From: Joseph Sutton Date: Tue, 15 Mar 2022 02:34:34 +0000 (+1300) Subject: s4-kdc: Handle previously unhandled auth event types X-Git-Tag: tevent-0.12.0~439 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=b01388da8a72c11c46bb27e773b354520bc6ac88;p=thirdparty%2Fsamba.git s4-kdc: Handle previously unhandled auth event types Cases to handle KDC_AUTH_EVENT_VALIDATED_LONG_TERM_KEY and KDC_AUTH_EVENT_PREAUTH_SUCCEEDED were removed in: commit 791be84c3eecb95e03611458e2305bae272ba267 Author: Stefan Metzmacher Date: Wed Mar 2 10:10:08 2022 +1300 s4:kdc: hdb_samba4_audit() is only called once per request Normally these auth event types are overwritten with the KDC_AUTH_EVENT_CLIENT_AUTHORIZED event type, but if a client passes the pre-authentication check, and happens to fail the client access check (e.g. because the account is disabled), we get error messages of the form: hdb_samba4_audit: Unhandled hdb_auth_status=9 => INTERNAL_ERROR To avoid such errors, use the error code provided in the request structure to obtain a relevant status code in cases not handled explicitly. For unexpected values we return KRB5KRB_ERR_GENERIC in order to hopefully prevent success. And within make test we panic in order let a ci run fail. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15015 Pair-Programmed-With: Stefan Metzmacher Signed-off-by: Joseph Sutton Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett --- diff --git a/source4/kdc/hdb-samba4.c b/source4/kdc/hdb-samba4.c index 5720dfadc1f..ceb3a292160 100644 --- a/source4/kdc/hdb-samba4.c +++ b/source4/kdc/hdb-samba4.c @@ -612,7 +612,40 @@ static krb5_error_code hdb_samba4_audit(krb5_context context, ui.auth_description = auth_description; if (hdb_auth_status == KDC_AUTH_EVENT_CLIENT_AUTHORIZED) { + /* This is the final sucess */ status = NT_STATUS_OK; + } else if (hdb_auth_status == KDC_AUTH_EVENT_VALIDATED_LONG_TERM_KEY) { + /* + * This was only a pre-authentication success, + * but we didn't reach the final + * KDC_AUTH_EVENT_CLIENT_AUTHORIZED, + * so consult the error code. + */ + if (r->error_code == 0) { + DBG_ERR("ERROR: VALIDATED_LONG_TERM_KEY " + "with error=0 => INTERNAL_ERROR\n"); + status = NT_STATUS_INTERNAL_ERROR; + final_ret = KRB5KRB_ERR_GENERIC; + r->error_code = final_ret; + } else { + status = krb5_to_nt_status(r->error_code); + } + } else if (hdb_auth_status == KDC_AUTH_EVENT_PREAUTH_SUCCEEDED) { + /* + * This was only a pre-authentication success, + * but we didn't reach the final + * KDC_AUTH_EVENT_CLIENT_AUTHORIZED, + * so consult the error code. + */ + if (r->error_code == 0) { + DBG_ERR("ERROR: PREAUTH_SUCCEEDED " + "with error=0 => INTERNAL_ERROR\n"); + status = NT_STATUS_INTERNAL_ERROR; + final_ret = KRB5KRB_ERR_GENERIC; + r->error_code = final_ret; + } else { + status = krb5_to_nt_status(r->error_code); + } } else if (hdb_auth_status == KDC_AUTH_EVENT_CLIENT_TIME_SKEW) { status = NT_STATUS_TIME_DIFFERENCE_AT_DC; } else if (hdb_auth_status == KDC_AUTH_EVENT_WRONG_LONG_TERM_KEY) { @@ -640,6 +673,8 @@ static krb5_error_code hdb_samba4_audit(krb5_context context, DBG_ERR("Unhandled hdb_auth_status=%d => INTERNAL_ERROR\n", hdb_auth_status); status = NT_STATUS_INTERNAL_ERROR; + final_ret = KRB5KRB_ERR_GENERIC; + r->error_code = final_ret; } if (rwdc_fallback) { @@ -664,6 +699,14 @@ static krb5_error_code hdb_samba4_audit(krb5_context context, domain_name, account_name, sid); + if (final_ret == KRB5KRB_ERR_GENERIC && socket_wrapper_enabled()) { + /* + * If we're running under make test + * just panic + */ + DBG_ERR("Unexpected situation => PANIC\n"); + smb_panic("hdb_samba4_audit: Unexpected situation"); + } TALLOC_FREE(frame); break; }