diff options
author | Andreas Schneider <asn@samba.org> | 2015-05-20 17:20:13 +0200 |
---|---|---|
committer | Andrew Bartlett <abartlet@samba.org> | 2016-03-17 04:32:29 +0100 |
commit | b0f21659015875231b382b7f30d44f5b81d8ad58 (patch) | |
tree | 83645d4d828372200137d730d80c842e65619b6d /source4/kdc | |
parent | 05cc9b0af9794b62d65a781a4d1c3e4eb8f573f6 (diff) | |
download | samba-b0f21659015875231b382b7f30d44f5b81d8ad58.tar.gz |
mit-kdb: Add support for bad password count
This fixes the samba4.ldap.password_lockout.python test.
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Diffstat (limited to 'source4/kdc')
-rw-r--r-- | source4/kdc/mit-kdb/kdb_samba.c | 2 | ||||
-rw-r--r-- | source4/kdc/mit-kdb/kdb_samba.h | 8 | ||||
-rw-r--r-- | source4/kdc/mit-kdb/kdb_samba_policies.c | 25 |
3 files changed, 34 insertions, 1 deletions
diff --git a/source4/kdc/mit-kdb/kdb_samba.c b/source4/kdc/mit-kdb/kdb_samba.c index dc80a2291c1..b7f802c8c66 100644 --- a/source4/kdc/mit-kdb/kdb_samba.c +++ b/source4/kdc/mit-kdb/kdb_samba.c @@ -179,7 +179,7 @@ kdb_vftabl kdb_function_table = { NULL, /* check_transited_realms */ kdb_samba_db_check_policy_as, /* check_policy_as */ NULL, /* check_policy_tgs */ - NULL, /* audit_as_req */ + kdb_samba_db_audit_as_req, /* audit_as_req */ NULL, /* refresh_config */ kdb_samba_db_check_allowed_to_delegate }; diff --git a/source4/kdc/mit-kdb/kdb_samba.h b/source4/kdc/mit-kdb/kdb_samba.h index b2273c3efcc..b29cff97da7 100644 --- a/source4/kdc/mit-kdb/kdb_samba.h +++ b/source4/kdc/mit-kdb/kdb_samba.h @@ -145,6 +145,14 @@ krb5_error_code kdb_samba_db_check_allowed_to_delegate(krb5_context context, krb5_const_principal client, const krb5_db_entry *server, krb5_const_principal proxy); + +void kdb_samba_db_audit_as_req(krb5_context kcontext, + krb5_kdc_req *request, + krb5_db_entry *client, + krb5_db_entry *server, + krb5_timestamp authtime, + krb5_error_code error_code); + /* from kdb_samba_change_pwd.c */ krb5_error_code kdb_samba_change_pwd(krb5_context context, diff --git a/source4/kdc/mit-kdb/kdb_samba_policies.c b/source4/kdc/mit-kdb/kdb_samba_policies.c index 17fb984a794..396e6fe9d31 100644 --- a/source4/kdc/mit-kdb/kdb_samba_policies.c +++ b/source4/kdc/mit-kdb/kdb_samba_policies.c @@ -441,3 +441,28 @@ done: free(target_name); return code; } + +void kdb_samba_db_audit_as_req(krb5_context context, + krb5_kdc_req *request, + krb5_db_entry *client, + krb5_db_entry *server, + krb5_timestamp authtime, + krb5_error_code error_code) +{ + struct mit_samba_context *mit_ctx; + + mit_ctx = ks_get_context(context); + if (mit_ctx == NULL) { + return; + } + + switch (error_code) { + case 0: + mit_samba_zero_bad_password_count(client); + break; + case KRB5KDC_ERR_PREAUTH_FAILED: + case KRB5KRB_AP_ERR_BAD_INTEGRITY: + mit_samba_update_bad_password_count(client); + break; + } +} |