
s4-kdc: Adapt to move from HDB auditing to KDC auditing constants

This is to adapt to:

    commit 6530021f09a5cab631be19a1b5898a0ba6b32f16
    Author: Luke Howard <lukeh@padl.com>
    Date:   Thu Jan 13 14:37:29 2022 +1100

        kdc: move auth event definitions into KDC header

        Move KDC auth event macro definitions out of hdb.h and into a new KDC header,
        kdc-audit.h.

NOTE: THIS COMMIT WON'T COMPILE/WORK ON ITS OWN!

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14995

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Andrew Bartlett 2022-03-02 10:00:17 +13:00 committed by Joseph Sutton
parent 9399a15fab
commit c9b0b4bfc4
2 changed files with 18 additions and 17 deletions


@ -46,6 +46,7 @@
#include "librpc/gen_ndr/ndr_winbind_c.h" #include "librpc/gen_ndr/ndr_winbind_c.h"
#include "lib/messaging/irpc.h" #include "lib/messaging/irpc.h"
#include "hdb.h" #include "hdb.h"
#include <kdc-audit.h>
static krb5_error_code hdb_samba4_open(krb5_context context, HDB *db, int flags, mode_t mode) static krb5_error_code hdb_samba4_open(krb5_context context, HDB *db, int flags, mode_t mode)
{ {
@ -545,7 +546,7 @@ static krb5_error_code hdb_samba4_audit(krb5_context context,
size_t sa_socklen = 0; size_t sa_socklen = 0;
hdb_auth_status_obj = heim_audit_getkv((heim_svc_req_desc)r, HDB_REQUEST_KV_AUTH_EVENT); hdb_auth_status_obj = heim_audit_getkv((heim_svc_req_desc)r, KDC_REQUEST_KV_AUTH_EVENT);
if (hdb_auth_status_obj == NULL) { if (hdb_auth_status_obj == NULL) {
/* No status code found, so just return. */ /* No status code found, so just return. */
return 0; return 0;
@ -558,15 +559,15 @@ static krb5_error_code hdb_samba4_audit(krb5_context context,
pa_type = heim_string_get_utf8(pa_type_obj); pa_type = heim_string_get_utf8(pa_type_obj);
} }
auth_details_obj = heim_audit_getkv((heim_svc_req_desc)r, HDB_REQUEST_KV_PKINIT_CLIENT_CERT); auth_details_obj = heim_audit_getkv((heim_svc_req_desc)r, KDC_REQUEST_KV_PKINIT_CLIENT_CERT);
if (auth_details_obj != NULL) { if (auth_details_obj != NULL) {
auth_details = heim_string_get_utf8(auth_details_obj); auth_details = heim_string_get_utf8(auth_details_obj);
} else { } else {
auth_details_obj = heim_audit_getkv((heim_svc_req_desc)r, HDB_REQUEST_KV_GSS_INITIATOR); auth_details_obj = heim_audit_getkv((heim_svc_req_desc)r, KDC_REQUEST_KV_GSS_INITIATOR);
if (auth_details_obj != NULL) { if (auth_details_obj != NULL) {
auth_details = heim_string_get_utf8(auth_details_obj); auth_details = heim_string_get_utf8(auth_details_obj);
} else { } else {
heim_object_t etype_obj = heim_audit_getkv((heim_svc_req_desc)r, HDB_REQUEST_KV_PA_ETYPE); heim_object_t etype_obj = heim_audit_getkv((heim_svc_req_desc)r, KDC_REQUEST_KV_PA_ETYPE);
if (etype_obj != NULL) { if (etype_obj != NULL) {
int etype = heim_number_get_int(etype_obj); int etype = heim_number_get_int(etype_obj);
@ -610,7 +611,7 @@ static krb5_error_code hdb_samba4_audit(krb5_context context,
} }
switch (hdb_auth_status) { switch (hdb_auth_status) {
case HDB_AUTH_EVENT_CLIENT_AUTHORIZED: case KDC_AUTH_EVENT_CLIENT_AUTHORIZED:
{ {
TALLOC_CTX *frame = talloc_stackframe(); TALLOC_CTX *frame = talloc_stackframe();
struct samba_kdc_entry *p = talloc_get_type(entry->context, struct samba_kdc_entry *p = talloc_get_type(entry->context,
@ -630,11 +631,11 @@ static krb5_error_code hdb_samba4_audit(krb5_context context,
talloc_free(frame); talloc_free(frame);
break; break;
} }
case HDB_AUTH_EVENT_CLIENT_LOCKED_OUT: case KDC_AUTH_EVENT_CLIENT_LOCKED_OUT:
case HDB_AUTH_EVENT_VALIDATED_LONG_TERM_KEY: case KDC_AUTH_EVENT_VALIDATED_LONG_TERM_KEY:
case HDB_AUTH_EVENT_WRONG_LONG_TERM_KEY: case KDC_AUTH_EVENT_WRONG_LONG_TERM_KEY:
case HDB_AUTH_EVENT_PREAUTH_SUCCEEDED: case KDC_AUTH_EVENT_PREAUTH_SUCCEEDED:
case HDB_AUTH_EVENT_PREAUTH_FAILED: case KDC_AUTH_EVENT_PREAUTH_FAILED:
{ {
TALLOC_CTX *frame = talloc_stackframe(); TALLOC_CTX *frame = talloc_stackframe();
struct samba_kdc_entry *p = talloc_get_type(entry->context, struct samba_kdc_entry *p = talloc_get_type(entry->context,
@ -673,7 +674,7 @@ static krb5_error_code hdb_samba4_audit(krb5_context context,
} }
ui.auth_description = auth_description; ui.auth_description = auth_description;
if (hdb_auth_status == HDB_AUTH_EVENT_WRONG_LONG_TERM_KEY) { if (hdb_auth_status == KDC_AUTH_EVENT_WRONG_LONG_TERM_KEY) {
authsam_update_bad_pwd_count(kdc_db_ctx->samdb, p->msg, domain_dn); authsam_update_bad_pwd_count(kdc_db_ctx->samdb, p->msg, domain_dn);
status = NT_STATUS_WRONG_PASSWORD; status = NT_STATUS_WRONG_PASSWORD;
/* /*
@ -684,13 +685,13 @@ static krb5_error_code hdb_samba4_audit(krb5_context context,
if (kdc_db_ctx->rodc) { if (kdc_db_ctx->rodc) {
send_bad_password_netlogon(frame, kdc_db_ctx, &ui); send_bad_password_netlogon(frame, kdc_db_ctx, &ui);
} }
} else if (hdb_auth_status == HDB_AUTH_EVENT_CLIENT_LOCKED_OUT) { } else if (hdb_auth_status == KDC_AUTH_EVENT_CLIENT_LOCKED_OUT) {
status = NT_STATUS_ACCOUNT_LOCKED_OUT; status = NT_STATUS_ACCOUNT_LOCKED_OUT;
} else if (hdb_auth_status == HDB_AUTH_EVENT_VALIDATED_LONG_TERM_KEY) { } else if (hdb_auth_status == KDC_AUTH_EVENT_VALIDATED_LONG_TERM_KEY) {
status = NT_STATUS_OK; status = NT_STATUS_OK;
} else if (hdb_auth_status == HDB_AUTH_EVENT_PREAUTH_SUCCEEDED) { } else if (hdb_auth_status == KDC_AUTH_EVENT_PREAUTH_SUCCEEDED) {
status = NT_STATUS_OK; status = NT_STATUS_OK;
} else if (hdb_auth_status == HDB_AUTH_EVENT_PREAUTH_FAILED) { } else if (hdb_auth_status == KDC_AUTH_EVENT_PREAUTH_FAILED) {
if (pa_type != NULL && strncmp(pa_type, "PK-INIT", strlen("PK-INIT")) == 0) { if (pa_type != NULL && strncmp(pa_type, "PK-INIT", strlen("PK-INIT")) == 0) {
status = NT_STATUS_PKINIT_FAILURE; status = NT_STATUS_PKINIT_FAILURE;
} else { } else {
@ -711,7 +712,7 @@ static krb5_error_code hdb_samba4_audit(krb5_context context,
TALLOC_FREE(frame); TALLOC_FREE(frame);
break; break;
} }
case HDB_AUTH_EVENT_CLIENT_UNKNOWN: case KDC_AUTH_EVENT_CLIENT_UNKNOWN:
{ {
struct tsocket_address *remote_host; struct tsocket_address *remote_host;
int ret; int ret;
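Review bot: An auth event value that matches none of the listed `KDC_AUTH_EVENT_*` case labels should not pass through the switch on `hdb_auth_status` silently, because this function decides the bad-password count update (`authsam_update_bad_pwd_count`) and the NT status for the event. The end of the switch is outside the visible hunks, so this may already be handled. If there is no `default:` arm, I would add one such as `default: DBG_WARNING("Unhandled KDC auth event %d\n", hdb_auth_status); break;` (assuming `hdb_auth_status` is an int), so that an event later added to `kdc-audit.h` appears in the logs instead of skipping the audit path. As a smaller style point, the locals `hdb_auth_status` and `hdb_auth_status_obj` keep the old prefix while every constant they are compared against is now `KDC_`; a follow-up rename would keep the naming consistent.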


@ -48,7 +48,7 @@ if bld.CONFIG_GET('SAMBA_USES_MITKDC'):
bld.SAMBA_LIBRARY('HDB_SAMBA4', bld.SAMBA_LIBRARY('HDB_SAMBA4',
source='hdb-samba4.c hdb-samba4-plugin.c', source='hdb-samba4.c hdb-samba4-plugin.c',
deps='ldb auth4_sam common_auth samba-credentials hdb db-glue samba-hostconfig com_err sdb_hdb RPC_NDR_WINBIND', deps='ldb auth4_sam common_auth samba-credentials hdb kdc db-glue samba-hostconfig com_err sdb_hdb RPC_NDR_WINBIND',
includes=kdc_include, includes=kdc_include,
private_library=True, private_library=True,
enabled=bld.CONFIG_SET('SAMBA4_USES_HEIMDAL') enabled=bld.CONFIG_SET('SAMBA4_USES_HEIMDAL')