author | Andrew Bartlett <abartlet@samba.org> | 2017-02-21 14:07:54 +1300 |
committer | Andrew Bartlett <abartlet@samba.org> | 2017-03-29 02:37:28 +0200 |
commit | f498ba77df2313e78863e5f2706840c43e232a96 (patch) | |
tree | f9946b6f23308cb8288ed363658fbc5207f94aa6 /source4/heimdal | |
parent | 7cbe1c844ea359b6d5386b3986aa16152e975f3d (diff) | |
download | samba-f498ba77df2313e78863e5f2706840c43e232a96.tar.gz |
heimdal: Pass extra information to hdb_auth_status() to log success and failures
We now pass on the original client name and the client address to allow
consistent audit logging in Samba across multiple protocols.
We use config->db[0] to find the first database to record incorrect
users.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Diffstat (limited to 'source4/heimdal')
-rw-r--r-- | source4/heimdal/kdc/kerberos5.c | 39 | ||||
-rw-r--r-- | source4/heimdal/lib/hdb/hdb.h | 11 |
2 files changed, 44 insertions, 6 deletions
diff --git a/source4/heimdal/kdc/kerberos5.c b/source4/heimdal/kdc/kerberos5.c
index bd339b343a5..4baf90e41d8 100644
--- a/source4/heimdal/kdc/kerberos5.c
+++ b/source4/heimdal/kdc/kerberos5.c
@@ -1090,6 +1090,13 @@ _kdc_as_rep(krb5_context context,
 kdc_log(context, config, 0, "UNKNOWN -- %s: %s", client_name, msg);
 krb5_free_error_message(context, msg);
 ret = KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN;
+
+ if (config->db[0] && config->db[0]->hdb_auth_status)
+ (config->db[0]->hdb_auth_status)(context, config->db[0], NULL,
+ from_addr,
+ client_name,
+ NULL,
+ HDB_AUTH_CLIENT_UNKNOWN);
 goto out;
 }
 ret = _kdc_db_fetch(context, config, server_princ,
@@ -1194,6 +1201,12 @@ _kdc_as_rep(krb5_context context,
 kdc_log(context, config, 0, "PKINIT pre-authentication succeeded -- %s using %s", client_name, client_cert);
+ if (clientdb->hdb_auth_status)
+ (clientdb->hdb_auth_status)(context, clientdb, client,
+ from_addr,
+ client_name,
+ "PKINIT",
+ HDB_AUTH_PKINIT_SUCCESS);
 free(client_cert);
 if (pkp) goto preauth_done;
@@ -1291,22 +1304,30 @@ _kdc_as_rep(krb5_context context,
 pa_key->key.keytype, &str);
 if (ret2) str = NULL;
+
 kdc_log(context, config, 5, "Failed to decrypt PA-DATA -- %s " "(enctype %s) error %s", client_name, str ? str : "unknown enctype", msg);
 krb5_free_error_message(context, msg);
- free(str);
 if(hdb_next_enctype2key(context, &client->entry,
- enc_data.etype, &pa_key) == 0)
+ enc_data.etype, &pa_key) == 0) {
+ free(str);
 goto try_next_key;
+ }
 e_text = "Failed to decrypt PA-DATA";
 free_EncryptedData(&enc_data);
 if (clientdb->hdb_auth_status)
- (clientdb->hdb_auth_status)(context, clientdb, client, HDB_AUTH_WRONG_PASSWORD);
+ (clientdb->hdb_auth_status)(context, clientdb, client,
+ from_addr,
+ client_name,
+ str ? str : "unknown enctype",
+ HDB_AUTH_WRONG_PASSWORD);
+
+ free(str);
 ret = KRB5KDC_ERR_PREAUTH_FAILED;
 continue;
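Review bot: The new call in the unknown-client branch (hunk @@ -1090) passes NULL as the hdb_entry_ex argument, while the hdb_auth_status prototype and the doc comment above it in the hdb.h hunk (@@ -244) still read as if an entry is always present ("the backend should set the hdb_entry.flags.locked-out flag"), so every backend now needs a NULL check it did not need before. I would state the contract next to the member in hdb.h, e.g. `/* entry is NULL for HDB_AUTH_CLIENT_UNKNOWN; original_client_name is the name as supplied by the client */`. The callback's krb5_error_code return is discarded here, as at the other call sites, so a backend failure cannot alter the KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN result; if that is intended a `(void)` cast or a one-line comment would make it explicit. _kdc_as_rep begins and ends outside the hunk.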
@@ -1362,6 +1383,13 @@ _kdc_as_rep(krb5_context context,
 kdc_log(context, config, 2, "ENC-TS Pre-authentication succeeded -- %s using %s", client_name, str ? str : "unknown enctype");
+ if (clientdb->hdb_auth_status)
+ (clientdb->hdb_auth_status)(context, clientdb, client,
+ from_addr,
+ client_name,
+ str ? str : "unknown enctype",
+ HDB_AUTH_CORRECT_PASSWORD);
+
 free(str);
 break;
 }
@@ -1414,7 +1442,10 @@ _kdc_as_rep(krb5_context context,
 if (clientdb->hdb_auth_status)
 (clientdb->hdb_auth_status)(context, clientdb, client,
- HDB_AUTH_SUCCESS);
+ from_addr,
+ client_name,
+ NULL,
+ HDB_AUTHZ_SUCCESS);
 /*
 * Selelct the best encryption type for the KDC with out regard to
diff --git a/source4/heimdal/lib/hdb/hdb.h b/source4/heimdal/lib/hdb/hdb.h
index 75d18770f01..1af798d3512 100644
--- a/source4/heimdal/lib/hdb/hdb.h
+++ b/source4/heimdal/lib/hdb/hdb.h
@@ -70,9 +70,12 @@ enum hdb_lockop{ HDB_RLOCK, HDB_WLOCK };
 #define HDB_CAP_F_PASSWORD_UPDATE_KEYS 4
 /* auth status values */
-#define HDB_AUTH_SUCCESS 0
+#define HDB_AUTHZ_SUCCESS 0
 #define HDB_AUTH_WRONG_PASSWORD 1
 #define HDB_AUTH_INVALID_SIGNATURE 2
+#define HDB_AUTH_CORRECT_PASSWORD 3
+#define HDB_AUTH_PKINIT_SUCCESS 4
+#define HDB_AUTH_CLIENT_UNKNOWN 5
 /* key usage for master key */
 #define HDB_KU_MKEY 0x484442
@@ -244,7 +247,11 @@ typedef struct HDB{
 * In case the entry is locked out, the backend should set the
 * hdb_entry.flags.locked-out flag.
 */
- krb5_error_code (*hdb_auth_status)(krb5_context, struct HDB *, hdb_entry_ex *, int);
+ krb5_error_code (*hdb_auth_status)(krb5_context, struct HDB *,
+ hdb_entry_ex *, struct sockaddr *from_addr,
+ const char *original_client_name,
+ const char *auth_type,
+ int);
 /**
 * Check if delegation is allowed.
 */
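Review bot: HDB_AUTH_SUCCESS is renamed to HDB_AUTHZ_SUCCESS in the hdb.h hunk @@ -70 (and at the @@ -1414 call site in kerberos5.c) without any comment on the distinction the new values draw between the outcome of a pre-authentication step (HDB_AUTH_CORRECT_PASSWORD, HDB_AUTH_PKINIT_SUCCESS, HDB_AUTH_WRONG_PASSWORD) and the final status of the request, so a reader of the header cannot tell why one successful ENC-TS exchange reports both HDB_AUTH_CORRECT_PASSWORD and, later, HDB_AUTHZ_SUCCESS. A short comment on the group would cover it, e.g. `/* HDB_AUTH_*: result of one authentication step; HDB_AUTHZ_SUCCESS: the AS request as a whole was accepted */` (the code after the @@ -1414 call is outside the hunk, so the exact point at which it fires is inferred). Because the value 0 is kept and the function-pointer signature changes in the same commit, any out-of-tree backend must be rebuilt anyway, so a compatibility alias for the old name would add nothing.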
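Review bot: The four parameters added to hdb_auth_status in the hdb.h hunk @@ -244 are undocumented, and their meaning is not uniform across the kerberos5.c call sites: auth_type is "PKINIT" for HDB_AUTH_PKINIT_SUCCESS, an enctype name or the literal "unknown enctype" for the ENC-TS statuses, and NULL for HDB_AUTH_CLIENT_UNKNOWN and HDB_AUTHZ_SUCCESS. The Doxygen block above the member should spell this out per status code so a backend knows which arguments may be NULL before it dereferences them. from_addr could be `const struct sockaddr *` unless some caller needs to modify it; the _kdc_as_rep signature is outside the hunks, so I cannot confirm the caller's type. original_client_name appears to be the name as received in the request, so a backend that writes it to an audit log should treat it as untrusted text rather than a validated principal.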