unwrap,
        .have_feature     = gensec_gssapi_have_feature,
        .expire_time      = gensec_gssapi_expire_time,
+       .final_auth_type = gensec_gssapi_final_auth_type,
        .enabled          = true,
        .kerberos         = true,
        .priority         = GENSEC_GSSAPI
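Review bot: `gensec_gssapi_final_auth_type` fetches its state with `talloc_get_type`, which returns NULL on a type mismatch, and the next statement dereferences `gensec_gssapi_state->gss_oid` unconditionally. The counterpart added to gse.c in this same commit uses `talloc_get_type_abort`, which turns such a mismatch into an immediate abort rather than a NULL dereference inside the audit-log path; use the same here: `= talloc_get_type_abort(gensec_security->private_data, struct gensec_gssapi_state);`. Whether the rest of gensec_gssapi.c uses the plain form I cannot tell from this hunk, so check the file's convention before switching.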
index b54a41bfd5de8946c198a19b4499d280284d9043..494692989642c1460cf52fa09f2f8c3b19a5fb5e 100644 (file)
@@ -1038,6 +1038,11 @@ static bool gensec_krb5_have_feature(struct gensec_security *gensec_security,
        return false;
 }
 
+static const char *gensec_krb5_final_auth_type(struct gensec_security *gensec_security)
+{
+       return GENSEC_FINAL_AUTH_TYPE_KRB5;
+}
+
 static const char *gensec_krb5_oids[] = { 
        GENSEC_OID_KERBEROS5,
        GENSEC_OID_KERBEROS5_OLD,
@@ -1055,9 +1060,10 @@ static const struct gensec_security_ops gensec_fake_gssapi_krb5_security_ops = {
        .session_key    = gensec_krb5_session_key,
        .session_info   = gensec_krb5_session_info,
        .have_feature   = gensec_krb5_have_feature,
+       .final_auth_type = gensec_krb5_final_auth_type,
        .enabled        = false,
        .kerberos       = true,
-       .priority       = GENSEC_KRB5
+       .priority       = GENSEC_KRB5,
 };
 
 static const struct gensec_security_ops gensec_krb5_security_ops = {
@@ -1070,6 +1076,7 @@ static const struct gensec_security_ops gensec_krb5_security_ops = {
        .have_feature   = gensec_krb5_have_feature,
        .wrap           = gensec_krb5_wrap,
        .unwrap         = gensec_krb5_unwrap,
+       .final_auth_type = gensec_krb5_final_auth_type,
        .enabled        = true,
        .kerberos       = true,
        .priority       = GENSEC_KRB5