/src/samba/source4/kdc/authn_policy_util.c
Line | Count | Source (jump to first uncovered line) |
1 | | /* |
2 | | Unix SMB/CIFS implementation. |
3 | | Samba Active Directory authentication policy utility functions |
4 | | |
5 | | Copyright (C) Catalyst.Net Ltd 2023 |
6 | | |
7 | | This program is free software; you can redistribute it and/or modify |
8 | | it under the terms of the GNU General Public License as published by |
9 | | the Free Software Foundation; either version 3 of the License, or |
10 | | (at your option) any later version. |
11 | | |
12 | | This program is distributed in the hope that it will be useful, |
13 | | but WITHOUT ANY WARRANTY; without even the implied warranty of |
14 | | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
15 | | GNU General Public License for more details. |
16 | | |
17 | | You should have received a copy of the GNU General Public License |
18 | | along with this program. If not, see <http://www.gnu.org/licenses/>. |
19 | | */ |
20 | | |
21 | | #include "lib/replace/replace.h" |
22 | | #include "source4/kdc/authn_policy_util.h" |
23 | | #include "auth/authn_policy_impl.h" |
24 | | #include "lib/util/debug.h" |
25 | | #include "lib/util/samba_util.h" |
26 | | #include "libcli/security/security.h" |
27 | | #include "libcli/util/werror.h" |
28 | | #include "auth/common_auth.h" |
29 | | #include "source4/auth/session.h" |
30 | | #include "source4/dsdb/samdb/samdb.h" |
31 | | #include "source4/dsdb/samdb/ldb_modules/util.h" |
32 | | |
33 | | bool authn_policy_silos_and_policies_in_effect(struct ldb_context *samdb) |
34 | 0 | { |
35 | | /* |
36 | | * Authentication Silos and Authentication Policies are not |
37 | | * honoured by Samba unless the DC is at FL 2012 R2. This is |
38 | | * to match Windows, which will offer these features as soon |
39 | | * as the DC is upgraded. |
40 | | */ |
41 | 0 | const int functional_level = dsdb_dc_functional_level(samdb); |
42 | 0 | return functional_level >= DS_DOMAIN_FUNCTION_2012_R2; |
43 | 0 | } |
44 | | |
45 | | bool authn_policy_allowed_ntlm_network_auth_in_effect(struct ldb_context *samdb) |
46 | 0 | { |
47 | | /* |
48 | | * The allowed NTLM network authentication Policies are not |
49 | | * honoured by Samba unless the DC is at FL2016. This |
50 | | * is to match Windows, which will enforce these restrictions |
51 | | * as soon as the DC is upgraded. |
52 | | */ |
53 | 0 | const int functional_level = dsdb_dc_functional_level(samdb); |
54 | 0 | return functional_level >= DS_DOMAIN_FUNCTION_2016; |
55 | 0 | } |
56 | | |
57 | | /* |
58 | | * Depending on the type of the account, we need to refer to different |
59 | | * attributes of authentication silo objects. This structure keeps track of the |
60 | | * attributes to use for a certain account type. |
61 | | */ |
62 | | struct authn_silo_attrs { |
63 | | const char *policy; |
64 | | const char *attrs[]; |
65 | | }; |
66 | | |
67 | | /* |
68 | | * Depending on the type of the account, we need to refer to different |
69 | | * attributes of authentication policy objects. This structure keeps track of |
70 | | * the attributes to use for a certain account type. |
71 | | */ |
72 | | struct authn_policy_attrs { |
73 | | /* This applies at FL2016 and up. */ |
74 | | const char *allowed_ntlm_network_auth; |
75 | | /* The remainder apply at FL2012_R2 and up. */ |
76 | | const char *allowed_to_authenticate_from; |
77 | | const char *allowed_to_authenticate_to; |
78 | | const char *tgt_lifetime; |
79 | | const char *attrs[]; |
80 | | }; |
81 | | |
82 | | struct authn_attrs { |
83 | | const struct authn_silo_attrs *silo; |
84 | | const struct authn_policy_attrs *policy; |
85 | | }; |
86 | | |
87 | | /* |
88 | | * Get the authentication attributes that apply to an account of a certain |
89 | | * class. |
90 | | */ |
91 | | static const struct authn_attrs authn_policy_get_attrs(const struct ldb_message *msg) |
92 | 0 | { |
93 | 0 | const struct authn_attrs null_authn_attrs = { |
94 | 0 | .silo = NULL, |
95 | 0 | .policy = NULL, |
96 | 0 | }; |
97 | 0 | const struct ldb_message_element *objectclass_el = NULL; |
98 | 0 | unsigned i; |
99 | |
|
100 | 0 | objectclass_el = ldb_msg_find_element(msg, "objectClass"); |
101 | 0 | if (objectclass_el == NULL || objectclass_el->num_values == 0) { |
102 | 0 | return null_authn_attrs; |
103 | 0 | } |
104 | | |
105 | | /* |
106 | | * Iterate over the objectClasses, starting at the most-derived class. |
107 | | */ |
108 | 0 | for (i = objectclass_el->num_values; i > 0; --i) { |
109 | 0 | const struct ldb_val *objectclass_val = &objectclass_el->values[i - 1]; |
110 | 0 | const char *objectclass = NULL; |
111 | |
|
112 | 0 | objectclass = (const char *)objectclass_val->data; |
113 | 0 | if (objectclass == NULL) { |
114 | 0 | continue; |
115 | 0 | } |
116 | | |
117 | 0 | #define COMMON_AUTHN_SILO_ATTRS \ |
118 | 0 | "msDS-AuthNPolicySiloEnforced", \ |
119 | 0 | "msDS-AuthNPolicySiloMembers", \ |
120 | 0 | "name" |
121 | | |
122 | 0 | #define COMMON_AUTHN_POLICY_ATTRS \ |
123 | 0 | "msDS-AuthNPolicyEnforced", \ |
124 | 0 | "msDS-StrongNTLMPolicy", \ |
125 | 0 | "name" |
126 | | |
127 | | /* |
128 | | * See which of three classes this object is most closely |
129 | | * derived from. |
130 | | */ |
131 | 0 | if (strcasecmp(objectclass, "user") == 0) { |
132 | 0 | static const struct authn_silo_attrs user_authn_silo_attrs = { |
133 | 0 | .policy = "msDS-UserAuthNPolicy", |
134 | 0 | .attrs = { |
135 | 0 | COMMON_AUTHN_SILO_ATTRS, |
136 | 0 | "msDS-UserAuthNPolicy", |
137 | 0 | NULL, |
138 | 0 | }, |
139 | 0 | }; |
140 | |
|
141 | 0 | static const struct authn_policy_attrs user_authn_policy_attrs = { |
142 | 0 | .allowed_ntlm_network_auth = "msDS-UserAllowedNTLMNetworkAuthentication", |
143 | 0 | .allowed_to_authenticate_from = "msDS-UserAllowedToAuthenticateFrom", |
144 | 0 | .allowed_to_authenticate_to = "msDS-UserAllowedToAuthenticateTo", |
145 | 0 | .tgt_lifetime = "msDS-UserTGTLifetime", |
