1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-23 17:34:34 +03:00
Commit Graph

128 Commits

Author SHA1 Message Date
Joseph Sutton
0f127875c8 s4:kdc: Correct error message
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-08-14 04:57:34 +00:00
Joseph Sutton
84929c6855 s4:kdc: Return an error code if sdb_entry_to_hdb_entry() fails
This condition was written backwards — if samba_kdc_fetch() returned
zero, we would ignore any error code returned by
sdb_entry_to_hdb_entry().

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-08-14 04:57:34 +00:00
Joseph Sutton
0182ddf97d s4:kdc: Use newer debugging macros
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-08-08 04:39:37 +00:00
Andreas Schneider
85c8222bdb s4:kdc: Fix code spelling
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Thu Aug  3 15:25:01 UTC 2023 on atb-devel-224
2023-08-03 15:25:01 +00:00
Joseph Sutton
34760dfc89 s4:kdc: Implement Heimdal hook for resource-based constrained delegation
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2023-06-27 05:45:36 +00:00
Joseph Sutton
0e43d11e39 s4:kdc: Remove useless sdb → hdb error code translation
samba_kdc_check_s4u2proxy() is never going to return an SDB_* error
code, so these conditions can never be hit.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2023-06-27 05:45:36 +00:00
Joseph Sutton
7e76f36d91 s4:kdc: Initialize pointers with NULL
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2023-06-27 05:45:36 +00:00
Joseph Sutton
67436de3e7 s4:kdc: Handle new KDC_AUTH_EVENT_CLIENT_FOUND audit event
NOTE: This commit finally works again!

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2023-06-26 11:10:31 +00:00
Joseph Sutton
19f867bc54 s4:kdc: Ensure that we don’t log PREAUTH_REQUIRED errors
Such errors were not logged in the past, either, but that was accidental
— a result of failing too early for an authentication event to be set —
rather than the auditing being deliberately designed that way.

Now that we have added the KDC_AUTH_EVENT_CLIENT_FOUND event, we want to
ensure that PREAUTH_REQUIRED errors continue to go unlogged.

NOTE: THIS COMMIT WON’T COMPILE/WORK ON ITS OWN!

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2023-06-26 11:10:31 +00:00
Joseph Sutton
af95ec0b3f s4:kdc: Add functionality to log client and server authentication policies
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-06-25 23:29:33 +00:00
Joseph Sutton
ca9d27ae99 auth: Add functionality to log client and server policy information
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-06-25 23:29:32 +00:00
Stefan Metzmacher
370ba4ad52 s4:kdc: handle passwords from the history in hdb_samba4_auth_status()
This is important in order to prevent ACCOUNT_LOCKED_OUT
with cached credentials.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14054

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-06-24 06:25:35 +00:00
Joseph Sutton
ad98643fbd s4:kdc: Replace FAST cookie with dummy string
All that uses the FAST cookie is the gss-preauth authentication
mechanism, which is untested in Samba, and disabled by default.
Disabling the FAST cookie code (and sending a dummy string instead)
relieves us of the maintenance and testing burden of this untested code.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Wed Jun 21 13:19:17 UTC 2023 on atb-devel-224
2023-06-21 13:19:17 +00:00
Joseph Sutton
63fe986357 s4:kdc: Log TGS-REQs in the Heimdal KDC
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-06-15 05:29:28 +00:00
Joseph Sutton
21d1f1ca99 s4:kdc: Fix typo
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-06-14 22:57:35 +00:00
Joseph Sutton
b859b3b67d s4:kdc: Consolidate assignments to r->error_code and final_ret
This makes it clearer that we are assigning a value to both together.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-06-14 22:57:35 +00:00
Joseph Sutton
868e114660 s4:kdc: Don’t log authentication failures as successes
If a client was authorized, we would ignore the Kerberos error code and
just log the return value of authsam_logon_success_accounting().

