2 Unix SMB/CIFS implementation.
3 Samba Active Directory authentication policy functions
5 Copyright (C) Catalyst.Net Ltd 2023
7 This program is free software; you can redistribute it and/or modify
8 it under the terms of the GNU General Public License as published by
9 the Free Software Foundation; either version 3 of the License, or
10 (at your option) any later version.
12 This program is distributed in the hope that it will be useful,
13 but WITHOUT ANY WARRANTY; without even the implied warranty of
14 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 GNU General Public License for more details.
17 You should have received a copy of the GNU General Public License
18 along with this program. If not, see <http://www.gnu.org/licenses/>.
21 #include "lib/replace/replace.h"
22 #include "auth/authn_policy.h"
23 #include "auth/authn_policy_impl.h"
bool authn_policy_is_enforced(const struct authn_policy *policy)
{
	/*
	 * Report whether this policy is in enforce mode. The flag is read
	 * straight from the policy structure; there is deliberately no NULL
	 * check, so callers must pass a resolved, non-NULL policy (the callers
	 * visible in this file pass the address of an embedded member).
	 */
	const bool is_enforced = policy->enforced;

	return is_enforced;
}
30 /* Authentication policies for Kerberos clients. */
32 /* Get the raw TGT lifetime enforced by an authentication policy. */
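int64_t authn_policy_enforced_tgt_lifetime_raw(const struct authn_kerberos_client_policy *policy)
{
	/*
	 * Return the raw TGT lifetime only when the policy actually enforces
	 * it. A result of 0 means "no enforced lifetime": either no policy
	 * applies at all (NULL), or the policy is not in enforce mode, in which
	 * case its configured lifetime must not be treated as binding. Callers
	 * are expected to check for 0 before applying the value to a ticket.
	 *
	 * A NULL policy is handled here rather than in every caller, so that
	 * a missing policy never dereferences a NULL pointer.
	 */
	if (policy == NULL) {
		return 0;
	}

	/* Not enforced: never leak the configured value as if it applied. */
	if (!authn_policy_is_enforced(&policy->policy)) {
		return 0;
	}

	return policy->tgt_lifetime_raw;
}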
46 /* Authentication policies for NTLM clients. */
48 /* Return whether an authentication policy enforces device restrictions. */
static bool authn_policy_ntlm_device_restrictions_present(const struct authn_ntlm_client_policy *policy)
{
	/*
	 * A device restriction counts as present as soon as the
	 * 'allowed_to_authenticate_from' member carries a data pointer. Only
	 * the pointer is examined, never a length. NOTE(review): confirm that
	 * an empty restriction is never stored with a non-NULL data pointer,
	 * as it would be treated as a real restriction here. 'policy' must be
	 * non-NULL; this helper does not check it.
	 */
	const void *restriction_data = policy->allowed_to_authenticate_from.data;

	return restriction_data != NULL;
}
58 /* Check whether the client is allowed to authenticate using NTLM. */
59 NTSTATUS
authn_policy_ntlm_apply_device_restriction(const char *client_account_name
,
60 const char *device_account_name
,
61 const struct authn_ntlm_client_policy
*client_policy
)
64 * If NTLM authentication is disallowed and the policy enforces a device
65 * restriction, deny the authentication.
68 if (!authn_policy_ntlm_device_restrictions_present(client_policy
)) {
73 * Although MS-APDS doesn’t state it, AllowedNTLMNetworkAuthentication
74 * applies to interactive logons too.
76 if (client_policy
->allowed_ntlm_network_auth
) {
80 if (authn_policy_is_enforced(&client_policy
->policy
)) {
81 return NT_STATUS_ACCOUNT_RESTRICTION
;