s4:kdc: hdb_samba4_audit() is only called once per request
authorStefan Metzmacher <metze@samba.org>
Tue, 1 Mar 2022 21:10:08 +0000 (10:10 +1300)
committerJoseph Sutton <jsutton@samba.org>
Tue, 1 Mar 2022 23:28:22 +0000 (23:28 +0000)
So we need to restructure the logic a bit.

NOTE: This commit finally works again!

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14995

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Joseph Sutton <jsutton@samba.org>
Autobuild-Date(master): Tue Mar  1 23:28:22 UTC 2022 on sn-devel-184

source4/kdc/hdb-samba4.c

index c2f55329cec68d4cb9b266bf98e842e7e969c82b..6e87345e2c312b029d2906f51bd835eaeb4db546 100644 (file)
@@ -629,13 +629,9 @@ static krb5_error_code hdb_samba4_audit(krb5_context context,
                        reset_bad_password_netlogon(frame, kdc_db_ctx, send_to_sam);
                }
                talloc_free(frame);
-               break;
        }
-       case KDC_AUTH_EVENT_CLIENT_LOCKED_OUT:
-       case KDC_AUTH_EVENT_VALIDATED_LONG_TERM_KEY:
-       case KDC_AUTH_EVENT_WRONG_LONG_TERM_KEY:
-       case KDC_AUTH_EVENT_PREAUTH_SUCCEEDED:
-       case KDC_AUTH_EVENT_PREAUTH_FAILED:
+       FALL_THROUGH;
+       default:
        {
                TALLOC_CTX *frame = talloc_stackframe();
                struct samba_kdc_entry *p = talloc_get_type(entry->context,
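Review bot: The `FALL_THROUGH;` placed after the closing brace of the preceding case silently changes that case from leaving the switch (the removed `break;`) to also running the audit block under `default:`, and nothing in the code records why; a comment on the `FALL_THROUGH;` line such as `/* every event, including the one above, must reach the audit block: this function runs once per request */` would carry the commit message's reasoning into the source. Replacing the five explicit case labels with `default:` also means the compiler no longer reports an unhandled enum value for this switch, so the `DBG_ERR` added in the final `else` of the status ladder later in the commit becomes the only signal when a new event value appears; worth naming in the same comment. The enclosing function starts above the hunk and its case label for the block ending here is not visible.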
@@ -674,7 +670,11 @@ static krb5_error_code hdb_samba4_audit(krb5_context context,
                }
                ui.auth_description = auth_description;
 
-               if (hdb_auth_status == KDC_AUTH_EVENT_WRONG_LONG_TERM_KEY) {
+               if (hdb_auth_status == KDC_AUTH_EVENT_CLIENT_AUTHORIZED) {
+                       status = NT_STATUS_OK;
+               } else if (hdb_auth_status == KDC_AUTH_EVENT_CLIENT_TIME_SKEW) {
+                       status = NT_STATUS_TIME_DIFFERENCE_AT_DC;
+               } else if (hdb_auth_status == KDC_AUTH_EVENT_WRONG_LONG_TERM_KEY) {
                        authsam_update_bad_pwd_count(kdc_db_ctx->samdb, p->msg, domain_dn);
                        status = NT_STATUS_WRONG_PASSWORD;
                        /*
@@ -687,10 +687,12 @@ static krb5_error_code hdb_samba4_audit(krb5_context context,
                        }
                } else if (hdb_auth_status == KDC_AUTH_EVENT_CLIENT_LOCKED_OUT) {
                        status = NT_STATUS_ACCOUNT_LOCKED_OUT;
-               } else if (hdb_auth_status == KDC_AUTH_EVENT_VALIDATED_LONG_TERM_KEY) {
-                       status = NT_STATUS_OK;
-               } else if (hdb_auth_status == KDC_AUTH_EVENT_PREAUTH_SUCCEEDED) {
-                       status = NT_STATUS_OK;
+               } else if (hdb_auth_status == KDC_AUTH_EVENT_CLIENT_NAME_UNAUTHORIZED) {
+                       if (pa_type != NULL && strncmp(pa_type, "PK-INIT", strlen("PK-INIT")) == 0) {
+                               status = NT_STATUS_PKINIT_NAME_MISMATCH;
+                       } else {
+                               status = NT_STATUS_ACCOUNT_RESTRICTION;
+                       }
                } else if (hdb_auth_status == KDC_AUTH_EVENT_PREAUTH_FAILED) {
                        if (pa_type != NULL && strncmp(pa_type, "PK-INIT", strlen("PK-INIT")) == 0) {
                                status = NT_STATUS_PKINIT_FAILURE;
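Review bot: The PK-INIT prefix test on `pa_type` is now written twice, once in the new `KDC_AUTH_EVENT_CLIENT_NAME_UNAUTHORIZED` branch and again in the `KDC_AUTH_EVENT_PREAUTH_FAILED` branch directly below it, so the two mappings can drift apart if one is edited. Hoisting it once ahead of the ladder, `bool is_pkinit = pa_type != NULL && strncmp(pa_type, "PK-INIT", strlen("PK-INIT")) == 0;`, and testing `if (is_pkinit)` in both branches keeps a single definition of what counts as a PKINIT exchange. The ladder this belongs to begins in the preceding hunk, so the declaration would sit just before its first `if`.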
@@ -698,6 +700,8 @@ static krb5_error_code hdb_samba4_audit(krb5_context context,
                                status = NT_STATUS_GENERIC_COMMAND_FAILED;
                        }
                } else {
+                       DBG_ERR("Unhandled hdb_auth_status=%d => INTERNAL_ERROR\n",
+                               hdb_auth_status);
                        status = NT_STATUS_INTERNAL_ERROR;
                }