authorAndreas Schneider <asn@samba.org>2015-05-20 17:20:13 +0200
committerAndrew Bartlett <abartlet@samba.org>2016-03-17 04:32:29 +0100
commitb0f21659015875231b382b7f30d44f5b81d8ad58 (patch)
tree83645d4d828372200137d730d80c842e65619b6d /source4/kdc
parent05cc9b0af9794b62d65a781a4d1c3e4eb8f573f6 (diff)
mit-kdb: Add support for bad password count
This fixes the samba4.ldap.password_lockout.python test. Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Sumit Bose <sbose@redhat.com> Reviewed-by: Guenther Deschner <gd@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Diffstat (limited to 'source4/kdc')
-rw-r--r--source4/kdc/mit-kdb/kdb_samba.c2
-rw-r--r--source4/kdc/mit-kdb/kdb_samba.h8
-rw-r--r--source4/kdc/mit-kdb/kdb_samba_policies.c25
3 files changed, 34 insertions, 1 deletions
diff --git a/source4/kdc/mit-kdb/kdb_samba.c b/source4/kdc/mit-kdb/kdb_samba.c
index dc80a2291c1..b7f802c8c66 100644
--- a/source4/kdc/mit-kdb/kdb_samba.c
+++ b/source4/kdc/mit-kdb/kdb_samba.c
@@ -179,7 +179,7 @@ kdb_vftabl kdb_function_table = {
NULL, /* check_transited_realms */
kdb_samba_db_check_policy_as, /* check_policy_as */
NULL, /* check_policy_tgs */
- NULL, /* audit_as_req */
+ kdb_samba_db_audit_as_req, /* audit_as_req */
NULL, /* refresh_config */
kdb_samba_db_check_allowed_to_delegate
};
diff --git a/source4/kdc/mit-kdb/kdb_samba.h b/source4/kdc/mit-kdb/kdb_samba.h
index b2273c3efcc..b29cff97da7 100644
--- a/source4/kdc/mit-kdb/kdb_samba.h
+++ b/source4/kdc/mit-kdb/kdb_samba.h
@@ -145,6 +145,14 @@ krb5_error_code kdb_samba_db_check_allowed_to_delegate(krb5_context context,
krb5_const_principal client,
const krb5_db_entry *server,
krb5_const_principal proxy);
+
+void kdb_samba_db_audit_as_req(krb5_context kcontext,
+ krb5_kdc_req *request,
+ krb5_db_entry *client,
+ krb5_db_entry *server,
+ krb5_timestamp authtime,
+ krb5_error_code error_code);
+
/* from kdb_samba_change_pwd.c */
krb5_error_code kdb_samba_change_pwd(krb5_context context,
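Review bot: The new prototype names its first parameter `kcontext`, while the definition added in kdb_samba_policies.c and the neighbouring prototypes in this header use `context`; keeping the declaration and the definition on the same name avoids confusion when grepping. The declaration also has no comment saying what the hook does, so a line such as `/* audit_as_req hook: resets or increments the client's bad password count */` above it would help readers of the header.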
diff --git a/source4/kdc/mit-kdb/kdb_samba_policies.c b/source4/kdc/mit-kdb/kdb_samba_policies.c
index 17fb984a794..396e6fe9d31 100644
--- a/source4/kdc/mit-kdb/kdb_samba_policies.c
+++ b/source4/kdc/mit-kdb/kdb_samba_policies.c
@@ -441,3 +441,28 @@ done:
free(target_name);
return code;
}
+
+void kdb_samba_db_audit_as_req(krb5_context context,
+ krb5_kdc_req *request,
+ krb5_db_entry *client,
+ krb5_db_entry *server,
+ krb5_timestamp authtime,
+ krb5_error_code error_code)
+{
+ struct mit_samba_context *mit_ctx;
+
+ mit_ctx = ks_get_context(context);
+ if (mit_ctx == NULL) {
+ return;
+ }
+
+ switch (error_code) {
+ case 0:
+ mit_samba_zero_bad_password_count(client);
+ break;
+ case KRB5KDC_ERR_PREAUTH_FAILED:
+ case KRB5KRB_AP_ERR_BAD_INTEGRITY:
+ mit_samba_update_bad_password_count(client);
+ break;
+ }
+}
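Review bot: `client` is passed to `mit_samba_zero_bad_password_count()` and `mit_samba_update_bad_password_count()` without a NULL check, although the hook takes it as a plain pointer from the KDC. Whether the KDC can call the audit callback for a request whose client entry was never resolved, and whether the two helpers tolerate NULL, cannot be seen from this diff. If both answers go the wrong way, a failed AS request sent before authentication would crash the KDC process. A guard before the switch, `if (client == NULL) { return; }`, makes the hook safe either way. Smaller points: the switch has no `default: break;` to show that other error codes are deliberately ignored, and `mit_ctx` is fetched only for the NULL test and never used afterwards.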