s4:kdc: Adapt to removal of auth audit event types

This is an adaptation to Heimdal:

commit 06f8985c55fcd23e3efe0017ed2480c5b3c4524f
Author: Luke Howard <lukeh@padl.com>
Date:   Wed Jan 5 09:42:03 2022 +1100

    hdb: consolidate preauth audit event types

    Instead of having distinct preauth success/failure events for different
    mechanisms, have a single event; the mechanism can be disambiguated by querying
    the HDB_REQUEST_KV_PA_NAME key.

    Note: there is still an explicit event for long-term key-based success/failure
    in order to help the backend implement lockout.

    Audit failure (HDB_AUTH_EVENT_PREAUTH_FAILED) in the main preauth loop, rather
    than in each mechanism. Success is still audited in the mechanism to allow
    client pre-authentication success to be noted even if something subsequent
    (e.g. encoding a reply, memory allocation) fails. The generic catch-all for
    success remains.

NOTE: THIS COMMIT WON'T COMPILE/WORK ON ITS OWN!

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14995

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

diff --git a/source4/kdc/hdb-samba4.c b/source4/kdc/hdb-samba4.c
index 1d273bf8da08144cf7b8daa186138818777275b8..94809b9c91499d757242ba52ddb7bbbda9d384f7 100644 (file)
--- a/source4/kdc/hdb-samba4.c
+++ b/source4/kdc/hdb-samba4.c
@@ -540,40 +540,27 @@ static krb5_error_code hdb_samba4_audit(krb5_context context,
                pa_type = heim_string_get_utf8(pa_type_obj);
        }
 
-       switch (hdb_auth_status) {
-       case HDB_AUTH_EVENT_PKINIT_SUCCEEDED:
-       case HDB_AUTH_EVENT_PKINIT_FAILED:
-       case HDB_AUTH_EVENT_PKINIT_NOT_AUTHORIZED:
-               auth_details_obj = heim_audit_getkv((heim_svc_req_desc)r, HDB_REQUEST_KV_PKINIT_CLIENT_CERT);
-               if (auth_details_obj != NULL) {
-                       auth_details = heim_string_get_utf8(auth_details_obj);
-               }
-               break;
-
-       case HDB_AUTH_EVENT_GSS_PA_SUCCEEDED:
-       case HDB_AUTH_EVENT_GSS_PA_FAILED:
-       case HDB_AUTH_EVENT_GSS_PA_NOT_AUTHORIZED:
+       auth_details_obj = heim_audit_getkv((heim_svc_req_desc)r, HDB_REQUEST_KV_PKINIT_CLIENT_CERT);
+       if (auth_details_obj != NULL) {
+               auth_details = heim_string_get_utf8(auth_details_obj);
+       } else {
                auth_details_obj = heim_audit_getkv((heim_svc_req_desc)r, HDB_REQUEST_KV_GSS_INITIATOR);
                if (auth_details_obj != NULL) {
                        auth_details = heim_string_get_utf8(auth_details_obj);
-               }
-               break;
-
-       default:
-       {
-               heim_object_t etype_obj = heim_audit_getkv((heim_svc_req_desc)r, HDB_REQUEST_KV_PA_ETYPE);
-               if (etype_obj != NULL) {
-                       int etype = heim_number_get_int(etype_obj);
-
-                       krb5_error_code ret = krb5_enctype_to_string(r->context, etype, &etype_str);
-                       if (ret == 0) {
-                               auth_details = etype_str;
-                       } else {
-                               auth_details = "unknown enctype";
+               } else {
+                       heim_object_t etype_obj = heim_audit_getkv((heim_svc_req_desc)r, HDB_REQUEST_KV_PA_ETYPE);
+                       if (etype_obj != NULL) {
+                               int etype = heim_number_get_int(etype_obj);
+
+                               krb5_error_code ret = krb5_enctype_to_string(r->context, etype, &etype_str);
+                               if (ret == 0) {
+                                       auth_details = etype_str;
+                               } else {
+                                       auth_details = "unknown enctype";
+                               }
                        }
                }
        }
-       }
 
