auth: let auth logging prefer user_info->orig_client.{account,domain}_name if available
authorStefan Metzmacher <metze@samba.org>
Thu, 3 Mar 2022 10:10:00 +0000 (11:10 +0100)
committerJule Anger <janger@samba.org>
Wed, 16 Mar 2022 14:27:12 +0000 (14:27 +0000)
The optional user_info->orig_client.{account,domain}_name are
the ones really used by the client and should be used in
audit logging. But we still fall back to
user_info->client.{account,domain}_name.

This will be important for the next commit.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13879

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 24b580cae23860a0fe6c9d3a285d60564057043d)

auth/auth_log.c
auth/common_auth.h

index 60bc63345918bd295a0b56768678b83947aa387a..dc1cea12390c9f9dc74dab8ce5a509263104ceb1 100644 (file)
@@ -152,6 +152,12 @@ static void log_authentication_event_json(
        char negotiate_flags[11];
        char logon_id[19];
        int rc = 0;
+       const char *clientDomain = ui->orig_client.domain_name ?
+                                  ui->orig_client.domain_name :
+                                  ui->client.domain_name;
+       const char *clientAccount = ui->orig_client.account_name ?
+                                   ui->orig_client.account_name :
+                                   ui->client.account_name;
 
        authentication = json_new_object();
        if (json_is_invalid(&authentication)) {
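Review bot: The fallback at the new `clientDomain`/`clientAccount` declarations is decided per field, so a caller that fills only one of `orig_client.domain_name` and `orig_client.account_name` would produce an audit record pairing an original name with a `client` one, a combination the client never sent. Whether any caller does that is not visible here; if the two are always set together, state it next to the declarations, e.g. `/* orig_client.* are set as a pair; when unset, client.* is what the client sent */`. The same six lines are repeated in log_authentication_event_human_readable (hunk at -594), so a small static helper shared by both would keep the JSON and human-readable records from drifting apart. Both function bodies continue outside the hunks.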
@@ -203,12 +209,12 @@ static void log_authentication_event_json(
                goto failure;
        }
        rc = json_add_string(
-           &authentication, "clientDomain", ui->client.domain_name);
+           &authentication, "clientDomain", clientDomain);
        if (rc != 0) {
                goto failure;
        }
        rc = json_add_string(
-           &authentication, "clientAccount", ui->client.account_name);
+           &authentication, "clientAccount", clientAccount);
        if (rc != 0) {
                goto failure;
        }
@@ -594,6 +600,12 @@ static void log_authentication_event_human_readable(
        char *trust_account_name = NULL;
        char *logon_line = NULL;
        const char *password_type = NULL;
+       const char *clientDomain = ui->orig_client.domain_name ?
+                                  ui->orig_client.domain_name :
+                                  ui->client.domain_name;
+       const char *clientAccount = ui->orig_client.account_name ?
+                                   ui->orig_client.account_name :
+                                   ui->client.account_name;
 
        frame = talloc_stackframe();
 
@@ -640,8 +652,8 @@ static void log_authentication_event_human_readable(
                " %s\n",
                ui->service_description,
                ui->auth_description,
-               log_escape(frame, ui->client.domain_name),
-               log_escape(frame, ui->client.account_name),
+               log_escape(frame, clientDomain),
+               log_escape(frame, clientAccount),
                ts,
                password_type,
                nt_errstr(status),
index 9d51ea69719b3346f1266cd90137595d2f623e07..d922b66ab4dce3dc0b1820193e30e7474b530657 100644 (file)
@@ -56,7 +56,7 @@ struct auth_usersupplied_info
        struct {
                const char *account_name;
                const char *domain_name;
-       } client, mapped;
+       } client, mapped, orig_client;
 
        enum auth_password_state password_state;