146 | 0 | .attrs = { |
147 | 0 | COMMON_AUTHN_POLICY_ATTRS, |
148 | 0 | "msDS-UserAllowedNTLMNetworkAuthentication", |
149 | 0 | "msDS-UserAllowedToAuthenticateFrom", |
150 | 0 | "msDS-UserAllowedToAuthenticateTo", |
151 | 0 | "msDS-UserTGTLifetime", |
152 | 0 | NULL, |
153 | 0 | }, |
154 | 0 | }; |
155 | |
|
156 | 0 | return (struct authn_attrs) { |
157 | 0 | .silo = &user_authn_silo_attrs, |
158 | 0 | .policy = &user_authn_policy_attrs, |
159 | 0 | }; |
160 | 0 | } |
161 | | |
162 | 0 | if (strcasecmp(objectclass, "computer") == 0) { |
163 | 0 | static const struct authn_silo_attrs computer_authn_silo_attrs = { |
164 | 0 | .policy = "msDS-ComputerAuthNPolicy", |
165 | 0 | .attrs = { |
166 | 0 | COMMON_AUTHN_SILO_ATTRS, |
167 | 0 | "msDS-ComputerAuthNPolicy", |
168 | 0 | NULL, |
169 | 0 | }, |
170 | 0 | }; |
171 | |
|
172 | 0 | static const struct authn_policy_attrs computer_authn_policy_attrs = { |
173 | 0 | .allowed_ntlm_network_auth = NULL, |
174 | 0 | .allowed_to_authenticate_from = NULL, |
175 | 0 | .allowed_to_authenticate_to = "msDS-ComputerAllowedToAuthenticateTo", |
176 | 0 | .tgt_lifetime = "msDS-ComputerTGTLifetime", |
177 | 0 | .attrs = { |
178 | 0 | COMMON_AUTHN_POLICY_ATTRS, |
179 | 0 | "msDS-ComputerAllowedToAuthenticateTo", |
180 | 0 | "msDS-ComputerTGTLifetime", |
181 | 0 | NULL, |
182 | 0 | }, |
183 | 0 | }; |
184 | |
|
185 | 0 | return (struct authn_attrs) { |
186 | 0 | .silo = &computer_authn_silo_attrs, |
187 | 0 | .policy = &computer_authn_policy_attrs, |
188 | 0 | }; |
189 | 0 | } |
190 | | |
191 | 0 | if (strcasecmp(objectclass, "msDS-ManagedServiceAccount") == 0) { |
192 | 0 | static const struct authn_silo_attrs service_authn_silo_attrs = { |
193 | 0 | .policy = "msDS-ServiceAuthNPolicy", |
194 | 0 | .attrs = { |
195 | 0 | COMMON_AUTHN_SILO_ATTRS, |
196 | 0 | "msDS-ServiceAuthNPolicy", |
197 | 0 | NULL, |
198 | 0 | }, |
199 | 0 | }; |
200 | |
|
201 | 0 | static const struct authn_policy_attrs service_authn_policy_attrs = { |
202 | 0 | .allowed_ntlm_network_auth = "msDS-ServiceAllowedNTLMNetworkAuthentication", |
203 | 0 | .allowed_to_authenticate_from = "msDS-ServiceAllowedToAuthenticateFrom", |
204 | 0 | .allowed_to_authenticate_to = "msDS-ServiceAllowedToAuthenticateTo", |
205 | 0 | .tgt_lifetime = "msDS-ServiceTGTLifetime", |
206 | 0 | .attrs = { |
207 | 0 | COMMON_AUTHN_POLICY_ATTRS, |
208 | 0 | "msDS-ServiceAllowedNTLMNetworkAuthentication", |
209 | 0 | "msDS-ServiceAllowedToAuthenticateFrom", |
210 | 0 | "msDS-ServiceAllowedToAuthenticateTo", |
211 | 0 | "msDS-ServiceTGTLifetime", |
212 | 0 | NULL, |
213 | 0 | }, |
214 | 0 | }; |
215 | |
|
216 | 0 | return (struct authn_attrs) { |
217 | 0 | .silo = &service_authn_silo_attrs, |
218 | 0 | .policy = &service_authn_policy_attrs, |
219 | 0 | }; |
220 | 0 | } |
221 | 0 | } |
222 | | |
223 | 0 | #undef COMMON_AUTHN_SILO_ATTRS |
224 | 0 | #undef COMMON_AUTHN_POLICY_ATTRS |
225 | | |
226 | | /* No match — this object is not a user. */ |
227 | 0 | return null_authn_attrs; |
228 | 0 | } |
229 | | |
230 | | /* |
231 | | * Look up the silo assigned to an account. If one exists, returns its details |
232 | | * and whether it is enforced or not. ‘silo_attrs’ comprises the attributes to |
233 | | * include in the search result, the relevant set of which can differ depending |
234 | | * on the account’s objectClass. |
235 | | */ |
236 | | int authn_policy_get_assigned_silo(struct ldb_context *samdb, |
237 | | TALLOC_CTX *mem_ctx, |
238 | | const struct ldb_message *msg, |
239 | | const char * const *silo_attrs, |
240 | | const struct ldb_message **silo_msg_out, |
241 | | bool *is_enforced) |
242 | 0 | { |
243 | 0 | TALLOC_CTX *tmp_ctx = NULL; |
244 | 0 | int ret = 0; |
245 | 0 | const struct ldb_message_element *authn_silo = NULL; |
246 | 0 | struct ldb_dn *authn_silo_dn = NULL; |
247 | 0 | struct ldb_message *authn_silo_msg = NULL; |
248 | 0 | const struct ldb_message_element *members = NULL; |
249 | 0 | const char *linearized_dn = NULL; |
250 | 0 | struct ldb_val linearized_dn_val; |
251 | |
|
252 | 0 | *silo_msg_out = NULL; |
253 | 0 | *is_enforced = true; |
254 | |
|
255 | 0 | if (!authn_policy_silos_and_policies_in_effect(samdb)) { |
256 | 0 | return 0; |
257 | 0 | } |
258 | | |
259 | 0 | tmp_ctx = talloc_new(mem_ctx); |
260 | 0 | if (tmp_ctx == NULL) { |
261 | 0 | ret = ENOMEM; |
262 | 0 | goto out; |
263 | 0 | } |
264 | | |
265 | 0 | authn_silo = ldb_msg_find_element(msg, "msDS-AssignedAuthNPolicySilo"); |
266 | | /* Is the account assigned to a silo? */ |
267 | 0 | if (authn_silo == NULL || !authn_silo->num_values) { |
268 | 0 | goto out; |
269 | 0 | } |
270 | | |
271 | 0 | authn_silo_dn = ldb_dn_from_ldb_val(tmp_ctx, samdb, &authn_silo->values[0]); |
272 | 0 | if (authn_silo_dn == NULL) { |
273 | 0 | ret = ENOMEM; |
274 | 0 | goto out; |
275 | 0 | } |
276 | | |
277 | 0 | ret = dsdb_search_one(samdb, |
278 | 0 | tmp_ctx, |
279 | 0 | &authn_silo_msg, |
280 | 0 | authn_silo_dn, |
281 | 0 | LDB_SCOPE_BASE, |
282 | 0 | silo_attrs, |
283 | 0 | 0, NULL); |
284 | 0 | if (ret == LDB_ERR_NO_SUCH_OBJECT) { |
285 | | /* Not found. */ |
286 | 0 | ret = 0; |
287 | 0 | goto out; |
288 | 0 | } |
289 | 0 | if (ret) { |
290 | 0 | goto out; |
291 | 0 | } |
292 | | |
293 | 0 | members = ldb_msg_find_element(authn_silo_msg, |
294 | 0 | "msDS-AuthNPolicySiloMembers"); |
295 | 0 | if (members == NULL) { |
296 | 0 | goto out; |
297 | 0 | } |
298 | | |
299 | 0 | linearized_dn = ldb_dn_get_linearized(msg->dn); |
300 | 0 | if (linearized_dn == NULL) { |
301 | 0 | ret = ENOMEM; |
302 | 0 | goto out; |
303 | 0 | } |
304 | | |
305 | 0 | linearized_dn_val = data_blob_string_const(linearized_dn); |
306 | | /* Is the account a member of the silo? */ |
307 | 0 | if (!ldb_msg_find_val(members, &linearized_dn_val)) { |
308 | 0 | goto out; |
309 | 0 | } |
310 | | |
311 | | /* Is the silo actually enforced? */ |
312 | 0 | *is_enforced = ldb_msg_find_attr_as_bool( |
313 | 0 | authn_silo_msg, |
314 | 0 | "msDS-AuthNPolicySiloEnforced", |
315 | 0 | false); |
316 | |
|
317 | 0 | *silo_msg_out = talloc_move(mem_ctx, &authn_silo_msg); |
318 | |
|
319 | 0 | out: |
320 | 0 | talloc_free(tmp_ctx); |
321 | 0 | return ret; |
322 | 0 | } |
323 | | |
324 | | /* |
325 | | * Look up the authentication policy assigned to an account, returning its |
326 | | * details if it exists. ‘authn_attrs’ specifies which attributes are relevant, |
327 | | * and should be chosen based on the account’s objectClass. |
328 | | */ |
329 | | static int samba_kdc_authn_policy_msg(struct ldb_context *samdb, |
330 | | TALLOC_CTX *mem_ctx, |
331 | | const struct ldb_message *msg, |
332 | | const struct authn_attrs authn_attrs, |
333 | | struct ldb_message **authn_policy_msg_out, |
334 | | struct authn_policy *authn_policy_out) |
335 | 0 | { |
336 | 0 | TALLOC_CTX *tmp_ctx = NULL; |
337 | 0 | int ret = 0; |
338 | 0 | const struct ldb_message *authn_silo_msg = NULL; |
339 | 0 | const struct ldb_message_element *authn_policy = NULL; |
340 | 0 | const char *silo_name = NULL; |
341 | 0 | const char *policy_name = NULL; |
342 | 0 | struct ldb_dn *authn_policy_dn = NULL; |
343 | 0 | struct ldb_message *authn_policy_msg = NULL; |
344 | 0 | bool belongs_to_silo = false; |
345 | 0 | bool is_enforced = true; |
346 | |
|
347 | 0 | *authn_policy_msg_out = NULL; |
348 | 0 | *authn_policy_out = (struct authn_policy) {}; |
349 | |
|
350 | 0 | tmp_ctx = talloc_new(mem_ctx); |
351 | 0 | if (tmp_ctx == NULL) { |
352 | 0 | ret = ENOMEM; |
353 | 0 | goto out; |
354 | 0 | } |
355 | | |
356 | | /* See whether the account is assigned to a silo. */ |
357 | 0 | ret = authn_policy_get_assigned_silo(samdb, |
358 | 0 | tmp_ctx, |
359 | 0 | msg, |
360 | 0 | authn_attrs.silo->attrs, |
361 | 0 | &authn_silo_msg, |
362 | 0 | &is_enforced); |
363 | 0 | if (ret) { |
364 | 0 | goto out; |
365 | 0 | } |
366 | | |
367 | 0 | if (authn_silo_msg != NULL) { |
368 | 0 | belongs_to_silo = true; |
369 | |
|
370 | 0 | silo_name = ldb_msg_find_attr_as_string(authn_silo_msg, "name", NULL); |
371 | | |
372 | | /* Get the applicable authentication policy. */ |
373 | 0 | authn_policy = ldb_msg_find_element( |
374 | 0 | authn_silo_msg, |
375 | 0 | authn_attrs.silo->policy); |
376 | 0 | } else { |
377 | | /* |
378 | | * If no silo is assigned, take the policy that is directly |
379 | | * assigned to the account. |
380 | | */ |
381 | 0 | authn_policy = ldb_msg_find_element(msg, "msDS-AssignedAuthNPolicy"); |
382 | 0 | } |
383 | |
|
384 | 0 | if (authn_policy == NULL || !authn_policy->num_values) { |
385 | | /* No policy applies; we’re done. */ |
386 | 0 | goto out; |
387 | 0 | } |
388 | | |
389 | 0 | authn_policy_dn = ldb_dn_from_ldb_val(tmp_ctx, samdb, &authn_policy->values[0]); |
390 | 0 | if (authn_policy_dn == NULL) { |
391 | 0 | ret = ENOMEM; |
392 | 0 | goto out; |
393 | 0 | } |
394 | | |
395 | | /* Look up the policy object. */ |
396 | 0 | ret = dsdb_search_one(samdb, |
397 | 0 | tmp_ctx, |
398 | 0 | &authn_policy_msg, |
399 | 0 | authn_policy_dn, |
400 | 0 | LDB_SCOPE_BASE, |
401 | 0 | authn_attrs.policy->attrs, |
402 | 0 | 0, NULL); |
403 | 0 | if (ret == LDB_ERR_NO_SUCH_OBJECT) { |
404 | | /* Not found. */ |
405 | 0 | ret = 0; |
406 | 0 | goto out; |
407 | 0 | } |
408 | 0 | if (ret) { |
409 | 0 | goto out; |
410 | 0 | } |
411 | | |
412 | 0 | policy_name = ldb_msg_find_attr_as_string(authn_policy_msg, "name", NULL); |
413 | |
|
414 | 0 | if (!belongs_to_silo) { |
415 | 0 | is_enforced = ldb_msg_find_attr_as_bool( |
416 | 0 | authn_policy_msg, |
417 | 0 | "msDS-AuthNPolicyEnforced", |
418 | 0 | false); |
419 | 0 | } |
420 | |
|
421 | 0 | authn_policy_out->silo_name = talloc_move(mem_ctx, &silo_name); |
422 | 0 | authn_policy_out->policy_name = talloc_move(mem_ctx, &policy_name); |
423 | 0 | authn_policy_out->enforced = is_enforced; |
424 | |
|
425 | 0 | *authn_policy_msg_out = talloc_move(mem_ctx, &authn_policy_msg); |
426 | |
|
427 | 0 | out: |
428 | 0 | talloc_free(tmp_ctx); |
429 | 0 | return ret; |
430 | 0 | } |
431 | | |
432 | | /* |
433 | | * Reference an existing authentication policy onto a talloc context, returning |
434 | | * ‘true’ on success. |
435 | | */ |
436 | | static bool authn_policy_ref(TALLOC_CTX *mem_ctx, |
437 | | struct authn_policy *policy_out, |
438 | | const struct authn_policy *policy) |
439 | 0 | { |
440 | 0 | const char *silo_name = NULL; |
441 | 0 | const char *policy_name = NULL; |
442 | |
|
443 | 0 | if (policy->silo_name != NULL) { |
444 | 0 | silo_name = talloc_strdup(mem_ctx, policy->silo_name); |
445 | 0 | if (silo_name == NULL) { |
446 | 0 | return false; |
447 | 0 | } |
448 | 0 | } |
449 | | |
450 | 0 | if (policy->policy_name != NULL) { |
451 | 0 | policy_name = talloc_strdup(mem_ctx, policy->policy_name); |
452 | 0 | if (policy_name == NULL) { |
453 | | /* |
454 | | * We can’t free ‘silo_name’ here, as it is declared |
455 | | * const. It will be freed with the parent context. |
456 | | */ |
457 | 0 | return false; |
458 | 0 | } |
459 | 0 | } |
460 | | |
461 | 0 | *policy_out = (struct authn_policy) { |
462 | 0 | .silo_name = silo_name, |
463 | 0 | .policy_name = policy_name, |
464 | 0 | .enforced = policy->enforced, |
465 | 0 | }; |
466 | |
|
467 | 0 | return true; |
468 | 0 | } |
469 | | |
470 | | /* Create a structure containing auditing information. */ |
471 | | static NTSTATUS _authn_policy_audit_info(TALLOC_CTX *mem_ctx, |
472 | | const struct authn_policy *policy, |
473 | | const struct authn_int64_optional tgt_lifetime_raw, |
474 | | const struct auth_user_info_dc *client_info, |
475 | | const enum authn_audit_event event, |
476 | | const enum authn_audit_reason reason, |
477 | | const NTSTATUS policy_status, |
478 | | const char *location, |
479 | | struct authn_audit_info **audit_info_out) |
480 | 0 | { |
481 | 0 | struct authn_audit_info *audit_info = NULL; |
482 | 0 | bool ok; |
483 | |
|
484 | 0 | if (audit_info_out == NULL) { |
485 | 0 | return NT_STATUS_OK; |
486 | 0 | } |
487 | | |
488 | 0 | audit_info = talloc_zero(mem_ctx, struct authn_audit_info); |
489 | 0 | if (audit_info == NULL) { |
490 | 0 | return NT_STATUS_NO_MEMORY; |
491 | 0 | } |
492 | | |
493 | 0 | if (client_info != NULL) { |
494 | | /* |
495 | | * Keep a reference to the client’s user information so that it |
496 | | * is available to be logged later. |
497 | | */ |
498 | 0 | audit_info->client_info = talloc_reference(audit_info, client_info); |
499 | 0 | if (audit_info->client_info == NULL) { |
500 | 0 | talloc_free(audit_info); |
501 | 0 | return NT_STATUS_NO_MEMORY; |
502 | 0 | } |
503 | 0 | } |
504 | | |
505 | 0 | if (policy != NULL) { |
506 | 0 | audit_info->policy = talloc_zero(audit_info, struct authn_policy); |
507 | 0 | if (audit_info->policy == NULL) { |
508 | 0 | talloc_free(audit_info); |
509 | 0 | return NT_STATUS_NO_MEMORY; |
510 | 0 | } |
511 | | |
512 | 0 | ok = authn_policy_ref(audit_info, audit_info->policy, policy); |
513 | 0 | if (!ok) { |
514 | 0 | talloc_free(audit_info); |
515 | 0 | return NT_STATUS_NO_MEMORY; |
516 | 0 | } |
517 | 0 | } |
518 | | |
519 | 0 | audit_info->event = event; |
520 | 0 | audit_info->reason = reason; |
521 | 0 | audit_info->policy_status = policy_status; |
522 | 0 | audit_info->location = location; |
523 | 0 | audit_info->tgt_lifetime_raw = tgt_lifetime_raw; |
524 | |
|
525 | 0 | *audit_info_out = audit_info; |
526 | 0 | return NT_STATUS_OK; |
527 | 0 | } |
528 | | |
529 | | /* Create a structure containing auditing information. */ |
530 | | #define authn_policy_audit_info( \ |
531 | | mem_ctx, \ |
532 | | policy, \ |
533 | | tgt_lifetime_raw, \ |
534 | | client_info, \ |
535 | | event, \ |
536 | | reason, \ |
537 | | policy_status, \ |
538 | | audit_info_out) \ |
539 | 0 | _authn_policy_audit_info( \ |
540 | 0 | mem_ctx, \ |
541 | 0 | policy, \ |
542 | 0 | tgt_lifetime_raw, \ |
543 | 0 | client_info, \ |
544 | 0 | event, \ |
545 | 0 | reason, \ |
546 | 0 | policy_status, \ |
547 | 0 | __location__, \ |
548 | 0 | audit_info_out) |
549 | | |
550 | | /* |
551 | | * Perform an access check against the security descriptor set in an |
552 | | * authentication policy. ‘client_info’ must be talloc-allocated so that we can |
553 | | * make a reference to it. |
554 | | */ |
555 | | static NTSTATUS _authn_policy_access_check(TALLOC_CTX *mem_ctx, |
556 | | struct ldb_context *samdb, |
557 | | struct loadparm_context* lp_ctx, |
558 | | const struct auth_user_info_dc *client_info, |
559 | | const struct auth_user_info_dc *device_info, |
560 | | const struct auth_claims auth_claims, |
561 | | const struct authn_policy *policy, |
562 | | const struct authn_int64_optional tgt_lifetime_raw, |
563 | | const enum authn_audit_event restriction_event, |
564 | | const struct authn_policy_flags authn_policy_flags, |
565 | | const DATA_BLOB *descriptor_blob, |
566 | | const char *location, |
567 | | struct authn_audit_info **audit_info_out) |
568 | 0 | { |
569 | 0 | TALLOC_CTX *tmp_ctx = NULL; |
570 | 0 | NTSTATUS status = NT_STATUS_OK; |
571 | 0 | NTSTATUS status2; |
572 | 0 | enum ndr_err_code ndr_err; |
573 | 0 | struct security_descriptor *descriptor = NULL; |
574 | 0 | struct security_token *security_token = NULL; |
575 | 0 | uint32_t session_info_flags = |
576 | 0 | AUTH_SESSION_INFO_DEFAULT_GROUPS | |
577 | 0 | AUTH_SESSION_INFO_DEVICE_DEFAULT_GROUPS | |
578 | 0 | AUTH_SESSION_INFO_SIMPLE_PRIVILEGES; |
579 | 0 | const uint32_t access_desired = SEC_ADS_CONTROL_ACCESS; |
580 | 0 | uint32_t access_granted; |
581 | 0 | enum authn_audit_event event = restriction_event; |
582 | 0 | enum authn_audit_reason reason = AUTHN_AUDIT_REASON_NONE; |
583 | |
|
584 | 0 | if (audit_info_out != NULL) { |
585 | 0 | *audit_info_out = NULL; |
586 | 0 | } |
587 | |
|
588 | 0 | tmp_ctx = talloc_new(mem_ctx); |
589 | 0 | if (tmp_ctx == NULL) { |
590 | 0 | status = NT_STATUS_NO_MEMORY; |
591 | 0 | goto out; |
592 | 0 | } |
593 | | |
594 | 0 | if (!(client_info->info->user_flags & NETLOGON_GUEST)) { |
595 | 0 | session_info_flags |= AUTH_SESSION_INFO_AUTHENTICATED; |
596 | 0 | } |
597 | |
|
598 | 0 | if (device_info != NULL && !(device_info->info->user_flags & NETLOGON_GUEST)) { |
599 | 0 | session_info_flags |= AUTH_SESSION_INFO_DEVICE_AUTHENTICATED; |
600 | 0 | } |
601 | |
|
602 | 0 | if (authn_policy_flags.force_compounded_authentication) { |
603 | 0 | session_info_flags |= AUTH_SESSION_INFO_FORCE_COMPOUNDED_AUTHENTICATION; |
604 | 0 | } |
605 | |
|
606 | 0 | descriptor = talloc(tmp_ctx, struct security_descriptor); |
607 | 0 | if (descriptor == NULL) { |
608 | 0 | status = NT_STATUS_NO_MEMORY; |
609 | 0 | goto out; |
610 | 0 | } |
611 | | |
612 | 0 | ndr_err = ndr_pull_struct_blob(descriptor_blob, |
613 | 0 | tmp_ctx, |
614 | 0 | descriptor, |
615 | 0 | (ndr_pull_flags_fn_t)ndr_pull_security_descriptor); |
616 | 0 | if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) { |
617 | 0 | status = ndr_map_error2ntstatus(ndr_err); |
618 | 0 | DBG_ERR("Failed to unmarshall " |
619 | 0 | "security descriptor for authentication policy: %s\n", |
620 | 0 | nt_errstr(status)); |
621 | 0 | reason = AUTHN_AUDIT_REASON_DESCRIPTOR_INVALID; |
622 | 0 | goto out; |
623 | 0 | } |
624 | | |
625 | | /* Require that the security descriptor has an owner set. */ |
626 | 0 | if (descriptor->owner_sid == NULL) { |
627 | 0 | status = NT_STATUS_INVALID_PARAMETER; |
628 | 0 | reason = AUTHN_AUDIT_REASON_DESCRIPTOR_NO_OWNER; |
629 | 0 | goto out; |
630 | 0 | } |
631 | | |
632 | 0 | status = auth_generate_security_token(tmp_ctx, |
633 | 0 | lp_ctx, |
634 | 0 | samdb, |
635 | 0 | client_info, |
636 | 0 | device_info, |
637 | 0 | auth_claims, |
638 | 0 | session_info_flags, |
639 | 0 | &security_token); |
640 | 0 | if (!NT_STATUS_IS_OK(status)) { |
641 | 0 | reason = AUTHN_AUDIT_REASON_SECURITY_TOKEN_FAILURE; |
642 | 0 | goto out; |
643 | 0 | } |
644 | | |
645 | 0 | status = sec_access_check_ds(descriptor, security_token, |
646 | 0 | access_desired, &access_granted, |
647 | 0 | NULL, NULL); |
648 | 0 | if (NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED)) { |
649 | 0 | status = NT_STATUS_AUTHENTICATION_FIREWALL_FAILED; |
650 | 0 | reason = AUTHN_AUDIT_REASON_ACCESS_DENIED; |
651 | 0 | goto out; |
652 | 0 | } |
653 | 0 | if (!NT_STATUS_IS_OK(status)) { |
654 | 0 | goto out; |
655 | 0 | } |
656 | | |
657 | 0 | event = AUTHN_AUDIT_EVENT_OK; |
658 | 0 | out: |
659 | | /* |
660 | | * Create the structure with auditing information here while we have all |
661 | | * the relevant information to hand. It will contain references to |
662 | | * information regarding the client and the policy, to be consulted |
663 | | * after the referents have possibly been freed. |
664 | | */ |
665 | 0 | status2 = _authn_policy_audit_info(mem_ctx, |
666 | 0 | policy, |
667 | 0 | tgt_lifetime_raw, |
668 | 0 | client_info, |
669 | 0 | event, |
670 | 0 | reason, |
671 | 0 | status, |
672 | 0 | location, |
673 | 0 | audit_info_out); |
674 | 0 | if (!NT_STATUS_IS_OK(status2)) { |
675 | 0 | status = status2; |
676 | 0 | } else if (!authn_policy_is_enforced(policy)) { |
677 | 0 | status = NT_STATUS_OK; |
678 | 0 | } |
679 | |
|
680 | 0 | talloc_free(tmp_ctx); |
681 | 0 | return status; |
682 | 0 | } |
683 | | |
684 | | #define authn_policy_access_check(mem_ctx, \ |
685 | | samdb, \ |
686 | | lp_ctx, \ |
687 | | client_info, \ |
688 | | device_info, \ |
689 | | auth_claims, \ |
690 | | policy, \ |
691 | | tgt_lifetime_raw, \ |
692 | | restriction_event, \ |
693 | | authn_policy_flags, \ |
694 | | descriptor_blob, \ |
695 | | audit_info_out) \ |
696 | 0 | _authn_policy_access_check(mem_ctx, \ |
697 | 0 | samdb, \ |
698 | 0 | lp_ctx, \ |
699 | 0 | client_info, \ |
700 | 0 | device_info, \ |
701 | 0 | auth_claims, \ |
702 | 0 | policy, \ |
703 | 0 | tgt_lifetime_raw, \ |
704 | 0 | restriction_event, \ |
705 | 0 | authn_policy_flags, \ |
706 | 0 | descriptor_blob, \ |
707 | 0 | __location__, \ |
708 | 0 | audit_info_out) |
709 | | |
710 | | /* Return an authentication policy moved onto a talloc context. */ |
711 | | static struct authn_policy authn_policy_move(TALLOC_CTX *mem_ctx, |
712 | | struct authn_policy *policy) |
713 | 0 | { |
714 | 0 | return (struct authn_policy) { |
715 | 0 | .silo_name = talloc_move(mem_ctx, &policy->silo_name), |
716 | 0 | .policy_name = talloc_move(mem_ctx, &policy->policy_name), |
717 | 0 | .enforced = policy->enforced, |
718 | 0 | }; |
719 | 0 | } |
720 | | |
721 | | /* Authentication policies for Kerberos clients. */ |
722 | | |
723 | | /* |
724 | | * Get the applicable authentication policy for an account acting as a Kerberos |
725 | | * client. |
726 | | */ |
727 | | int authn_policy_kerberos_client(struct ldb_context *samdb, |
728 | | TALLOC_CTX *mem_ctx, |
729 | | const struct ldb_message *msg, |
730 | | const struct authn_kerberos_client_policy **policy_out) |
731 | 0 | { |
732 | 0 | TALLOC_CTX *tmp_ctx = NULL; |
733 | 0 | int ret = 0; |
734 | 0 | struct authn_attrs authn_attrs; |
735 | 0 | struct ldb_message *authn_policy_msg = NULL; |
736 | 0 | struct authn_kerberos_client_policy *client_policy = NULL; |
737 | 0 | struct authn_policy policy; |
738 | |
|
739 | 0 | *policy_out = NULL; |
740 | |
|
741 | 0 | if (!authn_policy_silos_and_policies_in_effect(samdb)) { |
742 | 0 | return 0; |
743 | 0 | } |
744 | | |
745 | | /* |
746 | | * Get the silo and policy attributes that apply to objects of this |
747 | | * account’s objectclass. |
748 | | */ |
749 | 0 | authn_attrs = authn_policy_get_attrs(msg); |
750 | 0 | if (authn_attrs.silo == NULL || authn_attrs.policy == NULL) { |
751 | | /* |
752 | | * No applicable silo or policy attributes (somehow). Either |
753 | | * this account isn’t derived from ‘user’, or the message is |
754 | | * missing an objectClass element. |
755 | | */ |
756 | 0 | goto out; |
757 | 0 | } |
758 | | |
759 | 0 | if (authn_attrs.policy->allowed_to_authenticate_from == NULL && |
760 | 0 | authn_attrs.policy->tgt_lifetime == NULL) |
761 | 0 | { |
762 | | /* No relevant policy attributes apply. */ |
763 | 0 | goto out; |
764 | 0 | } |
765 | | |
766 | 0 | tmp_ctx = talloc_new(mem_ctx); |
767 | 0 | if (tmp_ctx == NULL) { |
768 | 0 | ret = ENOMEM; |
769 | 0 | goto out; |
770 | 0 | } |
771 | | |
772 | 0 | ret = samba_kdc_authn_policy_msg(samdb, |
773 | 0 | tmp_ctx, |
774 | 0 | msg, |
775 | 0 | authn_attrs, |
776 | 0 | &authn_policy_msg, |
777 | 0 | &policy); |
778 | 0 | if (ret) { |
779 | 0 | goto out; |
780 | 0 | } |
781 | | |
782 | 0 | if (authn_policy_msg == NULL) { |
783 | | /* No policy applies. */ |
784 | 0 | goto out; |
785 | 0 | } |
786 | | |
787 | 0 | client_policy = talloc_zero(tmp_ctx, struct authn_kerberos_client_policy); |
788 | 0 | if (client_policy == NULL) { |
789 | 0 | ret = ENOMEM; |
790 | 0 | goto out; |
791 | 0 | } |
792 | | |
793 | 0 | client_policy->policy = authn_policy_move(client_policy, &policy); |
794 | |
|
795 | 0 | if (authn_attrs.policy->allowed_to_authenticate_from != NULL) { |
796 | 0 | const struct ldb_val *allowed_from = ldb_msg_find_ldb_val( |
797 | 0 | authn_policy_msg, |
798 | 0 | authn_attrs.policy->allowed_to_authenticate_from); |
799 | |
|
800 | 0 | if (allowed_from != NULL && allowed_from->data != NULL) { |
801 | 0 | client_policy->allowed_to_authenticate_from = data_blob_const( |
802 | 0 | talloc_steal(client_policy, allowed_from->data), |
803 | 0 | allowed_from->length); |
804 | 0 | } |
805 | 0 | } |
806 | |
|
807 | 0 | if (authn_attrs.policy->tgt_lifetime != NULL) { |
808 | 0 | client_policy->tgt_lifetime_raw = ldb_msg_find_attr_as_int64( |
809 | 0 | authn_policy_msg, |
810 | 0 | authn_attrs.policy->tgt_lifetime, |
811 | 0 | 0); |
812 | 0 | } |
813 | |
|
814 | 0 | *policy_out = talloc_move(mem_ctx, &client_policy); |
815 | |
|
816 | 0 | out: |
817 | 0 | talloc_free(tmp_ctx); |
818 | 0 | return ret; |
819 | 0 | } |
820 | | |
821 | | /* Get device restrictions enforced by an authentication policy. */ |
822 | | static const DATA_BLOB *authn_policy_kerberos_device_restrictions(const struct authn_kerberos_client_policy *policy) |
823 | 0 | { |
824 | 0 | const DATA_BLOB *restrictions = NULL; |
825 | |
|
826 | 0 | if (policy == NULL) { |
827 | 0 | return NULL; |
828 | 0 | } |
829 | | |
830 | 0 | restrictions = &policy->allowed_to_authenticate_from; |
831 | 0 | if (restrictions->data == NULL) { |
832 | 0 | return NULL; |
833 | 0 | } |
834 | | |
835 | 0 | return restrictions; |
836 | 0 | } |
837 | | |
838 | | /* Return whether an authentication policy enforces device restrictions. */ |
839 | | bool authn_policy_device_restrictions_present(const struct authn_kerberos_client_policy *policy) |
840 | 0 | { |
841 | 0 | return authn_policy_kerberos_device_restrictions(policy) != NULL; |
842 | 0 | } |
843 | | |
844 | | /* |
845 | | * Perform an access check for the device with which the client is |
846 | | * authenticating. ‘device_info’ must be talloc-allocated so that we can make a |
847 | | * reference to it. |
848 | | */ |
849 | | NTSTATUS authn_policy_authenticate_from_device(TALLOC_CTX *mem_ctx, |
850 | | struct ldb_context *samdb, |
851 | | struct loadparm_context* lp_ctx, |
852 | | const struct auth_user_info_dc *device_info, |
853 | | const struct auth_claims auth_claims, |
854 | | const struct authn_kerberos_client_policy *client_policy, |
855 | | struct authn_audit_info **client_audit_info_out) |
856 | 0 | { |
857 | 0 | NTSTATUS status = NT_STATUS_OK; |
858 | 0 | const DATA_BLOB *restrictions = NULL; |
859 | |
|
860 | 0 | restrictions = authn_policy_kerberos_device_restrictions(client_policy); |
861 | 0 | if (restrictions == NULL) { |
862 | 0 | goto out; |
863 | 0 | } |
864 | | |
865 | 0 | status = authn_policy_access_check(mem_ctx, |
866 | 0 | samdb, |
867 | 0 | lp_ctx, |
868 | 0 | device_info, |
869 | | /* The device itself has no device. */ |
870 | 0 | NULL /* device_info */, |
871 | 0 | auth_claims, |
872 | 0 | &client_policy->policy, |
873 | 0 | authn_int64_some(client_policy->tgt_lifetime_raw), |
874 | 0 | AUTHN_AUDIT_EVENT_KERBEROS_DEVICE_RESTRICTION, |
875 | 0 | (struct authn_policy_flags) {}, |
876 | 0 | restrictions, |
877 | 0 | client_audit_info_out); |
878 | 0 | out: |
879 | 0 | return status; |
880 | 0 | } |
881 | | |
882 | | /* Authentication policies for NTLM clients. */ |
883 | | |
884 | | /* |
885 | | * Get the applicable authentication policy for an account acting as an NTLM |
886 | | * client. |
887 | | */ |
888 | | int authn_policy_ntlm_client(struct ldb_context *samdb, |
889 | | TALLOC_CTX *mem_ctx, |
890 | | const struct ldb_message *msg, |
891 | | const struct authn_ntlm_client_policy **policy_out) |
892 | 0 | { |
893 | 0 | TALLOC_CTX *tmp_ctx = NULL; |
894 | 0 | int ret = 0; |
895 | 0 | struct authn_attrs authn_attrs; |
896 | 0 | struct ldb_message *authn_policy_msg = NULL; |
897 | 0 | struct authn_ntlm_client_policy *client_policy = NULL; |
898 | 0 | struct authn_policy policy; |
899 | |
|
900 | 0 | *policy_out = NULL; |
901 | |
|
902 | 0 | if (!authn_policy_silos_and_policies_in_effect(samdb)) { |
903 | 0 | return 0; |
904 | 0 | } |
905 | | |
906 | | /* |
907 | | * Get the silo and policy attributes that apply to objects of this |
908 | | * account’s objectclass. |
909 | | */ |
910 | 0 | authn_attrs = authn_policy_get_attrs(msg); |
911 | 0 | if (authn_attrs.silo == NULL || authn_attrs.policy == NULL) { |
912 | | /* |
913 | | * No applicable silo or policy attributes (somehow). Either |
914 | | * this account isn’t derived from ‘user’, or the message is |
915 | | * missing an objectClass element. |
916 | | */ |
917 | 0 | goto out; |
918 | 0 | } |
919 | | |
920 | 0 | if (authn_attrs.policy->allowed_to_authenticate_from == NULL && |
921 | 0 | authn_attrs.policy->allowed_ntlm_network_auth == NULL) |
922 | 0 | { |
923 | | /* No relevant policy attributes apply. */ |
924 | 0 | goto out; |
925 | 0 | } |
926 | | |
927 | 0 | tmp_ctx = talloc_new(mem_ctx); |
928 | 0 | if (tmp_ctx == NULL) { |
929 | 0 | ret = ENOMEM; |
930 | 0 | goto out; |
931 | 0 | } |
932 | | |
933 | 0 | ret = samba_kdc_authn_policy_msg(samdb, |
934 | 0 | tmp_ctx, |
935 | 0 | msg, |
936 | 0 | authn_attrs, |
937 | 0 | &authn_policy_msg, |
938 | 0 | &policy); |
939 | 0 | if (ret) { |
940 | 0 | goto out; |
941 | 0 | } |
942 | | |
943 | 0 | if (authn_policy_msg == NULL) { |
944 | | /* No policy applies. */ |
945 | 0 | goto out; |
946 | 0 | } |
947 | | |
948 | 0 | client_policy = talloc_zero(tmp_ctx, struct authn_ntlm_client_policy); |
949 | 0 | if (client_policy == NULL) { |
950 | 0 | ret = ENOMEM; |
951 | 0 | goto out; |
952 | 0 | } |
953 | | |
954 | 0 | client_policy->policy = authn_policy_move(client_policy, &policy); |
955 | |
|
956 | 0 | if (authn_attrs.policy->allowed_to_authenticate_from != NULL) { |
957 | 0 | const struct ldb_val *allowed_from = ldb_msg_find_ldb_val( |
958 | 0 | authn_policy_msg, |
959 | 0 | authn_attrs.policy->allowed_to_authenticate_from); |
960 | |
|
961 | 0 | if (allowed_from != NULL && allowed_from->data != NULL) { |
962 | 0 | client_policy->allowed_to_authenticate_from = data_blob_const( |
963 | 0 | talloc_steal(client_policy, allowed_from->data), |
964 | 0 | allowed_from->length); |
965 | 0 | } |
966 | 0 | } |
967 | |
|
968 | 0 | if (authn_attrs.policy->allowed_ntlm_network_auth != NULL && |
969 | 0 | authn_policy_allowed_ntlm_network_auth_in_effect(samdb)) |
970 | 0 | { |
971 | 0 | client_policy->allowed_ntlm_network_auth = ldb_msg_find_attr_as_bool( |
972 | 0 | authn_policy_msg, |
973 | 0 | authn_attrs.policy->allowed_ntlm_network_auth, |
974 | 0 | false); |
975 | 0 | } |
976 | |
|
977 | 0 | *policy_out = talloc_move(mem_ctx, &client_policy); |
978 | |
|
979 | 0 | out: |
980 | 0 | talloc_free(tmp_ctx); |
981 | 0 | return ret; |
982 | 0 | } |
983 | | |
984 | | /* Return whether an authentication policy enforces device restrictions. */ |
985 | | static bool authn_policy_ntlm_device_restrictions_present(const struct authn_ntlm_client_policy *policy) |
986 | 0 | { |
