Bug #14647

closed

SMB: Kerberos and NTLM auth should do the same post-work

Added by Matt Barden 4 months ago. Updated 22 days ago.

Status: Closed
Priority: Normal
Assignee:
Category: smb - SMB server and client
Start date:
Due date:
% Done: 100%
Estimated time:
Difficulty: Medium
Tags:
Gerrit CR:

Description

smbd_user_auth_logon() handles NTLM authentication for the SMB server. However, it also handles adding the autohome share for the user (if it exists), as well as logon auditing.
smbd_krb5ssp_work() handles Kerberos authentication for the SMB server. It does not, however, currently handle adding the autohome share or logon auditing, though it should.

Since this work is common to all forms of SMB authentication, both Kerberos and NTLM should do the same post-authentication work.

This can be reproduced by the following:
  1. auditconfig -setflags lo -setnaflags lo
  2. audit -s
  3. Authenticate a client to the SMB server over NTLM (e.g. via IP address)
  4. Check audit records for an AUE_smbd_session event
  5. Authenticate a client via Kerberos (e.g. via FQDN)
  6. Check audit records for a new AUE_smbd_session event

or:

  1. set up an autohome share for a user in /etc/smbautohome
  2. connect that user to their autohome share via Kerberos (it should fail)
  3. logoff that user
  4. connect that same user to their autohome share via NTLM (it should succeed)

Testing was done by following the reproduction steps, verifying that logon and logoff records are correctly generated, as well as verifying that the autohome share is created when the user logs on, and is destroyed when the user logs off.
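
The gap described in this issue, as an added example that is not part of the original report or of the illumos commit: a simplified C model in which the post-authentication work (logon audit record, autohome share) sits inside the NTLM path only, next to the form where every mechanism runs one shared step. All type and function names, and the user "alice", are hypothetical.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Simplified model; every name here is hypothetical, not illumos smbd code. */
typedef enum { MECH_NTLM, MECH_KRB5 } mech_t;
typedef struct {
    const char *user;
    bool logged_on;
    int  audit_records;    /* logon/logoff audit events written so far */
    bool autohome_shared;  /* user's autohome share currently published */
} session_t;

/* Constructed stand-in for a lookup in /etc/smbautohome. */
static bool has_autohome(const char *user) { return strcmp(user, "alice") == 0; }

/* Post-authentication work that is common to every mechanism. */
static void logon_postwork(session_t *s) {
    s->audit_records++;                          /* logon audit record */
    s->autohome_shared = has_autohome(s->user);  /* publish share if configured */
}

/* Before: the post-work lives in the NTLM path, so Kerberos skips it. */
static void logon_before(session_t *s, mech_t m) {
    s->logged_on = true;           /* credential check not modelled */
    if (m == MECH_NTLM)
        logon_postwork(s);
}

/* After: a mechanism only authenticates; one shared step always follows. */
static void logon_after(session_t *s, mech_t m) {
    (void)m;                       /* the mechanism no longer changes the outcome */
    s->logged_on = true;
    logon_postwork(s);
}

/* Logoff mirrors logon: audit record written, autohome share removed. */
static void logoff(session_t *s) {
    if (!s->logged_on) return;
    s->logged_on = false;
    s->audit_records++;
    s->autohome_shared = false;
}

int main(void) {
    session_t b = { "alice", false, 0, false }, a = b;
    logon_before(&b, MECH_KRB5);
    logon_after(&a, MECH_KRB5);
    printf("krb5 before: audit=%d autohome=%d\n", b.audit_records, b.autohome_shared);
    printf("krb5 after:  audit=%d autohome=%d\n", a.audit_records, a.autohome_shared);
    logoff(&a);
    return 0;
}
```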

Actions #1

Updated by Electric Monk 2 months ago

  • Gerrit CR set to 2181

Actions #2

Updated by Electric Monk 22 days ago

  • Status changed from In Progress to Closed
  • % Done changed from 0 to 100

git commit ba5ca68405ba4441c86a6cfc87f4ddcb3565c81d

commit  ba5ca68405ba4441c86a6cfc87f4ddcb3565c81d
Author: Matt Barden <mbarden@tintri.com>
Date:   2022-07-20T21:25:37.000Z

    14647 SMB: Kerberos and NTLM auth should do the same post-work
    Reviewed by: Gordon Ross <Gordon.W.Ross@gmail.com>
    Reviewed by: Toomas Soome <tsoome@me.com>
    Reviewed by: C Fraire <cfraire@me.com>
    Approved by: Robert Mustacchi <rm@fingolfin.org>
