-rw-r--r-- | auth/auth_log.c | 1 | ||||
-rw-r--r-- | auth/common_auth.h | 7 | ||||
-rw-r--r-- | auth/gensec/gensec.c | 13 | ||||
-rw-r--r-- | auth/gensec/gensec.h | 2 | ||||
-rw-r--r-- | source3/auth/auth_generic.c | 1 | ||||
-rw-r--r-- | source3/rpc_server/srv_pipe.c | 6 | ||||
-rw-r--r-- | source3/smbd/sesssetup.c | 1 | ||||
-rw-r--r-- | source3/smbd/smb2_sesssetup.c | 1 | ||||
-rw-r--r-- | source4/auth/auth.h | 1 | ||||
-rw-r--r-- | source4/auth/ntlm/auth_simple.c | 12 | ||||
-rw-r--r-- | source4/ldap_server/ldap_backend.c | 6 | ||||
-rw-r--r-- | source4/ldap_server/ldap_bind.c | 9 | ||||
-rw-r--r-- | source4/rpc_server/dcesrv_auth.c | 5 | ||||
-rw-r--r-- | source4/smb_server/smb/sesssetup.c | 2 | ||||
-rw-r--r-- | source4/smb_server/smb2/sesssetup.c | 1 |
15 files changed, 66 insertions, 2 deletions
diff --git a/auth/auth_log.c b/auth/auth_log.c
index 7da47f6b659..b7b8810f03d 100644
--- a/auth/auth_log.c
+++ b/auth/auth_log.c
@@ -227,6 +227,7 @@ void log_successful_authz_event(const struct tsocket_address *remote,
 const struct tsocket_address *local,
 const char *service_description,
 const char *auth_type,
+ const char *transport_protection,
 struct auth_session_info *session_info)
 {
 TALLOC_CTX *frame = NULL;
diff --git a/auth/common_auth.h b/auth/common_auth.h
index 925d3f59ea9..f94c5f15a79 100644
--- a/auth/common_auth.h
+++ b/auth/common_auth.h
@@ -146,6 +146,12 @@ struct auth4_context {
 struct auth_session_info **session_info);
 };
+#define AUTHZ_TRANSPORT_PROTECTION_NONE "NONE"
+#define AUTHZ_TRANSPORT_PROTECTION_SMB "SMB"
+#define AUTHZ_TRANSPORT_PROTECTION_TLS "TLS"
+#define AUTHZ_TRANSPORT_PROTECTION_SEAL "SEAL"
+#define AUTHZ_TRANSPORT_PROTECTION_SIGN "SIGN"
+
 void log_authentication_event(const struct auth_usersupplied_info *ui,
 NTSTATUS status,
 const char *account_name,
@@ -157,5 +163,6 @@ void log_successful_authz_event(const struct tsocket_address *remote,
 const struct tsocket_address *local,
 const char *service_description,
 const char *auth_type,
+ const char *transport_protection,
 struct auth_session_info *session_info);
 #endif
diff --git a/auth/gensec/gensec.c b/auth/gensec/gensec.c
index 09be9fd531c..2cd5a22a9a9 100644
--- a/auth/gensec/gensec.c
+++ b/auth/gensec/gensec.c
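Review bot: The new `transport_protection` parameter of log_successful_authz_event() is only added to the signature in the auth/auth_log.c hunk; the diffstat records a single inserted line for that file, so nothing in the function body, which continues outside the hunk, appears to write the value into the human-readable or JSON authorization record. Every caller updated in this commit now passes SMB/TLS/SEAL/SIGN/NONE, yet the emitted log would be unchanged unless a later commit adds the body change; either that change belongs here or the parameter should be marked as not yet emitted. The `AUTHZ_TRANSPORT_PROTECTION_*` defines in auth/common_auth.h also carry no explanation of what they describe or when each applies; a comment above them such as `/* Protection of the transport an authorization was granted over, reported in the authz log: the outer channel (SMB, TLS) or, failing that, GENSEC-level seal/sign. */` would let callers choose consistently.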
@@ -221,9 +221,22 @@ static void log_successful_gensec_authz_event(struct gensec_security *gensec_sec
 = gensec_get_target_service_description(gensec_security);
 const char *final_auth_type = gensec_final_auth_type(gensec_security);
+ const char *transport_protection = NULL;
+ if (gensec_security->want_features & GENSEC_FEATURE_SMB_TRANSPORT) {
+ transport_protection = AUTHZ_TRANSPORT_PROTECTION_SMB;
+ } else if (gensec_security->want_features & GENSEC_FEATURE_LDAPS_TRANSPORT) {
+ transport_protection = AUTHZ_TRANSPORT_PROTECTION_TLS;
+ } else if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL)) {
+ transport_protection = AUTHZ_TRANSPORT_PROTECTION_SEAL;
+ } else if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) {
+ transport_protection = AUTHZ_TRANSPORT_PROTECTION_SIGN;
+ } else {
+ transport_protection = AUTHZ_TRANSPORT_PROTECTION_NONE;
+ }
 log_successful_authz_event(remote,
 local,
 service_description,
 final_auth_type,
+ transport_protection,
 session_info);
 }
diff --git a/auth/gensec/gensec.h b/auth/gensec/gensec.h
index bc96e697de4..6764ee5e461 100644
--- a/auth/gensec/gensec.h
+++ b/auth/gensec/gensec.h
@@ -68,6 +68,8 @@ struct gensec_target {
 #define GENSEC_FEATURE_NTLM_CCACHE 0x00000200
 #define GENSEC_FEATURE_LDAP_STYLE 0x00000400
 #define GENSEC_FEATURE_NO_AUTHZ_LOG 0x00000800
+#define GENSEC_FEATURE_SMB_TRANSPORT 0x00001000
+#define GENSEC_FEATURE_LDAPS_TRANSPORT 0x00002000
 #define GENSEC_EXPIRE_TIME_INFINITY (NTTIME)0x8000000000000000LL
diff --git a/source3/auth/auth_generic.c b/source3/auth/auth_generic.c
index 7a6ec10d8cd..c18b5435ac4 100644
--- a/source3/auth/auth_generic.c
+++ b/source3/auth/auth_generic.c
@@ -447,6 +447,7 @@ NTSTATUS auth_check_password_session_info(struct auth4_context *auth_context,
 user_info->local_host,
 user_info->service_description,
 user_info->auth_description,
+ AUTHZ_TRANSPORT_PROTECTION_SMB,
 *session_info);
 return nt_status;
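Review bot: The precedence of the `transport_protection` chain in log_successful_gensec_authz_event() is undocumented: a context flagged GENSEC_FEATURE_SMB_TRANSPORT or GENSEC_FEATURE_LDAPS_TRANSPORT is reported as SMB/TLS even when the mechanism also negotiated GENSEC_FEATURE_SEAL, so the GENSEC-level protection is hidden behind the outer transport. If that is the intent, a comment above the first `if` should say so, e.g. `/* Report the outer transport (SMB, LDAPS) in preference to per-mechanism sign/seal, which only covers the GENSEC payload. */`. The two transport flags are also read straight from `gensec_security->want_features` while SEAL/SIGN go through gensec_have_feature(); a one-line comment explaining that the transport flags are caller-declared rather than mechanism-negotiated would stop a reader from "fixing" the asymmetry. With its indentation, the `} else if (gensec_security->want_features & GENSEC_FEATURE_LDAPS_TRANSPORT) {` line also runs past the 80-column limit Samba's coding guide asks for; breaking the condition after `&` keeps it within bounds.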
diff --git a/source3/rpc_server/srv_pipe.c b/source3/rpc_server/srv_pipe.c
index bd56be6b79e..c8b0fdccf42 100644
--- a/source3/rpc_server/srv_pipe.c
+++ b/source3/rpc_server/srv_pipe.c
@@ -822,6 +822,11 @@ static bool api_pipe_bind_req(struct pipes_struct *p,
 goto err_exit;
 }
 } else {
+ const char *transport_protection = AUTHZ_TRANSPORT_PROTECTION_NONE;
+ if (p->transport == NCACN_NP) {
+ transport_protection = AUTHZ_TRANSPORT_PROTECTION_SMB;
+ }
+
 p->auth.auth_type = DCERPC_AUTH_TYPE_NONE;
 p->auth.auth_level = DCERPC_AUTH_LEVEL_NONE;
 p->auth.auth_context_id = 0;
@@ -835,6 +840,7 @@ static bool api_pipe_bind_req(struct pipes_struct *p,
 p->local_address,
 table->name,
 derpc_transport_string_by_transport(p->transport),
+ transport_protection,
 p->session_info);
 }
diff --git a/source3/smbd/sesssetup.c b/source3/smbd/sesssetup.c
index 0cc49d916f8..2ed5a4c7ed7 100644
--- a/source3/smbd/sesssetup.c
+++ b/source3/smbd/sesssetup.c
@@ -263,6 +263,7 @@ static void reply_sesssetup_and_X_spnego(struct smb_request *req)
 gensec_want_feature(auth->gensec, GENSEC_FEATURE_SESSION_KEY);
 gensec_want_feature(auth->gensec, GENSEC_FEATURE_UNIX_TOKEN);
+ gensec_want_feature(auth->gensec, GENSEC_FEATURE_SMB_TRANSPORT);
 status = gensec_start_mech_by_oid(auth->gensec, GENSEC_OID_SPNEGO);
diff --git a/source3/smbd/smb2_sesssetup.c b/source3/smbd/smb2_sesssetup.c
index 52462882771..53cd7ded2b0 100644
--- a/source3/smbd/smb2_sesssetup.c
+++ b/source3/smbd/smb2_sesssetup.c
@@ -864,6 +864,7 @@ auth:
 gensec_want_feature(state->auth->gensec, GENSEC_FEATURE_SESSION_KEY);
 gensec_want_feature(state->auth->gensec, GENSEC_FEATURE_UNIX_TOKEN);
+ gensec_want_feature(state->auth->gensec, GENSEC_FEATURE_SMB_TRANSPORT);
 status = gensec_start_mech_by_oid(state->auth->gensec, GENSEC_OID_SPNEGO);
diff --git a/source4/auth/auth.h b/source4/auth/auth.h
index 461d711d22e..a97cfb811d5 100644
--- a/source4/auth/auth.h
+++ b/source4/auth/auth.h
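Review bot: The NCACN_NP-to-SMB mapping added in the unauthenticated-bind branch of api_pipe_bind_req() (`if (p->transport == NCACN_NP) { transport_protection = AUTHZ_TRANSPORT_PROTECTION_SMB; }`) is repeated verbatim in dcesrv_auth_bind() in the source4/rpc_server/dcesrv_auth.c hunk later in this diff. Since both sites already derive a string from the same transport enum via derpc_transport_string_by_transport(), a sibling helper declared next to the AUTHZ_TRANSPORT_PROTECTION_* defines, e.g. `const char *dcerpc_transport_protection_string(enum dcerpc_transport_t transport)`, would keep the two servers from drifting when another transport with inherent protection is handled. The new local also deserves a comment stating why only the no-auth branch classifies the transport here; presumably the authenticated path is logged through gensec with its own flags, but that is inferred from the gensec.c hunk rather than visible in this one. api_pipe_bind_req() starts before its first hunk and ends after its second.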
@@ -164,6 +164,7 @@ NTSTATUS authenticate_ldap_simple_bind(TALLOC_CTX *mem_ctx,
 struct loadparm_context *lp_ctx,
 struct tsocket_address *remote_address,
 struct tsocket_address *local_address,
+ bool using_tls,
 const char *dn,
 const char *password,
 struct auth_session_info **session_info);
diff --git a/source4/auth/ntlm/auth_simple.c b/source4/auth/ntlm/auth_simple.c
index dc3b5de9e82..a00d8d4dd2b 100644
--- a/source4/auth/ntlm/auth_simple.c
+++ b/source4/auth/ntlm/auth_simple.c
@@ -31,6 +31,7 @@ _PUBLIC_ NTSTATUS authenticate_ldap_simple_bind(TALLOC_CTX *mem_ctx,
 struct loadparm_context *lp_ctx,
 struct tsocket_address *remote_address,
 struct tsocket_address *local_address,
+ bool using_tls,
 const char *dn,
 const char *password,
 struct auth_session_info **session_info)
@@ -44,6 +45,10 @@ _PUBLIC_ NTSTATUS authenticate_ldap_simple_bind(TALLOC_CTX *mem_ctx,
 const char *nt4_domain;
 const char *nt4_username;
 uint32_t flags = 0;
+ const char *transport_protection = AUTHZ_TRANSPORT_PROTECTION_NONE;
+ if (using_tls) {
+ transport_protection = AUTHZ_TRANSPORT_PROTECTION_TLS;
+ }
 if (!tmp_ctx) {
 return NT_STATUS_NO_MEMORY;
@@ -85,7 +90,11 @@ _PUBLIC_ NTSTATUS authenticate_ldap_simple_bind(TALLOC_CTX *mem_ctx,
 user_info->service_description = "LDAP";
- user_info->auth_description = "simple bind";
+ if (using_tls) {
+ user_info->auth_description = "simple bind";
+ } else {
+ user_info->auth_description = "simple bind/TLS";
+ }
 user_info->password_state = AUTH_PASSWORD_PLAIN;
 user_info->password.plaintext = talloc_strdup(user_info, password);
@@ -125,6 +134,7 @@ _PUBLIC_ NTSTATUS authenticate_ldap_simple_bind(TALLOC_CTX *mem_ctx,
 local_address,
 "LDAP",
 "simple bind",
+ transport_protection,
 *session_info);
 talloc_free(tmp_ctx);
diff --git a/source4/ldap_server/ldap_backend.c b/source4/ldap_server/ldap_backend.c
index b023eb4dd7c..7aa51f293ed 100644
--- a/source4/ldap_server/ldap_backend.c
+++ b/source4/ldap_server/ldap_backend.c
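Review bot: The branches of the new `if (using_tls)` in the third auth_simple.c hunk are swapped: with TLS the description becomes "simple bind" and without TLS it becomes "simple bind/TLS", the opposite of what the strings say and of the `transport_protection` selection in the preceding hunk, which picks AUTHZ_TRANSPORT_PROTECTION_TLS exactly when `using_tls` is true. Exchanging the two assignments fixes it: `user_info->auth_description = "simple bind/TLS";` under `if (using_tls)` and `user_info->auth_description = "simple bind";` in the `else`. The last hunk then still passes the literal `"simple bind"` to log_successful_authz_event(), so the authentication and authorization records for one TLS bind would describe it differently; passing `user_info->auth_description` there would keep them aligned, provided user_info is still alive at that point (the `talloc_free(tmp_ctx)` that follows suggests so, but its parent is set outside the hunks). The function body spans several hunks, so its other uses of `user_info` are not visible here.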
@@ -1280,10 +1280,16 @@ NTSTATUS ldapsrv_do_call(struct ldapsrv_call *call)
 }
 if (log) {
+ const char *transport_protection = AUTHZ_TRANSPORT_PROTECTION_NONE;
+ if (call->conn->sockets.active == call->conn->sockets.tls) {
+ transport_protection = AUTHZ_TRANSPORT_PROTECTION_TLS;
+ }
+
 log_successful_authz_event(call->conn->connection->remote_address,
 call->conn->connection->local_address,
 "LDAP",
 "no bind",
+ transport_protection,
 call->conn->session_info);
 call->conn->authz_logged = true;
diff --git a/source4/ldap_server/ldap_bind.c b/source4/ldap_server/ldap_bind.c
index 5fc50dce538..986ecbfcebb 100644
--- a/source4/ldap_server/ldap_bind.c
+++ b/source4/ldap_server/ldap_bind.c
@@ -73,6 +73,8 @@ static NTSTATUS ldapsrv_BindSimple(struct ldapsrv_call *call)
 NTSTATUS status;
+ bool using_tls = call->conn->sockets.active == call->conn->sockets.tls;
+
 DEBUG(10, ("BindSimple dn: %s\n",req->dn));
 reply = ldapsrv_init_reply(call, LDAP_TAG_BindResponse);
@@ -83,7 +85,7 @@ static NTSTATUS ldapsrv_BindSimple(struct ldapsrv_call *call)
 if (req->dn != NULL &&
 strlen(req->dn) != 0 &&
 call->conn->require_strong_auth > LDAP_SERVER_REQUIRE_STRONG_AUTH_NO &&
- call->conn->sockets.active != call->conn->sockets.tls)
+ !using_tls)
 {
 status = NT_STATUS_NETWORK_ACCESS_DENIED;
 result = LDAP_STRONG_AUTH_REQUIRED;
@@ -98,6 +100,7 @@ static NTSTATUS ldapsrv_BindSimple(struct ldapsrv_call *call)
 call->conn->lp_ctx,
 call->conn->connection->remote_address,
 call->conn->connection->local_address,
+ using_tls,
 req->dn,
 req->creds.password,
 &session_info);
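Review bot: The TLS test `call->conn->sockets.active == call->conn->sockets.tls` now appears three times in the LDAP server: in ldapsrv_do_call() here, in ldapsrv_BindSimple() below (where it replaces the inverted `!=` form), and again as `conn->sockets.active == conn->sockets.tls` in ldapsrv_setup_gensec() in the next hunk. A small helper such as `static bool ldapsrv_conn_is_tls(const struct ldapsrv_connection *conn)` returning that comparison would give the property one name and one place to change if the socket bookkeeping is reworked. Comparing the two pointers is an indirect way of saying "the TLS socket is the live one", so the first use at least deserves a comment to that effect, e.g. `/* the connection is protected when the TLS socket is the active one */`. ldapsrv_BindSimple() begins before its first hunk and its body continues past the last one shown.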
@@ -218,6 +221,10 @@ static NTSTATUS ldapsrv_setup_gensec(struct ldapsrv_connection *conn,
 gensec_want_feature(gensec_security, GENSEC_FEATURE_ASYNC_REPLIES);
 gensec_want_feature(gensec_security, GENSEC_FEATURE_LDAP_STYLE);
+ if (conn->sockets.active == conn->sockets.tls) {
+ gensec_want_feature(gensec_security, GENSEC_FEATURE_LDAPS_TRANSPORT);
+ }
+
 status = gensec_start_mech_by_sasl_name(gensec_security, sasl_mech);
 if (!NT_STATUS_IS_OK(status)) {
diff --git a/source4/rpc_server/dcesrv_auth.c b/source4/rpc_server/dcesrv_auth.c
index 4b0bfdf1e20..1ebb5143b93 100644
--- a/source4/rpc_server/dcesrv_auth.c
+++ b/source4/rpc_server/dcesrv_auth.c
@@ -49,6 +49,10 @@ bool dcesrv_auth_bind(struct dcesrv_call_state *call)
 enum dcerpc_transport_t transport = dcerpc_binding_get_transport(call->conn->endpoint->ep_description);
 const char *auth_type = derpc_transport_string_by_transport(transport);
+ const char *transport_protection = AUTHZ_TRANSPORT_PROTECTION_NONE;
+ if (transport == NCACN_NP) {
+ transport_protection = AUTHZ_TRANSPORT_PROTECTION_SMB;
+ }
 auth->auth_type = DCERPC_AUTH_TYPE_NONE;
 auth->auth_level = DCERPC_AUTH_LEVEL_NONE;
 auth->auth_context_id = 0;
@@ -62,6 +66,7 @@ bool dcesrv_auth_bind(struct dcesrv_call_state *call)
 call->conn->local_address,
 "DCE/RPC",
 auth_type,
+ transport_protection,
 call->conn->auth_state.session_info);
 return true;
diff --git a/source4/smb_server/smb/sesssetup.c b/source4/smb_server/smb/sesssetup.c
index 594efd0c02d..cc022229736 100644
--- a/source4/smb_server/smb/sesssetup.c
+++ b/source4/smb_server/smb/sesssetup.c
@@ -58,6 +58,7 @@ void smbsrv_not_spengo_sesssetup_authz_log(struct smbsrv_request *req,
 local_address,
 "SMB",
 "bare-NTLM",
+ AUTHZ_TRANSPORT_PROTECTION_SMB,
 session_info);
 talloc_free(frame);
@@ -510,6 +511,7 @@ static void sesssetup_spnego(struct smbsrv_request *req, union smb_sesssetup *se
 }
 gensec_want_feature(gensec_ctx, GENSEC_FEATURE_SESSION_KEY);
+ gensec_want_feature(gensec_ctx, GENSEC_FEATURE_SMB_TRANSPORT);
 remote_address = socket_get_remote_addr(req->smb_conn->connection->socket, req);
diff --git a/source4/smb_server/smb2/sesssetup.c b/source4/smb_server/smb2/sesssetup.c
index 0a66f46856d..501aab671d7 100644
--- a/source4/smb_server/smb2/sesssetup.c
+++ b/source4/smb_server/smb2/sesssetup.c
@@ -145,6 +145,7 @@ static void smb2srv_sesssetup_backend(struct smb2srv_request *req, union smb_ses
 }
 gensec_want_feature(gensec_ctx, GENSEC_FEATURE_SESSION_KEY);
+ gensec_want_feature(gensec_ctx, GENSEC_FEATURE_SMB_TRANSPORT);
 remote_address = socket_get_remote_addr(req->smb_conn->connection->socket, req); |