search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
CVE-2023-34968: mdssvc: introduce an allocating wrapper to sl_pack()
[Samba.git] / source4 / kdc / authn_policy_util.c
blobbcbe14804d905fa99c27b794e7514ed1fcbf5c3e
1 /*
2 Unix SMB/CIFS implementation.
3 Samba Active Directory authentication policy utility functions
4
5 Copyright (C) Catalyst.Net Ltd 2023
6
7 This program is free software; you can redistribute it and/or modify
8 it under the terms of the GNU General Public License as published by
9 the Free Software Foundation; either version 3 of the License, or
10 (at your option) any later version.
11
12 This program is distributed in the hope that it will be useful,
13 but WITHOUT ANY WARRANTY; without even the implied warranty of
14 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 GNU General Public License for more details.
16
17 You should have received a copy of the GNU General Public License
18 along with this program. If not, see <http://www.gnu.org/licenses/>.
19 */
20
21 #include "lib/replace/replace.h"
22 #include "source4/kdc/authn_policy_util.h"
23 #include "auth/authn_policy_impl.h"
24 #include "lib/util/debug.h"
25 #include "lib/util/samba_util.h"
26 #include "libcli/security/security.h"
27 #include "libcli/util/werror.h"
28 #include "auth/common_auth.h"
29 #include "source4/auth/session.h"
30 #include "source4/dsdb/samdb/samdb.h"
31 #include "source4/dsdb/samdb/ldb_modules/util.h"
32
33 bool authn_policy_silos_and_policies_in_effect(struct ldb_context *samdb)
34 {
35 /*
36 * Authentication Silos and Authentication Policies are not
37 * honoured by Samba unless the DC is at FL 2012 R2. This is
38 * to match Windows, which will offer these features as soon
39 * as the DC is upgraded.
40 */
41 const int functional_level = dsdb_dc_functional_level(samdb);
42 return functional_level >= DS_DOMAIN_FUNCTION_2012_R2;
43 }
44
45 bool authn_policy_allowed_ntlm_network_auth_in_effect(struct ldb_context *samdb)
46 {
47 /*
48 * The allowed NTLM network authentication Policies are not
49 * honoured by Samba unless the DC is at FL2016. This
50 * is to match Windows, which will enforce these restrictions
51 * as soon as the DC is upgraded.
52 */
53 const int functional_level = dsdb_dc_functional_level(samdb);
54 return functional_level >= DS_DOMAIN_FUNCTION_2016;
55 }
56
57 /*
58 * Depending on the type of the account, we need to refer to different
59 * attributes of authentication silo objects. This structure keeps track of the
60 * attributes to use for a certain account type.
61 */
62 struct authn_silo_attrs {
63 const char *policy;
64 const char *attrs[];
65 };
66
67 /*
68 * Depending on the type of the account, we need to refer to different
69 * attributes of authentication policy objects. This structure keeps track of
70 * the attributes to use for a certain account type.
71 */
72 struct authn_policy_attrs {
73 /* This applies at FL2016 and up. */
74 const char *allowed_ntlm_network_auth;
75 /* The remainder apply at FL2012_R2 and up. */
76 const char *allowed_to_authenticate_from;
77 const char *allowed_to_authenticate_to;
78 const char *tgt_lifetime;
79 const char *attrs[];
80 };
81
82 struct authn_attrs {
83 const struct authn_silo_attrs *silo;
84 const struct authn_policy_attrs *policy;
85 };
86
87 /*
88 * Get the authentication attributes that apply to an account of a certain
89 * class.
90 */
91 static const struct authn_attrs authn_policy_get_attrs(const struct ldb_message *msg)
92 {
93 const struct authn_attrs null_authn_attrs = {
94 .silo = NULL,
95 .policy = NULL,
96 };
97 const struct ldb_message_element *objectclass_el = NULL;
98 unsigned i;
99
100 objectclass_el = ldb_msg_find_element(msg, "objectClass");
101 if (objectclass_el == NULL || objectclass_el->num_values == 0) {
102 return null_authn_attrs;
103 }
104
105 /*
106 * Iterate over the objectClasses, starting at the most-derived class.
107 */
108 for (i = objectclass_el->num_values; i > 0; --i) {
109 const struct ldb_val *objectclass_val = &objectclass_el->values[i - 1];
110 const char *objectclass = NULL;
111
112 objectclass = (const char *)objectclass_val->data;
113 if (objectclass == NULL) {
114 continue;
115 }
116
117 #define COMMON_AUTHN_SILO_ATTRS \
118 "msDS-AuthNPolicySiloEnforced", \
119 "msDS-AuthNPolicySiloMembers", \
120 "name"
121
122 #define COMMON_AUTHN_POLICY_ATTRS \
123 "msDS-AuthNPolicyEnforced", \
124 "msDS-StrongNTLMPolicy", \
125 "name"
126
127 /*
128 * See which of three classes this object is most closely
129 * derived from.
