#define AUTH_SESSION_INFO_DEFAULT_GROUPS 0x01 /* Add the user to the default world and network groups */
#define AUTH_SESSION_INFO_AUTHENTICATED 0x02 /* Add the user to the 'authenticated users' group */
-#define AUTH_SESSION_INFO_SIMPLE_PRIVILEGES 0x04 /* Use a trivial map between users and privilages, rather than a DB */
+#define AUTH_SESSION_INFO_SIMPLE_PRIVILEGES 0x04 /* Use a trivial map between users and privileges, rather than a DB */
#define AUTH_SESSION_INFO_UNIX_TOKEN 0x08 /* The returned token must have the unix_token and unix_info elements provided */
#define AUTH_SESSION_INFO_NTLM 0x10 /* The returned token must have authenticated-with-NTLM flag set */
+#define AUTH_SESSION_INFO_FORCE_COMPOUNDED_AUTHENTICATION 0x20 /* The user authenticated with a device. */
+#define AUTH_SESSION_INFO_DEVICE_DEFAULT_GROUPS 0x40 /* Add the device to the default world and network groups */
+#define AUTH_SESSION_INFO_DEVICE_AUTHENTICATED 0x80 /* Add the device to the 'authenticated users' group */
struct auth_usersupplied_info
{
uint32_t logon_parameters;
- bool mapped_state;
+ bool cracknames_called;
bool was_mapped;
+ uint64_t logon_id;
/* the values the client gives us */
struct {
const char *account_name;
const char *domain_name;
- } client, mapped;
+ } client, mapped, orig_client;
enum auth_password_state password_state;
const char *service_description;
const char *auth_description;
+
+ /*
+ * for logging only, normally worked out from the password but
+ * for krb5 logging only (krb5 normally doesn't use this) we
+ * record the enc type here
+ */
+ const char *password_type;
};
struct auth_method_context;
/* SAM database for this local machine - to fill in local groups, or to authenticate local NTLM users */
struct ldb_context *sam_ctx;
+ /* The time this authentication started */
+ struct timeval start_time;
+
/* Private data for the callbacks on this auth context */
void *private_data;
- NTSTATUS (*check_ntlm_password)(struct auth4_context *auth_ctx,
+ /* Kerberos context, set up on demand */
+ struct smb_krb5_context *smb_krb5_context;
+
+ struct tevent_req *(*check_ntlm_password_send)(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct auth4_context *auth_ctx,
+ const struct auth_usersupplied_info *user_info);
+ NTSTATUS (*check_ntlm_password_recv)(struct tevent_req *req,
TALLOC_CTX *mem_ctx,
- const struct auth_usersupplied_info *user_info,
uint8_t *pauthoritative,
void **server_returned_info,
- DATA_BLOB *nt_session_key, DATA_BLOB *lm_session_key);
+ DATA_BLOB *nt_session_key,
+ DATA_BLOB *lm_session_key);
NTSTATUS (*get_ntlm_challenge)(struct auth4_context *auth_ctx, uint8_t chal[8]);
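Review bot: The new `check_ntlm_password_send`/`check_ntlm_password_recv` pair carries no comment on its contract, and splitting the callback makes that matter more: nothing here states which talloc context owns `*server_returned_info`, `*nt_session_key` and `*lm_session_key` on success (presumably the `mem_ctx` given to `_recv`, not the one given to `_send`), nor what `*pauthoritative` must hold when the result is an error. I would add above `check_ntlm_password_send` a comment along the lines of `/* Asynchronous NTLM check: _send starts the check for user_info; _recv returns the status, sets *pauthoritative (0 if another backend may still answer — confirm), and allocates the returned info and session keys on mem_ctx. */`, with the ownership wording checked against the implementation. `struct auth4_context` begins before this hunk.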
* NOTE: msg_ctx and lp_ctx is optional, but when supplied allows streaming the
* authentication events over the message bus.
*/
+struct authn_audit_info;
void log_authentication_event(struct imessaging_context *msg_ctx,
struct loadparm_context *lp_ctx,
+ const struct timeval *start_time,
const struct auth_usersupplied_info *ui,
NTSTATUS status,
- const char *account_name,
const char *domain_name,
- const char *unix_username,
- struct dom_sid *sid);
+ const char *account_name,
+ struct dom_sid *sid,
+ const struct authn_audit_info *client_audit_info,
+ const struct authn_audit_info *server_audit_info);
/*
* Log details of a successful authorization to a service.
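Review bot: `log_authentication_event` now takes `domain_name` before `account_name`, the reverse of the removed lines, and since both are `const char *` a caller still passing them in the old order compiles cleanly and logs the two values swapped; worth checking that every call site was updated in the same commit rather than relying on the compiler. Separately, the new forward declaration `struct authn_audit_info;` sits between the function's doc comment and its prototype, detaching the comment from what it documents; moving `struct authn_audit_info;` above the `/*` that opens the comment keeps them together. That comment block begins before this hunk.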
const char *service_description,
const char *auth_type,
const char *transport_protection,
- struct auth_session_info *session_info);
+ struct auth_session_info *session_info,
+ const struct authn_audit_info *client_audit_info,
+ const struct authn_audit_info *server_audit_info);
+
+/*
+ * Log details of an authorization to a service.
+ *
+ * NOTE: msg_ctx and lp_ctx are optional, but when supplied, allow streaming the
+ * authorization events over the message bus.
+ */
+void log_authz_event(
+ struct imessaging_context *msg_ctx,
+ struct loadparm_context *lp_ctx,
+ const struct tsocket_address *remote,
+ const struct tsocket_address *local,
+ const struct authn_audit_info *server_audit_info,
+ const char *service_description,
+ const char *auth_type,
+ const char *domain_name,
+ const char *account_name,
+ const struct dom_sid *sid,
+ const char *logon_server,
+ const struct timeval authtime,
+ NTSTATUS status);
+
#endif
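Review bot: `log_authz_event` declares `const struct timeval authtime` by value; `const` on a by-value parameter is a definition detail with no meaning in a prototype, so the header line should read `struct timeval authtime,`. The comment above it says only that `msg_ctx` and `lp_ctx` may be omitted, yet a log-only entry point is typically reached on failure paths where a SID or server audit info may not exist; if any of `remote`, `local`, `server_audit_info`, `sid` or `logon_server` may be NULL the comment should say so, and if none may, that is worth stating too. Style: the declaration opens with `log_authz_event(` followed by a newline, unlike `log_authentication_event` and `log_successful_authz_event` in the same file, which keep the first parameter on the signature line. `log_successful_authz_event`'s parameter list begins before this hunk.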