authorAndrew Bartlett <abartlet@samba.org>2017-03-01 16:00:03 +1300
committerAndrew Bartlett <abartlet@samba.org>2017-03-29 02:37:27 +0200
commit0e508853fcb6cc0e8ca2b6ff48d8b5468b339468 (patch)
tree90589fa5cd0dd8e8754300f8161abf219fbd9c87
parent46a800fae3b054a2e9c2f26f35630cadf11cfe3e (diff)
auth_log: Also log the final type of authentication (ntlmssp,krb5)
Administrators really care about how their users were authenticated, so make this clear. Signed-off-by: Andrew Bartlett <abartlet@samba.org> Pair-Programmed-by: Gary Lockyer <gary@catalyst.net.nz> Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
-rw-r--r--auth/auth_log.c4
-rw-r--r--auth/common_auth.h1
-rw-r--r--auth/gensec/gensec.c16
-rw-r--r--auth/gensec/gensec.h3
-rw-r--r--auth/gensec/gensec_internal.h3
-rw-r--r--auth/gensec/spnego.c12
-rw-r--r--auth/ntlmssp/ntlmssp.c6
-rw-r--r--auth/ntlmssp/ntlmssp_server.c9
-rw-r--r--source3/librpc/crypto/gse.c16
-rw-r--r--source4/auth/gensec/gensec_gssapi.c16
-rw-r--r--source4/auth/gensec/gensec_krb5.c9
11 files changed, 91 insertions, 4 deletions
diff --git a/auth/auth_log.c b/auth/auth_log.c
index fec77077bc9..1509c7b9be6 100644
--- a/auth/auth_log.c
+++ b/auth/auth_log.c
@@ -213,6 +213,7 @@ void log_authentication_event(const struct auth_usersupplied_info *ui,
void log_successful_authz_event(const struct tsocket_address *remote,
const struct tsocket_address *local,
const char *service_description,
+ const char *auth_type,
struct auth_session_info *session_info)
{
TALLOC_CTX *frame = NULL;
@@ -238,11 +239,12 @@ void log_successful_authz_event(const struct tsocket_address *remote,
dom_sid_string_buf(&session_info->security_token->sids[0], sid_buf, sizeof(sid_buf));
DEBUGC( DBGC_AUTH_AUDIT, AUTHZ_SUCCESS_LEVEL, (
- "Successful AuthZ: [%s] user [%s]\\[%s] [%s]"
+ "Successful AuthZ: [%s,%s] user [%s]\\[%s] [%s]"
" at [%s]"
" Remote host [%s]"
" local host [%s]\n",
service_description,
+ auth_type,
log_escape(frame, session_info->info->domain_name),
log_escape(frame, session_info->info->account_name),
sid_buf,
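Review bot: The new `auth_type` argument is passed straight to `%s` at the `auth_type,` line with no NULL guard; the gensec callers in this commit obtain it from `gensec_final_auth_type`, which always returns a string, but `log_successful_authz_event` is exported through common_auth.h and a caller elsewhere could pass NULL, making the DEBUGC format call undefined. Either guard it, `auth_type != NULL ? auth_type : "UNKNOWN"`, or state the contract on the prototype in the common_auth.h hunk with a comment such as `/* auth_type: non-NULL mechanism name from gensec_final_auth_type(); logged unescaped */`. Unlike domain_name and account_name it is also not passed through `log_escape()`, which is acceptable only while every value is a compile-time constant or an ops name, so that comment should say so to keep future callers from passing peer-derived strings. The body of `log_successful_authz_event` continues outside the hunk.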
diff --git a/auth/common_auth.h b/auth/common_auth.h
index 8950a0cdc91..925d3f59ea9 100644
--- a/auth/common_auth.h
+++ b/auth/common_auth.h
@@ -156,5 +156,6 @@ void log_authentication_event(const struct auth_usersupplied_info *ui,
void log_successful_authz_event(const struct tsocket_address *remote,
const struct tsocket_address *local,
const char *service_description,
+ const char *auth_type,
struct auth_session_info *session_info);
#endif
diff --git a/auth/gensec/gensec.c b/auth/gensec/gensec.c
index 63cc35e9074..09be9fd531c 100644
--- a/auth/gensec/gensec.c
+++ b/auth/gensec/gensec.c
@@ -193,6 +193,15 @@ _PUBLIC_ NTSTATUS gensec_session_key(struct gensec_security *gensec_security,
return gensec_security->ops->session_key(gensec_security, mem_ctx, session_key);
}
+const char *gensec_final_auth_type(struct gensec_security *gensec_security)
+{
+ if (!gensec_security->ops->final_auth_type) {
+ return gensec_security->ops->name;
+ }
+
+ return gensec_security->ops->final_auth_type(gensec_security);
+}
+
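Review bot: `gensec_final_auth_type` is declared in gensec_internal.h but has no comment, and its fallback is the part a reader needs: a backend that does not implement `final_auth_type` is logged under whatever `ops->name` holds, which is a different vocabulary from the `GENSEC_FINAL_AUTH_TYPE_*` strings and worth knowing when reading the audit log. Add a header comment above it describing that it returns the backend's `final_auth_type` result when that op is set and `ops->name` otherwise, and that the returned pointer is not owned by the caller. It dereferences `gensec_security->ops` unchecked, which matches the neighbouring `gensec_session_key`, so no change is needed there.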
/*
* Log details of a successful GENSEC authorization to a service.
*
@@ -210,7 +219,12 @@ static void log_successful_gensec_authz_event(struct gensec_security *gensec_sec
= gensec_get_local_address(gensec_security);
const char *service_description
= gensec_get_target_service_description(gensec_security);
- log_successful_authz_event(remote, local, service_description, session_info);
+ const char *final_auth_type
+ = gensec_final_auth_type(gensec_security);
+ log_successful_authz_event(remote, local,
+ service_description,
+ final_auth_type,
+ session_info);
}
diff --git a/auth/gensec/gensec.h b/auth/gensec/gensec.h
index 7bd893266b9..bc96e697de4 100644
--- a/auth/gensec/gensec.h
+++ b/auth/gensec/gensec.h
@@ -34,6 +34,9 @@
#define GENSEC_OID_KERBEROS5_OLD "1.2.840.48018.1.2.2"
#define GENSEC_OID_KERBEROS5_USER2USER "1.2.840.113554.1.2.2.3"
+#define GENSEC_FINAL_AUTH_TYPE_KRB5 "krb5"
+#define GENSEC_FINAL_AUTH_TYPE_NTLMSSP "NTLMSSP"
+
enum gensec_priority {
GENSEC_SPNEGO = 90,
GENSEC_GSSAPI = 80,
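Review bot: The two new tokens use different casing, `"krb5"` versus `"NTLMSSP"`, yet both land in the same `[%s,%s]` field of the Successful AuthZ line, so anyone writing an audit-matching rule has to special-case each spelling; the commit message itself writes both in lowercase. The NTLMSSP spelling is constrained, since the removed line in ntlmssp_server.c already emitted `"NTLMSSP"` as auth_description and changing it would alter an existing log value, so the decision should be made and recorded here rather than left implicit. Add a short comment above the defines, e.g. `/* Audit-log tokens for the mechanism that completed authentication; keep stable, they are parsed by log consumers. */`, and consider defining the fallback values the backends return (`"NONE"` in spnego.c, the `UNKNOWN MECH` strings in gse.c and gensec_gssapi.c) alongside them so the whole vocabulary of that field lives in one place.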
diff --git a/auth/gensec/gensec_internal.h b/auth/gensec/gensec_internal.h
index 55352417e99..26c9817d5df 100644
--- a/auth/gensec/gensec_internal.h
+++ b/auth/gensec/gensec_internal.h
@@ -85,6 +85,7 @@ struct gensec_security_ops {
bool (*have_feature)(struct gensec_security *gensec_security,
uint32_t feature);
NTTIME (*expire_time)(struct gensec_security *gensec_security);
+ const char *(*final_auth_type)(struct gensec_security *gensec_security);
bool enabled;
bool kerberos;
enum gensec_priority priority;
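Review bot: The new `final_auth_type` op slot carries no comment describing its contract, although it is optional (gensec.c falls back to `ops->name` when it is NULL) and its return value is written directly into the authorization audit log. Add a comment above the member such as `/* Optional. Name of the mechanism that actually completed authentication (e.g. GENSEC_FINAL_AUTH_TYPE_KRB5), used for audit logging; NULL means ops->name is logged. */`, and give the `gensec_final_auth_type` declaration in the second hunk of this file the same one-line description. `struct gensec_security_ops` begins before this hunk.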
@@ -126,4 +127,6 @@ struct gensec_critical_sizes {
NTSTATUS gensec_may_reset_crypto(struct gensec_security *gensec_security,
bool full_reset);
+const char *gensec_final_auth_type(struct gensec_security *gensec_security);
+
#endif /* __GENSEC_H__ */
diff --git a/auth/gensec/spnego.c b/auth/gensec/spnego.c
index f063f7b358b..017181a3622 100644
--- a/auth/gensec/spnego.c
+++ b/auth/gensec/spnego.c
@@ -1651,6 +1651,17 @@ static NTTIME gensec_spnego_expire_time(struct gensec_security *gensec_security)
return gensec_expire_time(spnego_state->sub_sec_security);
}
+static const char *gensec_spnego_final_auth_type(struct gensec_security *gensec_security)
+{
+ struct spnego_state *spnego_state = (struct spnego_state *)gensec_security->private_data;
+
+ if (!spnego_state->sub_sec_security) {
+ return "NONE";
+ } else {
+ return gensec_final_auth_type(spnego_state->sub_sec_security);
+ }
+}
+
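Review bot: `gensec_spnego_final_auth_type` fetches its state with a bare `(struct spnego_state *)` cast, whereas the equivalent functions this commit adds to gse.c and gensec_gssapi.c go through `talloc_get_type_abort`/`talloc_get_type`; unless spnego.c already relies on bare casts for `private_data`, `talloc_get_type_abort(gensec_security->private_data, struct spnego_state)` keeps the type check the other backends get. The `"NONE"` literal is another audit-log token defined inline, and it is not clear from the hunk whether a successful authz event can be logged before a sub-mechanism has been selected, so a one-line comment saying when that branch is reachable would help whoever reads `[service,NONE]` in a log. The if/else can also collapse to a single conditional return.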
static const char *gensec_spnego_oids[] = {
GENSEC_OID_SPNEGO,
NULL
@@ -1678,6 +1689,7 @@ static const struct gensec_security_ops gensec_spnego_security_ops = {
.want_feature = gensec_spnego_want_feature,
.have_feature = gensec_spnego_have_feature,
.expire_time = gensec_spnego_expire_time,
+ .final_auth_type = gensec_spnego_final_auth_type,
.enabled = true,
.priority = GENSEC_SPNEGO
};
diff --git a/auth/ntlmssp/ntlmssp.c b/auth/ntlmssp/ntlmssp.c
index 3283c964470..6f7c089467f 100644
--- a/auth/ntlmssp/ntlmssp.c
+++ b/auth/ntlmssp/ntlmssp.c
@@ -207,6 +207,11 @@ static NTSTATUS gensec_ntlmssp_may_reset_crypto(struct gensec_security *gensec_s
return NT_STATUS_OK;
}
+static const char *gensec_ntlmssp_final_auth_type(struct gensec_security *gensec_security)
+{
+ return GENSEC_FINAL_AUTH_TYPE_NTLMSSP;
+}
+
static const char *gensec_ntlmssp_oids[] = {
GENSEC_OID_NTLMSSP,
NULL
@@ -232,6 +237,7 @@ static const struct gensec_security_ops gensec_ntlmssp_security_ops = {
.session_key = gensec_ntlmssp_session_key,
.session_info = gensec_ntlmssp_session_info,
.have_feature = gensec_ntlmssp_have_feature,
+ .final_auth_type = gensec_ntlmssp_final_auth_type,
.enabled = true,
.priority = GENSEC_NTLMSSP
};
diff --git a/auth/ntlmssp/ntlmssp_server.c b/auth/ntlmssp/ntlmssp_server.c
index 1bfd4ccdc24..c525a93941f 100644
--- a/auth/ntlmssp/ntlmssp_server.c
+++ b/auth/ntlmssp/ntlmssp_server.c
@@ -721,7 +721,14 @@ static NTSTATUS ntlmssp_server_check_password(struct gensec_security *gensec_sec
user_info->local_host = gensec_get_local_address(gensec_security);
user_info->service_description
= gensec_get_target_service_description(gensec_security);
- user_info->auth_description = "NTLMSSP";
+
+ /*
+ * This will just be the string "NTLMSSP" from
+ * gensec_ntlmssp_final_auth_type, but ensures it stays in sync
+ * with the same use in the authorization logging triggered by
+ * gensec_session_info() later
+ */
+ user_info->auth_description = gensec_final_auth_type(gensec_security);
user_info->password_state = AUTH_PASSWORD_RESPONSE;
user_info->password.response.lanman = ntlmssp_state->lm_resp;
diff --git a/source3/librpc/crypto/gse.c b/source3/librpc/crypto/gse.c
index 273fd02c197..142627c0011 100644
--- a/source3/librpc/crypto/gse.c
+++ b/source3/librpc/crypto/gse.c
@@ -1275,6 +1275,21 @@ static size_t gensec_gse_sig_size(struct gensec_security *gensec_security,
return gse_ctx->sig_size;
}
+static const char *gensec_gse_final_auth_type(struct gensec_security *gensec_security)
+{
+ struct gse_context *gse_ctx =
+ talloc_get_type_abort(gensec_security->private_data,
+ struct gse_context);
+
+ /* Only return the string for GSSAPI/Krb5 */
+ if (smb_gss_oid_equal(&gse_ctx->gss_mech,
+ gss_mech_krb5)) {
+ return GENSEC_FINAL_AUTH_TYPE_KRB5;
+ } else {
+ return "gensec_gse: UNKNOWN MECH";
+ }
+}
+
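Review bot: The fallback `"gensec_gse: UNKNOWN MECH"` is written into the `[%s,%s]` field of the AuthZ audit line, so that field can now hold a value with spaces and a colon that a consumer matching on `GENSEC_FINAL_AUTH_TYPE_*` tokens will not expect; gensec_gssapi.c adds the same pattern with `"gensec_gssapi: UNKNOWN MECH"`. If this branch is believed unreachable for the krb5 ops table the function is attached to, say so in the existing `/* Only return the string for GSSAPI/Krb5 */` comment, and consider a single shared constant (e.g. `GENSEC_FINAL_AUTH_TYPE_UNKNOWN`) in gensec.h rather than two per-file spellings. A log reader gains nothing from the module prefix inside the token, since the service description already identifies the context.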
static const char *gensec_gse_krb5_oids[] = {
GENSEC_OID_KERBEROS5_OLD,
GENSEC_OID_KERBEROS5,
@@ -1302,6 +1317,7 @@ const struct gensec_security_ops gensec_gse_krb5_security_ops = {
.unwrap = gensec_gse_unwrap,
.have_feature = gensec_gse_have_feature,
.expire_time = gensec_gse_expire_time,
+ .final_auth_type = gensec_gse_final_auth_type,
.enabled = true,
.kerberos = true,
.priority = GENSEC_GSSAPI
diff --git a/source4/auth/gensec/gensec_gssapi.c b/source4/auth/gensec/gensec_gssapi.c
index cfe2ea88aad..e2755b3d228 100644
--- a/source4/auth/gensec/gensec_gssapi.c
+++ b/source4/auth/gensec/gensec_gssapi.c
@@ -1539,6 +1539,19 @@ static size_t gensec_gssapi_sig_size(struct gensec_security *gensec_security, si
return gensec_gssapi_state->sig_size;
}
+static const char *gensec_gssapi_final_auth_type(struct gensec_security *gensec_security)
+{
+ struct gensec_gssapi_state *gensec_gssapi_state
+ = talloc_get_type(gensec_security->private_data, struct gensec_gssapi_state);
+ /* Only return the string for GSSAPI/Krb5 */
+ if (smb_gss_oid_equal(gensec_gssapi_state->gss_oid,
+ gss_mech_krb5)) {
+ return GENSEC_FINAL_AUTH_TYPE_KRB5;
+ } else {
+ return "gensec_gssapi: UNKNOWN MECH";
+ }
+}
+
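Review bot: `gensec_gssapi_final_auth_type` obtains its state with `talloc_get_type`, which returns NULL when the talloc type name does not match, and the following `smb_gss_oid_equal(gensec_gssapi_state->gss_oid, ...)` dereferences the result without a check; the sibling added in gse.c uses `talloc_get_type_abort`, which fails loudly instead. Unless this file deliberately uses the non-aborting form throughout, `talloc_get_type_abort(gensec_security->private_data, struct gensec_gssapi_state)` is the safer match for a function whose result flows into the audit-logging path. The same fallback-string concern raised on gse.c applies to `"gensec_gssapi: UNKNOWN MECH"` here.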
static const char *gensec_gssapi_krb5_oids[] = {
GENSEC_OID_KERBEROS5_OLD,
GENSEC_OID_KERBEROS5,
@@ -1572,6 +1585,7 @@ static const struct gensec_security_ops gensec_gssapi_spnego_security_ops = {
.unwrap = gensec_gssapi_unwrap,
.have_feature = gensec_gssapi_have_feature,
.expire_time = gensec_gssapi_expire_time,
+ .final_auth_type = gensec_gssapi_final_auth_type,
.enabled = false,
.kerberos = true,
.priority = GENSEC_GSSAPI
@@ -1599,6 +1613,7 @@ static const struct gensec_security_ops gensec_gssapi_krb5_security_ops = {
.unwrap = gensec_gssapi_unwrap,
.have_feature = gensec_gssapi_have_feature,
.expire_time = gensec_gssapi_expire_time,
+ .final_auth_type = gensec_gssapi_final_auth_type,
.enabled = true,
.kerberos = true,
.priority = GENSEC_GSSAPI
@@ -1619,6 +1634,7 @@ static const struct gensec_security_ops gensec_gssapi_sasl_krb5_security_ops = {
.unwrap = gensec_gssapi_unwrap,
.have_feature = gensec_gssapi_have_feature,
.expire_time = gensec_gssapi_expire_time,
+ .final_auth_type = gensec_gssapi_final_auth_type,
.enabled = true,
.kerberos = true,
.priority = GENSEC_GSSAPI
diff --git a/source4/auth/gensec/gensec_krb5.c b/source4/auth/gensec/gensec_krb5.c
index b54a41bfd5d..49469298964 100644
--- a/source4/auth/gensec/gensec_krb5.c
+++ b/source4/auth/gensec/gensec_krb5.c
@@ -1038,6 +1038,11 @@ static bool gensec_krb5_have_feature(struct gensec_security *gensec_security,
return false;
}
+static const char *gensec_krb5_final_auth_type(struct gensec_security *gensec_security)
+{
+ return GENSEC_FINAL_AUTH_TYPE_KRB5;
+}
+
static const char *gensec_krb5_oids[] = {
GENSEC_OID_KERBEROS5,
GENSEC_OID_KERBEROS5_OLD,
@@ -1055,9 +1060,10 @@ static const struct gensec_security_ops gensec_fake_gssapi_krb5_security_ops = {
.session_key = gensec_krb5_session_key,
.session_info = gensec_krb5_session_info,
.have_feature = gensec_krb5_have_feature,
+ .final_auth_type = gensec_krb5_final_auth_type,
.enabled = false,
.kerberos = true,
- .priority = GENSEC_KRB5
+ .priority = GENSEC_KRB5,
};
static const struct gensec_security_ops gensec_krb5_security_ops = {
@@ -1070,6 +1076,7 @@ static const struct gensec_security_ops gensec_krb5_security_ops = {
.have_feature = gensec_krb5_have_feature,
.wrap = gensec_krb5_wrap,
.unwrap = gensec_krb5_unwrap,
+ .final_auth_type = gensec_krb5_final_auth_type,
.enabled = true,
.kerberos = true,
.priority = GENSEC_KRB5