diff options
author | Joseph Sutton <josephsutton@catalyst.net.nz> | 2022-03-15 15:34:34 +1300 |
---|---|---|
committer | Jule Anger <janger@samba.org> | 2022-03-17 09:14:56 +0000 |
commit | 507ececf03d8644b93a9ea953f6ab1c4aefb8e47 (patch) | |
tree | e53f3e1761cdcb9a01414d99afe066a497d8c972 | |
parent | 9272ec1a2452ecea60b894f649c18d870cf9e2aa (diff) | |
download | samba-507ececf03d8644b93a9ea953f6ab1c4aefb8e47.tar.gz |
s4-kdc: Handle previously unhandled auth event types
Cases to handle KDC_AUTH_EVENT_VALIDATED_LONG_TERM_KEY and
KDC_AUTH_EVENT_PREAUTH_SUCCEEDED were removed in:
commit 791be84c3eecb95e03611458e2305bae272ba267
Author: Stefan Metzmacher <metze@samba.org>
Date: Wed Mar 2 10:10:08 2022 +1300
s4:kdc: hdb_samba4_audit() is only called once per request
Normally these auth event types are overwritten with the
KDC_AUTH_EVENT_CLIENT_AUTHORIZED event type, but if a client passes the
pre-authentication check, and happens to fail the client access check
(e.g. because the account is disabled), we get error messages of the
form:
hdb_samba4_audit: Unhandled hdb_auth_status=9 => INTERNAL_ERROR
To avoid such errors, use the error code provided in the request
structure to obtain a relevant status code in cases not handled
explicitly.
For unexpected values we return KRB5KRB_ERR_GENERIC
in order to hopefully prevent success. And within make test
we panic in order let a ci run fail.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15015
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit b01388da8a72c11c46bb27e773b354520bc6ac88)
-rw-r--r-- | source4/kdc/hdb-samba4.c | 43 |
1 files changed, 43 insertions, 0 deletions
diff --git a/source4/kdc/hdb-samba4.c b/source4/kdc/hdb-samba4.c index 5720dfadc1f..ceb3a292160 100644 --- a/source4/kdc/hdb-samba4.c +++ b/source4/kdc/hdb-samba4.c @@ -612,7 +612,40 @@ static krb5_error_code hdb_samba4_audit(krb5_context context, ui.auth_description = auth_description; if (hdb_auth_status == KDC_AUTH_EVENT_CLIENT_AUTHORIZED) { + /* This is the final sucess */ status = NT_STATUS_OK; + } else if (hdb_auth_status == KDC_AUTH_EVENT_VALIDATED_LONG_TERM_KEY) { + /* + * This was only a pre-authentication success, + * but we didn't reach the final + * KDC_AUTH_EVENT_CLIENT_AUTHORIZED, + * so consult the error code. + */ + if (r->error_code == 0) { + DBG_ERR("ERROR: VALIDATED_LONG_TERM_KEY " + "with error=0 => INTERNAL_ERROR\n"); + status = NT_STATUS_INTERNAL_ERROR; + final_ret = KRB5KRB_ERR_GENERIC; + r->error_code = final_ret; + } else { + status = krb5_to_nt_status(r->error_code); + } + } else if (hdb_auth_status == KDC_AUTH_EVENT_PREAUTH_SUCCEEDED) { + /* + * This was only a pre-authentication success, + * but we didn't reach the final + * KDC_AUTH_EVENT_CLIENT_AUTHORIZED, + * so consult the error code. + */ + if (r->error_code == 0) { + DBG_ERR("ERROR: PREAUTH_SUCCEEDED " + "with error=0 => INTERNAL_ERROR\n"); + status = NT_STATUS_INTERNAL_ERROR; + final_ret = KRB5KRB_ERR_GENERIC; + r->error_code = final_ret; + } else { + status = krb5_to_nt_status(r->error_code); + } } else if (hdb_auth_status == KDC_AUTH_EVENT_CLIENT_TIME_SKEW) { status = NT_STATUS_TIME_DIFFERENCE_AT_DC; } else if (hdb_auth_status == KDC_AUTH_EVENT_WRONG_LONG_TERM_KEY) { @@ -640,6 +673,8 @@ static krb5_error_code hdb_samba4_audit(krb5_context context, DBG_ERR("Unhandled hdb_auth_status=%d => INTERNAL_ERROR\n", hdb_auth_status); status = NT_STATUS_INTERNAL_ERROR; + final_ret = KRB5KRB_ERR_GENERIC; + r->error_code = final_ret; } if (rwdc_fallback) { @@ -664,6 +699,14 @@ static krb5_error_code hdb_samba4_audit(krb5_context context, domain_name, account_name, sid); + if (final_ret == KRB5KRB_ERR_GENERIC && socket_wrapper_enabled()) { + /* + * If we're running under make test + * just panic + */ + DBG_ERR("Unexpected situation => PANIC\n"); + smb_panic("hdb_samba4_audit: Unexpected situation"); + } TALLOC_FREE(frame); break; } |