987 | 0 | if (policy == NULL) { |
988 | 0 | return false; |
989 | 0 | } |
990 | | |
991 | 0 | return policy->allowed_to_authenticate_from.data != NULL; |
992 | 0 | } |
993 | | |
994 | | /* Check whether the client is allowed to authenticate using NTLM. */ |
995 | | NTSTATUS authn_policy_ntlm_apply_device_restriction(TALLOC_CTX *mem_ctx, |
996 | | const struct authn_ntlm_client_policy *client_policy, |
997 | | struct authn_audit_info **client_audit_info_out) |
998 | 0 | { |
999 | 0 | NTSTATUS status; |
1000 | 0 | NTSTATUS status2; |
1001 | |
|
1002 | 0 | if (client_audit_info_out != NULL) { |
1003 | 0 | *client_audit_info_out = NULL; |
1004 | 0 | } |
1005 | |
|
1006 | 0 | if (client_policy == NULL) { |
1007 | 0 | return NT_STATUS_OK; |
1008 | 0 | } |
1009 | | |
1010 | | /* |
1011 | | * Access control restrictions cannot be applied to NTLM. |
1012 | | * |
1013 | | * If NTLM authentication is disallowed and the policy enforces a device |
1014 | | * restriction, deny the authentication. |
1015 | | */ |
1016 | | |
1017 | 0 | if (!authn_policy_ntlm_device_restrictions_present(client_policy)) { |
1018 | 0 | return authn_policy_audit_info(mem_ctx, |
1019 | 0 | &client_policy->policy, |
1020 | 0 | authn_int64_none() /* tgt_lifetime_raw */, |
1021 | 0 | NULL /* client_info */, |
1022 | 0 | AUTHN_AUDIT_EVENT_OK, |
1023 | 0 | AUTHN_AUDIT_REASON_NONE, |
1024 | 0 | NT_STATUS_OK, |
1025 | 0 | client_audit_info_out); |
1026 | 0 | } |
1027 | | |
1028 | | /* |
1029 | | * (Although MS-APDS doesn’t state it, AllowedNTLMNetworkAuthentication |
1030 | | * applies to interactive logons too.) |
1031 | | */ |
1032 | 0 | if (client_policy->allowed_ntlm_network_auth) { |
1033 | 0 | return authn_policy_audit_info(mem_ctx, |
1034 | 0 | &client_policy->policy, |
1035 | 0 | authn_int64_none() /* tgt_lifetime_raw */, |
1036 | 0 | NULL /* client_info */, |
1037 | 0 | AUTHN_AUDIT_EVENT_OK, |
1038 | 0 | AUTHN_AUDIT_REASON_NONE, |
1039 | 0 | NT_STATUS_OK, |
1040 | 0 | client_audit_info_out); |
1041 | 0 | } |
1042 | | |
1043 | 0 | status = NT_STATUS_ACCOUNT_RESTRICTION; |
1044 | 0 | status2 = authn_policy_audit_info(mem_ctx, |
1045 | 0 | &client_policy->policy, |
1046 | 0 | authn_int64_none() /* tgt_lifetime_raw */, |
1047 | 0 | NULL /* client_info */, |
1048 | 0 | AUTHN_AUDIT_EVENT_NTLM_DEVICE_RESTRICTION, |
1049 | 0 | AUTHN_AUDIT_REASON_NONE, |
1050 | 0 | status, |
1051 | 0 | client_audit_info_out); |
1052 | 0 | if (!NT_STATUS_IS_OK(status2)) { |
1053 | 0 | status = status2; |
1054 | 0 | } else if (!authn_policy_is_enforced(&client_policy->policy)) { |
1055 | 0 | status = NT_STATUS_OK; |
1056 | 0 | } |
1057 | |
|
1058 | 0 | return status; |
1059 | 0 | } |
1060 | | |
1061 | | /* Authentication policies for servers. */ |
1062 | | |
1063 | | /* |
1064 | | * Get the applicable authentication policy for an account acting as a |
1065 | | * server. |
1066 | | */ |
1067 | | int authn_policy_server(struct ldb_context *samdb, |
1068 | | TALLOC_CTX *mem_ctx, |
1069 | | const struct ldb_message *msg, |
1070 | | const struct authn_server_policy **policy_out) |
1071 | 0 | { |
1072 | 0 | TALLOC_CTX *tmp_ctx = NULL; |
1073 | 0 | int ret = 0; |
1074 | 0 | struct authn_attrs authn_attrs; |
1075 | 0 | struct ldb_message *authn_policy_msg = NULL; |
1076 | 0 | struct authn_server_policy *server_policy = NULL; |
1077 | 0 | struct authn_policy policy; |
1078 | |
|
1079 | 0 | *policy_out = NULL; |
1080 | |
|
1081 | 0 | if (!authn_policy_silos_and_policies_in_effect(samdb)) { |
1082 | 0 | return 0; |
1083 | 0 | } |
1084 | | |
1085 | | /* |
1086 | | * Get the silo and policy attributes that apply to objects of this |
1087 | | * account’s objectclass. |
1088 | | */ |
1089 | 0 | authn_attrs = authn_policy_get_attrs(msg); |
1090 | 0 | if (authn_attrs.silo == NULL || authn_attrs.policy == NULL) { |
1091 | | /* |
1092 | | * No applicable silo or policy attributes (somehow). Either |
1093 | | * this account isn’t derived from ‘user’, or the message is |
1094 | | * missing an objectClass element. |
1095 | | */ |
1096 | 0 | goto out; |
1097 | 0 | } |
1098 | | |
1099 | 0 | if (authn_attrs.policy->allowed_to_authenticate_to == NULL) { |
1100 | | /* The relevant policy attribute doesn’t apply. */ |
1101 | 0 | goto out; |
1102 | 0 | } |
1103 | | |
1104 | 0 | tmp_ctx = talloc_new(mem_ctx); |
1105 | 0 | if (tmp_ctx == NULL) { |
1106 | 0 | ret = ENOMEM; |
1107 | 0 | goto out; |
1108 | 0 | } |
1109 | | |
1110 | 0 | ret = samba_kdc_authn_policy_msg(samdb, |
1111 | 0 | tmp_ctx, |
1112 | 0 | msg, |
1113 | 0 | authn_attrs, |
1114 | 0 | &authn_policy_msg, |
1115 | 0 | &policy); |
1116 | 0 | if (ret) { |
1117 | 0 | goto out; |
1118 | 0 | } |
1119 | | |
1120 | 0 | if (authn_policy_msg == NULL) { |
1121 | | /* No policy applies. */ |
1122 | 0 | goto out; |
1123 | 0 | } |
1124 | | |
1125 | 0 | server_policy = talloc_zero(tmp_ctx, struct authn_server_policy); |
1126 | 0 | if (server_policy == NULL) { |
1127 | 0 | ret = ENOMEM; |
1128 | 0 | goto out; |
1129 | 0 | } |
1130 | | |
1131 | 0 | server_policy->policy = authn_policy_move(server_policy, &policy); |
1132 | |
|
1133 | 0 | if (authn_attrs.policy->allowed_to_authenticate_to != NULL) { |
1134 | 0 | const struct ldb_val *allowed_to = ldb_msg_find_ldb_val( |
1135 | 0 | authn_policy_msg, |
1136 | 0 | authn_attrs.policy->allowed_to_authenticate_to); |
1137 | |
|
1138 | 0 | if (allowed_to != NULL && allowed_to->data != NULL) { |
1139 | 0 | server_policy->allowed_to_authenticate_to = data_blob_const( |
1140 | 0 | talloc_steal(server_policy, allowed_to->data), |
1141 | 0 | allowed_to->length); |
1142 | 0 | } |
1143 | 0 | } |
1144 | |
|
1145 | 0 | *policy_out = talloc_move(mem_ctx, &server_policy); |
1146 | |
|
1147 | 0 | out: |
1148 | 0 | talloc_free(tmp_ctx); |
1149 | 0 | return ret; |
1150 | 0 | } |
1151 | | |
1152 | | /* Get restrictions enforced by an authentication policy. */ |
1153 | | static const DATA_BLOB *authn_policy_restrictions(const struct authn_server_policy *policy) |
1154 | 0 | { |
