authorAndrew Bartlett <abartlet@samba.org>2017-02-21 14:07:54 +1300
committerAndrew Bartlett <abartlet@samba.org>2017-03-29 02:37:28 +0200
commitf498ba77df2313e78863e5f2706840c43e232a96 (patch)
treef9946b6f23308cb8288ed363658fbc5207f94aa6 /source4/heimdal
parent7cbe1c844ea359b6d5386b3986aa16152e975f3d (diff)
heimdal: Pass extra information to hdb_auth_status() to log success and failures
We now pass on the original client name and the client address to allow consistent audit logging in Samba across multiple protocols. We use config->db[0] to find the first database to record incorrect users. Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Diffstat (limited to 'source4/heimdal')
-rw-r--r--source4/heimdal/kdc/kerberos5.c39
-rw-r--r--source4/heimdal/lib/hdb/hdb.h11
2 files changed, 44 insertions, 6 deletions
diff --git a/source4/heimdal/kdc/kerberos5.c b/source4/heimdal/kdc/kerberos5.c
index bd339b343a5..4baf90e41d8 100644
--- a/source4/heimdal/kdc/kerberos5.c
+++ b/source4/heimdal/kdc/kerberos5.c
@@ -1090,6 +1090,13 @@ _kdc_as_rep(krb5_context context,
kdc_log(context, config, 0, "UNKNOWN -- %s: %s", client_name, msg);
krb5_free_error_message(context, msg);
ret = KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN;
+
+ if (config->db[0] && config->db[0]->hdb_auth_status)
+ (config->db[0]->hdb_auth_status)(context, config->db[0], NULL,
+ from_addr,
+ client_name,
+ NULL,
+ HDB_AUTH_CLIENT_UNKNOWN);
goto out;
}
ret = _kdc_db_fetch(context, config, server_princ,
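Review bot: The new guard on the unknown-client path checks `config->db[0]` for NULL but never checks that a database is configured at all, so if the db array can be empty the `db[0]` access happens before any check; the fetch helper a few lines below presumably walks the configured databases rather than assuming a first one. Suggest `if (config->num_db > 0 && config->db[0] && config->db[0]->hdb_auth_status)`, assuming the configuration keeps that count as the KDC does elsewhere. This is also the only call site in the commit that passes a NULL entry, so every backend implementing the callback must now tolerate `hdb_entry_ex == NULL` for HDB_AUTH_CLIENT_UNKNOWN; a comment such as `/* no entry: client unknown to db[0]; backends must accept NULL here */` would make that visible at the call. `_kdc_as_rep` starts and ends outside this hunk.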
@@ -1194,6 +1201,12 @@ _kdc_as_rep(krb5_context context,
kdc_log(context, config, 0,
"PKINIT pre-authentication succeeded -- %s using %s",
client_name, client_cert);
+ if (clientdb->hdb_auth_status)
+ (clientdb->hdb_auth_status)(context, clientdb, client,
+ from_addr,
+ client_name,
+ "PKINIT",
+ HDB_AUTH_PKINIT_SUCCESS);
free(client_cert);
if (pkp)
goto preauth_done;
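Review bot: `auth_type` is given the mechanism name "PKINIT" here, while the ENC-TS hunks (@@ -1291 and @@ -1362) pass the enctype name and the final call (@@ -1414) passes NULL, so the same parameter carries three different kinds of value and a backend can only interpret it after switching on the status code. If that is intended, the hdb.h prototype should say so per status; otherwise pass "ENC-TS" in the timestamp paths and leave the enctype in the kdc_log line only. The callback's return code is discarded here as at every other call site, which matches the pre-existing call this commit extends.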
@@ -1291,22 +1304,30 @@ _kdc_as_rep(krb5_context context,
pa_key->key.keytype, &str);
if (ret2)
str = NULL;
+
kdc_log(context, config, 5,
"Failed to decrypt PA-DATA -- %s "
"(enctype %s) error %s",
client_name, str ? str : "unknown enctype", msg);
krb5_free_error_message(context, msg);
- free(str);
if(hdb_next_enctype2key(context, &client->entry,
- enc_data.etype, &pa_key) == 0)
+ enc_data.etype, &pa_key) == 0) {
+ free(str);
goto try_next_key;
+ }
e_text = "Failed to decrypt PA-DATA";
free_EncryptedData(&enc_data);
if (clientdb->hdb_auth_status)
- (clientdb->hdb_auth_status)(context, clientdb, client, HDB_AUTH_WRONG_PASSWORD);
+ (clientdb->hdb_auth_status)(context, clientdb, client,
+ from_addr,
+ client_name,
+ str ? str : "unknown enctype",
+ HDB_AUTH_WRONG_PASSWORD);
+
+ free(str);
ret = KRB5KDC_ERR_PREAUTH_FAILED;
continue;
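Review bot: The fallback `str ? str : "unknown enctype"` is now spelled out at the kdc_log call, again in the new hdb_auth_status call below it, and a third time in the ENC-TS success hunk (@@ -1362); hoist it once after `if (ret2) str = NULL;` as `const char *etype_name = str ? str : "unknown enctype";` and use it at all three sites. Moving `free(str)` onto the two exit paths looks correct as far as the hunk shows, but a comment on the `try_next_key` branch, `/* str is reassigned by krb5_enctype_to_string on the next decrypt failure */`, would make the lifetime obvious to the next reader. The surrounding loop begins before and continues past this hunk.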
@@ -1362,6 +1383,13 @@ _kdc_as_rep(krb5_context context,
kdc_log(context, config, 2,
"ENC-TS Pre-authentication succeeded -- %s using %s",
client_name, str ? str : "unknown enctype");
+ if (clientdb->hdb_auth_status)
+ (clientdb->hdb_auth_status)(context, clientdb, client,
+ from_addr,
+ client_name,
+ str ? str : "unknown enctype",
+ HDB_AUTH_CORRECT_PASSWORD);
+
free(str);
break;
}
@@ -1414,7 +1442,10 @@ _kdc_as_rep(krb5_context context,
if (clientdb->hdb_auth_status)
(clientdb->hdb_auth_status)(context, clientdb, client,
- HDB_AUTH_SUCCESS);
+ from_addr,
+ client_name,
+ NULL,
+ HDB_AUTHZ_SUCCESS);
/*
* Selelct the best encryption type for the KDC with out regard to
diff --git a/source4/heimdal/lib/hdb/hdb.h b/source4/heimdal/lib/hdb/hdb.h
index 75d18770f01..1af798d3512 100644
--- a/source4/heimdal/lib/hdb/hdb.h
+++ b/source4/heimdal/lib/hdb/hdb.h
@@ -70,9 +70,12 @@ enum hdb_lockop{ HDB_RLOCK, HDB_WLOCK };
#define HDB_CAP_F_PASSWORD_UPDATE_KEYS 4
/* auth status values */
-#define HDB_AUTH_SUCCESS 0
+#define HDB_AUTHZ_SUCCESS 0
#define HDB_AUTH_WRONG_PASSWORD 1
#define HDB_AUTH_INVALID_SIGNATURE 2
+#define HDB_AUTH_CORRECT_PASSWORD 3
+#define HDB_AUTH_PKINIT_SUCCESS 4
+#define HDB_AUTH_CLIENT_UNKNOWN 5
/* key usage for master key */
#define HDB_KU_MKEY 0x484442
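Review bot: Renaming `HDB_AUTH_SUCCESS` to `HDB_AUTHZ_SUCCESS` is an intentional source-level break for any backend built against the old header, but nothing in the header says why the name changed. A one-line comment above the list, `/* HDB_AUTHZ_SUCCESS: reported once the AS request is fully authorized; the credential check itself is HDB_AUTH_CORRECT_PASSWORD or HDB_AUTH_PKINIT_SUCCESS */`, would stop a backend author from treating the two as the same event. With six values that backends will switch on, an `enum` instead of the `#define`s would also be debugger-visible and give a typed value to switch over, though that goes beyond this change.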
@@ -244,7 +247,11 @@ typedef struct HDB{
* In case the entry is locked out, the backend should set the
* hdb_entry.flags.locked-out flag.
*/
- krb5_error_code (*hdb_auth_status)(krb5_context, struct HDB *, hdb_entry_ex *, int);
+ krb5_error_code (*hdb_auth_status)(krb5_context, struct HDB *,
+ hdb_entry_ex *, struct sockaddr *from_addr,
+ const char *original_client_name,
+ const char *auth_type,
+ int);
/**
* Check if delegation is allowed.
*/
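Review bot: The prototype gains four parameters but the doc comment immediately above it (only its tail is visible in the hunk) is not updated, so a backend author has to read kerberos5.c to learn the contract. From the call sites in this commit: `hdb_entry_ex` is NULL for HDB_AUTH_CLIENT_UNKNOWN, `auth_type` is NULL for HDB_AUTHZ_SUCCESS and HDB_AUTH_CLIENT_UNKNOWN, and `original_client_name` is the name taken from the request rather than from a database entry, so it can be an arbitrary client-chosen string and should be quoted or sanitized by any backend that writes it to a log. Suggest documenting each parameter in that comment with those facts, plus that the KDC ignores the return value. `from_addr` could also be `const struct sockaddr *`, since no call site needs the backend to modify it, and if the header carries an HDB interface version constant it should be bumped because the callback's type changed.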