auth/authn_policy.c

   1 /*
   2    Unix SMB/CIFS implementation.
   3    Samba Active Directory authentication policy functions
   4
   5    Copyright (C) Catalyst.Net Ltd 2023
   6
   7    This program is free software; you can redistribute it and/or modify
   8    it under the terms of the GNU General Public License as published by
   9    the Free Software Foundation; either version 3 of the License, or
  10    (at your option) any later version.
  11
  12    This program is distributed in the hope that it will be useful,
  13    but WITHOUT ANY WARRANTY; without even the implied warranty of
  14    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  15    GNU General Public License for more details.
  16
  17    You should have received a copy of the GNU General Public License
  18    along with this program.  If not, see <http://www.gnu.org/licenses/>.
  19 */
  20
  21 #include "lib/replace/replace.h"
  22 #include "auth/authn_policy.h"
  23 #include "auth/authn_policy_impl.h"
  24
  25 bool authn_policy_is_enforced(const struct authn_policy *policy)
  26 {
  27         return policy->enforced;
  28 }
  29
  30 /* Authentication policies for Kerberos clients. */
  31
  32 /* Get the raw TGT lifetime enforced by an authentication policy. */
  33 int64_t authn_policy_enforced_tgt_lifetime_raw(const struct authn_kerberos_client_policy *policy)
  34 {
  35         if (policy == NULL) {
  36                 return 0;
  37         }
  38
  39         if (!authn_policy_is_enforced(&policy->policy)) {
  40                 return 0;
  41         }
  42
  43         return policy->tgt_lifetime_raw;
  44 }
  45
  46 /* Authentication policies for NTLM clients. */
  47
  48 /* Return whether an authentication policy enforces device restrictions. */
  49 static bool authn_policy_ntlm_device_restrictions_present(const struct authn_ntlm_client_policy *policy)
  50 {
  51         if (policy == NULL) {
  52                 return false;
  53         }
  54
  55         return policy->allowed_to_authenticate_from.data != NULL;
  56 }
  57
  58 /* Check whether the client is allowed to authenticate using NTLM. */
  59 NTSTATUS authn_policy_ntlm_apply_device_restriction(const char *client_account_name,
  60                                                     const char *device_account_name,
  61                                                     const struct authn_ntlm_client_policy *client_policy)
  62 {
  63         /*
  64          * If NTLM authentication is disallowed and the policy enforces a device
  65          * restriction, deny the authentication.
  66          */
  67
  68         if (!authn_policy_ntlm_device_restrictions_present(client_policy)) {
  69                 return NT_STATUS_OK;
  70         }
  71
  72         /*
  73          * Although MS-APDS doesn’t state it, AllowedNTLMNetworkAuthentication
  74          * applies to interactive logons too.
  75          */
  76         if (client_policy->allowed_ntlm_network_auth) {
  77                 return NT_STATUS_OK;
  78         }
  79
  80         if (authn_policy_is_enforced(&client_policy->policy)) {
  81                 return NT_STATUS_ACCOUNT_RESTRICTION;
  82         } else {
  83                 return NT_STATUS_OK;
  84         }
  85 }