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-06-14 22:57:35 +00:00
Joseph Sutton
637fd961bd s4:kdc: Add NTSTATUS e-data to KDC reply
If an NTSTATUS code has been set in the KDC request structure, encode it
as KERB-ERROR-DATA and add it to the KDC reply.

hdb_samba4_set_ntstatus() adds the NTSTATUS code to the request
structure.

hdb_samba4_get_ntstatus() gets that status code back from the request
structure.

hdb_samba4_set_edata_from_ntstatus() encodes the status code and adds it
to the reply.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-05-18 04:53:30 +00:00
Joseph Sutton
041f70055c s4:kdc: Add function to attach an NTSTATUS code to a Kerberos request structure
Our KDC plugin can use this to store NTSTATUS codes that can be added to
the final KDC reply later.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-05-18 04:53:30 +00:00
Joseph Sutton
28cffae4b2 s4:kdc: Use more suitable type for final_ret
This now matches the return type of the function.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-05-18 04:53:29 +00:00
Joseph Sutton
7266924b3d s4:kdc: Use talloc_get_type_abort()
We dereference this pointer immediately after this call, so we should be
sure it is not NULL.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-05-18 04:53:29 +00:00
Joseph Sutton
798be592f9 s4:kdc: Fix debugging strings
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-05-18 01:03:37 +00:00
Joseph Sutton
12fd8274ff s4:kdc: Make use of KDC_REQUEST_KV_PA_NAME constant
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-05-18 01:03:37 +00:00
Stefan Metzmacher
44192d5f2c s4:kdc: make sure reset_bad_password_netlogon() stops subreq before return
We pass the stack variable 'req' to dcerpc_winbind_SendToSam_r_send(),
so we need to make sure the runtime of the subreq in not longer
than the stack variable.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15253

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2022-11-24 11:01:37 +00:00
Stefan Metzmacher
1414269dcc CVE-2021-20251: s4:auth: fix use after free in authsam_logon_success_accounting()
This fixes a use after free problem introduced by
commit 7b8e32efc3,
which has msg = current; which means the lifetime
of the 'msg' memory is no longer in the scope of th
caller.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14611
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15253

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2022-11-24 11:01:37 +00:00
Joseph Sutton
bdfc9d96f8 CVE-2021-20251 s4:kdc: Check badPwdCount update return status
If the account has been locked out in the meantime (indicated by
NT_STATUS_ACCOUNT_LOCKED_OUT), we should return the appropriate error
code.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14611

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2022-09-12 23:07:37 +00:00
Joseph Sutton
b1e740896e CVE-2021-20251 s4:kdc: Check return status of authsam_logon_success_accounting()
If we find that the user has been locked out sometime during the request
(due to a race), we will now return an error code.

Note that we cannot avoid the MIT KDC aspect of the issue by checking
the return status of mit_samba_zero_bad_password_count(), because
kdb_vftabl::audit_as_req() returning void means we cannot pass on the
result.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14611

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2022-09-12 23:07:37 +00:00
Joseph Sutton
2b593c34c4 CVE-2021-20251 s4:kdc: Move logon success accounting code into existing branch
This simplifies the code for the following commit.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14611

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2022-09-12 23:07:37 +00:00
Andreas Schneider
66289ab678 s4:kdc: Set Kerberos debug class for all KDC files
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Mon Sep 12 03:27:55 UTC 2022 on sn-devel-184
2022-09-12 03:27:55 +00:00
Joseph Sutton
484c6980be CVE-2022-32744 s4:kdc: Modify HDB plugin to only look up kpasswd principal
This plugin is now only used by the kpasswd service. Thus, ensuring we
only look up the kadmin/changepw principal means we can't be fooled into
accepting tickets for other service principals. We make sure not to
specify a specific kvno, to ensure that we do not accept RODC-issued
tickets.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15074