130 */
131 if (strcasecmp(objectclass, "user") == 0) {
132 static const struct authn_silo_attrs user_authn_silo_attrs = {
133 .policy = "msDS-UserAuthNPolicy",
134 .attrs = {
135 COMMON_AUTHN_SILO_ATTRS,
136 "msDS-UserAuthNPolicy",
137 NULL,
138 },
139 };
140
141 static const struct authn_policy_attrs user_authn_policy_attrs = {
142 .allowed_ntlm_network_auth = "msDS-UserAllowedNTLMNetworkAuthentication",
143 .allowed_to_authenticate_from = "msDS-UserAllowedToAuthenticateFrom",
144 .allowed_to_authenticate_to = "msDS-UserAllowedToAuthenticateTo",
145 .tgt_lifetime = "msDS-UserTGTLifetime",
146 .attrs = {
147 COMMON_AUTHN_POLICY_ATTRS,
148 "msDS-UserAllowedNTLMNetworkAuthentication",
149 "msDS-UserAllowedToAuthenticateFrom",
150 "msDS-UserAllowedToAuthenticateTo",
151 "msDS-UserTGTLifetime",
152 NULL,
153 },
154 };
155
156 return (struct authn_attrs) {
157 .silo = &user_authn_silo_attrs,
158 .policy = &user_authn_policy_attrs,
159 };
160 }
161
162 if (strcasecmp(objectclass, "computer") == 0) {
163 static const struct authn_silo_attrs computer_authn_silo_attrs = {
164 .policy = "msDS-ComputerAuthNPolicy",
165 .attrs = {
166 COMMON_AUTHN_SILO_ATTRS,
167 "msDS-ComputerAuthNPolicy",
168 NULL,
169 },
170 };
171
172 static const struct authn_policy_attrs computer_authn_policy_attrs = {
173 .allowed_ntlm_network_auth = NULL,
174 .allowed_to_authenticate_from = NULL,
175 .allowed_to_authenticate_to = "msDS-ComputerAllowedToAuthenticateTo",
176 .tgt_lifetime = "msDS-ComputerTGTLifetime",
177 .attrs = {
178 COMMON_AUTHN_POLICY_ATTRS,
179 "msDS-ComputerAllowedToAuthenticateTo",
180 "msDS-ComputerTGTLifetime",
181 NULL,
182 },
183 };
184
185 return (struct authn_attrs) {
186 .silo = &computer_authn_silo_attrs,
187 .policy = &computer_authn_policy_attrs,
188 };
189 }
190
191 if (strcasecmp(objectclass, "msDS-ManagedServiceAccount") == 0) {
192 static const struct authn_silo_attrs service_authn_silo_attrs = {
193 .policy = "msDS-ServiceAuthNPolicy",
194 .attrs = {
195 COMMON_AUTHN_SILO_ATTRS,
196 "msDS-ServiceAuthNPolicy",
197 NULL,
198 },
199 };
200
201 static const struct authn_policy_attrs service_authn_policy_attrs = {
202 .allowed_ntlm_network_auth = "msDS-ServiceAllowedNTLMNetworkAuthentication",
203 .allowed_to_authenticate_from = "msDS-ServiceAllowedToAuthenticateFrom",
204 .allowed_to_authenticate_to = "msDS-ServiceAllowedToAuthenticateTo",
205 .tgt_lifetime = "msDS-ServiceTGTLifetime",
206 .attrs = {
207 COMMON_AUTHN_POLICY_ATTRS,
208 "msDS-ServiceAllowedNTLMNetworkAuthentication",
209 "msDS-ServiceAllowedToAuthenticateFrom",
210 "msDS-ServiceAllowedToAuthenticateTo",
211 "msDS-ServiceTGTLifetime",
212 NULL,
213 },
214 };
215
216 return (struct authn_attrs) {
217 .silo = &service_authn_silo_attrs,
218 .policy = &service_authn_policy_attrs,
219 };
220 }
221 }
222
223 #undef COMMON_AUTHN_SILO_ATTRS
224 #undef COMMON_AUTHN_POLICY_ATTRS
225
226 /* No match — this object is not a user. */
227 return null_authn_attrs;
228 }
229
230 /*
231 * Look up the silo assigned to an account. If one exists, returns its details
232 * and whether it is enforced or not. ‘silo_attrs’ comprises the attributes to
233 * include in the search result, the relevant set of which can differ depending
234 * on the account’s objectClass.
235 */
236 int authn_policy_get_assigned_silo(struct ldb_context *samdb,
237 TALLOC_CTX *mem_ctx,
238 const struct ldb_message *msg,
239 const char * const *silo_attrs,
240 const struct ldb_message **silo_msg_out,
241 bool *is_enforced)
242 {
243 TALLOC_CTX *tmp_ctx = NULL;
244 int ret = 0;
245 const struct ldb_message_element *authn_silo = NULL;
246 struct ldb_dn *authn_silo_dn = NULL;
247 struct ldb_message *authn_silo_msg = NULL;
248 const struct ldb_message_element *members = NULL;
249 const char *linearized_dn = NULL;
250 struct ldb_val linearized_dn_val;
251
252 *silo_msg_out = NULL;
253 *is_enforced = true;
254
255 if (!authn_policy_silos_and_policies_in_effect(samdb)) {
256 return 0;
257 }
258
259 tmp_ctx = talloc_new(mem_ctx);
260 if (tmp_ctx == NULL) {
261 ret = ENOMEM;
262 goto out;
263 }
264
265 authn_silo = ldb_msg_find_element(msg, "msDS-AssignedAuthNPolicySilo");
266 /* Is the account assigned to a silo? */
267 if (authn_silo == NULL || !authn_silo->num_values) {
268 goto out;
269 }
270
271 authn_silo_dn = ldb_dn_from_ldb_val(tmp_ctx, samdb, &authn_silo->values[0]);
272 if (authn_silo_dn == NULL) {
273 ret = ENOMEM;
274 goto out;
275 }
276
277 ret = dsdb_search_one(samdb,
278 tmp_ctx,
279 &authn_silo_msg,
280 authn_silo_dn,
281 LDB_SCOPE_BASE,
282 silo_attrs,
283 0, NULL);
284 if (ret == LDB_ERR_NO_SUCH_OBJECT) {
285 /* Not found. */
286 ret = 0;
287 goto out;
288 }
289 if (ret) {
290 goto out;
291 }
292
293 members = ldb_msg_find_element(authn_silo_msg,
294 "msDS-AuthNPolicySiloMembers");
295 if (members == NULL) {
296 goto out;
297 }
298
299 linearized_dn = ldb_dn_get_linearized(msg->dn);
300 if (linearized_dn == NULL) {
301 ret = ENOMEM;
302 goto out;
303 }
304
305 linearized_dn_val = data_blob_string_const(linearized_dn);
306 /* Is the account a member of the silo? */
307 if (!ldb_msg_find_val(members, &linearized_dn_val)) {
308 goto out;
309 }
310
311 /* Is the silo actually enforced? */
312 *is_enforced = ldb_msg_find_attr_as_bool(
313 authn_silo_msg,
314 "msDS-AuthNPolicySiloEnforced",
315 false);
316
317 *silo_msg_out = talloc_move(mem_ctx, &authn_silo_msg);
318
319 out:
320 talloc_free(tmp_ctx);
321 return ret;
322 }
323
324 /*
325 * Look up the authentication policy assigned to an account, returning its
326 * details if it exists. ‘authn_attrs’ specifies which attributes are relevant,
327 * and should be chosen based on the account’s objectClass.
