From 5294dc80090482d5669126802672eb2c89e269cf Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Wed, 16 Mar 2022 09:21:03 +0100 Subject: [PATCH] s4:kdc: tunnel the check_client_access status to hdb_samba4_audit() Otherwise useful information gets lost while converting from NTSTATUS to krb5_error and back to NTSTATUS again. E.g. NT_STATUS_ACCOUNT_DISABLED would be audited as NT_STATUS_ACCOUNT_LOCKED_OUT. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15015 Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett --- source4/kdc/hdb-samba4.c | 4 ++++ source4/kdc/pac-glue.c | 1 + source4/kdc/samba_kdc.h | 1 + 3 files changed, 6 insertions(+) diff --git a/source4/kdc/hdb-samba4.c b/source4/kdc/hdb-samba4.c index ceb3a292160..e82ebbe7daa 100644 --- a/source4/kdc/hdb-samba4.c +++ b/source4/kdc/hdb-samba4.c @@ -627,6 +627,8 @@ static krb5_error_code hdb_samba4_audit(krb5_context context, status = NT_STATUS_INTERNAL_ERROR; final_ret = KRB5KRB_ERR_GENERIC; r->error_code = final_ret; + } else if (!NT_STATUS_IS_OK(p->reject_status)) { + status = p->reject_status; } else { status = krb5_to_nt_status(r->error_code); } @@ -643,6 +645,8 @@ static krb5_error_code hdb_samba4_audit(krb5_context context, status = NT_STATUS_INTERNAL_ERROR; final_ret = KRB5KRB_ERR_GENERIC; r->error_code = final_ret; + } else if (!NT_STATUS_IS_OK(p->reject_status)) { + status = p->reject_status; } else { status = krb5_to_nt_status(r->error_code); } diff --git a/source4/kdc/pac-glue.c b/source4/kdc/pac-glue.c index dc6db122865..f0181d2e676 100644 --- a/source4/kdc/pac-glue.c +++ b/source4/kdc/pac-glue.c @@ -1143,6 +1143,7 @@ NTSTATUS samba_kdc_check_client_access(struct samba_kdc_entry *kdc_entry, workstation, client_name, true, password_change); + kdc_entry->reject_status = nt_status; talloc_free(tmp_ctx); return nt_status; } diff --git a/source4/kdc/samba_kdc.h b/source4/kdc/samba_kdc.h index a354f3e8db3..9b16fcc3b92 100644 --- a/source4/kdc/samba_kdc.h +++ b/source4/kdc/samba_kdc.h 
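Review bot: The new `else if (!NT_STATUS_IS_OK(p->reject_status))` branch in hdb_samba4_audit(), added identically in the -627 and -643 hunks, trusts whatever was last stored on the entry, so the audited status is only right if `reject_status` was written during the request being audited. If samba_kdc_check_client_access() was not reached for this request, or the entry outlives a single request, a leftover non-OK value would override `krb5_to_nt_status(r->error_code)` and the audit record would name the wrong cause. State the assumption at the first branch, e.g. `/* reject_status was set by samba_kdc_check_client_access() for this request and is more precise than the krb5 round trip */`. The function body and the declaration of `p` are outside both hunks, so whether `p` can be NULL here could not be checked.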
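Review bot: `kdc_entry->reject_status = nt_status;` is written only on the path that falls through to the end of samba_kdc_check_client_access(), so any earlier `return` in the part of the function above this hunk (not visible here) would leave the previous value in place. Because hdb_samba4_audit() now prefers this field over `r->error_code`, either every exit path should store its status or the field should be reset to `NT_STATUS_OK` on entry. The assignment also stores success, which is what clears an older rejection, and that deserves a short comment such as `/* record the result, including NT_STATUS_OK, for hdb_samba4_audit() */`.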
@@ -61,6 +61,7 @@ struct samba_kdc_entry { bool is_trust; void *entry_ex; uint32_t supported_enctypes; + NTSTATUS reject_status; }; extern struct hdb_method hdb_samba4_interface;
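Review bot: The new `NTSTATUS reject_status;` member of `struct samba_kdc_entry` has no comment and no visible initialisation, yet hdb_samba4_audit() treats any non-OK value in it as authoritative. The hunk does not show how the struct is allocated, and if it is not zero-initialised the field needs an explicit `NT_STATUS_OK` at creation so that an uninitialised value cannot reach the audit log. Suggested comment: `/* last result of samba_kdc_check_client_access(), read by hdb_samba4_audit(); NT_STATUS_OK when no rejection was recorded */`.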