author | Andrew Bartlett <abartlet@samba.org> | 2017-03-01 16:27:51 +1300 |
---|---|---|
committer | Andrew Bartlett <abartlet@samba.org> | 2017-03-29 02:37:27 +0200 |
commit | d017e2eb2a69b0f759e9ab912a0a5e8aaef5701d (patch) | |
tree | 4d00d0eef4490113128e713e7f5ee01728a639f6 /source3/auth | |
parent | 0e508853fcb6cc0e8ca2b6ff48d8b5468b339468 (diff) | |
s3-auth: Log SMB authorization for bare NTLM (NTLMSSP/krb5 already done)
gensec_session_info() is not called for bare NTLM, so we have to log manually
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Pair-Programmed-by: Gary Lockyer <gary@catalyst.net.nz>
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Diffstat (limited to 'source3/auth')
-rw-r--r-- | source3/auth/auth_generic.c | 44 |
1 files changed, 34 insertions, 10 deletions
diff --git a/source3/auth/auth_generic.c b/source3/auth/auth_generic.c
index 7c57e18e1aa..7a6ec10d8cd 100644
--- a/source3/auth/auth_generic.c
+++ b/source3/auth/auth_generic.c
@@ -399,6 +399,11 @@ NTSTATUS auth_generic_prepare(TALLOC_CTX *mem_ctx,
 return NT_STATUS_OK;
 }
+/*
+ * Check a username and password, and return the final session_info.
+ * We also log the authorization of the session here, just as
+ * gensec_session_info() does.
+ */
 NTSTATUS auth_check_password_session_info(struct auth4_context *auth_context,
 TALLOC_CTX *mem_ctx,
 struct auth_usersupplied_info *user_info,
@@ -414,16 +419,35 @@ NTSTATUS auth_check_password_session_info(struct auth4_context *auth_context,
 &authoritative,
 &server_info, NULL, NULL);
- if (NT_STATUS_IS_OK(nt_status)) {
- nt_status = auth_context->generate_session_info(auth_context,
- mem_ctx,
- server_info,
- user_info->client.account_name,
- AUTH_SESSION_INFO_UNIX_TOKEN |
- AUTH_SESSION_INFO_DEFAULT_GROUPS |
- AUTH_SESSION_INFO_NTLM,
- session_info);
- TALLOC_FREE(server_info);
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ return nt_status;
 }
+
+ nt_status = auth_context->generate_session_info(auth_context,
+ mem_ctx,
+ server_info,
+ user_info->client.account_name,
+ AUTH_SESSION_INFO_UNIX_TOKEN |
+ AUTH_SESSION_INFO_DEFAULT_GROUPS |
+ AUTH_SESSION_INFO_NTLM,
+ session_info);
+ TALLOC_FREE(server_info);
+
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ return nt_status;
+ }
+
+ /*
+ * This is rather redundant (the authentication has just been
+ * logged, with much the same details), but because we want to
+ * log all authorizations consistently (be they NLTM, NTLMSSP
+ * or krb5) we log this info again as an authorization.
+ */
+ log_successful_authz_event(user_info->remote_host,
+ user_info->local_host,
+ user_info->service_description,
+ user_info->auth_description,
+ *session_info);
+
 return nt_status;
 } |
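Review bot: In the second hunk, the early return after a failed `generate_session_info()` leaves no authorization record. A bare-NTLM login that authenticates but cannot be turned into a session would then appear in the audit trail as an authentication with no matching authorization outcome; whether a caller logs that case is not visible here. If that is intended, a comment above the second `if (!NT_STATUS_IS_OK(nt_status))` would make it explicit for anyone building detections on these events, e.g. `/* Only successful authorizations are logged; a failure here leaves just the authentication record. */`. The new block comment also misspells NTLM as `NLTM`. The start of the function body lies between the two hunks and is not shown.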