author | Andrew Bartlett <abartlet@samba.org> | 2017-03-01 12:18:49 +1300 |
---|---|---|
committer | Andrew Bartlett <abartlet@samba.org> | 2017-03-29 02:37:27 +0200 |
commit | a0ab86dedca2471ca2e4bb222f272d4bd35c85df (patch) | |
tree | 27ba831ad2af6e92a45e307eb2c85dc83ff1da24 /auth/auth_log.c | |
parent | 3bc56854457191ab817bc9a4419b1dee74138b0f (diff) | |
download | samba-a0ab86dedca2471ca2e4bb222f272d4bd35c85df.tar.gz |
auth: Add logging of service authorization
In ntlm_auth.c and authdata.c, the session info will be incomplete
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Pair-Programmed-by: Gary Lockyer <gary@catalyst.net.nz>
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Diffstat (limited to 'auth/auth_log.c')
-rw-r--r-- | auth/auth_log.c | 54 |
1 files changed, 54 insertions, 0 deletions
diff --git a/auth/auth_log.c b/auth/auth_log.c
index 64b6eaa102c..9bbc172e664 100644
--- a/auth/auth_log.c
+++ b/auth/auth_log.c
@@ -159,3 +159,57 @@ void log_authentication_event(const struct auth_usersupplied_info *ui,
 
 	talloc_free(frame);
 }
+
+
+/*
+ * Log details of a successful authorization to a service.
+ *
+ * Only successful authorizations are logged. For clarity:
+ * - NTLM bad passwords will be recorded by the above
+ * - Kerberos decrypt failures need to be logged in gensec_gssapi et al
+ *
+ * The service may later refuse authorization due to an ACL.
+ *
+ */
+void log_successful_authz_event(const struct tsocket_address *remote,
+				const struct tsocket_address *local,
+				const char *service_description,
+				struct auth_session_info *session_info)
+{
+	TALLOC_CTX *frame = NULL;
+
+	char *ts = NULL;		/* formatted current time */
+	char *remote_str = NULL;	/* formatted remote host */
+	char *local_str = NULL;		/* formatted local host */
+	char sid_buf[DOM_SID_STR_BUFLEN];
+
+	/* set the log level */
+	if (!CHECK_DEBUGLVLC( DBGC_AUTH_AUDIT, AUTHZ_SUCCESS_LEVEL)) {
+		return;
+	}
+
+	frame = talloc_stackframe();
+
+	/* Get the current time */
+	ts = http_timestring(frame, time(NULL));
+
+	remote_str = tsocket_address_string(remote, frame);
+	local_str = tsocket_address_string(local, frame);
+
+	dom_sid_string_buf(&session_info->security_token->sids[0], sid_buf, sizeof(sid_buf));
+
+	DEBUGC( DBGC_AUTH_AUDIT, AUTHZ_SUCCESS_LEVEL, (
+		"Successful AuthZ: [%s] user [%s]\\[%s] [%s]"
+		" at [%s]"
+		" Remote host [%s]"
+		" local host [%s]\n",
+		service_description,
+		log_escape(frame, session_info->info->domain_name),
+		log_escape(frame, session_info->info->account_name),
+		sid_buf,
+		ts,
+		remote_str,
+		local_str));
+
+	talloc_free(frame);
+}
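Review bot: The SID lookup `dom_sid_string_buf(&session_info->security_token->sids[0], ...)` and the two `log_escape(frame, session_info->info->...)` arguments in the new log_successful_authz_event dereference `session_info`, its `security_token`, `sids` and `info` without any check, while the commit message itself says the session info passed from ntlm_auth.c and authdata.c will be incomplete, so a NULL token or an empty SID list turns an audit log line into a crash of the authenticating process. Since the function already returns early when the audit level is off, the cheapest fix is to treat a missing token or user info as a logging gap rather than a fatal condition: format a placeholder into `sid_buf` when `security_token` is NULL or `num_sids` is 0, and pass a placeholder string to `log_escape` when `info` is NULL, in the same shape. `service_description` is not passed through `log_escape`, which is fine as long as every caller supplies a fixed string rather than peer-supplied data; that expectation is worth stating in the header comment, e.g. `service_description must be a constant, caller-chosen label; it is logged unescaped`. The fence shows the guarded SID formatting only; the rest of the body is unchanged.
```c
	/* session_info may be incomplete (see commit message): a missing
	 * token or an empty SID list must not crash the audit path. */
	if (session_info->security_token != NULL &&
	    session_info->security_token->num_sids > 0) {
		dom_sid_string_buf(&session_info->security_token->sids[0],
				   sid_buf, sizeof(sid_buf));
	} else {
		snprintf(sid_buf, sizeof(sid_buf), "%s", "<no SID>");
	}
	/* … unchanged: DEBUGC(...) call and talloc_free(frame) … */
```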