talloc_free(frame);
}
+
+
+/*
+ * Log details of a successful authorization to a service.
+ *
+ * Only successful authorizations are logged. For clarity:
+ * - NTLM bad passwords will be recorded by the above
+ * - Kerberos decrypt failures need to be logged in gensec_gssapi et al
+ *
+ * The service may later refuse authorization due to an ACL.
+ *
+ */
+void log_successful_authz_event(const struct tsocket_address *remote,
+ const struct tsocket_address *local,
+ const char *service_description,
+ struct auth_session_info *session_info)
+{
+ TALLOC_CTX *frame = NULL;
+
+ char *ts = NULL; /* formatted current time */
+ char *remote_str = NULL; /* formatted remote host */
+ char *local_str = NULL; /* formatted local host */
+ char sid_buf[DOM_SID_STR_BUFLEN];
+
+ /* set the log level */
+ if (!CHECK_DEBUGLVLC( DBGC_AUTH_AUDIT, AUTHZ_SUCCESS_LEVEL)) {
+ return;
+ }
+
+ frame = talloc_stackframe();
+
+ /* Get the current time */
+ ts = http_timestring(frame, time(NULL));
+
+ remote_str = tsocket_address_string(remote, frame);
+ local_str = tsocket_address_string(local, frame);
+
+ dom_sid_string_buf(&session_info->security_token->sids[0], sid_buf, sizeof(sid_buf));
+
+ DEBUGC( DBGC_AUTH_AUDIT, AUTHZ_SUCCESS_LEVEL, (
+ "Successful AuthZ: [%s] user [%s]\\[%s] [%s]"
+ " at [%s]"
+ " Remote host [%s]"
+ " local host [%s]\n",
+ service_description,
+ log_escape(frame, session_info->info->domain_name),
+ log_escape(frame, session_info->info->account_name),
+ sid_buf,
+ ts,
+ remote_str,
+ local_str));
+
+ talloc_free(frame);
+}
const char *domain_name,
const char *unix_username,
struct dom_sid *sid);
+
+void log_successful_authz_event(const struct tsocket_address *remote,
+ const struct tsocket_address *local,
+ const char *service_description,
+ struct auth_session_info *session_info);
#endif
#include "auth/gensec/gensec.h"
#include "auth/gensec/gensec_internal.h"
#include "librpc/gen_ndr/dcerpc.h"
+#include "auth/common_auth.h"
_PRIVATE_ NTSTATUS gensec_may_reset_crypto(struct gensec_security *gensec_security,
bool full_reset)
return gensec_security->ops->session_key(gensec_security, mem_ctx, session_key);
}
+/*
+ * Log details of a successful GENSEC authorization to a service.
+ *
+ * Only successful authorizations are logged, as only these call gensec_session_info()
+ *
+ * The service may later refuse authorization due to an ACL.
+ *
+ */
+static void log_successful_gensec_authz_event(struct gensec_security *gensec_security,
+ struct auth_session_info *session_info)
+{
+ const struct tsocket_address *remote
+ = gensec_get_remote_address(gensec_security);
+ const struct tsocket_address *local
+ = gensec_get_local_address(gensec_security);
+ const char *service_description
+ = gensec_get_target_service_description(gensec_security);
+ log_successful_authz_event(remote, local, service_description, session_info);
+}
+
+
/**
* Return the credentials of a logged on user, including session keys
* etc.
*
* Only valid after a successful authentication
*
- * May only be called once per authentication.
+ * May only be called once per authentication. This will also make an
+ * authorization log entry, as it is already called by all the
+ * callers.
*
*/
TALLOC_CTX *mem_ctx,
struct auth_session_info **session_info)
{
+ NTSTATUS status;
if (!gensec_security->ops->session_info) {
return NT_STATUS_NOT_IMPLEMENTED;
}
- return gensec_security->ops->session_info(gensec_security, mem_ctx, session_info);
+ status = gensec_security->ops->session_info(gensec_security, mem_ctx, session_info);
+
+ if (NT_STATUS_IS_OK(status) && !gensec_security->subcontext
+ && (gensec_security->want_features & GENSEC_FEATURE_NO_AUTHZ_LOG) == 0) {
+ log_successful_gensec_authz_event(gensec_security, *session_info);
+ }
+
+ return status;
}
_PUBLIC_ void gensec_set_max_update_size(struct gensec_security *gensec_security,
#define GENSEC_FEATURE_UNIX_TOKEN 0x00000100
#define GENSEC_FEATURE_NTLM_CCACHE 0x00000200
#define GENSEC_FEATURE_LDAP_STYLE 0x00000400
+#define GENSEC_FEATURE_NO_AUTHZ_LOG 0x00000800
#define GENSEC_EXPIRE_TIME_INFINITY (NTTIME)0x8000000000000000LL
talloc_unlink(tmp_ctx, gensec_settings);
talloc_unlink(tmp_ctx, auth_context);
+ /* Session info is not complete, do not pass to auth log */
+ gensec_want_feature(gensec_server_context, GENSEC_FEATURE_NO_AUTHZ_LOG);
+
status = gensec_start_mech_by_oid(gensec_server_context, GENSEC_OID_KERBEROS5);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(1, (__location__ "Failed to start server-side GENSEC krb5 to validate a Kerberos ticket: %s\n", nt_errstr(status)));
gensec_want_feature_list(state->gensec_state, want_feature_list);
+ /* Session info is not complete, do not pass to auth log */
+ gensec_want_feature(state->gensec_state, GENSEC_FEATURE_NO_AUTHZ_LOG);
+
switch (stdio_helper_mode) {
case GSS_SPNEGO_CLIENT:
case GSS_SPNEGO_SERVER: