s4-kdc: Handle previously unhandled auth event types

Cases to handle KDC_AUTH_EVENT_VALIDATED_LONG_TERM_KEY and
KDC_AUTH_EVENT_PREAUTH_SUCCEEDED were removed in:

commit 791be84c3eecb95e03611458e2305bae272ba267
Author: Stefan Metzmacher <metze@samba.org>
Date:   Wed Mar 2 10:10:08 2022 +1300

    s4:kdc: hdb_samba4_audit() is only called once per request

Normally these auth event types are overwritten with the
KDC_AUTH_EVENT_CLIENT_AUTHORIZED event type, but if a client passes the
pre-authentication check, and happens to fail the client access check
(e.g. because the account is disabled), we get error messages of the
form:
hdb_samba4_audit: Unhandled hdb_auth_status=9 => INTERNAL_ERROR

To avoid such errors, use the error code provided in the request
structure to obtain a relevant status code in cases not handled
explicitly.

For unexpected values we return KRB5KRB_ERR_GENERIC
in order to hopefully prevent success. And within make test
we panic in order let a ci run fail.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15015

Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit b01388da8a72c11c46bb27e773b354520bc6ac88)

1 files changed, 43 insertions, 0 deletions

diff --git a/source4/kdc/hdb-samba4.c b/source4/kdc/hdb-samba4.c
index 5720dfadc1f..ceb3a292160 100644
--- a/source4/kdc/hdb-samba4.c
+++ b/source4/kdc/hdb-samba4.c
@@ -612,7 +612,40 @@ static krb5_error_code hdb_samba4_audit(krb5_context context,
 		ui.auth_description = auth_description;
 
 		if (hdb_auth_status == KDC_AUTH_EVENT_CLIENT_AUTHORIZED) {
+			/* This is the final sucess */
 			status = NT_STATUS_OK;
+		} else if (hdb_auth_status == KDC_AUTH_EVENT_VALIDATED_LONG_TERM_KEY) {
+			/*
+			 * This was only a pre-authentication success,
+			 * but we didn't reach the final
+			 * KDC_AUTH_EVENT_CLIENT_AUTHORIZED,
+			 * so consult the error code.
+			 */
+			if (r->error_code == 0) {
+				DBG_ERR("ERROR: VALIDATED_LONG_TERM_KEY "
+					"with error=0 => INTERNAL_ERROR\n");
+				status = NT_STATUS_INTERNAL_ERROR;
+				final_ret = KRB5KRB_ERR_GENERIC;
+				r->error_code = final_ret;
+			} else {
+				status = krb5_to_nt_status(r->error_code);
+			}
+		} else if (hdb_auth_status == KDC_AUTH_EVENT_PREAUTH_SUCCEEDED) {
+			/*
+			 * This was only a pre-authentication success,
+			 * but we didn't reach the final
+			 * KDC_AUTH_EVENT_CLIENT_AUTHORIZED,
+			 * so consult the error code.
+			 */
+			if (r->error_code == 0) {
+				DBG_ERR("ERROR: PREAUTH_SUCCEEDED "
+					"with error=0 => INTERNAL_ERROR\n");
+				status = NT_STATUS_INTERNAL_ERROR;
+				final_ret = KRB5KRB_ERR_GENERIC;
+				r->error_code = final_ret;
+			} else {
+				status = krb5_to_nt_status(r->error_code);
+			}
 		} else if (hdb_auth_status == KDC_AUTH_EVENT_CLIENT_TIME_SKEW) {
 			status = NT_STATUS_TIME_DIFFERENCE_AT_DC;
 		} else if (hdb_auth_status == KDC_AUTH_EVENT_WRONG_LONG_TERM_KEY) {
@@ -640,6 +673,8 @@ static krb5_error_code hdb_samba4_audit(krb5_context context,
 			DBG_ERR("Unhandled hdb_auth_status=%d => INTERNAL_ERROR\n",
 				hdb_auth_status);
 			status = NT_STATUS_INTERNAL_ERROR;
+			final_ret = KRB5KRB_ERR_GENERIC;
+			r->error_code = final_ret;
 		}
 
 		if (rwdc_fallback) {
@@ -664,6 +699,14 @@ static krb5_error_code hdb_samba4_audit(krb5_context context,
 					 domain_name,
 					 account_name,
 					 sid);
+		if (final_ret == KRB5KRB_ERR_GENERIC && socket_wrapper_enabled()) {
+			/*
+			 * If we're running under make test
+			 * just panic
+			 */
+			DBG_ERR("Unexpected situation => PANIC\n");
+			smb_panic("hdb_samba4_audit: Unexpected situation");
+		}
 		TALLOC_FREE(frame);
 		break;
 	}