328 */
329 static int samba_kdc_authn_policy_msg(struct ldb_context *samdb,
330 TALLOC_CTX *mem_ctx,
331 const struct ldb_message *msg,
332 const struct authn_attrs authn_attrs,
333 struct ldb_message **authn_policy_msg_out,
334 struct authn_policy *authn_policy_out)
335 {
336 TALLOC_CTX *tmp_ctx = NULL;
337 int ret = 0;
338 const struct ldb_message *authn_silo_msg = NULL;
339 const struct ldb_message_element *authn_policy = NULL;
340 const char *silo_name = NULL;
341 const char *policy_name = NULL;
342 struct ldb_dn *authn_policy_dn = NULL;
343 struct ldb_message *authn_policy_msg = NULL;
344 bool belongs_to_silo = false;
345 bool is_enforced = true;
346
347 *authn_policy_msg_out = NULL;
348 *authn_policy_out = (struct authn_policy) {};
349
350 tmp_ctx = talloc_new(mem_ctx);
351 if (tmp_ctx == NULL) {
352 ret = ENOMEM;
353 goto out;
354 }
355
356 /* See whether the account is assigned to a silo. */
357 ret = authn_policy_get_assigned_silo(samdb,
358 tmp_ctx,
359 msg,
360 authn_attrs.silo->attrs,
361 &authn_silo_msg,
362 &is_enforced);
363 if (ret) {
364 goto out;
365 }
366
367 if (authn_silo_msg != NULL) {
368 belongs_to_silo = true;
369
370 silo_name = ldb_msg_find_attr_as_string(authn_silo_msg, "name", NULL);
371
372 /* Get the applicable authentication policy. */
373 authn_policy = ldb_msg_find_element(
374 authn_silo_msg,
375 authn_attrs.silo->policy);
376 } else {
377 /*
378 * If no silo is assigned, take the policy that is directly
379 * assigned to the account.
380 */
381 authn_policy = ldb_msg_find_element(msg, "msDS-AssignedAuthNPolicy");
382 }
383
384 if (authn_policy == NULL || !authn_policy->num_values) {
385 /* No policy applies; we’re done. */
386 goto out;
387 }
388
389 authn_policy_dn = ldb_dn_from_ldb_val(tmp_ctx, samdb, &authn_policy->values[0]);
390 if (authn_policy_dn == NULL) {
391 ret = ENOMEM;
392 goto out;
393 }
394
395 /* Look up the policy object. */
396 ret = dsdb_search_one(samdb,
397 tmp_ctx,
398 &authn_policy_msg,
399 authn_policy_dn,
400 LDB_SCOPE_BASE,
401 authn_attrs.policy->attrs,
402 0, NULL);
403 if (ret == LDB_ERR_NO_SUCH_OBJECT) {
404 /* Not found. */
405 ret = 0;
406 goto out;
407 }
408 if (ret) {
409 goto out;
410 }
411
412 policy_name = ldb_msg_find_attr_as_string(authn_policy_msg, "name", NULL);
413
414 if (!belongs_to_silo) {
415 is_enforced = ldb_msg_find_attr_as_bool(
416 authn_policy_msg,
417 "msDS-AuthNPolicyEnforced",
418 false);
419 }
420
421 authn_policy_out->silo_name = talloc_move(mem_ctx, &silo_name);
422 authn_policy_out->policy_name = talloc_move(mem_ctx, &policy_name);
423 authn_policy_out->enforced = is_enforced;
424
425 *authn_policy_msg_out = talloc_move(mem_ctx, &authn_policy_msg);
426
427 out:
428 talloc_free(tmp_ctx);
429 return ret;
430 }
431
432 /*
433 * Reference an existing authentication policy onto a talloc context, returning
434 * ‘true’ on success.
435 */
436 static bool authn_policy_ref(TALLOC_CTX *mem_ctx,
437 struct authn_policy *policy_out,
438 const struct authn_policy *policy)
439 {
440 const char *silo_name = NULL;
441 const char *policy_name = NULL;
442
443 if (policy->silo_name != NULL) {
444 silo_name = talloc_strdup(mem_ctx, policy->silo_name);
445 if (silo_name == NULL) {
446 return false;
447 }
448 }
449
450 if (policy->policy_name != NULL) {
451 policy_name = talloc_strdup(mem_ctx, policy->policy_name);
452 if (policy_name == NULL) {
453 /*
454 * We can’t free ‘silo_name’ here, as it is declared
455 * const. It will be freed with the parent context.
456 */
457 return false;
458 }
459 }
460
461 *policy_out = (struct authn_policy) {
462 .silo_name = silo_name,
463 .policy_name = policy_name,
464 .enforced = policy->enforced,
465 };
466
467 return true;
468 }
469
470 /* Create a structure containing auditing information. */
471 static NTSTATUS _authn_policy_audit_info(TALLOC_CTX *mem_ctx,
472 const struct authn_policy *policy,
473 const struct authn_int64_optional tgt_lifetime_raw,
474 const struct auth_user_info_dc *client_info,
475 const enum authn_audit_event event,
476 const enum authn_audit_reason reason,
477 const NTSTATUS policy_status,
478 const char *location,
479 struct authn_audit_info **audit_info_out)
480 {
481 struct authn_audit_info *audit_info = NULL;
482 bool ok;
483
484 if (audit_info_out == NULL) {
485 return NT_STATUS_OK;
486 }
487
488 audit_info = talloc_zero(mem_ctx, struct authn_audit_info);
489 if (audit_info == NULL) {
490 return NT_STATUS_NO_MEMORY;
491 }
492
493 if (client_info != NULL) {
494 /*
495 * Keep a reference to the client’s user information so that it
496 * is available to be logged later.
497 */
498 audit_info->client_info = talloc_reference(audit_info, client_info);
499 if (audit_info->client_info == NULL) {
500 talloc_free(audit_info);
501 return NT_STATUS_NO_MEMORY;
502 }
503 }
504
505 if (policy != NULL) {
506 audit_info->policy = talloc_zero(audit_info, struct authn_policy);
507 if (audit_info->policy == NULL) {
508 talloc_free(audit_info);
509 return NT_STATUS_NO_MEMORY;
510 }
511
512 ok = authn_policy_ref(audit_info, audit_info->policy, policy);
513 if (!ok) {
514 talloc_free(audit_info);
515 return NT_STATUS_NO_MEMORY;
516 }
517 }
518
519 audit_info->event = event;
520 audit_info->reason = reason;
521 audit_info->policy_status = policy_status;
522 audit_info->location = location;
523 audit_info->tgt_lifetime_raw = tgt_lifetime_raw;
524
525 *audit_info_out = audit_info;
526 return NT_STATUS_OK;
527 }
528
529 /* Create a structure containing auditing information. */
530 #define authn_policy_audit_info( \
531 mem_ctx, \
532 policy, \
533 tgt_lifetime_raw, \
534 client_info, \
535 event, \
536 reason, \
537 policy_status, \
538 audit_info_out) \
539 _authn_policy_audit_info( \
540 mem_ctx, \
541 policy, \
542 tgt_lifetime_raw, \
543 client_info, \
544 event, \
545 reason, \
546 policy_status, \
547 __location__, \
548 audit_info_out)
549
550 /*
551 * Perform an access check against the security descriptor set in an
552 * authentication policy. ‘client_info’ must be talloc-allocated so that we can
553 * make a reference to it.
554 */
555 static NTSTATUS _authn_policy_access_check(TALLOC_CTX *mem_ctx,
556 struct ldb_context *samdb,
557 struct loadparm_context* lp_ctx,
558 const struct auth_user_info_dc *client_info,
559 const struct authn_policy *policy,
560 const struct authn_int64_optional tgt_lifetime_raw,
561 const enum authn_audit_event restriction_event,
562 const DATA_BLOB *descriptor_blob,
563 const char *location,
564 struct authn_audit_info **audit_info_out)
565 {
566 TALLOC_CTX *tmp_ctx = NULL;
567 NTSTATUS status = NT_STATUS_OK;
568 NTSTATUS status2;
569 enum ndr_err_code ndr_err;
570 struct security_descriptor *descriptor = NULL;
571 struct security_token *security_token = NULL;
572 uint32_t session_info_flags =
573 AUTH_SESSION_INFO_DEFAULT_GROUPS |
574 AUTH_SESSION_INFO_SIMPLE_PRIVILEGES;
575 const uint32_t access_desired = SEC_ADS_CONTROL_ACCESS;
576 uint32_t access_granted;
577 enum authn_audit_event event = restriction_event;
578 enum authn_audit_reason reason = AUTHN_AUDIT_REASON_NONE;
579
580 if (audit_info_out != NULL) {
581 *audit_info_out = NULL;
582 }
583
584 tmp_ctx = talloc_new(mem_ctx);
585 if (tmp_ctx == NULL) {
586 status = NT_STATUS_NO_MEMORY;
587 goto out;
588 }
589
590 if (!(client_info->info->user_flags & NETLOGON_GUEST)) {
591 session_info_flags |= AUTH_SESSION_INFO_AUTHENTICATED;
592 }
593
594 descriptor = talloc(tmp_ctx, struct security_descriptor);
595 if (descriptor == NULL) {
596 status = NT_STATUS_NO_MEMORY;
597 goto out;
598 }
599
600 ndr_err = ndr_pull_struct_blob(descriptor_blob,
601 tmp_ctx,
602 descriptor,
603 (ndr_pull_flags_fn_t)ndr_pull_security_descriptor);
604 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
605 status = ndr_map_error2ntstatus(ndr_err);
606 DBG_ERR("Failed to unmarshall "
607 "security descriptor for authentication policy: %s\n",
608 nt_errstr(status));
609 reason = AUTHN_AUDIT_REASON_DESCRIPTOR_INVALID;
610 goto out;
611 }
612
613 /* Require that the security descriptor has an owner set. */
614 if (descriptor->owner_sid == NULL) {
615 status = NT_STATUS_INVALID_PARAMETER;
616 reason = AUTHN_AUDIT_REASON_DESCRIPTOR_NO_OWNER;
617 goto out;
618 }
619
620 status = auth_generate_security_token(tmp_ctx,
621 lp_ctx,
622 samdb,
623 client_info,
624 session_info_flags,
625 &security_token);
626 if (!NT_STATUS_IS_OK(status)) {
627 reason = AUTHN_AUDIT_REASON_SECURITY_TOKEN_FAILURE;
628 goto out;
629 }
630
631 status = sec_access_check_ds(descriptor, security_token,
632 access_desired, &access_granted,
633 NULL, NULL);
634 if (NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED)) {
635 status = NT_STATUS_AUTHENTICATION_FIREWALL_FAILED;
636 reason = AUTHN_AUDIT_REASON_ACCESS_DENIED;
637 goto out;
638 }
639 if (!NT_STATUS_IS_OK(status)) {
640 goto out;
641 }
642
643 event = AUTHN_AUDIT_EVENT_OK;
644 out:
645 /*
646 * Create the structure with auditing information here while we have all
647 * the relevant information to hand. It will contain references to
648 * information regarding the client and the policy, to be consulted
649 * after the referents have possibly been freed.
