We also log whether a simple bind was made over TLS, as this particular case matters to a lot of folks
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
const struct tsocket_address *local,
const char *service_description,
const char *auth_type,
+ const char *transport_protection,
struct auth_session_info *session_info)
{
TALLOC_CTX *frame = NULL;
struct auth_session_info **session_info);
};
+#define AUTHZ_TRANSPORT_PROTECTION_NONE "NONE"
+#define AUTHZ_TRANSPORT_PROTECTION_SMB "SMB"
+#define AUTHZ_TRANSPORT_PROTECTION_TLS "TLS"
+#define AUTHZ_TRANSPORT_PROTECTION_SEAL "SEAL"
+#define AUTHZ_TRANSPORT_PROTECTION_SIGN "SIGN"
+
void log_authentication_event(const struct auth_usersupplied_info *ui,
NTSTATUS status,
const char *account_name,
const struct tsocket_address *local,
const char *service_description,
const char *auth_type,
+ const char *transport_protection,
struct auth_session_info *session_info);
#endif
= gensec_get_target_service_description(gensec_security);
const char *final_auth_type
= gensec_final_auth_type(gensec_security);
+ const char *transport_protection = NULL;
+ if (gensec_security->want_features & GENSEC_FEATURE_SMB_TRANSPORT) {
+ transport_protection = AUTHZ_TRANSPORT_PROTECTION_SMB;
+ } else if (gensec_security->want_features & GENSEC_FEATURE_LDAPS_TRANSPORT) {
+ transport_protection = AUTHZ_TRANSPORT_PROTECTION_TLS;
+ } else if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL)) {
+ transport_protection = AUTHZ_TRANSPORT_PROTECTION_SEAL;
+ } else if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) {
+ transport_protection = AUTHZ_TRANSPORT_PROTECTION_SIGN;
+ } else {
+ transport_protection = AUTHZ_TRANSPORT_PROTECTION_NONE;
+ }
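Review bot: The if/else chain that picks transport_protection is precedence-ordered but undocumented: an SMB or LDAPS carrier (taken from want_features, i.e. what the server requested) wins over GENSEC-level SEAL/SIGN (taken from gensec_have_feature, i.e. what was negotiated), so a sealed DCE/RPC session over a named pipe will be logged as "SMB", not "SEAL". That is a reasonable policy but a reader of the log needs to know it, so a comment above the chain would help: `/* Report the strongest protection in precedence order: the SMB or LDAPS carrier wins over GENSEC-level SEAL/SIGN negotiated on this context. */`. The mixed use of want_features and gensec_have_feature is presumably deliberate since the transport flags are only ever set by the server, but that too deserves a one-line note. The enclosing function starts outside the hunk.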
log_successful_authz_event(remote, local,
service_description,
final_auth_type,
+ transport_protection,
session_info);
}
#define GENSEC_FEATURE_NTLM_CCACHE 0x00000200
#define GENSEC_FEATURE_LDAP_STYLE 0x00000400
#define GENSEC_FEATURE_NO_AUTHZ_LOG 0x00000800
+#define GENSEC_FEATURE_SMB_TRANSPORT 0x00001000
+#define GENSEC_FEATURE_LDAPS_TRANSPORT 0x00002000
#define GENSEC_EXPIRE_TIME_INFINITY (NTTIME)0x8000000000000000LL
user_info->local_host,
user_info->service_description,
user_info->auth_description,
+ AUTHZ_TRANSPORT_PROTECTION_SMB,
*session_info);
return nt_status;
goto err_exit;
}
} else {
+ const char *transport_protection = AUTHZ_TRANSPORT_PROTECTION_NONE;
+ if (p->transport == NCACN_NP) {
+ transport_protection = AUTHZ_TRANSPORT_PROTECTION_SMB;
+ }
+
p->auth.auth_type = DCERPC_AUTH_TYPE_NONE;
p->auth.auth_level = DCERPC_AUTH_LEVEL_NONE;
p->auth.auth_context_id = 0;
p->local_address,
table->name,
derpc_transport_string_by_transport(p->transport),
+ transport_protection,
p->session_info);
}
gensec_want_feature(auth->gensec, GENSEC_FEATURE_SESSION_KEY);
gensec_want_feature(auth->gensec, GENSEC_FEATURE_UNIX_TOKEN);
+ gensec_want_feature(auth->gensec, GENSEC_FEATURE_SMB_TRANSPORT);
status = gensec_start_mech_by_oid(auth->gensec,
GENSEC_OID_SPNEGO);
gensec_want_feature(state->auth->gensec, GENSEC_FEATURE_SESSION_KEY);
gensec_want_feature(state->auth->gensec, GENSEC_FEATURE_UNIX_TOKEN);
+ gensec_want_feature(state->auth->gensec, GENSEC_FEATURE_SMB_TRANSPORT);
status = gensec_start_mech_by_oid(state->auth->gensec,
GENSEC_OID_SPNEGO);
struct loadparm_context *lp_ctx,
struct tsocket_address *remote_address,
struct tsocket_address *local_address,
+ bool using_tls,
const char *dn,
const char *password,
struct auth_session_info **session_info);
struct loadparm_context *lp_ctx,
struct tsocket_address *remote_address,
struct tsocket_address *local_address,
+ bool using_tls,
const char *dn,
const char *password,
struct auth_session_info **session_info)
const char *nt4_domain;
const char *nt4_username;
uint32_t flags = 0;
+ const char *transport_protection = AUTHZ_TRANSPORT_PROTECTION_NONE;
+ if (using_tls) {
+ transport_protection = AUTHZ_TRANSPORT_PROTECTION_TLS;
+ }
if (!tmp_ctx) {
return NT_STATUS_NO_MEMORY;
user_info->service_description = "LDAP";
- user_info->auth_description = "simple bind";
+ if (using_tls) {
+ user_info->auth_description = "simple bind";
+ } else {
+ user_info->auth_description = "simple bind/TLS";
+ }
user_info->password_state = AUTH_PASSWORD_PLAIN;
user_info->password.plaintext = talloc_strdup(user_info, password);
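Review bot: The two using_tls branches that set user_info->auth_description are inverted: the TLS case is assigned `"simple bind"` and the plaintext case `"simple bind/TLS"`, the opposite of what the commit message describes and what the transport_protection variable set earlier in this function reports. The fix is to swap the two literals, e.g. `user_info->auth_description = using_tls ? "simple bind/TLS" : "simple bind";`. As written, an administrator grepping the authentication log for "simple bind/TLS" would find exactly the cleartext-password binds the log is meant to distinguish. The enclosing function starts and ends outside the hunk.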
local_address,
"LDAP",
"simple bind",
+ transport_protection,
*session_info);
talloc_free(tmp_ctx);
}
if (log) {
+ const char *transport_protection = AUTHZ_TRANSPORT_PROTECTION_NONE;
+ if (call->conn->sockets.active == call->conn->sockets.tls) {
+ transport_protection = AUTHZ_TRANSPORT_PROTECTION_TLS;
+ }
+
log_successful_authz_event(call->conn->connection->remote_address,
call->conn->connection->local_address,
"LDAP",
"no bind",
+ transport_protection,
call->conn->session_info);
call->conn->authz_logged = true;
NTSTATUS status;
+ bool using_tls = call->conn->sockets.active == call->conn->sockets.tls;
+
DEBUG(10, ("BindSimple dn: %s\n",req->dn));
reply = ldapsrv_init_reply(call, LDAP_TAG_BindResponse);
if (req->dn != NULL &&
strlen(req->dn) != 0 &&
call->conn->require_strong_auth > LDAP_SERVER_REQUIRE_STRONG_AUTH_NO &&
- call->conn->sockets.active != call->conn->sockets.tls)
+ !using_tls)
{
status = NT_STATUS_NETWORK_ACCESS_DENIED;
result = LDAP_STRONG_AUTH_REQUIRED;
call->conn->lp_ctx,
call->conn->connection->remote_address,
call->conn->connection->local_address,
+ using_tls,
req->dn,
req->creds.password,
&session_info);
gensec_want_feature(gensec_security, GENSEC_FEATURE_ASYNC_REPLIES);
gensec_want_feature(gensec_security, GENSEC_FEATURE_LDAP_STYLE);
+ if (conn->sockets.active == conn->sockets.tls) {
+ gensec_want_feature(gensec_security, GENSEC_FEATURE_LDAPS_TRANSPORT);
+ }
+
status = gensec_start_mech_by_sasl_name(gensec_security, sasl_mech);
if (!NT_STATUS_IS_OK(status)) {
enum dcerpc_transport_t transport =
dcerpc_binding_get_transport(call->conn->endpoint->ep_description);
const char *auth_type = derpc_transport_string_by_transport(transport);
+ const char *transport_protection = AUTHZ_TRANSPORT_PROTECTION_NONE;
+ if (transport == NCACN_NP) {
+ transport_protection = AUTHZ_TRANSPORT_PROTECTION_SMB;
+ }
auth->auth_type = DCERPC_AUTH_TYPE_NONE;
auth->auth_level = DCERPC_AUTH_LEVEL_NONE;
auth->auth_context_id = 0;
call->conn->local_address,
"DCE/RPC",
auth_type,
+ transport_protection,
call->conn->auth_state.session_info);
return true;
local_address,
"SMB",
"bare-NTLM",
+ AUTHZ_TRANSPORT_PROTECTION_SMB,
session_info);
talloc_free(frame);
}
gensec_want_feature(gensec_ctx, GENSEC_FEATURE_SESSION_KEY);
+ gensec_want_feature(gensec_ctx, GENSEC_FEATURE_SMB_TRANSPORT);
remote_address = socket_get_remote_addr(req->smb_conn->connection->socket,
req);
}
gensec_want_feature(gensec_ctx, GENSEC_FEATURE_SESSION_KEY);
+ gensec_want_feature(gensec_ctx, GENSEC_FEATURE_SMB_TRANSPORT);
remote_address = socket_get_remote_addr(req->smb_conn->connection->socket,
req);