gensec:spnego: Add debug message for the failed principal
authorStefan Metzmacher <metze@samba.org>
Fri, 20 Jan 2017 16:15:49 +0000 (17:15 +0100)
committerAndreas Schneider <asn@cryptomilk.org>
Thu, 2 Mar 2017 07:39:23 +0000 (08:39 +0100)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12557

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
auth/gensec/spnego.c

index 47878922f9683177cc100fd4453ede139c8d6137..f063f7b358be5ba26d1772507de7a1cb0a28c92d 100644 (file)
@@ -511,10 +511,34 @@ static NTSTATUS gensec_spnego_parse_negTokenInit(struct gensec_security *gensec_
                                    NT_STATUS_EQUAL(nt_status, NT_STATUS_NO_LOGON_SERVERS) ||
                                    NT_STATUS_EQUAL(nt_status, NT_STATUS_TIME_DIFFERENCE_AT_DC) ||
                                    NT_STATUS_EQUAL(nt_status, NT_STATUS_CANT_ACCESS_DOMAIN_INFO)) {
-                                       /* Pretend we never started it (lets the first run find some incompatible demand) */
+                                       const char *next = NULL;
+                                       const char *principal = NULL;
+                                       int dbg_level = DBGLVL_WARNING;
+
+                                       if (all_sec[i+1].op != NULL) {
+                                               next = all_sec[i+1].op->name;
+                                               dbg_level = DBGLVL_NOTICE;
+                                       }
+
+                                       if (gensec_security->target.principal != NULL) {
+                                               principal = gensec_security->target.principal;
+                                       } else if (gensec_security->target.service != NULL &&
+                                                  gensec_security->target.hostname != NULL)
+                                       {
+                                               principal = talloc_asprintf(spnego_state->sub_sec_security,
+                                                                           "%s/%s",
+                                                                           gensec_security->target.service,
+                                                                           gensec_security->target.hostname);
+                                       } else {
+                                               principal = gensec_security->target.hostname;
+                                       }
+
+                                       DEBUG(dbg_level, ("SPNEGO(%s) creating NEG_TOKEN_INIT for %s failed (next[%s]): %s\n",
+                                                         spnego_state->sub_sec_security->ops->name,
+                                                         principal,
+                                                         next, nt_errstr(nt_status)));
 
-                                       DEBUG(3, ("SPNEGO(%s) NEG_TOKEN_INIT failed: %s\n",
-                                                 spnego_state->sub_sec_security->ops->name, nt_errstr(nt_status)));
+                                       /* Pretend we never started it (lets the first run find some incompatible demand) */
                                        talloc_free(spnego_state->sub_sec_security);
                                        spnego_state->sub_sec_security = NULL;
                                        continue;
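Review bot: `principal` and `next` can both be NULL when they reach the `%s` conversions in the new DEBUG call. The final `else` assigns `target.hostname` without a check, `talloc_asprintf()` can fail, and `next` stays NULL whenever `all_sec[i+1].op` is NULL, which is exactly the `DBGLVL_WARNING` case. Passing NULL for `%s` is undefined in standard C and at best prints `(null)`, so the arguments should carry fallbacks, e.g. `principal != NULL ? principal : "<unknown>"` and `next != NULL ? next : "none"`. The same block is repeated in the gensec_spnego_create_negTokenInit hunk and needs the same change; the enclosing function starts and ends outside this hunk.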
@@ -619,8 +643,32 @@ static NTSTATUS gensec_spnego_create_negTokenInit(struct gensec_security *gensec
 
                        if (!NT_STATUS_EQUAL(nt_status, NT_STATUS_MORE_PROCESSING_REQUIRED) 
                            && !NT_STATUS_IS_OK(nt_status)) {
-                               DEBUG(1, ("SPNEGO(%s) creating NEG_TOKEN_INIT failed: %s\n", 
-                                         spnego_state->sub_sec_security->ops->name, nt_errstr(nt_status)));
+                               const char *next = NULL;
+                               const char *principal = NULL;
+                               int dbg_level = DBGLVL_WARNING;
+
+                               if (all_sec[i+1].op != NULL) {
+                                       next = all_sec[i+1].op->name;
+                                       dbg_level = DBGLVL_NOTICE;
+                               }
+
+                               if (gensec_security->target.principal != NULL) {
+                                       principal = gensec_security->target.principal;
+                               } else if (gensec_security->target.service != NULL &&
+                                          gensec_security->target.hostname != NULL)
+                               {
+                                       principal = talloc_asprintf(spnego_state->sub_sec_security,
+                                                                   "%s/%s",
+                                                                   gensec_security->target.service,
+                                                                   gensec_security->target.hostname);
+                               } else {
+                                       principal = gensec_security->target.hostname;
+                               }
+
+                               DEBUG(dbg_level, ("SPNEGO(%s) creating NEG_TOKEN_INIT for %s failed (next[%s]): %s\n",
+                                         spnego_state->sub_sec_security->ops->name,
+                                         principal,
+                                         next, nt_errstr(nt_status)));
                                talloc_free(spnego_state->sub_sec_security);
                                spnego_state->sub_sec_security = NULL;
                                /* Pretend we never started it (lets the first run find some incompatible demand) */
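Review bot: The severity choice in this block deserves a comment, because when a further mechanism is available the failure drops from the former `DEBUG(1, ...)` to `DBGLVL_NOTICE`. A failed mechanism followed by a fallback to the next one is the event an administrator watching for authentication downgrades wants to see, and it will presumably no longer appear at a low `log level` setting. I would add above the `if (all_sec[i+1].op != NULL)` test something like `/* another mechanism will be tried, so this is only a notice; the last failure is a warning */`. The read of `all_sec[i+1]` also relies on the array ending with an entry whose `op` is NULL, which cannot be confirmed here because the loop lies outside the hunk.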