author | Andrew Bartlett <abartlet@samba.org> | 2017-03-01 16:00:03 +1300 |
---|---|---|
committer | Andrew Bartlett <abartlet@samba.org> | 2017-03-29 02:37:27 +0200 |
commit | 0e508853fcb6cc0e8ca2b6ff48d8b5468b339468 (patch) | |
tree | 90589fa5cd0dd8e8754300f8161abf219fbd9c87 /auth/gensec | |
parent | 46a800fae3b054a2e9c2f26f35630cadf11cfe3e (diff) | |
auth_log: Also log the final type of authentication (ntlmssp,krb5)
Administrators really care about how their users were authenticated, so make
this clear.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Pair-Programmed-by: Gary Lockyer <gary@catalyst.net.nz>
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Diffstat (limited to 'auth/gensec')
-rw-r--r-- | auth/gensec/gensec.c | 16 | ||||
-rw-r--r-- | auth/gensec/gensec.h | 3 | ||||
-rw-r--r-- | auth/gensec/gensec_internal.h | 3 | ||||
-rw-r--r-- | auth/gensec/spnego.c | 12 |
4 files changed, 33 insertions, 1 deletions
diff --git a/auth/gensec/gensec.c b/auth/gensec/gensec.c
index 63cc35e9074..09be9fd531c 100644
--- a/auth/gensec/gensec.c
+++ b/auth/gensec/gensec.c
@@ -193,6 +193,15 @@ _PUBLIC_ NTSTATUS gensec_session_key(struct gensec_security *gensec_security,
 return gensec_security->ops->session_key(gensec_security, mem_ctx, session_key);
 }
+const char *gensec_final_auth_type(struct gensec_security *gensec_security)
+{
+ if (!gensec_security->ops->final_auth_type) {
+ return gensec_security->ops->name;
+ }
+
+ return gensec_security->ops->final_auth_type(gensec_security);
+}
+
 /*
 * Log details of a successful GENSEC authorization to a service.
 *
@@ -210,7 +219,12 @@ static void log_successful_gensec_authz_event(struct gensec_security *gensec_sec
 = gensec_get_local_address(gensec_security);
 const char *service_description
 = gensec_get_target_service_description(gensec_security);
- log_successful_authz_event(remote, local, service_description, session_info);
+ const char *final_auth_type
+ = gensec_final_auth_type(gensec_security);
+ log_successful_authz_event(remote, local,
+ service_description,
+ final_auth_type,
+ session_info);
 }
diff --git a/auth/gensec/gensec.h b/auth/gensec/gensec.h
index 7bd893266b9..bc96e697de4 100644
--- a/auth/gensec/gensec.h
+++ b/auth/gensec/gensec.h
@@ -34,6 +34,9 @@
 #define GENSEC_OID_KERBEROS5_OLD "1.2.840.48018.1.2.2"
 #define GENSEC_OID_KERBEROS5_USER2USER "1.2.840.113554.1.2.2.3"
+#define GENSEC_FINAL_AUTH_TYPE_KRB5 "krb5"
+#define GENSEC_FINAL_AUTH_TYPE_NTLMSSP "NTLMSSP"
+
 enum gensec_priority {
 GENSEC_SPNEGO = 90,
 GENSEC_GSSAPI = 80,
diff --git a/auth/gensec/gensec_internal.h b/auth/gensec/gensec_internal.h
index 55352417e99..26c9817d5df 100644
--- a/auth/gensec/gensec_internal.h
+++ b/auth/gensec/gensec_internal.h
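Review bot: gensec_final_auth_type() in the first gensec.c hunk is added without a comment stating its contract, and it forwards whatever the backend hook or `ops->name` yields, so a NULL result is not ruled out at this level. Its only visible caller, log_successful_gensec_authz_event() in the next hunk, hands the pointer straight to log_successful_authz_event(), whose handling of NULL is not shown on this page. I would add `/* Returns the name of the mechanism that finally authenticated the peer; falls back to ops->name when the backend has no final_auth_type hook. */` above the function, and have it state or enforce that the result is never NULL.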
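Review bot: The two constants added in the gensec.h hunk use different letter case (`"krb5"` against `"NTLMSSP"`), and the same log field can also receive the bare literal `"NONE"` from gensec_spnego_final_auth_type() in spnego.c and a raw `ops->name` from the fallback in gensec_final_auth_type(). This string is what administrators and log-matching rules will key on, so the set of possible values is better defined in one place. As a proposal, add `#define GENSEC_FINAL_AUTH_TYPE_NONE "NONE"` here and use it in spnego.c, with a comment above the defines such as `/* Values reported as the final authentication type in authorization logs */`. Which backends return these constants cannot be seen here, since the diff is limited to auth/gensec.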
@@ -85,6 +85,7 @@ struct gensec_security_ops {
 bool (*have_feature)(struct gensec_security *gensec_security,
 uint32_t feature);
 NTTIME (*expire_time)(struct gensec_security *gensec_security);
+ const char *(*final_auth_type)(struct gensec_security *gensec_security);
 bool enabled;
 bool kerberos;
 enum gensec_priority priority;
@@ -126,4 +127,6 @@ struct gensec_critical_sizes {
 NTSTATUS gensec_may_reset_crypto(struct gensec_security *gensec_security,
 bool full_reset);
+const char *gensec_final_auth_type(struct gensec_security *gensec_security);
+
 #endif /* __GENSEC_H__ */
diff --git a/auth/gensec/spnego.c b/auth/gensec/spnego.c
index f063f7b358b..017181a3622 100644
--- a/auth/gensec/spnego.c
+++ b/auth/gensec/spnego.c
@@ -1651,6 +1651,17 @@ static NTTIME gensec_spnego_expire_time(struct gensec_security *gensec_security)
 return gensec_expire_time(spnego_state->sub_sec_security);
 }
+static const char *gensec_spnego_final_auth_type(struct gensec_security *gensec_security)
+{
+ struct spnego_state *spnego_state = (struct spnego_state *)gensec_security->private_data;
+
+ if (!spnego_state->sub_sec_security) {
+ return "NONE";
+ } else {
+ return gensec_final_auth_type(spnego_state->sub_sec_security);
+ }
+}
+
 static const char *gensec_spnego_oids[] = {
 GENSEC_OID_SPNEGO,
 NULL
@@ -1678,6 +1689,7 @@ static const struct gensec_security_ops gensec_spnego_security_ops = {
 .want_feature = gensec_spnego_want_feature,
 .have_feature = gensec_spnego_have_feature,
 .expire_time = gensec_spnego_expire_time,
+ .final_auth_type = gensec_spnego_final_auth_type,
 .enabled = true,
 .priority = GENSEC_SPNEGO
 }; |
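Review bot: gensec_spnego_final_auth_type() in the first spnego.c hunk reports the current sub-mechanism without regard to whether the SPNEGO exchange has completed, and nothing in the hunk tells callers to wait for that. The only caller shown is the success-logging path in gensec.c, so the present use looks fine, but an earlier call would presumably see a `sub_sec_security` that is still under negotiation and log a mechanism that did not end up authenticating the user. A short comment such as `/* Only meaningful once negotiation has finished; returns "NONE" if no sub-mechanism was selected. */` would pin the contract down. The `else` after `return "NONE";` is also redundant.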