From: Stefan Metzmacher <metze@samba.org>
Date: Tue, 1 Mar 2022 21:10:08 +0000 (+1300)
Subject: s4:kdc: hdb_samba4_audit() is only called once per request
X-Git-Tag: tevent-0.12.0~596
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=791be84c3eecb95e03611458e2305bae272ba267;p=thirdparty%2Fsamba.git

s4:kdc: hdb_samba4_audit() is only called once per request

So we need to restructure the logic a bit.

NOTE: This commit finally works again!

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14995

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Joseph Sutton <jsutton@samba.org>
Autobuild-Date(master): Tue Mar  1 23:28:22 UTC 2022 on sn-devel-184
---

diff --git a/source4/kdc/hdb-samba4.c b/source4/kdc/hdb-samba4.c
index c2f55329cec..6e87345e2c3 100644
--- a/source4/kdc/hdb-samba4.c
+++ b/source4/kdc/hdb-samba4.c
@@ -629,13 +629,9 @@ static krb5_error_code hdb_samba4_audit(krb5_context context,
 			reset_bad_password_netlogon(frame, kdc_db_ctx, send_to_sam);
 		}
 		talloc_free(frame);
-		break;
 	}
-	case KDC_AUTH_EVENT_CLIENT_LOCKED_OUT:
-	case KDC_AUTH_EVENT_VALIDATED_LONG_TERM_KEY:
-	case KDC_AUTH_EVENT_WRONG_LONG_TERM_KEY:
-	case KDC_AUTH_EVENT_PREAUTH_SUCCEEDED:
-	case KDC_AUTH_EVENT_PREAUTH_FAILED:
+	FALL_THROUGH;
+	default:
 	{
 		TALLOC_CTX *frame = talloc_stackframe();
 		struct samba_kdc_entry *p = talloc_get_type(entry->context,
@@ -674,7 +670,11 @@ static krb5_error_code hdb_samba4_audit(krb5_context context,
 		}
 		ui.auth_description = auth_description;
 
-		if (hdb_auth_status == KDC_AUTH_EVENT_WRONG_LONG_TERM_KEY) {
+		if (hdb_auth_status == KDC_AUTH_EVENT_CLIENT_AUTHORIZED) {
+			status = NT_STATUS_OK;
+		} else if (hdb_auth_status == KDC_AUTH_EVENT_CLIENT_TIME_SKEW) {
+			status = NT_STATUS_TIME_DIFFERENCE_AT_DC;
+		} else if (hdb_auth_status == KDC_AUTH_EVENT_WRONG_LONG_TERM_KEY) {
 			authsam_update_bad_pwd_count(kdc_db_ctx->samdb, p->msg, domain_dn);
 			status = NT_STATUS_WRONG_PASSWORD;
 			/*
@@ -687,10 +687,12 @@ static krb5_error_code hdb_samba4_audit(krb5_context context,
 			}
 		} else if (hdb_auth_status == KDC_AUTH_EVENT_CLIENT_LOCKED_OUT) {
 			status = NT_STATUS_ACCOUNT_LOCKED_OUT;
-		} else if (hdb_auth_status == KDC_AUTH_EVENT_VALIDATED_LONG_TERM_KEY) {
-			status = NT_STATUS_OK;
-		} else if (hdb_auth_status == KDC_AUTH_EVENT_PREAUTH_SUCCEEDED) {
-			status = NT_STATUS_OK;
+		} else if (hdb_auth_status == KDC_AUTH_EVENT_CLIENT_NAME_UNAUTHORIZED) {
+			if (pa_type != NULL && strncmp(pa_type, "PK-INIT", strlen("PK-INIT")) == 0) {
+				status = NT_STATUS_PKINIT_NAME_MISMATCH;
+			} else {
+				status = NT_STATUS_ACCOUNT_RESTRICTION;
+			}
 		} else if (hdb_auth_status == KDC_AUTH_EVENT_PREAUTH_FAILED) {
 			if (pa_type != NULL && strncmp(pa_type, "PK-INIT", strlen("PK-INIT")) == 0) {
 				status = NT_STATUS_PKINIT_FAILURE;
@@ -698,6 +700,8 @@ static krb5_error_code hdb_samba4_audit(krb5_context context,
 				status = NT_STATUS_GENERIC_COMMAND_FAILED;
 			}
 		} else {
+			DBG_ERR("Unhandled hdb_auth_status=%d => INTERNAL_ERROR\n",
+				hdb_auth_status);
 			status = NT_STATUS_INTERNAL_ERROR;
 		}