s4:kdc: Add 'not authorised' auth events
authorJoseph Sutton <josephsutton@catalyst.net.nz>
Mon, 21 Feb 2022 23:16:49 +0000 (12:16 +1300)
committerJoseph Sutton <jsutton@samba.org>
Tue, 1 Mar 2022 22:34:34 +0000 (22:34 +0000)
This is an adaptation to Heimdal:

commit d683780b1d728bf8c5b794a1f66842e5a25bd360
Author: Luke Howard <lukeh@padl.com>
Date:   Sat Jan 1 23:44:05 2022 +1100

    kdc: separate PKINIT/GSS authorization failure

    Create a new audit event for PKINIT/GSS authorization (impersonation) failure

NOTE: THIS COMMIT WON'T COMPILE/WORK ON ITS OWN!

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14995

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
source4/kdc/hdb-samba4.c

index 2f9d51d3c04a8407fbcbb3ef4f6825919932073e..1d273bf8da08144cf7b8daa186138818777275b8 100644 (file)
@@ -543,6 +543,7 @@ static krb5_error_code hdb_samba4_audit(krb5_context context,
        switch (hdb_auth_status) {
        case HDB_AUTH_EVENT_PKINIT_SUCCEEDED:
        case HDB_AUTH_EVENT_PKINIT_FAILED:
+       case HDB_AUTH_EVENT_PKINIT_NOT_AUTHORIZED:
                auth_details_obj = heim_audit_getkv((heim_svc_req_desc)r, HDB_REQUEST_KV_PKINIT_CLIENT_CERT);
                if (auth_details_obj != NULL) {
                        auth_details = heim_string_get_utf8(auth_details_obj);
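Review bot: The new `HDB_AUTH_EVENT_PKINIT_NOT_AUTHORIZED` label, and `HDB_AUTH_EVENT_GSS_PA_NOT_AUTHORIZED` in the next hunk, join the succeeded/failed groups with no comment explaining why an authorisation failure shares the authentication-detail lookup. I would add above each group something like `/* NOT_AUTHORIZED: authorisation (impersonation) failure; still record the presented client identity for the audit log */`. For these events `auth_details` is the client-presented certificate or GSS initiator string, so it is both the field an auditor most needs and a value the requester chooses. The code that formats and emits it is outside this hunk, so it is worth confirming that it escapes the string. The rest of hdb_samba4_audit is also not visible here; presumably it maps `hdb_auth_status` to a logged status, in which case both new events should get a specific failure status rather than a default or unhandled path.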
@@ -551,6 +552,7 @@ static krb5_error_code hdb_samba4_audit(krb5_context context,
 
        case HDB_AUTH_EVENT_GSS_PA_SUCCEEDED:
        case HDB_AUTH_EVENT_GSS_PA_FAILED:
+       case HDB_AUTH_EVENT_GSS_PA_NOT_AUTHORIZED:
                auth_details_obj = heim_audit_getkv((heim_svc_req_desc)r, HDB_REQUEST_KV_GSS_INITIATOR);
                if (auth_details_obj != NULL) {
                        auth_details = heim_string_get_utf8(auth_details_obj);