s4-kdc: Adapt to move from HDB auditing to KDC auditing constants
authorAndrew Bartlett <abartlet@samba.org>
Tue, 1 Mar 2022 21:00:17 +0000 (10:00 +1300)
committerJoseph Sutton <jsutton@samba.org>
Tue, 1 Mar 2022 22:34:35 +0000 (22:34 +0000)
This is to adapt to:

    commit 6530021f09a5cab631be19a1b5898a0ba6b32f16
    Author: Luke Howard <lukeh@padl.com>
    Date:   Thu Jan 13 14:37:29 2022 +1100

        kdc: move auth event definitions into KDC header

        Move KDC auth event macro definitions out of hdb.h and into a new KDC header,
        kdc-audit.h.

NOTE: THIS COMMIT WON'T COMPILE/WORK ON ITS OWN!

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14995

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
source4/kdc/hdb-samba4.c
source4/kdc/wscript_build

index 90cd3a78de8ffaa7a796f5499f0fd906713b8f75..c2f55329cec68d4cb9b266bf98e842e7e969c82b 100644 (file)
@@ -46,6 +46,7 @@
 #include "librpc/gen_ndr/ndr_winbind_c.h"
 #include "lib/messaging/irpc.h"
 #include "hdb.h"
+#include <kdc-audit.h>
 
 static krb5_error_code hdb_samba4_open(krb5_context context, HDB *db, int flags, mode_t mode)
 {
@@ -545,7 +546,7 @@ static krb5_error_code hdb_samba4_audit(krb5_context context,
 
        size_t sa_socklen = 0;
 
-       hdb_auth_status_obj = heim_audit_getkv((heim_svc_req_desc)r, HDB_REQUEST_KV_AUTH_EVENT);
+       hdb_auth_status_obj = heim_audit_getkv((heim_svc_req_desc)r, KDC_REQUEST_KV_AUTH_EVENT);
        if (hdb_auth_status_obj == NULL) {
                /* No status code found, so just return. */
                return 0;
@@ -558,15 +559,15 @@ static krb5_error_code hdb_samba4_audit(krb5_context context,
                pa_type = heim_string_get_utf8(pa_type_obj);
        }
 
-       auth_details_obj = heim_audit_getkv((heim_svc_req_desc)r, HDB_REQUEST_KV_PKINIT_CLIENT_CERT);
+       auth_details_obj = heim_audit_getkv((heim_svc_req_desc)r, KDC_REQUEST_KV_PKINIT_CLIENT_CERT);
        if (auth_details_obj != NULL) {
                auth_details = heim_string_get_utf8(auth_details_obj);
        } else {
-               auth_details_obj = heim_audit_getkv((heim_svc_req_desc)r, HDB_REQUEST_KV_GSS_INITIATOR);
+               auth_details_obj = heim_audit_getkv((heim_svc_req_desc)r, KDC_REQUEST_KV_GSS_INITIATOR);
                if (auth_details_obj != NULL) {
                        auth_details = heim_string_get_utf8(auth_details_obj);
                } else {
-                       heim_object_t etype_obj = heim_audit_getkv((heim_svc_req_desc)r, HDB_REQUEST_KV_PA_ETYPE);
+                       heim_object_t etype_obj = heim_audit_getkv((heim_svc_req_desc)r, KDC_REQUEST_KV_PA_ETYPE);
                        if (etype_obj != NULL) {
                                int etype = heim_number_get_int(etype_obj);
 
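Review bot: The objects returned by `heim_audit_getkv()` are passed to `heim_string_get_utf8()` and `heim_number_get_int()` after only a NULL check, so this code trusts that every KDC_REQUEST_KV_* key holds the expected object type. Now that the keys are defined by the KDC header instead of alongside this plugin, a type check would stop the audit path misreading a value if the KDC ever stores a different object under one of them. For the etype lookup that would be `if (etype_obj != NULL && heim_get_tid(etype_obj) == HEIM_TID_NUMBER) {`, with the `HEIM_TID_STRING` equivalent on the two string lookups. hdb_samba4_audit starts before this hunk and continues after it.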
@@ -610,7 +611,7 @@ static krb5_error_code hdb_samba4_audit(krb5_context context,
        }
 
        switch (hdb_auth_status) {
-       case HDB_AUTH_EVENT_CLIENT_AUTHORIZED:
+       case KDC_AUTH_EVENT_CLIENT_AUTHORIZED:
        {
                TALLOC_CTX *frame = talloc_stackframe();
                struct samba_kdc_entry *p = talloc_get_type(entry->context,
@@ -630,11 +631,11 @@ static krb5_error_code hdb_samba4_audit(krb5_context context,
                talloc_free(frame);
                break;
        }
-       case HDB_AUTH_EVENT_CLIENT_LOCKED_OUT:
-       case HDB_AUTH_EVENT_VALIDATED_LONG_TERM_KEY:
-       case HDB_AUTH_EVENT_WRONG_LONG_TERM_KEY:
-       case HDB_AUTH_EVENT_PREAUTH_SUCCEEDED:
-       case HDB_AUTH_EVENT_PREAUTH_FAILED:
+       case KDC_AUTH_EVENT_CLIENT_LOCKED_OUT:
+       case KDC_AUTH_EVENT_VALIDATED_LONG_TERM_KEY:
+       case KDC_AUTH_EVENT_WRONG_LONG_TERM_KEY:
+       case KDC_AUTH_EVENT_PREAUTH_SUCCEEDED:
+       case KDC_AUTH_EVENT_PREAUTH_FAILED:
        {
                TALLOC_CTX *frame = talloc_stackframe();
                struct samba_kdc_entry *p = talloc_get_type(entry->context,
@@ -673,7 +674,7 @@ static krb5_error_code hdb_samba4_audit(krb5_context context,
                }
                ui.auth_description = auth_description;
 
-               if (hdb_auth_status == HDB_AUTH_EVENT_WRONG_LONG_TERM_KEY) {
+               if (hdb_auth_status == KDC_AUTH_EVENT_WRONG_LONG_TERM_KEY) {
                        authsam_update_bad_pwd_count(kdc_db_ctx->samdb, p->msg, domain_dn);
                        status = NT_STATUS_WRONG_PASSWORD;
                        /*
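Review bot: The result of `authsam_update_bad_pwd_count(kdc_db_ctx->samdb, p->msg, domain_dn)` in the KDC_AUTH_EVENT_WRONG_LONG_TERM_KEY branch is discarded, so a failed update of the bad-password counter passes silently while the event is still reported as NT_STATUS_WRONG_PASSWORD. Assuming the function returns an NTSTATUS (its prototype is not on this page), capture it and log the failure, for example `NTSTATUS st = authsam_update_bad_pwd_count(kdc_db_ctx->samdb, p->msg, domain_dn);` followed by `if (!NT_STATUS_IS_OK(st)) { DBG_WARNING("bad password count update failed: %s\n", nt_errstr(st)); }`. That lets lockout accounting that falls behind the real failures show up in the logs. The branch and the enclosing switch case continue past the end of this hunk.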
@@ -684,13 +685,13 @@ static krb5_error_code hdb_samba4_audit(krb5_context context,
                        if (kdc_db_ctx->rodc) {
                                send_bad_password_netlogon(frame, kdc_db_ctx, &ui);
                        }
-               } else if (hdb_auth_status == HDB_AUTH_EVENT_CLIENT_LOCKED_OUT) {
+               } else if (hdb_auth_status == KDC_AUTH_EVENT_CLIENT_LOCKED_OUT) {
                        status = NT_STATUS_ACCOUNT_LOCKED_OUT;
-               } else if (hdb_auth_status == HDB_AUTH_EVENT_VALIDATED_LONG_TERM_KEY) {
+               } else if (hdb_auth_status == KDC_AUTH_EVENT_VALIDATED_LONG_TERM_KEY) {
                        status = NT_STATUS_OK;
-               } else if (hdb_auth_status == HDB_AUTH_EVENT_PREAUTH_SUCCEEDED) {
+               } else if (hdb_auth_status == KDC_AUTH_EVENT_PREAUTH_SUCCEEDED) {
                        status = NT_STATUS_OK;
-               } else if (hdb_auth_status == HDB_AUTH_EVENT_PREAUTH_FAILED) {
+               } else if (hdb_auth_status == KDC_AUTH_EVENT_PREAUTH_FAILED) {
                        if (pa_type != NULL && strncmp(pa_type, "PK-INIT", strlen("PK-INIT")) == 0) {
                                status = NT_STATUS_PKINIT_FAILURE;
                        } else {
@@ -711,7 +712,7 @@ static krb5_error_code hdb_samba4_audit(krb5_context context,
                TALLOC_FREE(frame);
                break;
        }
-       case HDB_AUTH_EVENT_CLIENT_UNKNOWN:
+       case KDC_AUTH_EVENT_CLIENT_UNKNOWN:
        {
                struct tsocket_address *remote_host;
                int ret;
index 95cd88bdfb6e6ea9cc83d8e76dcce1126358962e..26a68e9c37c400041b0d08930ecc18715d66c623 100644 (file)
@@ -48,7 +48,7 @@ if bld.CONFIG_GET('SAMBA_USES_MITKDC'):
 
 bld.SAMBA_LIBRARY('HDB_SAMBA4',
                   source='hdb-samba4.c hdb-samba4-plugin.c',
-                  deps='ldb auth4_sam common_auth samba-credentials hdb db-glue samba-hostconfig com_err sdb_hdb RPC_NDR_WINBIND',
+                  deps='ldb auth4_sam common_auth samba-credentials hdb kdc db-glue samba-hostconfig com_err sdb_hdb RPC_NDR_WINBIND',
                   includes=kdc_include,
                   private_library=True,
                   enabled=bld.CONFIG_SET('SAMBA4_USES_HEIMDAL')