1155 | 0 | const DATA_BLOB *restrictions = NULL; |
1156 | |
|
1157 | 0 | if (policy == NULL) { |
1158 | 0 | return NULL; |
1159 | 0 | } |
1160 | | |
1161 | 0 | restrictions = &policy->allowed_to_authenticate_to; |
1162 | 0 | if (restrictions->data == NULL) { |
1163 | 0 | return NULL; |
1164 | 0 | } |
1165 | | |
1166 | 0 | return restrictions; |
1167 | 0 | } |
1168 | | |
1169 | | /* Return whether an authentication policy enforces restrictions. */ |
1170 | | bool authn_policy_restrictions_present(const struct authn_server_policy *policy) |
1171 | 0 | { |
1172 | 0 | return authn_policy_restrictions(policy) != NULL; |
1173 | 0 | } |
1174 | | |
1175 | | /* |
1176 | | * Perform an access check for the client attempting to authenticate to the |
1177 | | * server. ‘user_info’ must be talloc-allocated so that we can make a reference |
1178 | | * to it. |
1179 | | */ |
1180 | | NTSTATUS authn_policy_authenticate_to_service(TALLOC_CTX *mem_ctx, |
1181 | | struct ldb_context *samdb, |
1182 | | struct loadparm_context* lp_ctx, |
1183 | | const enum authn_policy_auth_type auth_type, |
1184 | | const struct auth_user_info_dc *user_info, |
1185 | | const struct auth_user_info_dc *device_info, |
1186 | | const struct auth_claims auth_claims, |
1187 | | const struct authn_server_policy *server_policy, |
1188 | | const struct authn_policy_flags authn_policy_flags, |
1189 | | struct authn_audit_info **server_audit_info_out) |
1190 | 0 | { |
1191 | 0 | NTSTATUS status = NT_STATUS_OK; |
1192 | 0 | const DATA_BLOB *restrictions = NULL; |
1193 | 0 | enum authn_audit_event event; |
1194 | |
|
1195 | 0 | restrictions = authn_policy_restrictions(server_policy); |
1196 | 0 | if (restrictions == NULL) { |
1197 | 0 | return authn_server_policy_audit_info(mem_ctx, |
1198 | 0 | server_policy, |
1199 | 0 | user_info, |
1200 | 0 | AUTHN_AUDIT_EVENT_OK, |
1201 | 0 | AUTHN_AUDIT_REASON_NONE, |
1202 | 0 | NT_STATUS_OK, |
1203 | 0 | server_audit_info_out); |
1204 | 0 | } |
1205 | | |
1206 | 0 | switch (auth_type) { |
1207 | 0 | case AUTHN_POLICY_AUTH_TYPE_KERBEROS: |
1208 | 0 | event = AUTHN_AUDIT_EVENT_KERBEROS_SERVER_RESTRICTION; |
1209 | 0 | break; |
1210 | 0 | case AUTHN_POLICY_AUTH_TYPE_NTLM: |
1211 | 0 | event = AUTHN_AUDIT_EVENT_NTLM_SERVER_RESTRICTION; |
1212 | 0 | break; |
1213 | 0 | default: |
1214 | 0 | return NT_STATUS_INVALID_PARAMETER_4; |
1215 | 0 | } |
1216 | | |
1217 | 0 | status = authn_policy_access_check(mem_ctx, |
1218 | 0 | samdb, |
1219 | 0 | lp_ctx, |
1220 | 0 | user_info, |
1221 | 0 | device_info, |
1222 | 0 | auth_claims, |
1223 | 0 | &server_policy->policy, |
1224 | 0 | authn_int64_none() /* tgt_lifetime_raw */, |
1225 | 0 | event, |
1226 | 0 | authn_policy_flags, |
1227 | 0 | restrictions, |
1228 | 0 | server_audit_info_out); |
1229 | 0 | return status; |
1230 | 0 | } |
1231 | | |
1232 | | /* Create a structure containing auditing information. */ |
1233 | | NTSTATUS _authn_kerberos_client_policy_audit_info( |
1234 | | TALLOC_CTX *mem_ctx, |
1235 | | const struct authn_kerberos_client_policy *client_policy, |
1236 | | const struct auth_user_info_dc *client_info, |
1237 | | const enum authn_audit_event event, |
1238 | | const enum authn_audit_reason reason, |
1239 | | const NTSTATUS policy_status, |
1240 | | const char *location, |
1241 | | struct authn_audit_info **audit_info_out) |
1242 | 0 | { |
1243 | 0 | const struct authn_policy *policy = NULL; |
1244 | 0 | struct authn_int64_optional tgt_lifetime_raw = authn_int64_none(); |
1245 | |
|
1246 | 0 | if (client_policy != NULL) { |
1247 | 0 | policy = &client_policy->policy; |
1248 | 0 | tgt_lifetime_raw = authn_int64_some(client_policy->tgt_lifetime_raw); |
1249 | 0 | } |
1250 | |
|
1251 | 0 | return _authn_policy_audit_info(mem_ctx, |
1252 | 0 | policy, |
1253 | 0 | tgt_lifetime_raw, |
1254 | 0 | client_info, |
1255 | 0 | event, |
1256 | 0 | reason, |
1257 | 0 | policy_status, |
1258 | 0 | location, |
1259 | 0 | audit_info_out); |
1260 | 0 | } |
1261 | | |
1262 | | /* Create a structure containing auditing information. */ |
1263 | | NTSTATUS _authn_ntlm_client_policy_audit_info( |
1264 | | TALLOC_CTX *mem_ctx, |
1265 | | const struct authn_ntlm_client_policy *client_policy, |
1266 | | const struct auth_user_info_dc *client_info, |
1267 | | const enum authn_audit_event event, |
1268 | | const enum authn_audit_reason reason, |
1269 | | const NTSTATUS policy_status, |
1270 | | const char *location, |
1271 | | struct authn_audit_info **audit_info_out) |
1272 | 0 | { |
1273 | 0 | const struct authn_policy *policy = NULL; |
1274 | |
|
1275 | 0 | if (client_policy != NULL) { |
1276 | 0 | policy = &client_policy->policy; |
1277 | 0 | } |
1278 | |
|
1279 | 0 | return _authn_policy_audit_info(mem_ctx, |
1280 | 0 | policy, |
1281 | 0 | authn_int64_none() /* tgt_lifetime_raw */, |
1282 | 0 | client_info, |
1283 | 0 | event, |
1284 | 0 | reason, |
1285 | 0 | policy_status, |
1286 | 0 | location, |
1287 | 0 | audit_info_out); |
1288 | 0 | } |
1289 | | |
1290 | | /* Create a structure containing auditing information. */ |
1291 | | NTSTATUS _authn_server_policy_audit_info( |
1292 | | TALLOC_CTX *mem_ctx, |
1293 | | const struct authn_server_policy *server_policy, |
1294 | | const struct auth_user_info_dc *client_info, |
1295 | | const enum authn_audit_event event, |
1296 | | const enum authn_audit_reason reason, |
1297 | | const NTSTATUS policy_status, |
1298 | | const char *location, |
1299 | | struct authn_audit_info **audit_info_out) |
1300 | 0 | { |
1301 | 0 | const struct authn_policy *policy = NULL; |
1302 | |
|
1303 | 0 | if (server_policy != NULL) { |
1304 | 0 | policy = &server_policy->policy; |
1305 | 0 | } |
1306 | |
|
1307 | 0 | return _authn_policy_audit_info(mem_ctx, |
1308 | 0 | policy, |
1309 | 0 | authn_int64_none() /* tgt_lifetime_raw */, |
1310 | 0 | client_info, |
1311 | 0 | event, |
1312 | 0 | reason, |
1313 | 0 | policy_status, |
1314 | 0 | location, |
1315 | 0 | audit_info_out); |
1316 | 0 | } |