        /*
         * Forcing this via the NTLM auth structure is not ideal, but
@@ -626,12 +613,10 @@ static krb5_error_code hdb_samba4_audit(krb5_context context,
                break;
        }
        case HDB_AUTH_EVENT_CLIENT_LOCKED_OUT:
-       case HDB_AUTH_EVENT_LTK_PREAUTH_SUCCEEDED:
-       case HDB_AUTH_EVENT_LTK_PREAUTH_FAILED:
-       case HDB_AUTH_EVENT_OTHER_PREAUTH_SUCCEEDED:
-       case HDB_AUTH_EVENT_OTHER_PREAUTH_FAILED:
-       case HDB_AUTH_EVENT_PKINIT_SUCCEEDED:
-       case HDB_AUTH_EVENT_PKINIT_FAILED:
+       case HDB_AUTH_EVENT_VALIDATED_LONG_TERM_KEY:
+       case HDB_AUTH_EVENT_WRONG_LONG_TERM_KEY:
+       case HDB_AUTH_EVENT_PREAUTH_SUCCEEDED:
+       case HDB_AUTH_EVENT_PREAUTH_FAILED:
        {
                TALLOC_CTX *frame = talloc_stackframe();
                struct samba_kdc_entry *p = talloc_get_type(entry->ctx,
@@ -670,7 +655,7 @@ static krb5_error_code hdb_samba4_audit(krb5_context context,
                }
                ui.auth_description = auth_description;
 
-               if (hdb_auth_status == HDB_AUTH_EVENT_LTK_PREAUTH_FAILED) {
+               if (hdb_auth_status == HDB_AUTH_EVENT_WRONG_LONG_TERM_KEY) {
                        authsam_update_bad_pwd_count(kdc_db_ctx->samdb, p->msg, domain_dn);
                        status = NT_STATUS_WRONG_PASSWORD;
                        /*
@@ -683,16 +668,16 @@ static krb5_error_code hdb_samba4_audit(krb5_context context,
                        }
                } else if (hdb_auth_status == HDB_AUTH_EVENT_CLIENT_LOCKED_OUT) {
                        status = NT_STATUS_ACCOUNT_LOCKED_OUT;
-               } else if (hdb_auth_status == HDB_AUTH_EVENT_LTK_PREAUTH_SUCCEEDED) {
-                       status = NT_STATUS_OK;
-               } else if (hdb_auth_status == HDB_AUTH_EVENT_OTHER_PREAUTH_SUCCEEDED) {
+               } else if (hdb_auth_status == HDB_AUTH_EVENT_VALIDATED_LONG_TERM_KEY) {
                        status = NT_STATUS_OK;
-               } else if (hdb_auth_status == HDB_AUTH_EVENT_OTHER_PREAUTH_FAILED) {
-                       status = NT_STATUS_GENERIC_COMMAND_FAILED;
-               } else if (hdb_auth_status == HDB_AUTH_EVENT_PKINIT_SUCCEEDED) {
+               } else if (hdb_auth_status == HDB_AUTH_EVENT_PREAUTH_SUCCEEDED) {
                        status = NT_STATUS_OK;
-               } else if (hdb_auth_status == HDB_AUTH_EVENT_PKINIT_FAILED) {
-                       status = NT_STATUS_PKINIT_FAILURE;
+               } else if (hdb_auth_status == HDB_AUTH_EVENT_PREAUTH_FAILED) {
+                       if (pa_type != NULL && strncmp(pa_type, "PK-INIT", strlen("PK-INIT")) == 0) {
+                               status = NT_STATUS_PKINIT_FAILURE;
+                       } else {
+                               status = NT_STATUS_GENERIC_COMMAND_FAILED;
+                       }
                } else {
                        status = NT_STATUS_INTERNAL_ERROR;
                }