void log_successful_authz_event(const struct tsocket_address *remote,
const struct tsocket_address *local,
const char *service_description,
+ const char *auth_type,
struct auth_session_info *session_info)
{
TALLOC_CTX *frame = NULL;
dom_sid_string_buf(&session_info->security_token->sids[0], sid_buf, sizeof(sid_buf));
DEBUGC( DBGC_AUTH_AUDIT, AUTHZ_SUCCESS_LEVEL, (
- "Successful AuthZ: [%s] user [%s]\\[%s] [%s]"
+ "Successful AuthZ: [%s,%s] user [%s]\\[%s] [%s]"
" at [%s]"
" Remote host [%s]"
" local host [%s]\n",
service_description,
+ auth_type,
log_escape(frame, session_info->info->domain_name),
log_escape(frame, session_info->info->account_name),
sid_buf,
void log_successful_authz_event(const struct tsocket_address *remote,
const struct tsocket_address *local,
const char *service_description,
+ const char *auth_type,
struct auth_session_info *session_info);
#endif
return gensec_security->ops->session_key(gensec_security, mem_ctx, session_key);
}
+const char *gensec_final_auth_type(struct gensec_security *gensec_security)
+{
+ if (!gensec_security->ops->final_auth_type) {
+ return gensec_security->ops->name;
+ }
+
+ return gensec_security->ops->final_auth_type(gensec_security);
+}
+
/*
* Log details of a successful GENSEC authorization to a service.
*
= gensec_get_local_address(gensec_security);
const char *service_description
= gensec_get_target_service_description(gensec_security);
- log_successful_authz_event(remote, local, service_description, session_info);
+ const char *final_auth_type
+ = gensec_final_auth_type(gensec_security);
+ log_successful_authz_event(remote, local,
+ service_description,
+ final_auth_type,
+ session_info);
}
#define GENSEC_OID_KERBEROS5_OLD "1.2.840.48018.1.2.2"
#define GENSEC_OID_KERBEROS5_USER2USER "1.2.840.113554.1.2.2.3"
+#define GENSEC_FINAL_AUTH_TYPE_KRB5 "krb5"
+#define GENSEC_FINAL_AUTH_TYPE_NTLMSSP "NTLMSSP"
+
enum gensec_priority {
GENSEC_SPNEGO = 90,
GENSEC_GSSAPI = 80,
bool (*have_feature)(struct gensec_security *gensec_security,
uint32_t feature);
NTTIME (*expire_time)(struct gensec_security *gensec_security);
+ const char *(*final_auth_type)(struct gensec_security *gensec_security);
bool enabled;
bool kerberos;
enum gensec_priority priority;
NTSTATUS gensec_may_reset_crypto(struct gensec_security *gensec_security,
bool full_reset);
+const char *gensec_final_auth_type(struct gensec_security *gensec_security);
+
#endif /* __GENSEC_H__ */
return gensec_expire_time(spnego_state->sub_sec_security);
}
+static const char *gensec_spnego_final_auth_type(struct gensec_security *gensec_security)
+{
+ struct spnego_state *spnego_state = (struct spnego_state *)gensec_security->private_data;
+
+ if (!spnego_state->sub_sec_security) {
+ return "NONE";
+ } else {
+ return gensec_final_auth_type(spnego_state->sub_sec_security);
+ }
+}
+
static const char *gensec_spnego_oids[] = {
GENSEC_OID_SPNEGO,
NULL
.want_feature = gensec_spnego_want_feature,
.have_feature = gensec_spnego_have_feature,
.expire_time = gensec_spnego_expire_time,
+ .final_auth_type = gensec_spnego_final_auth_type,
.enabled = true,
.priority = GENSEC_SPNEGO
};
return NT_STATUS_OK;
}
+static const char *gensec_ntlmssp_final_auth_type(struct gensec_security *gensec_security)
+{
+ return GENSEC_FINAL_AUTH_TYPE_NTLMSSP;
+}
+
static const char *gensec_ntlmssp_oids[] = {
GENSEC_OID_NTLMSSP,
NULL
.session_key = gensec_ntlmssp_session_key,
.session_info = gensec_ntlmssp_session_info,
.have_feature = gensec_ntlmssp_have_feature,