650 */
651 status2 = _authn_policy_audit_info(mem_ctx,
652 policy,
653 tgt_lifetime_raw,
654 client_info,
655 event,
656 reason,
657 status,
658 location,
659 audit_info_out);
660 if (!NT_STATUS_IS_OK(status2)) {
661 status = status2;
662 } else if (!authn_policy_is_enforced(policy)) {
663 status = NT_STATUS_OK;
664 }
665
666 talloc_free(tmp_ctx);
667 return status;
668 }
669
670 #define authn_policy_access_check(mem_ctx, \
671 samdb, \
672 lp_ctx, \
673 client_info, \
674 policy, \
675 tgt_lifetime_raw, \
676 restriction_event, \
677 descriptor_blob, \
678 audit_info_out) \
679 _authn_policy_access_check(mem_ctx, \
680 samdb, \
681 lp_ctx, \
682 client_info, \
683 policy, \
684 tgt_lifetime_raw, \
685 restriction_event, \
686 descriptor_blob, \
687 __location__, \
688 audit_info_out)
689
690 /* Return an authentication policy moved onto a talloc context. */
691 static struct authn_policy authn_policy_move(TALLOC_CTX *mem_ctx,
692 struct authn_policy *policy)
693 {
694 return (struct authn_policy) {
695 .silo_name = talloc_move(mem_ctx, &policy->silo_name),
696 .policy_name = talloc_move(mem_ctx, &policy->policy_name),
697 .enforced = policy->enforced,
698 };
699 }
700
701 /* Authentication policies for Kerberos clients. */
702
703 /*
704 * Get the applicable authentication policy for an account acting as a Kerberos
705 * client.
706 */
707 int authn_policy_kerberos_client(struct ldb_context *samdb,
708 TALLOC_CTX *mem_ctx,
709 const struct ldb_message *msg,
710 const struct authn_kerberos_client_policy **policy_out)
711 {
712 TALLOC_CTX *tmp_ctx = NULL;
713 int ret = 0;
714 struct authn_attrs authn_attrs;
715 struct ldb_message *authn_policy_msg = NULL;
716 struct authn_kerberos_client_policy *client_policy = NULL;
717 struct authn_policy policy;
718
719 *policy_out = NULL;
720
721 if (!authn_policy_silos_and_policies_in_effect(samdb)) {
722 return 0;
723 }
724
725 /*
726 * Get the silo and policy attributes that apply to objects of this
727 * account’s objectclass.
728 */
729 authn_attrs = authn_policy_get_attrs(msg);
730 if (authn_attrs.silo == NULL || authn_attrs.policy == NULL) {
731 /*
732 * No applicable silo or policy attributes (somehow). Either
733 * this account isn’t derived from ‘user’, or the message is
734 * missing an objectClass element.
735 */
736 goto out;
737 }
738
739 if (authn_attrs.policy->allowed_to_authenticate_from == NULL &&
740 authn_attrs.policy->tgt_lifetime == NULL)
741 {
742 /* No relevant policy attributes apply. */
743 goto out;
744 }
745
746 tmp_ctx = talloc_new(mem_ctx);
747 if (tmp_ctx == NULL) {
748 ret = ENOMEM;
749 goto out;
750 }
751
752 ret = samba_kdc_authn_policy_msg(samdb,
753 tmp_ctx,
754 msg,
755 authn_attrs,
756 &authn_policy_msg,
757 &policy);
758 if (ret) {
759 goto out;
760 }
761
762 if (authn_policy_msg == NULL) {
763 /* No policy applies. */
764 goto out;
765 }
766
767 client_policy = talloc_zero(tmp_ctx, struct authn_kerberos_client_policy);
768 if (client_policy == NULL) {
769 ret = ENOMEM;
770 goto out;
771 }
772
773 client_policy->policy = authn_policy_move(client_policy, &policy);
774
775 if (authn_attrs.policy->allowed_to_authenticate_from != NULL) {
776 const struct ldb_val *allowed_from = ldb_msg_find_ldb_val(
777 authn_policy_msg,
778 authn_attrs.policy->allowed_to_authenticate_from);
779
780 if (allowed_from != NULL && allowed_from->data != NULL) {
781 client_policy->allowed_to_authenticate_from = data_blob_const(
782 talloc_steal(client_policy, allowed_from->data),
783 allowed_from->length);
784 }
785 }
786
787 if (authn_attrs.policy->tgt_lifetime != NULL) {
788 client_policy->tgt_lifetime_raw = ldb_msg_find_attr_as_int64(
789 authn_policy_msg,
790 authn_attrs.policy->tgt_lifetime,
791 0);
792 }
793
794 *policy_out = talloc_move(mem_ctx, &client_policy);
795
796 out:
797 talloc_free(tmp_ctx);
798 return ret;
799 }
800
801 /* Get device restrictions enforced by an authentication policy. */
802 static const DATA_BLOB *authn_policy_kerberos_device_restrictions(const struct authn_kerberos_client_policy *policy)
803 {
804 const DATA_BLOB *restrictions = NULL;
805
806 if (policy == NULL) {
807 return NULL;
808 }
809
810 restrictions = &policy->allowed_to_authenticate_from;
811 if (restrictions->data == NULL) {
812 return NULL;
813 }
814
815 return restrictions;
816 }
817
818 /* Return whether an authentication policy enforces device restrictions. */
819 bool authn_policy_device_restrictions_present(const struct authn_kerberos_client_policy *policy)
820 {
821 return authn_policy_kerberos_device_restrictions(policy) != NULL;
822 }
823
824 /*
825 * Perform an access check for the device with which the client is
826 * authenticating. ‘device_info’ must be talloc-allocated so that we can make a
827 * reference to it.
