author | Joseph Sutton <josephsutton@catalyst.net.nz> | 2022-02-22 15:48:12 +1300 |
---|---|---|
committer | Joseph Sutton <jsutton@samba.org> | 2022-03-01 22:34:34 +0000 |
commit | f234361abea4166ce4e10cfa4e7f4096b83480a9 (patch) | |
tree | 060e9f91c1365efaa717428d7d1c08c1fa23f0c1 /source4/kdc/hdb-samba4.c | |
parent | 83586e8f5846fff7a8bbe47e743e03166b559584 (diff) | |
s4:kdc: Adapt to removal of auth audit event types
This is an adaptation to Heimdal:
commit 06f8985c55fcd23e3efe0017ed2480c5b3c4524f
Author: Luke Howard <lukeh@padl.com>
Date: Wed Jan 5 09:42:03 2022 +1100
hdb: consolidate preauth audit event types
Instead of having distinct preauth success/failure events for different
mechanisms, have a single event; the mechanism can be disambiguated by querying
the HDB_REQUEST_KV_PA_NAME key.
Note: there is still an explicit event for long-term key-based success/failure
in order to help the backend implement lockout.
Audit failure (HDB_AUTH_EVENT_PREAUTH_FAILED) in the main preauth loop, rather
than in each mechanism. Success is still audited in the mechanism to allow
client pre-authentication success to be noted even if something subsequent
(e.g. encoding a reply, memory allocation) fails. The generic catch-all for
success remains.
NOTE: THIS COMMIT WON'T COMPILE/WORK ON ITS OWN!
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14995
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Diffstat (limited to 'source4/kdc/hdb-samba4.c')
-rw-r--r-- | source4/kdc/hdb-samba4.c | 71 |
1 files changed, 28 insertions, 43 deletions
diff --git a/source4/kdc/hdb-samba4.c b/source4/kdc/hdb-samba4.c
index 1d273bf8da0..94809b9c914 100644
--- a/source4/kdc/hdb-samba4.c
+++ b/source4/kdc/hdb-samba4.c
@@ -540,40 +540,27 @@ static krb5_error_code hdb_samba4_audit(krb5_context context,
 pa_type = heim_string_get_utf8(pa_type_obj);
 }
 
- switch (hdb_auth_status) {
- case HDB_AUTH_EVENT_PKINIT_SUCCEEDED:
- case HDB_AUTH_EVENT_PKINIT_FAILED:
- case HDB_AUTH_EVENT_PKINIT_NOT_AUTHORIZED:
- auth_details_obj = heim_audit_getkv((heim_svc_req_desc)r, HDB_REQUEST_KV_PKINIT_CLIENT_CERT);
- if (auth_details_obj != NULL) {
- auth_details = heim_string_get_utf8(auth_details_obj);
- }
- break;
-
- case HDB_AUTH_EVENT_GSS_PA_SUCCEEDED:
- case HDB_AUTH_EVENT_GSS_PA_FAILED:
- case HDB_AUTH_EVENT_GSS_PA_NOT_AUTHORIZED:
+ auth_details_obj = heim_audit_getkv((heim_svc_req_desc)r, HDB_REQUEST_KV_PKINIT_CLIENT_CERT);
+ if (auth_details_obj != NULL) {
+ auth_details = heim_string_get_utf8(auth_details_obj);
+ } else {
 auth_details_obj = heim_audit_getkv((heim_svc_req_desc)r, HDB_REQUEST_KV_GSS_INITIATOR);
 if (auth_details_obj != NULL) {
 auth_details = heim_string_get_utf8(auth_details_obj);
- }
- break;
-
- default:
- {
- heim_object_t etype_obj = heim_audit_getkv((heim_svc_req_desc)r, HDB_REQUEST_KV_PA_ETYPE);
- if (etype_obj != NULL) {
- int etype = heim_number_get_int(etype_obj);
-
- krb5_error_code ret = krb5_enctype_to_string(r->context, etype, &etype_str);
- if (ret == 0) {
- auth_details = etype_str;
- } else {
- auth_details = "unknown enctype";
+ } else {
+ heim_object_t etype_obj = heim_audit_getkv((heim_svc_req_desc)r, HDB_REQUEST_KV_PA_ETYPE);
+ if (etype_obj != NULL) {
+ int etype = heim_number_get_int(etype_obj);
+
+ krb5_error_code ret = krb5_enctype_to_string(r->context, etype, &etype_str);
+ if (ret == 0) {
+ auth_details = etype_str;
+ } else {
+ auth_details = "unknown enctype";
+ }
 }
 }
 }
- }
 
 /*
 * Forcing this via the NTLM auth structure is not ideal, but 
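Review bot: The new auth_details lookup in this hunk no longer consults the event type or pa_type, so whichever of HDB_REQUEST_KV_PKINIT_CLIENT_CERT, HDB_REQUEST_KV_GSS_INITIATOR or HDB_REQUEST_KV_PA_ETYPE is set first in that fixed order wins, even if it belongs to a mechanism other than the one being audited. If a single request can carry more than one of these keys (for example a PKINIT attempt followed by a fallback to another padata type), the audit line would pair the mechanism named by pa_type with a detail from a different attempt; keying the lookup on pa_type, which is read just above, would keep the two consistent. At minimum a comment such as `/* pa_type names the mechanism; the detail keys below are tried in fixed order and may describe an earlier attempt on the same request */` would make the intended precedence explicit. hdb_samba4_audit starts and ends outside the hunk, and whether etype_str (allocated by krb5_enctype_to_string) is released cannot be seen here.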
@@ -626,12 +613,10 @@ static krb5_error_code hdb_samba4_audit(krb5_context context,
 break;
 }
 case HDB_AUTH_EVENT_CLIENT_LOCKED_OUT:
- case HDB_AUTH_EVENT_LTK_PREAUTH_SUCCEEDED:
- case HDB_AUTH_EVENT_LTK_PREAUTH_FAILED:
- case HDB_AUTH_EVENT_OTHER_PREAUTH_SUCCEEDED:
- case HDB_AUTH_EVENT_OTHER_PREAUTH_FAILED:
- case HDB_AUTH_EVENT_PKINIT_SUCCEEDED:
- case HDB_AUTH_EVENT_PKINIT_FAILED:
+ case HDB_AUTH_EVENT_VALIDATED_LONG_TERM_KEY:
+ case HDB_AUTH_EVENT_WRONG_LONG_TERM_KEY:
+ case HDB_AUTH_EVENT_PREAUTH_SUCCEEDED:
+ case HDB_AUTH_EVENT_PREAUTH_FAILED:
 {
 TALLOC_CTX *frame = talloc_stackframe();
 struct samba_kdc_entry *p = talloc_get_type(entry->ctx,
@@ -670,7 +655,7 @@ static krb5_error_code hdb_samba4_audit(krb5_context context,
 }
 ui.auth_description = auth_description;
 
- if (hdb_auth_status == HDB_AUTH_EVENT_LTK_PREAUTH_FAILED) {
+ if (hdb_auth_status == HDB_AUTH_EVENT_WRONG_LONG_TERM_KEY) {
 authsam_update_bad_pwd_count(kdc_db_ctx->samdb, p->msg, domain_dn);
 status = NT_STATUS_WRONG_PASSWORD;
 /* 
@@ -683,16 +668,16 @@ static krb5_error_code hdb_samba4_audit(krb5_context context,
 }
 } else if (hdb_auth_status == HDB_AUTH_EVENT_CLIENT_LOCKED_OUT) {
 status = NT_STATUS_ACCOUNT_LOCKED_OUT;
- } else if (hdb_auth_status == HDB_AUTH_EVENT_LTK_PREAUTH_SUCCEEDED) {
- status = NT_STATUS_OK;
- } else if (hdb_auth_status == HDB_AUTH_EVENT_OTHER_PREAUTH_SUCCEEDED) {
+ } else if (hdb_auth_status == HDB_AUTH_EVENT_VALIDATED_LONG_TERM_KEY) {
 status = NT_STATUS_OK;
- } else if (hdb_auth_status == HDB_AUTH_EVENT_OTHER_PREAUTH_FAILED) {
- status = NT_STATUS_GENERIC_COMMAND_FAILED;
- } else if (hdb_auth_status == HDB_AUTH_EVENT_PKINIT_SUCCEEDED) {
+ } else if (hdb_auth_status == HDB_AUTH_EVENT_PREAUTH_SUCCEEDED) {
 status = NT_STATUS_OK;
- } else if (hdb_auth_status == HDB_AUTH_EVENT_PKINIT_FAILED) {
- status = NT_STATUS_PKINIT_FAILURE;
+ } else if (hdb_auth_status == HDB_AUTH_EVENT_PREAUTH_FAILED) {
+ if (pa_type != NULL && strncmp(pa_type, "PK-INIT", strlen("PK-INIT")) == 0) {
+ status = NT_STATUS_PKINIT_FAILURE;
+ } else {
+ status = NT_STATUS_GENERIC_COMMAND_FAILED;
+ }
 } else {
 status = NT_STATUS_INTERNAL_ERROR;
 } |
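Review bot: The PKINIT test added in the HDB_AUTH_EVENT_PREAUTH_FAILED branch matches only a prefix of pa_type, `strncmp(pa_type, "PK-INIT", strlen("PK-INIT")) == 0`, presumably so that a longer PKINIT variant name sharing that prefix is classified the same way, but nothing says so and a later reader could tighten it to strcmp() and silently change the status mapping. A one-line comment above the condition, `/* prefix match on purpose: every PK-INIT pa_type variant maps to PKINIT_FAILURE */`, would pin the intent. Every other failed mechanism, GSS preauth included, now collapses to NT_STATUS_GENERIC_COMMAND_FAILED, so if a distinct status for GSS failures is wanted it would also have to be derived from pa_type here. The enclosing hdb_samba4_audit function continues outside the hunk.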