From 2eb5cc575aa08b0b4c233c55cf378a5637717a90 Mon Sep 17 00:00:00 2001 From: rbasch Date: Mon, 16 Dec 2013 10:54:41 -0500 Subject: [PATCH] Log service princ in KDC more reliably Under some error conditions, the KDC would log "" for the service principal because service principal information is not yet available to the logging functions. Set the appropriate variables earlier. do_as_req.c: After unparsing the client, immediately unparse the server before searching for the client principal in the KDB. do_tgs_req.c: Save a pointer to the client-requested service principal, to make sure it gets logged if an error happens before search_sprinc() successfully completes. [tlyu@mit.edu: commit message; fix TGS to catch more error cases] (cherry picked from commit f37067776f9431879769f3874fdab6120ba3f155) ticket: 7802 --- src/kdc/do_as_req.c | 25 +++++++++++++------------ src/kdc/do_tgs_req.c | 5 +++++ 2 files changed, 18 insertions(+), 12 deletions(-) diff --git a/src/kdc/do_as_req.c b/src/kdc/do_as_req.c index 268d4f452b..95c3e23620 100644 --- a/src/kdc/do_as_req.c +++ b/src/kdc/do_as_req.c @@ -555,6 +555,19 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt, } limit_string(state->cname); + if (!state->request->server) { + state->status = "NULL_SERVER"; + errcode = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN; + goto errout; + } + if ((errcode = krb5_unparse_name(kdc_context, + state->request->server, + &state->sname))) { + state->status = "UNPARSING_SERVER"; + goto errout; + } + limit_string(state->sname); + /* * We set KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY as a hint * to the backend to return naming information in lieu @@ -604,18 +617,6 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt, au_state->stage = SRVC_PRINC; - if (!state->request->server) { - state->status = "NULL_SERVER"; - errcode = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN; - goto errout; - } - if ((errcode = krb5_unparse_name(kdc_context, - state->request->server, - &state->sname))) { - state->status = "UNPARSING_SERVER"; - goto errout; - } - limit_string(state->sname); s_flags = 0; setflag(s_flags, KRB5_KDB_FLAG_ALIAS_OK); if (isflagset(state->request->kdc_options, KDC_OPT_CANONICALIZE)) { diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c index c12de2b3e6..5cfe0b64b1 100644 --- a/src/kdc/do_tgs_req.c +++ b/src/kdc/do_tgs_req.c @@ -145,6 +145,9 @@ process_tgs_req(struct server_handle *handle, krb5_data *pkt, session_key.contents = NULL; retval = decode_krb5_tgs_req(pkt, &request); + /* Save pointer to client-requested service principal, in case of errors + * before a successful call to search_sprinc(). */ + sprinc = request->server; if (retval) return retval; if (request->msg_type != KRB5_TGS_REQ) { @@ -202,6 +205,8 @@ process_tgs_req(struct server_handle *handle, krb5_data *pkt, scratch.data = (char *) pa_tgs_req->contents; errcode = kdc_find_fast(&request, &scratch, subkey, header_ticket->enc_part2->session, state, NULL); + /* Reset sprinc because kdc_find_fast() can replace request. */ + sprinc = request->server; if (errcode !=0) { status = "kdc_find_fast"; goto cleanup; -- 2.47.3