1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-23 17:34:34 +03:00

s4:kdc: Adapt to removal of auth audit event types

This is an adaptation to Heimdal:

commit 06f8985c55fcd23e3efe0017ed2480c5b3c4524f
Author: Luke Howard <lukeh@padl.com>
Date:   Wed Jan 5 09:42:03 2022 +1100

    hdb: consolidate preauth audit event types

    Instead of having distinct preauth success/failure events for different
    mechanisms, have a single event; the mechanism can be disambiguated by querying
    the HDB_REQUEST_KV_PA_NAME key.

    Note: there is still an explicit event for long-term key-based success/failure
    in order to help the backend implement lockout.

    Audit failure (HDB_AUTH_EVENT_PREAUTH_FAILED) in the main preauth loop, rather
    than in each mechanism. Success is still audited in the mechanism to allow
    client pre-authentication success to be noted even if something subsequent
    (e.g. encoding a reply, memory allocation) fails. The generic catch-all for
    success remains.

NOTE: THIS COMMIT WON'T COMPILE/WORK ON ITS OWN!

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14995

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit f234361abe)
This commit is contained in:
Joseph Sutton 2022-02-22 15:48:12 +13:00 committed by Jule Anger
parent 9e76300526
commit b6e2028f27

View File

@ -540,40 +540,27 @@ static krb5_error_code hdb_samba4_audit(krb5_context context,
pa_type = heim_string_get_utf8(pa_type_obj);
}
switch (hdb_auth_status) {
case HDB_AUTH_EVENT_PKINIT_SUCCEEDED:
case HDB_AUTH_EVENT_PKINIT_FAILED:
case HDB_AUTH_EVENT_PKINIT_NOT_AUTHORIZED:
auth_details_obj = heim_audit_getkv((heim_svc_req_desc)r, HDB_REQUEST_KV_PKINIT_CLIENT_CERT);
if (auth_details_obj != NULL) {
auth_details = heim_string_get_utf8(auth_details_obj);
}
break;
case HDB_AUTH_EVENT_GSS_PA_SUCCEEDED:
case HDB_AUTH_EVENT_GSS_PA_FAILED:
case HDB_AUTH_EVENT_GSS_PA_NOT_AUTHORIZED:
auth_details_obj = heim_audit_getkv((heim_svc_req_desc)r, HDB_REQUEST_KV_PKINIT_CLIENT_CERT);
if (auth_details_obj != NULL) {
auth_details = heim_string_get_utf8(auth_details_obj);
} else {
auth_details_obj = heim_audit_getkv((heim_svc_req_desc)r, HDB_REQUEST_KV_GSS_INITIATOR);
if (auth_details_obj != NULL) {
auth_details = heim_string_get_utf8(auth_details_obj);
}
break;
} else {
heim_object_t etype_obj = heim_audit_getkv((heim_svc_req_desc)r, HDB_REQUEST_KV_PA_ETYPE);
if (etype_obj != NULL) {
int etype = heim_number_get_int(etype_obj);
default:
{
heim_object_t etype_obj = heim_audit_getkv((heim_svc_req_desc)r, HDB_REQUEST_KV_PA_ETYPE);
if (etype_obj != NULL) {
int etype = heim_number_get_int(etype_obj);
krb5_error_code ret = krb5_enctype_to_string(r->context, etype, &etype_str);
if (ret == 0) {
auth_details = etype_str;
} else {
auth_details = "unknown enctype";
krb5_error_code ret = krb5_enctype_to_string(r->context, etype, &etype_str);
if (ret == 0) {
auth_details = etype_str;
} else {
auth_details = "unknown enctype";
}
}
}
}
}
/*
* Forcing this via the NTLM auth structure is not ideal, but
@ -626,12 +613,10 @@ static krb5_error_code hdb_samba4_audit(krb5_context context,
break;
}
case HDB_AUTH_EVENT_CLIENT_LOCKED_OUT:
case HDB_AUTH_EVENT_LTK_PREAUTH_SUCCEEDED:
case HDB_AUTH_EVENT_LTK_PREAUTH_FAILED:
case HDB_AUTH_EVENT_OTHER_PREAUTH_SUCCEEDED:
case HDB_AUTH_EVENT_OTHER_PREAUTH_FAILED:
case HDB_AUTH_EVENT_PKINIT_SUCCEEDED:
case HDB_AUTH_EVENT_PKINIT_FAILED:
case HDB_AUTH_EVENT_VALIDATED_LONG_TERM_KEY:
case HDB_AUTH_EVENT_WRONG_LONG_TERM_KEY:
case HDB_AUTH_EVENT_PREAUTH_SUCCEEDED:
case HDB_AUTH_EVENT_PREAUTH_FAILED:
{
TALLOC_CTX *frame = talloc_stackframe();
struct samba_kdc_entry *p = talloc_get_type(entry->ctx,
@ -670,7 +655,7 @@ static krb5_error_code hdb_samba4_audit(krb5_context context,
}
ui.auth_description = auth_description;
if (hdb_auth_status == HDB_AUTH_EVENT_LTK_PREAUTH_FAILED) {
if (hdb_auth_status == HDB_AUTH_EVENT_WRONG_LONG_TERM_KEY) {
authsam_update_bad_pwd_count(kdc_db_ctx->samdb, p->msg, domain_dn);
status = NT_STATUS_WRONG_PASSWORD;
/*
@ -683,16 +668,16 @@ static krb5_error_code hdb_samba4_audit(krb5_context context,
}
} else if (hdb_auth_status == HDB_AUTH_EVENT_CLIENT_LOCKED_OUT) {
status = NT_STATUS_ACCOUNT_LOCKED_OUT;
} else if (hdb_auth_status == HDB_AUTH_EVENT_LTK_PREAUTH_SUCCEEDED) {
} else if (hdb_auth_status == HDB_AUTH_EVENT_VALIDATED_LONG_TERM_KEY) {
status = NT_STATUS_OK;
} else if (hdb_auth_status == HDB_AUTH_EVENT_OTHER_PREAUTH_SUCCEEDED) {
} else if (hdb_auth_status == HDB_AUTH_EVENT_PREAUTH_SUCCEEDED) {
status = NT_STATUS_OK;
} else if (hdb_auth_status == HDB_AUTH_EVENT_OTHER_PREAUTH_FAILED) {
status = NT_STATUS_GENERIC_COMMAND_FAILED;
} else if (hdb_auth_status == HDB_AUTH_EVENT_PKINIT_SUCCEEDED) {
status = NT_STATUS_OK;
} else if (hdb_auth_status == HDB_AUTH_EVENT_PKINIT_FAILED) {
status = NT_STATUS_PKINIT_FAILURE;
} else if (hdb_auth_status == HDB_AUTH_EVENT_PREAUTH_FAILED) {
if (pa_type != NULL && strncmp(pa_type, "PK-INIT", strlen("PK-INIT")) == 0) {
status = NT_STATUS_PKINIT_FAILURE;
} else {
status = NT_STATUS_GENERIC_COMMAND_FAILED;
}
} else {
status = NT_STATUS_INTERNAL_ERROR;
}