From: Joseph Sutton Date: Mon, 21 Feb 2022 23:16:49 +0000 (+1300) Subject: s4:kdc: Add 'not authorised' auth events X-Git-Tag: tevent-0.12.0~607 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=0d37a1928100e229bea46701b41d4efa72e10266;p=thirdparty%2Fsamba.git s4:kdc: Add 'not authorised' auth events This is an adaptation to Heimdal: commit d683780b1d728bf8c5b794a1f66842e5a25bd360 Author: Luke Howard Date: Sat Jan 1 23:44:05 2022 +1100 kdc: separate PKINIT/GSS authorization failure Create a new audit event for PKINIT/GSS authorization (impersonation) failure NOTE: THIS COMMIT WON'T COMPILE/WORK ON ITS OWN! BUG: https://bugzilla.samba.org/show_bug.cgi?id=14995 Signed-off-by: Joseph Sutton Reviewed-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett
---
diff --git a/source4/kdc/hdb-samba4.c b/source4/kdc/hdb-samba4.c
index 2f9d51d3c04..1d273bf8da0 100644
--- a/source4/kdc/hdb-samba4.c
+++ b/source4/kdc/hdb-samba4.c
@@ -543,6 +543,7 @@ static krb5_error_code hdb_samba4_audit(krb5_context context,
 switch (hdb_auth_status) {
 case HDB_AUTH_EVENT_PKINIT_SUCCEEDED:
 case HDB_AUTH_EVENT_PKINIT_FAILED:
+ case HDB_AUTH_EVENT_PKINIT_NOT_AUTHORIZED:
 auth_details_obj = heim_audit_getkv((heim_svc_req_desc)r, HDB_REQUEST_KV_PKINIT_CLIENT_CERT);
 if (auth_details_obj != NULL) {
 auth_details = heim_string_get_utf8(auth_details_obj);
@@ -551,6 +552,7 @@ static krb5_error_code hdb_samba4_audit(krb5_context context,
 case HDB_AUTH_EVENT_GSS_PA_SUCCEEDED:
 case HDB_AUTH_EVENT_GSS_PA_FAILED:
+ case HDB_AUTH_EVENT_GSS_PA_NOT_AUTHORIZED:
 auth_details_obj = heim_audit_getkv((heim_svc_req_desc)r, HDB_REQUEST_KV_GSS_INITIATOR);
 if (auth_details_obj != NULL) {
 auth_details = heim_string_get_utf8(auth_details_obj);
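Review bot: The added `case HDB_AUTH_EVENT_PKINIT_NOT_AUTHORIZED:` label, and likewise `case HDB_AUTH_EVENT_GSS_PA_NOT_AUTHORIZED:` in the second hunk, carry no comment saying what `auth_details` means on an authorization failure, which matters to anyone reading the resulting audit record. Going by the commit message, these events cover a pre-authentication credential that was presented but refused for the requested client, so I would add above each label group something like `/* NOT_AUTHORIZED: credential was presented but is not permitted for the requested client; record it for the audit trail */`. The client-certificate and GSS-initiator values come from the peer, so whatever later emits `auth_details` should treat it as untrusted text; that code is not visible here. The switch and `hdb_samba4_audit` both continue outside these hunks, so it is worth confirming that the later status mapping distinguishes the new events from the `*_FAILED` ones rather than falling through to a default.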