author | Stefan Metzmacher <metze@samba.org> | 2017-02-23 11:54:21 +0100 |
---|---|---|
committer | Karolin Seeger <kseeger@samba.org> | 2017-02-28 09:38:24 +0100 |
commit | fa1846cb67b8d7373fd19af3722abd3ebf806696 (patch) | |
tree | b2be58dd4eda5b2e431c7c912caaf50b3b784f31 | |
parent | ba39080cbe3443ff08d231e30a99bb754f83edc2 (diff) | |
download | samba-fa1846cb67b8d7373fd19af3722abd3ebf806696.tar.gz |
s3:libads: add more debugging to ads_sasl_spnego_bind()
Any fallbacks to other authentication methods should be logged.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12598
Signed-off-by: Stefan Metzmacher <metze@samba.org>
(similar to commit ea0bc12ba52166032d5112ee22ab53d831c13e86)
-rw-r--r-- | source3/libads/sasl.c | 25 |
1 files changed, 24 insertions, 1 deletions
diff --git a/source3/libads/sasl.c b/source3/libads/sasl.c index 39c60c3e14d..c2564cbc886 100644 --- a/source3/libads/sasl.c +++ b/source3/libads/sasl.c @@ -703,6 +703,7 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads) #ifdef HAVE_KRB5 bool got_kerberos_mechanism = False; #endif + const char *mech = NULL; rc = ldap_sasl_bind_s(ads->ldap.ld, NULL, "GSS-SPNEGO", NULL, NULL, NULL, &scred); @@ -749,6 +750,8 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads) if (!(ads->auth.flags & ADS_AUTH_DISABLE_KERBEROS) && got_kerberos_mechanism) { + mech = "KRB5"; + if (ads->auth.password == NULL || ads->auth.password[0] == '\0') { @@ -775,7 +778,11 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads) blob); if (!ADS_ERR_OK(status)) { DEBUG(0,("kinit succeeded but " - "ads_sasl_spnego_gensec_bind(KRB5) failed: %s\n", + "ads_sasl_spnego_gensec_bind(KRB5) failed: " + "for %s/%s user[%s] realm[%s]: %s\n", + p.service, p.hostname, + ads->auth.user_name, + ads->auth.realm, ads_errstr(status))); } } 
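Review bot: The messages added for this one event family use three different shapes, which makes them awkward to match in log searches or alert rules. Here the text reads `failed: for %s/%s user[%s] realm[%s]` (stray colon, no `with`), the fallback message in the last hunk uses `failed for %s/%s with user[%s] realm[%s]`, and the one after `done:` uses `realm=[%s]`. I would settle on one form in all three places, e.g. `"failed for %s/%s with user[%s] realm[%s]: %s\n"`. The enclosing function starts and ends outside this hunk.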
@@ -785,17 +792,33 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads) !(ads->auth.flags & ADS_AUTH_ALLOW_NTLMSSP)) { goto done; } + + DEBUG(1,("ads_sasl_spnego_gensec_bind(KRB5) failed for %s/%s " + "with user[%s] realm[%s]: %s, fallback to NTLMSSP\n", + p.service, p.hostname, + ads->auth.user_name, + ads->auth.realm, + ads_errstr(status))); } #endif /* lets do NTLMSSP ... this has the big advantage that we don't need to sync clocks, and we don't rely on special versions of the krb5 library for HMAC_MD4 encryption */ + mech = "NTLMSSP"; status = ads_sasl_spnego_gensec_bind(ads, "GSS-SPNEGO", CRED_DONT_USE_KERBEROS, p.service, p.hostname, data_blob_null); done: + if (!ADS_ERR_OK(status)) { + DEBUG(1,("ads_sasl_spnego_gensec_bind(%s) failed for %s/%s " + "with user[%s] realm=[%s]: %s\n", mech, + p.service, p.hostname, + ads->auth.user_name, + ads->auth.realm, + ads_errstr(status))); + } ads_free_service_principal(&p); TALLOC_FREE(frame); if (blob.data != NULL) { |
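Review bot: `mech` can still be NULL when the new block after `done:` formats it with `%s`, because the first hunk initialises it to NULL and it is only assigned inside the Kerberos branch or just before the NTLMSSP call. Any earlier `goto done` with a failed status would pass NULL to `%s` and report an `ads_sasl_spnego_gensec_bind()` failure for a call that never ran; those paths are outside the visible hunks, so this is inferred. Guarding the block with `if (!ADS_ERR_OK(status) && mech != NULL) {` keeps the message truthful, and `ads->auth.user_name` and `ads->auth.realm` deserve the same check if they can be unset here. Separately, the Kerberos-to-NTLMSSP fallback is the event the commit message says must be logged, but it is emitted with `DEBUG(1,` and so does not appear at log level 0; consider level 0, or document the level needed to see it.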