This will allow tests to be written to confirm the correct events are triggered.
We pass in a messaging context from the callers
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
* Write the json object to the debug logs.
*
*/
-static void log_json( struct json_context *context,
+static void log_json(struct imessaging_context *msg_ctx,
+ struct json_context *context,
const char *type, int debug_class, int debug_level)
{
char* json = NULL;
}
DEBUGC( debug_class, debug_level, ( "JSON %s: %s\n", type, json));
+ auth_message_send(msg_ctx, json);
if (json) {
free(json);
* \t\(.Authentication.localAddress)"'
*/
static void log_authentication_event_json(
+ struct imessaging_context *msg_ctx,
+ struct loadparm_context *lp_ctx,
const struct auth_usersupplied_info *ui,
NTSTATUS status,
const char *domain_name,
add_string(&authentication, "passwordType", get_password_type( ui));
add_object(&context,AUTH_JSON_TYPE, &authentication);
- log_json(&context, AUTH_JSON_TYPE, DBGC_AUTH_AUDIT, debug_level);
+ log_json(msg_ctx, &context, AUTH_JSON_TYPE, DBGC_AUTH_AUDIT, debug_level);
free_json_context(&context);
}
*
*/
static void log_successful_authz_event_json(
+ struct imessaging_context *msg_ctx,
+ struct loadparm_context *lp_ctx,
const struct tsocket_address *remote,
const struct tsocket_address *local,
const char *service_description,
add_string(&authorization, "accountFlags", account_flags);
add_object(&context,AUTHZ_JSON_TYPE, &authorization);
- log_json(&context,
+ log_json(msg_ctx,
+ &context,
AUTHZ_JSON_TYPE,
DBGC_AUTH_AUDIT,
debug_level);
#else
+static void log_no_json(struct imessaging_context *msg_ctx,
+ struct loadparm_context *lp_ctx)
+{
+ if (msg_ctx && lp_ctx && lpcfg_auth_event_notification(lp_ctx)) {
+ static bool auth_event_logged = false;
+ if (auth_event_logged == false) {
+ auth_event_logged = true;
+ DBG_ERR("auth event notification = true but Samba was not compiled with jansson\n");
+ }
+ } else {
+ static bool json_logged = false;
+ if (json_logged == false) {
+ json_logged = true;
+ DBG_NOTICE("JSON auth logs not available unless compiled with jansson\n");
+ }
+ }
+
+ return;
+}
+
static void log_authentication_event_json(
+ struct imessaging_context *msg_ctx,
+ struct loadparm_context *lp_ctx,
const struct auth_usersupplied_info *ui,
NTSTATUS status,
const char *domain_name,
struct dom_sid *sid,
int debug_level)
{
+ log_no_json(msg_ctx, lp_ctx);
return;
}
static void log_successful_authz_event_json(
+ struct imessaging_context *msg_ctx,
+ struct loadparm_context *lp_ctx,
const struct tsocket_address *remote,
const struct tsocket_address *local,
const char *service_description,
struct auth_session_info *session_info,
int debug_level)
{
+ log_no_json(msg_ctx, lp_ctx);
return;
}
* NOTE: msg_ctx and lp_ctx is optional, but when supplied allows streaming the
* authentication events over the message bus.
*/
-void log_authentication_event( const struct auth_usersupplied_info *ui,
+void log_authentication_event(struct imessaging_context *msg_ctx,
+ struct loadparm_context *lp_ctx,
+ const struct auth_usersupplied_info *ui,
NTSTATUS status,
const char *domain_name,
const char *account_name,
sid,
debug_level);
}
- if (CHECK_DEBUGLVLC( DBGC_AUTH_AUDIT_JSON, debug_level)) {
- log_authentication_event_json(ui,
+ if (CHECK_DEBUGLVLC( DBGC_AUTH_AUDIT_JSON, debug_level) ||
+ (msg_ctx && lp_ctx && lpcfg_auth_event_notification(lp_ctx))) {
+ log_authentication_event_json(msg_ctx, lp_ctx,
+ ui,
status,
domain_name,
account_name,
* NOTE: msg_ctx and lp_ctx is optional, but when supplied allows streaming the
* authentication events over the message bus.