828 */
829 NTSTATUS authn_policy_authenticate_from_device(TALLOC_CTX *mem_ctx,
830 struct ldb_context *samdb,
831 struct loadparm_context* lp_ctx,
832 const struct auth_user_info_dc *device_info,
833 const struct authn_kerberos_client_policy *client_policy,
834 struct authn_audit_info **client_audit_info_out)
835 {
836 NTSTATUS status = NT_STATUS_OK;
837 const DATA_BLOB *restrictions = NULL;
838
839 restrictions = authn_policy_kerberos_device_restrictions(client_policy);
840 if (restrictions == NULL) {
841 goto out;
842 }
843
844 status = authn_policy_access_check(mem_ctx,
845 samdb,
846 lp_ctx,
847 device_info,
848 &client_policy->policy,
849 authn_int64_some(client_policy->tgt_lifetime_raw),
850 AUTHN_AUDIT_EVENT_KERBEROS_DEVICE_RESTRICTION,
851 restrictions,
852 client_audit_info_out);
853 out:
854 return status;
855 }
856
857 /* Authentication policies for NTLM clients. */
858
859 /*
860 * Get the applicable authentication policy for an account acting as an NTLM
861 * client.
862 */
863 int authn_policy_ntlm_client(struct ldb_context *samdb,
864 TALLOC_CTX *mem_ctx,
865 const struct ldb_message *msg,
866 const struct authn_ntlm_client_policy **policy_out)
867 {
868 TALLOC_CTX *tmp_ctx = NULL;
869 int ret = 0;
870 struct authn_attrs authn_attrs;
871 struct ldb_message *authn_policy_msg = NULL;
872 struct authn_ntlm_client_policy *client_policy = NULL;
873 struct authn_policy policy;
874
875 *policy_out = NULL;
876
877 if (!authn_policy_silos_and_policies_in_effect(samdb)) {
878 return 0;
879 }
880
881 /*
882 * Get the silo and policy attributes that apply to objects of this
883 * account’s objectclass.
884 */
885 authn_attrs = authn_policy_get_attrs(msg);
886 if (authn_attrs.silo == NULL || authn_attrs.policy == NULL) {
887 /*
888 * No applicable silo or policy attributes (somehow). Either
889 * this account isn’t derived from ‘user’, or the message is
890 * missing an objectClass element.
891 */
892 goto out;
893 }
894
895 if (authn_attrs.policy->allowed_to_authenticate_from == NULL &&
896 authn_attrs.policy->allowed_ntlm_network_auth == NULL)
897 {
898 /* No relevant policy attributes apply. */
899 goto out;
900 }
901
902 tmp_ctx = talloc_new(mem_ctx);
903 if (tmp_ctx == NULL) {
904 ret = ENOMEM;
905 goto out;
906 }
907
908 ret = samba_kdc_authn_policy_msg(samdb,
909 tmp_ctx,
910 msg,
911 authn_attrs,
912 &authn_policy_msg,
913 &policy);
914 if (ret) {
915 goto out;
916 }
917
918 if (authn_policy_msg == NULL) {
919 /* No policy applies. */
920 goto out;
921 }
922
923 client_policy = talloc_zero(tmp_ctx, struct authn_ntlm_client_policy);
924 if (client_policy == NULL) {
925 ret = ENOMEM;
926 goto out;
927 }
928
929 client_policy->policy = authn_policy_move(client_policy, &policy);
930
931 if (authn_attrs.policy->allowed_to_authenticate_from != NULL) {
932 const struct ldb_val *allowed_from = ldb_msg_find_ldb_val(
933 authn_policy_msg,
934 authn_attrs.policy->allowed_to_authenticate_from);
935
936 if (allowed_from != NULL && allowed_from->data != NULL) {
937 client_policy->allowed_to_authenticate_from = data_blob_const(
938 talloc_steal(client_policy, allowed_from->data),
939 allowed_from->length);
940 }
941 }
942
943 if (authn_attrs.policy->allowed_ntlm_network_auth != NULL &&
944 authn_policy_allowed_ntlm_network_auth_in_effect(samdb))
945 {
946 client_policy->allowed_ntlm_network_auth = ldb_msg_find_attr_as_bool(
947 authn_policy_msg,
948 authn_attrs.policy->allowed_ntlm_network_auth,
949 false);
950 }
951
952 *policy_out = talloc_move(mem_ctx, &client_policy);
953
954 out:
955 talloc_free(tmp_ctx);
956 return ret;
957 }
958
959 /* Return whether an authentication policy enforces device restrictions. */
960 static bool authn_policy_ntlm_device_restrictions_present(const struct authn_ntlm_client_policy *policy)
961 {
962 if (policy == NULL) {
963 return false;
964 }
965
966 return policy->allowed_to_authenticate_from.data != NULL;
967 }
968
969 /* Check whether the client is allowed to authenticate using NTLM. */
970 NTSTATUS authn_policy_ntlm_apply_device_restriction(TALLOC_CTX *mem_ctx,
971 const struct authn_ntlm_client_policy *client_policy,
972 struct authn_audit_info **client_audit_info_out)
973 {
974 NTSTATUS status;
975 NTSTATUS status2;
976
977 if (client_audit_info_out != NULL) {
978 *client_audit_info_out = NULL;
979 }
980
981 if (client_policy == NULL) {
982 return NT_STATUS_OK;
983 }
984
985 /*
986 * Access control restrictions cannot be applied to NTLM.
