From d017e2eb2a69b0f759e9ab912a0a5e8aaef5701d Mon Sep 17 00:00:00 2001
From: Andrew Bartlett
Date: Wed, 1 Mar 2017 16:27:51 +1300
Subject: [PATCH] s3-auth: Log SMB authorization for bare NTLM (NTLMSSP/krb5 already done)

gensec_session_info() is not called for bare NTLM, so we have to log manually

Signed-off-by: Andrew Bartlett
Pair-Programmed-by: Gary Lockyer
Signed-off-by: Gary Lockyer
---
 source3/auth/auth_generic.c | 44 ++++++++++++++++++++++++++++++++++----------
 1 file changed, 34 insertions(+), 10 deletions(-)

diff --git a/source3/auth/auth_generic.c b/source3/auth/auth_generic.c
index 7c57e18e1aa..7a6ec10d8cd 100644
--- a/source3/auth/auth_generic.c
+++ b/source3/auth/auth_generic.c
@@ -399,6 +399,11 @@ NTSTATUS auth_generic_prepare(TALLOC_CTX *mem_ctx,
 return NT_STATUS_OK;
 }
+/*
+ * Check a username and password, and return the final session_info.
+ * We also log the authorization of the session here, just as
+ * gensec_session_info() does.
+ */
 NTSTATUS auth_check_password_session_info(struct auth4_context *auth_context,
 TALLOC_CTX *mem_ctx,
 struct auth_usersupplied_info *user_info,
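Review bot: The new header comment on auth_check_password_session_info() says the authorization is logged here but not that this happens only on the success path, which matters to anyone correlating authentication and authorization records. I would add a sentence such as `* The authorization event is logged only when both the password check and generate_session_info() succeed.` The commit message says this path exists for bare NTLM, and the comment could say so too. The function body is outside this hunk, so the success-only behaviour is read from the second hunk of the same patch.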
@@ -414,16 +419,35 @@ NTSTATUS auth_check_password_session_info(struct auth4_context *auth_context,
 &authoritative, &server_info, NULL, NULL);
- if (NT_STATUS_IS_OK(nt_status)) {
- nt_status = auth_context->generate_session_info(auth_context,
- mem_ctx,
- server_info,
- user_info->client.account_name,
- AUTH_SESSION_INFO_UNIX_TOKEN |
- AUTH_SESSION_INFO_DEFAULT_GROUPS |
- AUTH_SESSION_INFO_NTLM,
- session_info);
- TALLOC_FREE(server_info);
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ return nt_status;
 }
+
+ nt_status = auth_context->generate_session_info(auth_context,
+ mem_ctx,
+ server_info,
+ user_info->client.account_name,
+ AUTH_SESSION_INFO_UNIX_TOKEN |
+ AUTH_SESSION_INFO_DEFAULT_GROUPS |
+ AUTH_SESSION_INFO_NTLM,
+ session_info);
+ TALLOC_FREE(server_info);
+
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ return nt_status;
+ }
+
+ /*
+ * This is rather redundant (the authentication has just been
+ * logged, with much the same details), but because we want to
+ * log all authorizations consistently (be they NLTM, NTLMSSP
+ * or krb5) we log this info again as an authorization.
+ */
+ log_successful_authz_event(user_info->remote_host,
+ user_info->local_host,
+ user_info->service_description,
+ user_info->auth_description,
+ *session_info);
+
 return nt_status;
 }
-- 
2.11.4.GIT
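Review bot: When generate_session_info() fails, the second `if (!NT_STATUS_IS_OK(nt_status))` returns without emitting anything, so the audit trail would show the successful authentication (which the added comment says has just been logged) with no authorization event and no reason for the gap. Unless a caller is known to report it, a diagnostic before that return would help, for example `DEBUG(1, ("generate_session_info failed: %s\n", nt_errstr(nt_status)));`. The added comment also misspells NTLM as `NLTM`, and the last `return nt_status;` could read `return NT_STATUS_OK;` since only the success case reaches it. The function's signature and the start of the preceding call lie outside this hunk.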