mirror of
https://github.com/samba-team/samba.git
synced 2024-12-23 17:34:34 +03:00
s4:kdc: Adapt to removal of auth audit event types
This is an adaptation to Heimdal:
commit 06f8985c55fcd23e3efe0017ed2480c5b3c4524f
Author: Luke Howard <lukeh@padl.com>
Date: Wed Jan 5 09:42:03 2022 +1100
hdb: consolidate preauth audit event types
Instead of having distinct preauth success/failure events for different
mechanisms, have a single event; the mechanism can be disambiguated by querying
the HDB_REQUEST_KV_PA_NAME key.
Note: there is still an explicit event for long-term key-based success/failure
in order to help the backend implement lockout.
Audit failure (HDB_AUTH_EVENT_PREAUTH_FAILED) in the main preauth loop, rather
than in each mechanism. Success is still audited in the mechanism to allow
client pre-authentication success to be noted even if something subsequent
(e.g. encoding a reply, memory allocation) fails. The generic catch-all for
success remains.
NOTE: THIS COMMIT WON'T COMPILE/WORK ON ITS OWN!
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14995
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit f234361abe
)
This commit is contained in:
parent
9e76300526
commit
b6e2028f27
@ -540,40 +540,27 @@ static krb5_error_code hdb_samba4_audit(krb5_context context,
|
||||
pa_type = heim_string_get_utf8(pa_type_obj);
|
||||
}
|
||||
|
||||
switch (hdb_auth_status) {
|
||||
case HDB_AUTH_EVENT_PKINIT_SUCCEEDED:
|
||||
case HDB_AUTH_EVENT_PKINIT_FAILED:
|
||||
case HDB_AUTH_EVENT_PKINIT_NOT_AUTHORIZED:
|
||||
auth_details_obj = heim_audit_getkv((heim_svc_req_desc)r, HDB_REQUEST_KV_PKINIT_CLIENT_CERT);
|
||||
if (auth_details_obj != NULL) {
|
||||
auth_details = heim_string_get_utf8(auth_details_obj);
|
||||
}
|
||||
break;
|
||||
|
||||
case HDB_AUTH_EVENT_GSS_PA_SUCCEEDED:
|
||||
case HDB_AUTH_EVENT_GSS_PA_FAILED:
|
||||
case HDB_AUTH_EVENT_GSS_PA_NOT_AUTHORIZED:
|
||||
auth_details_obj = heim_audit_getkv((heim_svc_req_desc)r, HDB_REQUEST_KV_PKINIT_CLIENT_CERT);
|
||||
if (auth_details_obj != NULL) {
|
||||
auth_details = heim_string_get_utf8(auth_details_obj);
|
||||
} else {
|
||||
auth_details_obj = heim_audit_getkv((heim_svc_req_desc)r, HDB_REQUEST_KV_GSS_INITIATOR);
|
||||
if (auth_details_obj != NULL) {
|
||||
auth_details = heim_string_get_utf8(auth_details_obj);
|
||||
}
|
||||
break;
|
||||
} else {
|
||||
heim_object_t etype_obj = heim_audit_getkv((heim_svc_req_desc)r, HDB_REQUEST_KV_PA_ETYPE);
|
||||
if (etype_obj != NULL) {
|
||||
int etype = heim_number_get_int(etype_obj);
|
||||
|
||||
default:
|
||||
{
|
||||
heim_object_t etype_obj = heim_audit_getkv((heim_svc_req_desc)r, HDB_REQUEST_KV_PA_ETYPE);
|
||||
if (etype_obj != NULL) {
|
||||
int etype = heim_number_get_int(etype_obj);
|
||||
|
||||
krb5_error_code ret = krb5_enctype_to_string(r->context, etype, &etype_str);
|
||||
if (ret == 0) {
|
||||