*/
-void log_successful_authz_event(const struct tsocket_address *remote,
+void log_successful_authz_event(struct imessaging_context *msg_ctx,
+ struct loadparm_context *lp_ctx,
+ const struct tsocket_address *remote,
const struct tsocket_address *local,
const char *service_description,
const char *auth_type,
session_info,
debug_level);
}
- if (CHECK_DEBUGLVLC( DBGC_AUTH_AUDIT_JSON, debug_level)) {
- log_successful_authz_event_json(remote,
+ if (CHECK_DEBUGLVLC( DBGC_AUTH_AUDIT_JSON, debug_level) ||
+ (msg_ctx && lp_ctx && lpcfg_auth_event_notification(lp_ctx))) {
+ log_successful_authz_event_json(msg_ctx, lp_ctx,
+ remote,
local,
service_description,
auth_type,
#define AUTHZ_TRANSPORT_PROTECTION_SEAL "SEAL"
#define AUTHZ_TRANSPORT_PROTECTION_SIGN "SIGN"
-void log_authentication_event(const struct auth_usersupplied_info *ui,
+/*
+ * Log details of an authentication attempt.
+ * Successful and unsuccessful attempts are logged.
+ *
+ * NOTE: msg_ctx and lp_ctx is optional, but when supplied allows streaming the
+ * authentication events over the message bus.
+ */
+void log_authentication_event(struct imessaging_context *msg_ctx,
+ struct loadparm_context *lp_ctx,
+ const struct auth_usersupplied_info *ui,
NTSTATUS status,
const char *account_name,
const char *domain_name,
const char *unix_username,
struct dom_sid *sid);
-void log_successful_authz_event(const struct tsocket_address *remote,
+/*
+ * Log details of a successful authorization to a service.
+ *
+ * Only successful authorizations are logged. For clarity:
+ * - NTLM bad passwords will be recorded by log_authentication_event
+ * - Kerberos decrypt failures need to be logged in gensec_gssapi et al
+ *
+ * The service may later refuse authorization due to an ACL.
+ *
+ *
+ * NOTE: msg_ctx and lp_ctx is optional, but when supplied allows streaming the
+ * authorization events over the message bus.
+ */
+void log_successful_authz_event(struct imessaging_context *msg_ctx,
+ struct loadparm_context *lp_ctx,
+ const struct tsocket_address *remote,
const struct tsocket_address *local,
const char *service_description,
const char *auth_type,
} else {
transport_protection = AUTHZ_TRANSPORT_PROTECTION_NONE;
}
- log_successful_authz_event(remote, local,
+ log_successful_authz_event(gensec_security->auth_context->msg_ctx,
+ gensec_security->auth_context->lp_ctx,
+ remote, local,
service_description,
final_auth_type,
transport_protection,
bld.SAMBA_LIBRARY('common_auth',
source='auth_sam_reply.c wbc_auth_util.c auth_log.c',
deps='talloc samba-security samba-util util_str_escape LIBTSOCKET jansson MESSAGING_SEND server_id_db ',
- private_library=True,
- allow_warnings=True)
+ private_library=True)
bld.RECURSE('gensec')
bld.RECURSE('ntlmssp')
--- /dev/null
+<samba:parameter name="auth event notification"
+ context="G"
+ type="boolean"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>When enabled, this option causes Samba (acting as an
+ Active Directory Domain Controller) to stream authentication
+ events across the internal message bus. Scripts built using
+ Samba's python bindings can listen to these events by
+ registering as the service
+ <filename moreinfo="none">auth_event</filename>.</para>
+
+ <para>This should be considered a developer option (it assists
+ in the Samba testsuite) rather than a facility for external
