SMB: Kerberos and NTLM auth should do the same post-work
smbd_user_auth_logon() handles NTLM authentication for the SMB server. However, it also handles adding the autohome share for the user (if it exists), as well as logon auditing.
smbd_krb5ssp_work() handles Kerberos authentication for the SMB server. It does not, however, currently handle adding the autohome share or logon auditing, though it should.
Since this work is common to all forms of SMB authentication, both Kerberos and NTLM should do the same post-authentication work.

This can be reproduced by the following:
- auditconfig -setflags lo -setnaflags lo
- audit -s
- Authenticate a client to the SMB server over NTLM (e.g. via IP address)
- Check audit records for an AUE_smbd_session event
- Authenticate a client via Kerberos (e.g. via FQDN)
- Check audit records for a new AUE_smbd_session event
- Set up an autohome share for a user in /etc/smbautohome
- Connect that user to their autohome share via Kerberos (it should fail)
- Log off that user
- Connect that same user to their autohome share via NTLM (it should succeed)
Testing was done by following the reproduction steps, verifying that logon and logoff records are correctly generated, as well as verifying that the autohome share is created when the user logs on, and is destroyed when the user logs off.
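
The divergence described above and the shape of the fix, as an added toy model in C. It is not code from illumos or from the commit, and every name in it (session_t, has_autohome, post_auth, logon_before, logon_after, session_logoff) is hypothetical:

```c
/* Toy model of the issue (added example, not illumos smbd code; all names hypothetical). */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

typedef enum { AUTH_NTLM, AUTH_KRB5 } auth_mech_t;
typedef struct {
	const char *user;
	bool autohome_shared;	/* autohome share currently published */
	int logon_audits;	/* logon audit records emitted */
	int logoff_audits;	/* logoff audit records emitted */
} session_t;

/* Constructed stand-in for an /etc/smbautohome lookup: only "alice" has an entry. */
static bool has_autohome(const char *user) { return strcmp(user, "alice") == 0; }

/* Post-authentication work that does not depend on the mechanism. */
static void post_auth(session_t *s) {
	if (has_autohome(s->user))
		s->autohome_shared = true;
	s->logon_audits++;
}

/* Before: only the NTLM path does the post-work, so Kerberos logons go unaudited. */
static void logon_before(session_t *s, auth_mech_t mech, bool creds_ok) {
	if (creds_ok && mech == AUTH_NTLM)
		post_auth(s);
}

/* After: every successful logon funnels through post_auth(). */
static void logon_after(session_t *s, auth_mech_t mech, bool creds_ok) {
	(void)mech;	/* the mechanism only determines how creds_ok was reached */
	if (creds_ok)
		post_auth(s);
}

/* Logoff removes the autohome share and emits the logoff record. */
static void session_logoff(session_t *s) {
	s->autohome_shared = false;
	s->logoff_audits++;
}

int main(void) {
	session_t b = { "alice", false, 0, 0 }, a = { "alice", false, 0, 0 };
	logon_before(&b, AUTH_KRB5, true);
	logon_after(&a, AUTH_KRB5, true);
	printf("krb5 before fix: share=%d audits=%d\n", b.autohome_shared, b.logon_audits);
	printf("krb5 after fix:  share=%d audits=%d\n", a.autohome_shared, a.logon_audits);
	session_logoff(&a);
	return 0;
}
```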
Updated by Electric Monk 22 days ago
- Status changed from In Progress to Closed
- % Done changed from 0 to 100
commit ba5ca68405ba4441c86a6cfc87f4ddcb3565c81d
Author: Matt Barden <firstname.lastname@example.org>
Date: 2022-07-20T21:25:37.000Z

14647 SMB: Kerberos and NTLM auth should do the same post-work
Reviewed by: Gordon Ross <Gordon.W.Ross@gmail.com>
Reviewed by: Toomas Soome <email@example.com>
Reviewed by: C Fraire <firstname.lastname@example.org>
Approved by: Robert Mustacchi <email@example.com>