s4:kdc: tunnel the check_client_access status to hdb_samba4_audit()

Otherwise useful information gets lost while converting
from NTSTATUS to krb5_error and back to NTSTATUS again.
E.g. NT_STATUS_ACCOUNT_DISABLED would be audited as
NT_STATUS_ACCOUNT_LOCKED_OUT.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15015

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

source4/kdc/hdb-samba4.c

@@ -627,6 +627,8 @@ static krb5_error_code hdb_samba4_audit(krb5_context context,
 				status = NT_STATUS_INTERNAL_ERROR;
 				final_ret = KRB5KRB_ERR_GENERIC;
 				r->error_code = final_ret;
+			} else if (!NT_STATUS_IS_OK(p->reject_status)) {
+				status = p->reject_status;
 			} else {
 				status = krb5_to_nt_status(r->error_code);
 			}
@@ -643,6 +645,8 @@ static krb5_error_code hdb_samba4_audit(krb5_context context,
 				status = NT_STATUS_INTERNAL_ERROR;
 				final_ret = KRB5KRB_ERR_GENERIC;
 				r->error_code = final_ret;
+			} else if (!NT_STATUS_IS_OK(p->reject_status)) {
+				status = p->reject_status;
 			} else {
 				status = krb5_to_nt_status(r->error_code);
 			}

source4/kdc/pac-glue.c

@@ -1143,6 +1143,7 @@ NTSTATUS samba_kdc_check_client_access(struct samba_kdc_entry *kdc_entry,
 				       workstation, client_name,
 				       true, password_change);
 
+	kdc_entry->reject_status = nt_status;
 	talloc_free(tmp_ctx);
 	return nt_status;
 }

source4/kdc/samba_kdc.h

@@ -61,6 +61,7 @@ struct samba_kdc_entry {
 	bool is_trust;
 	void *entry_ex;
 	uint32_t supported_enctypes;
+	NTSTATUS reject_status;
 };
 
 extern struct hdb_method hdb_samba4_interface;