void mit_samba_zero_bad_password_count(krb5_db_entry *db_entry) { struct samba_kdc_entry *p; struct ldb_dn *domain_dn; p = (struct samba_kdc_entry *)db_entry->e_data; domain_dn = ldb_get_default_basedn(p->kdc_db_ctx->samdb); authsam_logon_success_accounting(p->kdc_db_ctx->samdb, p->msg, domain_dn, true); }
static krb5_error_code hdb_samba4_auth_status(krb5_context context, HDB *db, hdb_entry_ex *entry, int hdb_auth_status) { struct samba_kdc_db_context *kdc_db_ctx = talloc_get_type_abort(db->hdb_db, struct samba_kdc_db_context); struct samba_kdc_entry *p = talloc_get_type(entry->ctx, struct samba_kdc_entry); struct ldb_dn *domain_dn = ldb_get_default_basedn(kdc_db_ctx->samdb); if (hdb_auth_status == HDB_AUTH_WRONG_PASSWORD) { authsam_update_bad_pwd_count(kdc_db_ctx->samdb, p->msg, domain_dn); } else if (hdb_auth_status == HDB_AUTH_SUCCESS) { authsam_logon_success_accounting(kdc_db_ctx->samdb, p->msg, domain_dn, true); } return 0; }
static krb5_error_code hdb_samba4_auth_status(krb5_context context, HDB *db, hdb_entry_ex *entry, struct sockaddr *from_addr, const char *original_client_name, const char *auth_type, int hdb_auth_status) { struct samba_kdc_db_context *kdc_db_ctx = talloc_get_type_abort(db->hdb_db, struct samba_kdc_db_context); struct ldb_dn *domain_dn = ldb_get_default_basedn(kdc_db_ctx->samdb); /* * Forcing this via the NTLM auth structure is not ideal, but * it is the most practical option right now, and ensures the * logs are consistent, even if some elements are always NULL. */ struct auth_usersupplied_info ui = { .mapped_state = true, .was_mapped = true, .client = { .account_name = original_client_name, .domain_name = NULL, }, .service_description = "Kerberos KDC", .auth_description = "ENC-TS Pre-authentication", .password_type = auth_type }; size_t sa_socklen = 0; switch (from_addr->sa_family) { case AF_INET: sa_socklen = sizeof(struct sockaddr_in); break; #ifdef HAVE_IPV6 case AF_INET6: sa_socklen = sizeof(struct sockaddr_in6); break; #endif } switch (hdb_auth_status) { case HDB_AUTHZ_SUCCESS: { struct samba_kdc_entry *p = talloc_get_type(entry->ctx, struct samba_kdc_entry); /* * TODO: We could log the AS-REQ authorization success here as * well. However before we do that, we need to pass * in the PAC here or re-calculate it. */ authsam_logon_success_accounting(kdc_db_ctx->samdb, p->msg, domain_dn, true); break; } case HDB_AUTH_INVALID_SIGNATURE: break; case HDB_AUTH_CORRECT_PASSWORD: case HDB_AUTH_WRONG_PASSWORD: { TALLOC_CTX *frame = talloc_stackframe(); struct samba_kdc_entry *p = talloc_get_type(entry->ctx, struct samba_kdc_entry); struct dom_sid *sid = samdb_result_dom_sid(frame, p->msg, "objectSid"); const char *account_name = ldb_msg_find_attr_as_string(p->msg, "sAMAccountName", NULL); const char *domain_name = lpcfg_sam_name(p->kdc_db_ctx->lp_ctx); struct tsocket_address *remote_host; NTSTATUS status; int ret; if (hdb_auth_status == HDB_AUTH_WRONG_PASSWORD) { authsam_update_bad_pwd_count(kdc_db_ctx->samdb, p->msg, domain_dn); status = NT_STATUS_WRONG_PASSWORD; } else { status = NT_STATUS_OK; } ret = tsocket_address_bsd_from_sockaddr(frame, from_addr, sa_socklen, &remote_host); if (ret != 0) { ui.remote_host = NULL; } else { ui.remote_host = remote_host; } ui.mapped.account_name = account_name; ui.mapped.domain_name = domain_name; log_authentication_event(kdc_db_ctx->msg_ctx, kdc_db_ctx->lp_ctx, &ui, status, domain_name, account_name, NULL, sid); TALLOC_FREE(frame); break; } case HDB_AUTH_CLIENT_UNKNOWN: { struct tsocket_address *remote_host; int ret; TALLOC_CTX *frame = talloc_stackframe(); ret = tsocket_address_bsd_from_sockaddr(frame, from_addr, sa_socklen, &remote_host); if (ret != 0) { ui.remote_host = NULL; } else { ui.remote_host = remote_host; } log_authentication_event(kdc_db_ctx->msg_ctx, kdc_db_ctx->lp_ctx, &ui, NT_STATUS_NO_SUCH_USER, NULL, NULL, NULL, NULL); TALLOC_FREE(frame); break; } } return 0; }
static NTSTATUS authsam_authenticate(struct auth4_context *auth_context, TALLOC_CTX *mem_ctx, struct ldb_context *sam_ctx, struct ldb_dn *domain_dn, struct ldb_message *msg, const struct auth_usersupplied_info *user_info, DATA_BLOB *user_sess_key, DATA_BLOB *lm_sess_key, bool *authoritative) { NTSTATUS nt_status; bool interactive = (user_info->password_state == AUTH_PASSWORD_HASH); uint32_t acct_flags = samdb_result_acct_flags(msg, NULL); struct netr_SendToSamBase *send_to_sam = NULL; TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx); if (!tmp_ctx) { return NT_STATUS_NO_MEMORY; } /* You can only do an interactive login to normal accounts */ if (user_info->flags & USER_INFO_INTERACTIVE_LOGON) { if (!(acct_flags & ACB_NORMAL)) { TALLOC_FREE(tmp_ctx); return NT_STATUS_NO_SUCH_USER; } if (acct_flags & ACB_SMARTCARD_REQUIRED) { if (acct_flags & ACB_DISABLED) { DEBUG(2,("authsam_authenticate: Account for user '%s' " "was disabled.\n", user_info->mapped.account_name)); TALLOC_FREE(tmp_ctx); return NT_STATUS_ACCOUNT_DISABLED; } DEBUG(2,("authsam_authenticate: Account for user '%s' " "requires interactive smartcard logon.\n", user_info->mapped.account_name)); TALLOC_FREE(tmp_ctx); return NT_STATUS_SMARTCARD_LOGON_REQUIRED; } } nt_status = authsam_password_check_and_record(auth_context, tmp_ctx, domain_dn, msg, acct_flags, user_info, user_sess_key, lm_sess_key, authoritative); if (!NT_STATUS_IS_OK(nt_status)) { TALLOC_FREE(tmp_ctx); return nt_status; } nt_status = authsam_account_ok(tmp_ctx, auth_context->sam_ctx, user_info->logon_parameters, domain_dn, msg, user_info->workstation_name, user_info->mapped.account_name, false, false); if (!NT_STATUS_IS_OK(nt_status)) { TALLOC_FREE(tmp_ctx); return nt_status; } nt_status = authsam_logon_success_accounting(auth_context->sam_ctx, msg, domain_dn, interactive, &send_to_sam); if (send_to_sam != NULL) { auth_sam_trigger_zero_password(tmp_ctx, auth_context->msg_ctx, auth_context->event_ctx, send_to_sam); } if (!NT_STATUS_IS_OK(nt_status)) { TALLOC_FREE(tmp_ctx); return nt_status; } if (user_sess_key && user_sess_key->data) { talloc_steal(mem_ctx, user_sess_key->data); } if (lm_sess_key && lm_sess_key->data) { talloc_steal(mem_ctx, lm_sess_key->data); } TALLOC_FREE(tmp_ctx); return nt_status; }