auth_details = etype_str;
|
||||
} else {
|
||||
auth_details = "unknown enctype";
|
||||
krb5_error_code ret = krb5_enctype_to_string(r->context, etype, &etype_str);
|
||||
if (ret == 0) {
|
||||
auth_details = etype_str;
|
||||
} else {
|
||||
auth_details = "unknown enctype";
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
/*
|
||||
* Forcing this via the NTLM auth structure is not ideal, but
|
||||
@ -626,12 +613,10 @@ static krb5_error_code hdb_samba4_audit(krb5_context context,
|
||||
break;
|
||||
}
|
||||
case HDB_AUTH_EVENT_CLIENT_LOCKED_OUT:
|
||||
case HDB_AUTH_EVENT_LTK_PREAUTH_SUCCEEDED:
|
||||
case HDB_AUTH_EVENT_LTK_PREAUTH_FAILED:
|
||||
case HDB_AUTH_EVENT_OTHER_PREAUTH_SUCCEEDED:
|
||||
case HDB_AUTH_EVENT_OTHER_PREAUTH_FAILED:
|
||||
case HDB_AUTH_EVENT_PKINIT_SUCCEEDED:
|
||||
case HDB_AUTH_EVENT_PKINIT_FAILED:
|
||||
case HDB_AUTH_EVENT_VALIDATED_LONG_TERM_KEY:
|
||||
case HDB_AUTH_EVENT_WRONG_LONG_TERM_KEY:
|
||||
case HDB_AUTH_EVENT_PREAUTH_SUCCEEDED:
|
||||
case HDB_AUTH_EVENT_PREAUTH_FAILED:
|
||||
{
|
||||
TALLOC_CTX *frame = talloc_stackframe();
|
||||
struct samba_kdc_entry *p = talloc_get_type(entry->ctx,
|
||||
@ -670,7 +655,7 @@ static krb5_error_code hdb_samba4_audit(krb5_context context,
|
||||
}
|
||||
ui.auth_description = auth_description;
|
||||
|
||||
if (hdb_auth_status == HDB_AUTH_EVENT_LTK_PREAUTH_FAILED) {
|
||||
if (hdb_auth_status == HDB_AUTH_EVENT_WRONG_LONG_TERM_KEY) {
|
||||
authsam_update_bad_pwd_count(kdc_db_ctx->samdb, p->msg, domain_dn);
|
||||
status = NT_STATUS_WRONG_PASSWORD;
|
||||
/*
|
||||
@ -683,16 +668,16 @@ static krb5_error_code hdb_samba4_audit(krb5_context context,
|
||||
}
|
||||
} else if (hdb_auth_status == HDB_AUTH_EVENT_CLIENT_LOCKED_OUT) {
|
||||
status = NT_STATUS_ACCOUNT_LOCKED_OUT;
|
||||
} else if (hdb_auth_status == HDB_AUTH_EVENT_LTK_PREAUTH_SUCCEEDED) {
|
||||
} else if (hdb_auth_status == HDB_AUTH_EVENT_VALIDATED_LONG_TERM_KEY) {
|
||||
status = NT_STATUS_OK;
|
||||
} else if (hdb_auth_status == HDB_AUTH_EVENT_OTHER_PREAUTH_SUCCEEDED) {
|
||||
} else if (hdb_auth_status == HDB_AUTH_EVENT_PREAUTH_SUCCEEDED) {
|
||||
status = NT_STATUS_OK;
|
||||
} else if (hdb_auth_status == HDB_AUTH_EVENT_OTHER_PREAUTH_FAILED) {
|
||||
status = NT_STATUS_GENERIC_COMMAND_FAILED;
|
||||
} else if (hdb_auth_status == HDB_AUTH_EVENT_PKINIT_SUCCEEDED) {
|
||||
status = NT_STATUS_OK;
|
||||
} else if (hdb_auth_status == HDB_AUTH_EVENT_PKINIT_FAILED) {
|
||||
status = NT_STATUS_PKINIT_FAILURE;
|
||||
} else if (hdb_auth_status == HDB_AUTH_EVENT_PREAUTH_FAILED) {
|
||||
if (pa_type != NULL && strncmp(pa_type, "PK-INIT", strlen("PK-INIT")) == 0) {
|
||||
status = NT_STATUS_PKINIT_FAILURE;
|
||||
} else {
|
||||
status = NT_STATUS_GENERIC_COMMAND_FAILED;
|
||||
}
|
||||
} else {
|
||||
status = NT_STATUS_INTERNAL_ERROR;
|
||||
}
|
||||
|
Loading…
Reference in New Issue
Block a user