From 5bd6ce29def85cbf2864a06447cc7daf9b2d1990 Mon Sep 17 00:00:00 2001
From: Joseph Sutton
Date: Thu, 15 Jun 2023 11:00:38 +1200
Subject: [PATCH] s4:kdc: Generate auditing infomation for NTLM device restrictions

This will provide more detail to be logged.

Signed-off-by: Joseph Sutton
Reviewed-by: Andrew Bartlett
---
 source4/kdc/authn_policy_util.c | 62 +++++++++++++++++++++++++++++++++--------
 source4/kdc/authn_policy_util.h | 6 ++--
 2 files changed, 53 insertions(+), 15 deletions(-)

diff --git a/source4/kdc/authn_policy_util.c b/source4/kdc/authn_policy_util.c
index 2f6d53c3cc8..ba33ea1d5d4 100644
--- a/source4/kdc/authn_policy_util.c
+++ b/source4/kdc/authn_policy_util.c
@@ -955,32 +955,70 @@ static bool authn_policy_ntlm_device_restrictions_present(const struct authn_ntl
 }
 /* Check whether the client is allowed to authenticate using NTLM. */
-NTSTATUS authn_policy_ntlm_apply_device_restriction(const char *client_account_name,
- const char *device_account_name,
- const struct authn_ntlm_client_policy *client_policy)
+NTSTATUS authn_policy_ntlm_apply_device_restriction(TALLOC_CTX *mem_ctx,
+ const struct authn_ntlm_client_policy *client_policy,
+ struct authn_audit_info **client_audit_info_out)
 {
+ NTSTATUS status;
+ NTSTATUS status2;
+
+ if (client_audit_info_out != NULL) {
+ *client_audit_info_out = NULL;
+ }
+
+ if (client_policy == NULL) {
+ return NT_STATUS_OK;
+ }
+
 /*
+ * Access control restrictions cannot be applied to NTLM.
+ *
+ * If NTLM authentication is disallowed and the policy enforces a device
 * restriction, deny the authentication.
 */
 if (!authn_policy_ntlm_device_restrictions_present(client_policy)) {
- return NT_STATUS_OK;
+ return authn_policy_audit_info(mem_ctx,
+ &client_policy->policy,
+ authn_int64_none() /* tgt_lifetime_raw */,
+ NULL /* client_info */,
+ AUTHN_AUDIT_EVENT_OK,
+ AUTHN_AUDIT_REASON_NONE,
+ NT_STATUS_OK,
+ client_audit_info_out);
 }
 /*
- * Although MS-APDS doesn’t state it, AllowedNTLMNetworkAuthentication
- * applies to interactive logons too.
+ * (Although MS-APDS doesn’t state it, AllowedNTLMNetworkAuthentication
+ * applies to interactive logons too.)
 */
 if (client_policy->allowed_ntlm_network_auth) {
- return NT_STATUS_OK;
+ return authn_policy_audit_info(mem_ctx,
+ &client_policy->policy,
+ authn_int64_none() /* tgt_lifetime_raw */,
+ NULL /* client_info */,
+ AUTHN_AUDIT_EVENT_OK,
+ AUTHN_AUDIT_REASON_NONE,
+ NT_STATUS_OK,
+ client_audit_info_out);
+ }
+
+ status = NT_STATUS_ACCOUNT_RESTRICTION;
+ status2 = authn_policy_audit_info(mem_ctx,
+ &client_policy->policy,
+ authn_int64_none() /* tgt_lifetime_raw */,
+ NULL /* client_info */,
+ AUTHN_AUDIT_EVENT_NTLM_DEVICE_RESTRICTION,
+ AUTHN_AUDIT_REASON_NONE,
+ status,
+ client_audit_info_out);
+ if (!NT_STATUS_IS_OK(status2)) {
+ status = status2;
+ } else if (!authn_policy_is_enforced(&client_policy->policy)) {
+ status = NT_STATUS_OK;
 }
- if (authn_policy_is_enforced(&client_policy->policy)) {
- return NT_STATUS_ACCOUNT_RESTRICTION;
- } else {
- return NT_STATUS_OK;
- }
+ return status;
 }
 /* Authentication policies for servers. */
diff --git a/source4/kdc/authn_policy_util.h b/source4/kdc/authn_policy_util.h
index 969c2da7a01..e39bcf3b160 100644
--- a/source4/kdc/authn_policy_util.h
+++ b/source4/kdc/authn_policy_util.h
@@ -88,9 +88,9 @@ int authn_policy_ntlm_client(struct ldb_context *samdb,
 const struct authn_ntlm_client_policy **policy_out);
 /* Check whether the client is allowed to authenticate using NTLM. */
-NTSTATUS authn_policy_ntlm_apply_device_restriction(const char *client_account_name,
- const char *device_account_name,
- const struct authn_ntlm_client_policy *client_policy);
+NTSTATUS authn_policy_ntlm_apply_device_restriction(TALLOC_CTX *mem_ctx,
+ const struct authn_ntlm_client_policy *client_policy,
+ struct authn_audit_info **client_audit_info_out);
 /* Authentication policies for servers. */
-- 
2.11.4.GIT
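Review bot: The `client_policy == NULL` early return reports NT_STATUS_OK but leaves `*client_audit_info_out` NULL, whereas the two other success paths produce an AUTHN_AUDIT_EVENT_OK record, so a caller that logs unconditionally from the audit info must tolerate a NULL pointer on success; a comment at that return such as `/* No policy applies: nothing to audit, the caller must accept a NULL audit info. */` would make the contract explicit. The denial path carries the security-relevant subtlety: in audit-only (non-enforced) mode the return value is downgraded to NT_STATUS_OK, and the NTLM_DEVICE_RESTRICTION event with NT_STATUS_ACCOUNT_RESTRICTION survives only inside `*client_audit_info_out`, so that pointer is the sole place where audit-mode violations become visible; the ordering (audit first, then downgrade) deserves a comment above `status = NT_STATUS_ACCOUNT_RESTRICTION;`, e.g. `/* Record the would-be denial before the audit-only downgrade so it still reaches the log. */`. Note also that a failure of authn_policy_audit_info() on any path now becomes the authentication result, which is fail-closed; since the old code returned NT_STATUS_OK on these paths without allocating, an allocation failure now denies a logon that was previously allowed, and that should be stated as intended.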
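Review bot: The prototype gains `mem_ctx` and `client_audit_info_out`, but the comment above it still reads only `/* Check whether the client is allowed to authenticate using NTLM. */`, so the ownership and nullability of the new output are undocumented where callers read the declaration. From the .c hunk, `client_audit_info_out` may be passed as NULL, is reset to NULL on entry, and stays NULL when `client_policy` is NULL even though NT_STATUS_OK is returned; `mem_ctx` is handed to authn_policy_audit_info() and is presumably the talloc parent of the returned record. I would extend the comment to `/* Check whether the client is allowed to authenticate using NTLM. On return *client_audit_info_out (optional, presumably allocated on mem_ctx) holds the audit record, or NULL when no policy applies. */`.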