+ auditing, as message delivery is not guaranteed (a feature
+ that the testsuite works around). Additionally Samba must be
+ compiled with the jansson support for this option to be
+ effective.</para>
+
+ <para>The authentication events are also logged via the normal
+ logging methods when the <smbconfoption name="log level"/> is
+ set appropriately.</para>
+</description>
+
+<value type="default">no</value>
+</samba:parameter>
sid = (struct dom_sid) {0};
}
- log_authentication_event(user_info, nt_status,
+ log_authentication_event(NULL, NULL,
+ user_info, nt_status,
server_info->info3->base.logon_domain.string,
server_info->info3->base.account_name.string,
unix_username, &sid);
user_info->client.account_name, user_info->mapped.account_name,
nt_errstr(nt_status), *pauthoritative));
- log_authentication_event(user_info, nt_status, NULL, NULL, NULL, NULL);
+ log_authentication_event(NULL, NULL, user_info, nt_status, NULL, NULL, NULL, NULL);
ZERO_STRUCTP(pserver_info);
* log all authorizations consistently (be they NLTM, NTLMSSP
* or krb5) we log this info again as an authorization.
*/
- log_successful_authz_event(user_info->remote_host,
+ log_successful_authz_event(auth_context->msg_ctx,
+ auth_context->lp_ctx,
+ user_info->remote_host,
user_info->local_host,
user_info->service_description,
user_info->auth_description,
* covered ncacn_np pass-through auth, and anonymous
* DCE/RPC (eg epmapper, netlogon etc)
*/
- log_successful_authz_event(p->remote_address,
+ log_successful_authz_event(NULL, NULL,
+ p->remote_address,
p->local_address,
table->name,
derpc_transport_string_by_transport(p->transport),
state->user_info->mapped.account_name,
nt_errstr(status), state->authoritative));
- log_authentication_event(state->user_info, status,
+ log_authentication_event(state->auth_ctx->msg_ctx,
+ state->auth_ctx->lp_ctx,
+ state->user_info, status,
NULL, NULL, NULL, NULL);
tevent_req_received(req);
return status;
state->user_info_dc->info->domain_name,
state->user_info_dc->info->account_name));
- log_authentication_event(state->user_info, status,
+ log_authentication_event(state->auth_ctx->msg_ctx,
+ state->auth_ctx->lp_ctx,
+ state->user_info, status,
state->user_info_dc->info->domain_name,
state->user_info_dc->info->account_name,
NULL,
talloc_steal(mem_ctx, *session_info);
}
- log_successful_authz_event(remote_address,
+ log_successful_authz_event(auth_context->msg_ctx,
+ auth_context->lp_ctx,
+ remote_address,
local_address,
"LDAP",
"simple bind",
transport_protection = AUTHZ_TRANSPORT_PROTECTION_TLS;
}
- log_successful_authz_event(call->conn->connection->remote_address,
+ log_successful_authz_event(call->conn->connection->msg_ctx,
+ call->conn->connection->lp_ctx,
+ call->conn->connection->remote_address,
call->conn->connection->local_address,
"LDAP",
"no bind",
* covered ncacn_np pass-through auth, and anonymous
* DCE/RPC (eg epmapper, netlogon etc)
*/
- log_successful_authz_event(call->conn->remote_address,
+ log_successful_authz_event(call->conn->msg_ctx,
+ call->conn->dce_ctx->lp_ctx,
+ call->conn->remote_address,
call->conn->local_address,
"DCE/RPC",
auth_type,
local_address = socket_get_local_addr(req->smb_conn->connection->socket,
frame);
- log_successful_authz_event(remote_address,
+ log_successful_authz_event(req->smb_conn->connection->msg_ctx,
+ req->smb_conn->lp_ctx,
+ remote_address,
local_address,
"SMB",
"bare-NTLM",