authorAndreas Schneider <asn@samba.org>2018-11-16 18:23:35 +0100
committerAndreas Schneider <asn@cryptomilk.org>2019-02-18 13:01:12 +0100
commit03357bc825605ba88ef5a39b1fa318c834cbbb1b (patch)
treefe8f295db0482e11268621ec54ffe58f2d26bfd4 /nsswitch
parent6b4ae52f224ea6700527cd034353fe561cda0485 (diff)
nssswitch: Log user access to kerberos
Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Noel Power <npower@samba.org> Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org> Autobuild-Date(master): Mon Feb 18 13:01:12 CET 2019 on sn-devel-144
Diffstat (limited to 'nsswitch')
-rw-r--r--nsswitch/krb5_plugin/winbind_krb5_localauth.c21
1 files changed, 16 insertions, 5 deletions
diff --git a/nsswitch/krb5_plugin/winbind_krb5_localauth.c b/nsswitch/krb5_plugin/winbind_krb5_localauth.c
index f87b19abed6..293f5297ca8 100644
--- a/nsswitch/krb5_plugin/winbind_krb5_localauth.c
+++ b/nsswitch/krb5_plugin/winbind_krb5_localauth.c
@@ -98,14 +98,12 @@ static krb5_error_code winbind_userok(krb5_context context,
cmp = strcasecmp(princ_str, lname);
if (cmp == 0) {
- krb5_free_unparsed_name(context, princ_str);
- return 0;
+ goto out;
}
wbc_status = wbcCtxGetpwnam(data->wbc_ctx,
princ_str,
&pwd);
- krb5_free_unparsed_name(context, princ_str);
switch (wbc_status) {
case WBC_ERR_SUCCESS:
princ_uid = pwd->pw_uid;
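Review bot: The `goto out` taken when `strcasecmp(princ_str, lname)` matches jumps past the `com_err()` call added at the end of the function, so a grant decided on this fast path leaves no log record. The `goto out` error exits in the next two hunks skip it the same way, so a denial caused by a failed lookup is not logged either. If the intent is a record of every decision, emit one before the jump, e.g. `com_err("winbind_localauth", 0, "Access granted: %s equal to %s", princ_str, lname);`. This path also now returns `code` rather than a literal 0, which is only correct if `code` is still 0 here; its last assignment and the start of winbind_userok are above the hunk.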
@@ -123,7 +121,7 @@ static krb5_error_code winbind_userok(krb5_context context,
}
wbcFreeMemory(pwd);
if (code != 0) {
- return code;
+ goto out;
}
wbc_status = wbcCtxGetpwnam(data->wbc_ctx,
@@ -145,13 +143,26 @@ static krb5_error_code winbind_userok(krb5_context context,
}
wbcFreeMemory(pwd);
if (code != 0) {
- return code;
+ goto out;
}
if (princ_uid != lname_uid) {
code = EPERM;
}
+ com_err("winbind_localauth",
+ code,
+ "Access %s: %s (uid=%u) %sequal to %s (uid=%u)",
+ code == 0 ? "granted" : "denied",
+ princ_str,
+ (unsigned int)princ_uid,
+ code == 0 ? "" : "not ",
+ lname,
+ (unsigned int)lname_uid);
+
+out:
+ krb5_free_unparsed_name(context, princ_str);
+
return code;
}
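Review bot: The `com_err()` call writes `princ_str` and `lname` into the log line verbatim, and `lname` appears to be a caller-supplied parameter, so a name carrying a newline or other control character could split or forge records unless the caller or the log sink filters it. com_err() also only goes where the host process's hook sends it (stderr when no hook is installed), so it is worth confirming the record reaches a persistent log in the programs that load this plugin. A comment above the call would record both assumptions: `/* names are logged unescaped; output goes to the host's com_err hook */`. The function begins outside the hunk.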