987 *
988 * If NTLM authentication is disallowed and the policy enforces a device
989 * restriction, deny the authentication.
990 */
991
992 if (!authn_policy_ntlm_device_restrictions_present(client_policy)) {
993 return authn_policy_audit_info(mem_ctx,
994 &client_policy->policy,
995 authn_int64_none() /* tgt_lifetime_raw */,
996 NULL /* client_info */,
997 AUTHN_AUDIT_EVENT_OK,
998 AUTHN_AUDIT_REASON_NONE,
999 NT_STATUS_OK,
1000 client_audit_info_out);
1001 }
1002
1003 /*
1004 * (Although MS-APDS doesn’t state it, AllowedNTLMNetworkAuthentication
1005 * applies to interactive logons too.)
1006 */
1007 if (client_policy->allowed_ntlm_network_auth) {
1008 return authn_policy_audit_info(mem_ctx,
1009 &client_policy->policy,
1010 authn_int64_none() /* tgt_lifetime_raw */,
1011 NULL /* client_info */,
1012 AUTHN_AUDIT_EVENT_OK,
1013 AUTHN_AUDIT_REASON_NONE,
1014 NT_STATUS_OK,
1015 client_audit_info_out);
1016 }
1017
1018 status = NT_STATUS_ACCOUNT_RESTRICTION;
1019 status2 = authn_policy_audit_info(mem_ctx,
1020 &client_policy->policy,
1021 authn_int64_none() /* tgt_lifetime_raw */,
1022 NULL /* client_info */,
1023 AUTHN_AUDIT_EVENT_NTLM_DEVICE_RESTRICTION,
1024 AUTHN_AUDIT_REASON_NONE,
1025 status,
1026 client_audit_info_out);
1027 if (!NT_STATUS_IS_OK(status2)) {
1028 status = status2;
1029 } else if (!authn_policy_is_enforced(&client_policy->policy)) {
1030 status = NT_STATUS_OK;
1031 }
1032
1033 return status;
1034 }
1035
1036 /* Authentication policies for servers. */
1037
1038 /*
1039 * Get the applicable authentication policy for an account acting as a
1040 * server.
1041 */
1042 int authn_policy_server(struct ldb_context *samdb,
1043 TALLOC_CTX *mem_ctx,
1044 const struct ldb_message *msg,
1045 const struct authn_server_policy **policy_out)
1046 {
1047 TALLOC_CTX *tmp_ctx = NULL;
1048 int ret = 0;
1049 struct authn_attrs authn_attrs;
1050 struct ldb_message *authn_policy_msg = NULL;
1051 struct authn_server_policy *server_policy = NULL;
1052 struct authn_policy policy;
1053
1054 *policy_out = NULL;
1055
1056 if (!authn_policy_silos_and_policies_in_effect(samdb)) {
1057 return 0;
1058 }
1059
1060 /*
1061 * Get the silo and policy attributes that apply to objects of this
1062 * account’s objectclass.
1063 */
1064 authn_attrs = authn_policy_get_attrs(msg);
1065 if (authn_attrs.silo == NULL || authn_attrs.policy == NULL) {
1066 /*
1067 * No applicable silo or policy attributes (somehow). Either
1068 * this account isn’t derived from ‘user’, or the message is
1069 * missing an objectClass element.
1070 */
1071 goto out;
1072 }
1073
1074 if (authn_attrs.policy->allowed_to_authenticate_to == NULL) {
1075 /* The relevant policy attribute doesn’t apply. */
1076 goto out;
1077 }
1078
1079 tmp_ctx = talloc_new(mem_ctx);
1080 if (tmp_ctx == NULL) {
1081 ret = ENOMEM;
1082 goto out;
1083 }
1084
1085 ret = samba_kdc_authn_policy_msg(samdb,
1086 tmp_ctx,
1087 msg,
1088 authn_attrs,
1089 &authn_policy_msg,
1090 &policy);
1091 if (ret) {
1092 goto out;
1093 }
1094
1095 if (authn_policy_msg == NULL) {
1096 /* No policy applies. */
1097 goto out;
1098 }
1099
1100 server_policy = talloc_zero(tmp_ctx, struct authn_server_policy);
1101 if (server_policy == NULL) {
1102 ret = ENOMEM;
1103 goto out;
1104 }
1105
1106 server_policy->policy = authn_policy_move(server_policy, &policy);
1107
1108 if (authn_attrs.policy->allowed_to_authenticate_to != NULL) {
1109 const struct ldb_val *allowed_to = ldb_msg_find_ldb_val(
1110 authn_policy_msg,
1111 authn_attrs.policy->allowed_to_authenticate_to);
1112
1113 if (allowed_to != NULL && allowed_to->data != NULL) {
1114 server_policy->allowed_to_authenticate_to = data_blob_const(
1115 talloc_steal(server_policy, allowed_to->data),
1116 allowed_to->length);
1117 }
1118 }
1119
1120 *policy_out = talloc_move(mem_ctx, &server_policy);
1121
1122 out:
1123 talloc_free(tmp_ctx);
1124 return ret;
1125 }
1126
1127 /* Get restrictions enforced by an authentication policy. */
1128 static const DATA_BLOB *authn_policy_restrictions(const struct authn_server_policy *policy)
1129 {
1130 const DATA_BLOB *restrictions = NULL;
1131
1132 if (policy == NULL) {
1133 return NULL;
1134 }
1135
1136 restrictions = &policy->allowed_to_authenticate_to;
1137 if (restrictions->data == NULL) {
1138 return NULL;
1139 }
1140
1141 return restrictions;
1142 }
1143
1144 /* Return whether an authentication policy enforces restrictions. */
1145 bool authn_policy_restrictions_present(const struct authn_server_policy *policy)
1146 {
1147 return authn_policy_restrictions(policy) != NULL;
1148 }
1149
1150 /*
1151 * Perform an access check for the client attempting to authenticate to the
1152 * server. ‘user_info’ must be talloc-allocated so that we can make a reference
1153 * to it.
