2 Unix SMB/CIFS implementation.
3 Samba Active Directory authentication policy utility functions
5 Copyright (C) Catalyst.Net Ltd 2023
7 This program is free software; you can redistribute it and/or modify
8 it under the terms of the GNU General Public License as published by
9 the Free Software Foundation; either version 3 of the License, or
10 (at your option) any later version.
12 This program is distributed in the hope that it will be useful,
13 but WITHOUT ANY WARRANTY; without even the implied warranty of
14 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 GNU General Public License for more details.
17 You should have received a copy of the GNU General Public License
18 along with this program. If not, see <http://www.gnu.org/licenses/>.
21 #ifndef KDC_AUTHN_POLICY_UTIL_H
22 #define KDC_AUTHN_POLICY_UTIL_H
24 #include "lib/replace/replace.h"
25 #include "auth/authn_policy.h"
29 struct loadparm_context
;
32 bool authn_policy_silos_and_policies_in_effect(struct ldb_context
*samdb
);
34 bool authn_policy_allowed_ntlm_network_auth_in_effect(struct ldb_context
*samdb
);
/*
 * Look up the silo assigned to an account. If one exists, returns its details
 * and whether it is enforced or not. ‘silo_attrs’ comprises the attributes to
 * include in the search result, the relevant set of which can differ depending
 * on the account’s objectClass.
 */
42 int authn_policy_get_assigned_silo(struct ldb_context
*samdb
,
44 const struct ldb_message
*msg
,
45 const char *const *silo_attrs
,
46 const struct ldb_message
**silo_msg_out
,
49 struct auth_user_info_dc
;
/* Authentication policies for Kerberos clients. */
54 * Get the applicable authentication policy for an account acting as a Kerberos
57 int authn_policy_kerberos_client(struct ldb_context
*samdb
,
59 const struct ldb_message
*msg
,
60 const struct authn_kerberos_client_policy
**policy_out
);
63 * Perform an access check for the device with which the client is
64 * authenticating. ‘device_info’ must be talloc-allocated so that we can make a
67 NTSTATUS
authn_policy_authenticate_from_device(TALLOC_CTX
*mem_ctx
,
68 struct ldb_context
*samdb
,
69 struct loadparm_context
* lp_ctx
,
70 const struct auth_user_info_dc
*device_info
,
71 const struct authn_kerberos_client_policy
*client_policy
,
72 struct authn_audit_info
**client_audit_info_out
);
/* Return whether an authentication policy enforces device restrictions. */
75 bool authn_policy_device_restrictions_present(const struct authn_kerberos_client_policy
*policy
);
/* Authentication policies for NTLM clients. */
79 struct authn_ntlm_client_policy
;
82 * Get the applicable authentication policy for an account acting as an NTLM
85 int authn_policy_ntlm_client(struct ldb_context
*samdb
,
87 const struct ldb_message
*msg
,
88 const struct authn_ntlm_client_policy
**policy_out
);
/* Check whether the client is allowed to authenticate using NTLM. */
91 NTSTATUS
authn_policy_ntlm_apply_device_restriction(TALLOC_CTX
*mem_ctx
,
92 const struct authn_ntlm_client_policy
*client_policy
,
93 struct authn_audit_info
**client_audit_info_out
);
/* Authentication policies for servers. */
97 struct authn_server_policy
;
100 * Get the applicable authentication policy for an account acting as a
103 int authn_policy_server(struct ldb_context
*samdb
,
105 const struct ldb_message
*msg
,
106 const struct authn_server_policy
**policy_out
);
/* Return whether an authentication policy enforces restrictions. */
109 bool authn_policy_restrictions_present(const struct authn_server_policy
*policy
);
111 enum authn_policy_auth_type
{
112 AUTHN_POLICY_AUTH_TYPE_KERBEROS
,
113 AUTHN_POLICY_AUTH_TYPE_NTLM
,
117 * Perform an access check for the client attempting to authenticate to the
118 * server. ‘user_info’ must be talloc-allocated so that we can make a reference
121 NTSTATUS
authn_policy_authenticate_to_service(TALLOC_CTX
*mem_ctx
,
122 struct ldb_context
*samdb
,
123 struct loadparm_context
* lp_ctx
,
124 enum authn_policy_auth_type auth_type
,
125 const struct auth_user_info_dc
*user_info
,
126 const struct authn_server_policy
*server_policy
,
127 struct authn_audit_info
**server_audit_info_out
);
/* Create a structure containing auditing information. */
130 NTSTATUS
_authn_kerberos_client_policy_audit_info(
132 const struct authn_kerberos_client_policy
*client_policy
,
133 const struct auth_user_info_dc
*client_info
,
134 enum authn_audit_event event
,
135 enum authn_audit_reason reason
,
136 NTSTATUS policy_status
,
137 const char *location
,
138 struct authn_audit_info
**audit_info_out
);
/* Create a structure containing auditing information. */
141 #define authn_kerberos_client_policy_audit_info( \
149 _authn_kerberos_client_policy_audit_info( \
/* Create a structure containing auditing information. */
160 NTSTATUS
_authn_ntlm_client_policy_audit_info(
162 const struct authn_ntlm_client_policy
*policy
,
163 const struct auth_user_info_dc
*client_info
,
164 enum authn_audit_event event
,
165 enum authn_audit_reason reason
,
166 NTSTATUS policy_status
,
167 const char *location
,
168 struct authn_audit_info
**audit_info_out
);
/* Create a structure containing auditing information. */
171 #define authn_ntlm_client_policy_audit_info( \
179 _authn_ntlm_client_policy_audit_info( \
/* Create a structure containing auditing information. */
190 NTSTATUS
_authn_server_policy_audit_info(
192 const struct authn_server_policy
*policy
,
193 const struct auth_user_info_dc
*client_info
,
194 enum authn_audit_event event
,
195 enum authn_audit_reason reason
,
196 NTSTATUS policy_status
,
197 const char *location
,
198 struct authn_audit_info
**audit_info_out
);
/* Create a structure containing auditing information. */
201 #define authn_server_policy_audit_info( \
209 _authn_server_policy_audit_info( \