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
2022-07-27 10:52:36 +00:00
Andrew Bartlett
2d9fd3855f s4:kdc: Pass supported enctypes to samba_kdc_set_fixed_keys()
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
2022-03-24 09:19:33 +00:00
Stefan Metzmacher
57bf975231 s4:kdc: avoid using sdb_entry_ex in hdb_samba4_{first,next}key()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2022-03-24 09:19:33 +00:00
Stefan Metzmacher
f917a20fce s4:kdc: avoid using sdb_entry_ex in hdb_samba4_fetch_kvno()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2022-03-24 09:19:33 +00:00
Stefan Metzmacher
14487c4027 s4:kdc: samba_kdc_{first,next}key() only need sdb_entry
sdb_entry_ex will be removed shortly.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2022-03-24 09:19:33 +00:00
Stefan Metzmacher
3cba1641fd s4:kdc: samba_kdc_fetch() only needs sdb_entry
sdb_entry_ex will be removed shortly.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2022-03-24 09:19:33 +00:00
Stefan Metzmacher
dceae1bb13 s4:kdc: use sdb_entry_to_hdb_entry() directly
We should avoid sdb_entry_ex, as it will be removed soon.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2022-03-24 09:19:33 +00:00
Stefan Metzmacher
a71b74b207 s4:kdc: hdb_samba4_fetch_fast_cookie() don't need sdb_entry_ex
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2022-03-24 09:19:33 +00:00
Stefan Metzmacher
35508449bf s4:kdc: only pass sdb_keys to samba_kdc_set_fixed_keys()
This prepares the removal of sdb_entry_ex.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2022-03-24 09:19:33 +00:00
Stefan Metzmacher
c2eb50861d s4:kdc: let samba_kdc_entry take references to sdb_entry and kdc_entry
kdc_entry can be hdb_entry or krb5_db_entry.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2022-03-24 09:19:33 +00:00
Joseph Sutton
402d5f59bc s4:kdc: Add KDC support for Protected Users group
Accounts in the Protected Users group acting as clients lack support for
the RC4 encryption type. TGTs issued to such accounts have a lifetime
restricted to four hours, and are unable to be proxied or forwarded.

To determine at lookup time whether a client account is a member of
Protected Users, we now also create an auth_user_info_dc structure when
creating the database entry for an AS-REQ, rather than only when
creating a PAC for a TGT, or when recreating the PAC from an RODC-issued
TGT.

This means that the user's groups are now expanded even for AS-REQs that
result in an error (such as a PREAUTH_REQUIRED error), but this is
required to be able to correctly determine the account's available
encryption types, which are needed soon after fetching the user account.

Currently, the TGT lifetime may exceed four hours (for Heimdal
specifically). This may happen if PKINIT is used, and either the
pkinit_max_life_from_cert_extension option is TRUE and
pkinit_max_life_bound is greater than four hours, or
pkinit_max_life_from_cert is greater than four hours.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2022-03-18 11:55:30 +00:00
Stefan Metzmacher
5294dc8009 s4:kdc: tunnel the check_client_access status to hdb_samba4_audit()
Otherwise useful information gets lost while converting
from NTSTATUS to krb5_error and back to NTSTATUS again.
E.g. NT_STATUS_ACCOUNT_DISABLED would be audited as
NT_STATUS_ACCOUNT_LOCKED_OUT.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15015

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2022-03-17 00:41:33 +00:00
Joseph Sutton
b01388da8a s4-kdc: Handle previously unhandled auth event types
Cases to handle KDC_AUTH_EVENT_VALIDATED_LONG_TERM_KEY and
KDC_AUTH_EVENT_PREAUTH_SUCCEEDED were removed in:

commit 791be84c3e
Author: Stefan Metzmacher <metze@samba.org>
Date:   Wed Mar 2 10:10:08 2022 +1300

    s4:kdc: hdb_samba4_audit() is only called once per request

Normally these auth event types are overwritten with the
KDC_AUTH_EVENT_CLIENT_AUTHORIZED event type, but if a client passes the
pre-authentication check, and happens to fail the client access check
(e.g. because the account is disabled), we get error messages of the
form:
hdb_samba4_audit: Unhandled hdb_auth_status=9 => INTERNAL_ERROR

To avoid such errors, use the error code provided in the request
structure to obtain a relevant status code in cases not handled
explicitly.

For unexpected values we return KRB5KRB_ERR_GENERIC
in order to hopefully prevent success. And within make test
we panic in order let a ci run fail.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15015

Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2022-03-17 00:41:33 +00:00
Andrew Bartlett
b7bc1f6ddd s4-kdc: Fix memory leak in FAST cookie handling
The call to sdb_free_entry() was forgotten.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15000

Signed-off-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Fri Mar 11 11:05:55 UTC 2022 on sn-devel-184
2022-03-11 11:05:55 +00:00
Stefan Metzmacher
ca6948642b s4:kdc: don't set mapped_state in auth_usersupplied_info for audit logging
mapped_state is completely irrelevant for audit logging and
will also be removed in the next commits.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13879

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2022-03-10 03:16:35 +00:00
Stefan Metzmacher
0f5d7ff1a9 s4:kdc: redirect pre-authentication failures to an RWDC
The most important case is that we still have a previous
password cached at the RODC and the inbound replication
hasn't wiped the cache yet and we also haven't triggered
a new replication yet.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14865

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2022-03-06 23:05:40 +00:00
Stefan Metzmacher
791be84c3e s4:kdc: hdb_samba4_audit() is only called once per request
So we need to restructure the logic a bit.

