s4:kdc: Don’t log authentication failures as successes

If a client was authorized, we would ignore the Kerberos error code and
just log the return value of authsam_logon_success_accounting().

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

selftest/knownfail_heimdal_kdc

@@ -135,28 +135,3 @@
 ^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_samlogon_allowed_to_no_owner.ad_dc
 ^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_samlogon_allowed_to_service_deny.ad_dc
 ^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_samlogon_allowed_to_service_deny_to_self.ad_dc
-#
-# Authentication logging tests
-#
-^samba.tests.auth_log.samba.tests.auth_log.AuthLogTests.test_ldap.ad_dc_ntvfs:local
-^samba.tests.auth_log.samba.tests.auth_log.AuthLogTests.test_ldap.ad_dc_smb1:local
-^samba.tests.auth_log.samba.tests.auth_log.AuthLogTests.test_rpc_ncacn_ip_tcp_krb5_dns.ad_dc_ntvfs:local
-^samba.tests.auth_log.samba.tests.auth_log.AuthLogTests.test_rpc_ncacn_ip_tcp_krb5_dns.ad_dc_smb1:local
-^samba.tests.auth_log.samba.tests.auth_log.AuthLogTests.test_rpc_ncacn_ip_tcp_krb5_dns_connect.ad_dc_ntvfs:local
-^samba.tests.auth_log.samba.tests.auth_log.AuthLogTests.test_rpc_ncacn_ip_tcp_krb5_dns_connect.ad_dc_smb1:local
-^samba.tests.auth_log.samba.tests.auth_log.AuthLogTests.test_rpc_ncacn_ip_tcp_krb5_dns_seal.ad_dc_ntvfs:local
-^samba.tests.auth_log.samba.tests.auth_log.AuthLogTests.test_rpc_ncacn_ip_tcp_krb5_dns_seal.ad_dc_smb1:local
-^samba.tests.auth_log.samba.tests.auth_log.AuthLogTests.test_rpc_ncacn_ip_tcp_krb5_dns_sign.ad_dc_ntvfs:local
-^samba.tests.auth_log.samba.tests.auth_log.AuthLogTests.test_rpc_ncacn_ip_tcp_krb5_dns_sign.ad_dc_smb1:local
-^samba.tests.auth_log.samba.tests.auth_log.AuthLogTests.test_rpc_ncacn_np_krb_dns.ad_dc_ntvfs:local
-^samba.tests.auth_log.samba.tests.auth_log.AuthLogTests.test_rpc_ncacn_np_krb_dns.ad_dc_smb1:local
-^samba.tests.auth_log.samba.tests.auth_log.AuthLogTests.test_rpc_ncacn_np_krb_dns_sign.ad_dc_ntvfs:local
-^samba.tests.auth_log.samba.tests.auth_log.AuthLogTests.test_rpc_ncacn_np_krb_dns_sign.ad_dc_smb1:local
-^samba.tests.auth_log.samba.tests.auth_log.AuthLogTests.test_rpc_ncacn_np_krb_dns_smb2.ad_dc_ntvfs:local
-^samba.tests.auth_log.samba.tests.auth_log.AuthLogTests.test_rpc_ncacn_np_krb_dns_smb2.ad_dc_smb1:local
-^samba.tests.auth_log.samba.tests.auth_log.AuthLogTests.test_rpc_ncacn_np_krb_srv.ad_dc_ntvfs:local
-^samba.tests.auth_log.samba.tests.auth_log.AuthLogTests.test_rpc_ncacn_np_krb_srv.ad_dc_smb1:local
-^samba.tests.auth_log.samba.tests.auth_log.AuthLogTests.test_rpc_ncacn_np_krb_srv_sign.ad_dc_ntvfs:local
-^samba.tests.auth_log.samba.tests.auth_log.AuthLogTests.test_rpc_ncacn_np_krb_srv_sign.ad_dc_smb1:local
-^samba.tests.auth_log.samba.tests.auth_log.AuthLogTests.test_smb.ad_dc_ntvfs:local
-^samba.tests.auth_log.samba.tests.auth_log.AuthLogTests.test_smb.ad_dc_smb1:local

source4/kdc/hdb-samba4.c

@@ -809,7 +809,9 @@ static krb5_error_code hdb_samba4_audit(krb5_context context,
 				rwdc_fallback = kdc_db_ctx->rodc;
 			} else {
 				if (r->error_code == KRB5KDC_ERR_NEVER_VALID) {
-					edata_status = NT_STATUS_TIME_DIFFERENCE_AT_DC;
+					edata_status = status = NT_STATUS_TIME_DIFFERENCE_AT_DC;
+				} else {
+					status = krb5_to_nt_status(r->error_code);
 				}
 
 				if (kdc_db_ctx->rodc && send_to_sam != NULL) {