+ .final_auth_type = gensec_ntlmssp_final_auth_type,
.enabled = true,
.priority = GENSEC_NTLMSSP
};
user_info->local_host = gensec_get_local_address(gensec_security);
user_info->service_description
= gensec_get_target_service_description(gensec_security);
- user_info->auth_description = "NTLMSSP";
+
+ /*
+ * This will just be the string "NTLMSSP" from
+ * gensec_ntlmssp_final_auth_type, but ensures it stays in sync
+ * with the same use in the authorization logging triggered by
+ * gensec_session_info() later
+ */
+ user_info->auth_description = gensec_final_auth_type(gensec_security);
user_info->password_state = AUTH_PASSWORD_RESPONSE;
user_info->password.response.lanman = ntlmssp_state->lm_resp;
return gse_ctx->sig_size;
}
+static const char *gensec_gse_final_auth_type(struct gensec_security *gensec_security)
+{
+ struct gse_context *gse_ctx =
+ talloc_get_type_abort(gensec_security->private_data,
+ struct gse_context);
+
+ /* Only return the string for GSSAPI/Krb5 */
+ if (smb_gss_oid_equal(&gse_ctx->gss_mech,
+ gss_mech_krb5)) {
+ return GENSEC_FINAL_AUTH_TYPE_KRB5;
+ } else {
+ return "gensec_gse: UNKNOWN MECH";
+ }
+}
+
static const char *gensec_gse_krb5_oids[] = {
GENSEC_OID_KERBEROS5_OLD,
GENSEC_OID_KERBEROS5,
.unwrap = gensec_gse_unwrap,
.have_feature = gensec_gse_have_feature,
.expire_time = gensec_gse_expire_time,
+ .final_auth_type = gensec_gse_final_auth_type,
.enabled = true,
.kerberos = true,
.priority = GENSEC_GSSAPI
return gensec_gssapi_state->sig_size;
}
+static const char *gensec_gssapi_final_auth_type(struct gensec_security *gensec_security)
+{
+ struct gensec_gssapi_state *gensec_gssapi_state
+ = talloc_get_type(gensec_security->private_data, struct gensec_gssapi_state);
+ /* Only return the string for GSSAPI/Krb5 */
+ if (smb_gss_oid_equal(gensec_gssapi_state->gss_oid,
+ gss_mech_krb5)) {
+ return GENSEC_FINAL_AUTH_TYPE_KRB5;
+ } else {
+ return "gensec_gssapi: UNKNOWN MECH";
+ }
+}
+
static const char *gensec_gssapi_krb5_oids[] = {
GENSEC_OID_KERBEROS5_OLD,
GENSEC_OID_KERBEROS5,
.unwrap = gensec_gssapi_unwrap,
.have_feature = gensec_gssapi_have_feature,
.expire_time = gensec_gssapi_expire_time,
+ .final_auth_type = gensec_gssapi_final_auth_type,
.enabled = false,
.kerberos = true,
.priority = GENSEC_GSSAPI
.unwrap = gensec_gssapi_unwrap,
.have_feature = gensec_gssapi_have_feature,
.expire_time = gensec_gssapi_expire_time,
+ .final_auth_type = gensec_gssapi_final_auth_type,
.enabled = true,
.kerberos = true,
.priority = GENSEC_GSSAPI
.unwrap = gensec_gssapi_unwrap,
.have_feature = gensec_gssapi_have_feature,
.expire_time = gensec_gssapi_expire_time,
+ .final_auth_type = gensec_gssapi_final_auth_type,
.enabled = true,
.kerberos = true,
.priority = GENSEC_GSSAPI
return false;
}
+static const char *gensec_krb5_final_auth_type(struct gensec_security *gensec_security)
+{
+ return GENSEC_FINAL_AUTH_TYPE_KRB5;
+}
+
static const char *gensec_krb5_oids[] = {
GENSEC_OID_KERBEROS5,
GENSEC_OID_KERBEROS5_OLD,
.session_key = gensec_krb5_session_key,
.session_info = gensec_krb5_session_info,
.have_feature = gensec_krb5_have_feature,
+ .final_auth_type = gensec_krb5_final_auth_type,
.enabled = false,
.kerberos = true,
- .priority = GENSEC_KRB5
+ .priority = GENSEC_KRB5,
};
static const struct gensec_security_ops gensec_krb5_security_ops = {
.have_feature = gensec_krb5_have_feature,
.wrap = gensec_krb5_wrap,
.unwrap = gensec_krb5_unwrap,
+ .final_auth_type = gensec_krb5_final_auth_type,
.enabled = true,
.kerberos = true,
.priority = GENSEC_KRB5