NOTE: This commit finally works again!

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14995

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Joseph Sutton <jsutton@samba.org>
Autobuild-Date(master): Tue Mar  1 23:28:22 UTC 2022 on sn-devel-184
2022-03-01 23:28:22 +00:00
Andrew Bartlett
c9b0b4bfc4 s4-kdc: Adapt to move from HDB auditing to KDC auditing constants
This is to adapt to:

    commit 6530021f09a5cab631be19a1b5898a0ba6b32f16
    Author: Luke Howard <lukeh@padl.com>
    Date:   Thu Jan 13 14:37:29 2022 +1100

        kdc: move auth event definitions into KDC header

        Move KDC auth event macro definitions out of hdb.h and into a new KDC header,
        kdc-audit.h.

NOTE: THIS COMMIT WON'T COMPILE/WORK ON ITS OWN!

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14995

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2022-03-01 22:34:35 +00:00
Joseph Sutton
94d387abd5 s4:kdc: Adapt to hdb_entry_ex removal
Rather than having a 'free_entry' member that can be called to free an
hdb_entry, we now implement the free function in HDB. We perform the
free only if the context pointer is non-NULL.

We also remove the ZERO_STRUCTP() in sdb_entry_to_hdb_entry(), as the
context pointer is now part of the 'hdb_entry' structure itself, and
this would undesirably zero it out.

This is an adaptation to Heimdal commits:

commit c5551775e204d00c7ee8055ab6ddbba7e0590584
Author: Luke Howard <lukeh@padl.com>
Date:   Fri Jan 7 12:15:55 2022 +1100

    hdb: decorate HDB_entry with context member

    Decorate HDB_entry with context and move free_entry callback into HDB structure
    itself. Requires updating hdb_free_entry() signature to include HDB parameter.
    A follow-up commit will consolidate hdb_entry_ex (which has a single hdb_entry
    member) into hdb_entry.

commit 0e8c4ccc6ee0123ea39e53e8917fc3f6bb74e8c8
Author: Luke Howard <lukeh@padl.com>
Date:   Fri Jan 7 12:54:40 2022 +1100

    hdb: eliminate hdb_entry_ex

    Remove hdb_entry_ex and revert to the original design of hdb_entry (except with
    an additional context member in hdb_entry which is managed by the free_entry
    method in HDB).

NOTE: THIS COMMIT WON'T COMPILE/WORK ON ITS OWN!

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14995

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2022-03-01 22:34:35 +00:00
Joseph Sutton
f234361abe s4:kdc: Adapt to removal of auth audit event types
This is an adaptation to Heimdal:

commit 06f8985c55fcd23e3efe0017ed2480c5b3c4524f
Author: Luke Howard <lukeh@padl.com>
Date:   Wed Jan 5 09:42:03 2022 +1100

    hdb: consolidate preauth audit event types

    Instead of having distinct preauth success/failure events for different
    mechanisms, have a single event; the mechanism can be disambiguated by querying
    the HDB_REQUEST_KV_PA_NAME key.

    Note: there is still an explicit event for long-term key-based success/failure
    in order to help the backend implement lockout.

    Audit failure (HDB_AUTH_EVENT_PREAUTH_FAILED) in the main preauth loop, rather
    than in each mechanism. Success is still audited in the mechanism to allow
    client pre-authentication success to be noted even if something subsequent
    (e.g. encoding a reply, memory allocation) fails. The generic catch-all for
    success remains.

NOTE: THIS COMMIT WON'T COMPILE/WORK ON ITS OWN!

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14995

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2022-03-01 22:34:34 +00:00
Joseph Sutton
0d37a19281 s4:kdc: Add 'not authorised' auth events
This is an adaptation to Heimdal:

commit d683780b1d728bf8c5b794a1f66842e5a25bd360
Author: Luke Howard <lukeh@padl.com>
Date:   Sat Jan 1 23:44:05 2022 +1100

    kdc: separate PKINIT/GSS authorization failure

    Create a new audit event for PKINIT/GSS authorization (impersonation) failure

NOTE: THIS COMMIT WON'T COMPILE/WORK ON ITS OWN!

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14995

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2022-03-01 22:34:34 +00:00