1154 */
1155 NTSTATUS authn_policy_authenticate_to_service(TALLOC_CTX *mem_ctx,
1156 struct ldb_context *samdb,
1157 struct loadparm_context* lp_ctx,
1158 const enum authn_policy_auth_type auth_type,
1159 const struct auth_user_info_dc *user_info,
1160 const struct authn_server_policy *server_policy,
1161 struct authn_audit_info **server_audit_info_out)
1162 {
1163 NTSTATUS status = NT_STATUS_OK;
1164 const DATA_BLOB *restrictions = NULL;
1165 enum authn_audit_event event;
1166
1167 restrictions = authn_policy_restrictions(server_policy);
1168 if (restrictions == NULL) {
1169 return authn_server_policy_audit_info(mem_ctx,
1170 server_policy,
1171 user_info,
1172 AUTHN_AUDIT_EVENT_OK,
1173 AUTHN_AUDIT_REASON_NONE,
1174 NT_STATUS_OK,
1175 server_audit_info_out);
1176 }
1177
1178 switch (auth_type) {
1179 case AUTHN_POLICY_AUTH_TYPE_KERBEROS:
1180 event = AUTHN_AUDIT_EVENT_KERBEROS_SERVER_RESTRICTION;
1181 break;
1182 case AUTHN_POLICY_AUTH_TYPE_NTLM:
1183 event = AUTHN_AUDIT_EVENT_NTLM_SERVER_RESTRICTION;
1184 break;
1185 default:
1186 return NT_STATUS_INVALID_PARAMETER_4;
1187 }
1188
1189 status = authn_policy_access_check(mem_ctx,
1190 samdb,
1191 lp_ctx,
1192 user_info,
1193 &server_policy->policy,
1194 authn_int64_none() /* tgt_lifetime_raw */,
1195 event,
1196 restrictions,
1197 server_audit_info_out);
1198 return status;
1199 }
1200
1201 /* Create a structure containing auditing information. */
1202 NTSTATUS _authn_kerberos_client_policy_audit_info(
1203 TALLOC_CTX *mem_ctx,
1204 const struct authn_kerberos_client_policy *client_policy,
1205 const struct auth_user_info_dc *client_info,
1206 const enum authn_audit_event event,
1207 const enum authn_audit_reason reason,
1208 const NTSTATUS policy_status,
1209 const char *location,
1210 struct authn_audit_info **audit_info_out)
1211 {
1212 const struct authn_policy *policy = NULL;
1213 struct authn_int64_optional tgt_lifetime_raw = authn_int64_none();
1214
1215 if (client_policy != NULL) {
1216 policy = &client_policy->policy;
1217 tgt_lifetime_raw = authn_int64_some(client_policy->tgt_lifetime_raw);
1218 }
1219
1220 return _authn_policy_audit_info(mem_ctx,
1221 policy,
1222 tgt_lifetime_raw,
1223 client_info,
1224 event,
1225 reason,
1226 policy_status,
1227 location,
1228 audit_info_out);
1229 }
1230
1231 /* Create a structure containing auditing information. */
1232 NTSTATUS _authn_ntlm_client_policy_audit_info(
1233 TALLOC_CTX *mem_ctx,
1234 const struct authn_ntlm_client_policy *client_policy,
1235 const struct auth_user_info_dc *client_info,
1236 const enum authn_audit_event event,
1237 const enum authn_audit_reason reason,
1238 const NTSTATUS policy_status,
1239 const char *location,
1240 struct authn_audit_info **audit_info_out)
1241 {
1242 const struct authn_policy *policy = NULL;
1243
1244 if (client_policy != NULL) {
1245 policy = &client_policy->policy;
1246 }
1247
1248 return _authn_policy_audit_info(mem_ctx,
1249 policy,
1250 authn_int64_none() /* tgt_lifetime_raw */,
1251 client_info,
1252 event,
1253 reason,
1254 policy_status,
1255 location,
1256 audit_info_out);
1257 }
1258
1259 /* Create a structure containing auditing information. */
1260 NTSTATUS _authn_server_policy_audit_info(
1261 TALLOC_CTX *mem_ctx,
1262 const struct authn_server_policy *server_policy,
1263 const struct auth_user_info_dc *client_info,
1264 const enum authn_audit_event event,
1265 const enum authn_audit_reason reason,
1266 const NTSTATUS policy_status,
1267 const char *location,
1268 struct authn_audit_info **audit_info_out)
1269 {
1270 const struct authn_policy *policy = NULL;
1271
1272 if (server_policy != NULL) {
1273 policy = &server_policy->policy;
1274 }
1275
1276 return _authn_policy_audit_info(mem_ctx,
1277 policy,
1278 authn_int64_none() /* tgt_lifetime_raw */,
1279 client_info,
1280 event,
1281 reason,
1282 policy_status,
1283 location,
1284 audit_info_out);
1285 }
Samba GIT mirror