authorAndrew Bartlett <abartlet@samba.org>2017-03-06 14:10:17 +1300
committerAndrew Bartlett <abartlet@samba.org>2017-03-29 02:37:27 +0200
commit366f8cf0903e3583fda42696df62a5337f22131f (patch)
tree3df24e4d721df9d9ca7c19b5aed6d642899df642 /auth
parentf4a4522d1f8c19fdf142e12760160b15de1557ec (diff)
auth: Log the transport connection for the authorization
We also log if a simple bind was over TLS, as this particular case matters to a lot of folks.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Diffstat (limited to 'auth')
-rw-r--r--auth/auth_log.c1
-rw-r--r--auth/common_auth.h7
-rw-r--r--auth/gensec/gensec.c13
-rw-r--r--auth/gensec/gensec.h2
4 files changed, 23 insertions, 0 deletions
diff --git a/auth/auth_log.c b/auth/auth_log.c
index 7da47f6b659..b7b8810f03d 100644
--- a/auth/auth_log.c
+++ b/auth/auth_log.c
@@ -227,6 +227,7 @@ void log_successful_authz_event(const struct tsocket_address *remote,
const struct tsocket_address *local,
const char *service_description,
const char *auth_type,
+ const char *transport_protection,
struct auth_session_info *session_info)
{
TALLOC_CTX *frame = NULL;
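Review bot: The new `transport_protection` parameter is accepted at the signature of `log_successful_authz_event` but, per the diffstat, auth/auth_log.c gains exactly this one line, so nothing in this commit writes the value into the logged message; the title promises the transport is logged, yet from what is visible the argument is only carried and dropped. If the wiring lands in a follow-up commit that should be said in the description, otherwise the formatting of the authorization line needs to include it. The parameter also deserves a line of documentation at its prototype, e.g. `/* transport_protection: one of the AUTHZ_TRANSPORT_PROTECTION_* strings describing the connection the request arrived on */`. The function body continues outside the hunk.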
diff --git a/auth/common_auth.h b/auth/common_auth.h
index 925d3f59ea9..f94c5f15a79 100644
--- a/auth/common_auth.h
+++ b/auth/common_auth.h
@@ -146,6 +146,12 @@ struct auth4_context {
struct auth_session_info **session_info);
};
+#define AUTHZ_TRANSPORT_PROTECTION_NONE "NONE"
+#define AUTHZ_TRANSPORT_PROTECTION_SMB "SMB"
+#define AUTHZ_TRANSPORT_PROTECTION_TLS "TLS"
+#define AUTHZ_TRANSPORT_PROTECTION_SEAL "SEAL"
+#define AUTHZ_TRANSPORT_PROTECTION_SIGN "SIGN"
+
void log_authentication_event(const struct auth_usersupplied_info *ui,
NTSTATUS status,
const char *account_name,
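Review bot: The five `AUTHZ_TRANSPORT_PROTECTION_*` string macros are added without a comment saying what they label, and since they are presumably the literal values that end up in authorization log lines, anyone parsing those logs will key on the exact spelling. A short header would pin that contract for whoever adds the next value, e.g. `/* Labels for the transport_protection argument of log_successful_authz_event(); the strings are part of the audit log output, so treat them as a stable interface */`. The `log_authentication_event` prototype that follows continues outside the hunk.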
@@ -157,5 +163,6 @@ void log_successful_authz_event(const struct tsocket_address *remote,
const struct tsocket_address *local,
const char *service_description,
const char *auth_type,
+ const char *transport_protection,
struct auth_session_info *session_info);
#endif
diff --git a/auth/gensec/gensec.c b/auth/gensec/gensec.c
index 09be9fd531c..2cd5a22a9a9 100644
--- a/auth/gensec/gensec.c
+++ b/auth/gensec/gensec.c
@@ -221,9 +221,22 @@ static void log_successful_gensec_authz_event(struct gensec_security *gensec_sec
= gensec_get_target_service_description(gensec_security);
const char *final_auth_type
= gensec_final_auth_type(gensec_security);
+ const char *transport_protection = NULL;
+ if (gensec_security->want_features & GENSEC_FEATURE_SMB_TRANSPORT) {
+ transport_protection = AUTHZ_TRANSPORT_PROTECTION_SMB;
+ } else if (gensec_security->want_features & GENSEC_FEATURE_LDAPS_TRANSPORT) {
+ transport_protection = AUTHZ_TRANSPORT_PROTECTION_TLS;
+ } else if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL)) {
+ transport_protection = AUTHZ_TRANSPORT_PROTECTION_SEAL;
+ } else if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) {
+ transport_protection = AUTHZ_TRANSPORT_PROTECTION_SIGN;
+ } else {
+ transport_protection = AUTHZ_TRANSPORT_PROTECTION_NONE;
+ }
log_successful_authz_event(remote, local,
service_description,
final_auth_type,
+ transport_protection,
session_info);
}
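Review bot: The new if/else chain selecting `transport_protection` reports a single label with the transport flags winning, so a GENSEC exchange that negotiated SEAL or SIGN but arrived over SMB or LDAPS is logged as `SMB` or `TLS` and the mechanism-level protection is not recorded; if that precedence is intended, state it, e.g. `/* Outer transport protection takes precedence over GENSEC sign/seal; only one label is logged */`. The two transport flags are also tested directly against `want_features` while SEAL and SIGN go through `gensec_have_feature()`, presumably because the transport flags are asserted by the caller rather than negotiated by a mechanism, which is worth one sentence so a reader does not mistake "want" for "have". The second `else if` line runs past 80 columns; wrapping the condition onto a second line keeps it within the file's line-length convention. `log_successful_gensec_authz_event` begins before the hunk.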
diff --git a/auth/gensec/gensec.h b/auth/gensec/gensec.h
index bc96e697de4..6764ee5e461 100644
--- a/auth/gensec/gensec.h
+++ b/auth/gensec/gensec.h
@@ -68,6 +68,8 @@ struct gensec_target {
#define GENSEC_FEATURE_NTLM_CCACHE 0x00000200
#define GENSEC_FEATURE_LDAP_STYLE 0x00000400
#define GENSEC_FEATURE_NO_AUTHZ_LOG 0x00000800
+#define GENSEC_FEATURE_SMB_TRANSPORT 0x00001000
+#define GENSEC_FEATURE_LDAPS_TRANSPORT 0x00002000
#define GENSEC_EXPIRE_TIME_INFINITY (NTTIME)0x8000000000000000LL
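Review bot: `GENSEC_FEATURE_SMB_TRANSPORT` and `GENSEC_FEATURE_LDAPS_TRANSPORT` share the bit space with negotiable mechanism features but, judging by gensec.c in this commit, are only ever read back from `want_features` as facts about the underlying connection, and nothing here says so. Without a comment a future mechanism could reasonably try to report or negotiate them through `have_feature`, which would silently change what the authorization log claims about the transport. Suggest adding above the two new lines: `/* Transport facts set by the caller (presumably via gensec_want_feature()); they describe the connection the request arrived on and are never negotiated by a mechanism */`.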