From fa1846cb67b8d7373fd19af3722abd3ebf806696 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Thu, 23 Feb 2017 11:54:21 +0100 Subject: [PATCH] s3:libads: add more debugging to ads_sasl_spnego_bind() Any fallbacks to other authentication methods should be logged. BUG: https://bugzilla.samba.org/show_bug.cgi?id=12598 Signed-off-by: Stefan Metzmacher (similar to commit ea0bc12ba52166032d5112ee22ab53d831c13e86) --- source3/libads/sasl.c | 25 ++++++++++++++++++++++++- 1 file changed, 24 insertions(+), 1 deletion(-) diff --git a/source3/libads/sasl.c b/source3/libads/sasl.c index 39c60c3e14d..c2564cbc886 100644 --- a/source3/libads/sasl.c +++ b/source3/libads/sasl.c @@ -703,6 +703,7 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads) #ifdef HAVE_KRB5 bool got_kerberos_mechanism = False; #endif + const char *mech = NULL; rc = ldap_sasl_bind_s(ads->ldap.ld, NULL, "GSS-SPNEGO", NULL, NULL, NULL, &scred); @@ -749,6 +750,8 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads) if (!(ads->auth.flags & ADS_AUTH_DISABLE_KERBEROS) && got_kerberos_mechanism) { + mech = "KRB5"; + if (ads->auth.password == NULL || ads->auth.password[0] == '\0') { @@ -775,7 +778,11 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads) blob); if (!ADS_ERR_OK(status)) { DEBUG(0,("kinit succeeded but " - "ads_sasl_spnego_gensec_bind(KRB5) failed: %s\n", + "ads_sasl_spnego_gensec_bind(KRB5) failed: " + "for %s/%s user[%s] realm[%s]: %s\n", + p.service, p.hostname, + ads->auth.user_name, + ads->auth.realm, ads_errstr(status))); } } 
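Review bot: The new `mech` is declared as `const char *mech = NULL;` but is consumed as a `%s` argument by the DEBUG added at `done:` in the last hunk whenever `status` is a failure, and it only becomes non-NULL once the KRB5 branch or the NTLMSSP bind is reached. Any `goto done` between the initial `ldap_sasl_bind_s()` and the KRB5 branch lies outside this hunk; if one exists (for example after the SPNEGO negTokenInit parse or service-principal generation fails), that DEBUG receives a NULL pointer for `%s`, which is undefined behaviour for printf-style formatting even though glibc happens to print `(null)`. A non-NULL default here closes the gap on every path: `const char *mech = "none";`. The enclosing ads_sasl_spnego_bind() starts before and continues after this hunk.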
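Review bot: In the extended DEBUG(0) message the old fragment `"... failed: "` is now glued to the new `"for %s/%s user[%s] realm[%s]: %s\n"`, so the log line reads "…gensec_bind(KRB5) failed: for ldap/host user[x] realm[y]: err" with a stray colon before "for", and the wording ("user[…]" here versus "with user[…]" in the two messages added later in the file) differs from the other new log lines that the commit wants operators to grep for. Dropping the colon and matching the other messages keeps one greppable shape: `"ads_sasl_spnego_gensec_bind(KRB5) failed for %s/%s "` followed by `"with user[%s] realm[%s]: %s\n",`. `ads->auth.user_name` and `ads->auth.realm` are printed unchecked; that is presumably safe because `ads_kinit_password()` just succeeded with them, but it is an assumption the hunk does not show. The surrounding if/else structure continues outside the hunk.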
@@ -785,17 +792,33 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads) !(ads->auth.flags & ADS_AUTH_ALLOW_NTLMSSP)) { goto done; } + + DEBUG(1,("ads_sasl_spnego_gensec_bind(KRB5) failed for %s/%s " + "with user[%s] realm[%s]: %s, fallback to NTLMSSP\n", + p.service, p.hostname, + ads->auth.user_name, + ads->auth.realm, + ads_errstr(status))); } #endif /* lets do NTLMSSP ... this has the big advantage that we don't need to sync clocks, and we don't rely on special versions of the krb5 library for HMAC_MD4 encryption */ + mech = "NTLMSSP"; status = ads_sasl_spnego_gensec_bind(ads, "GSS-SPNEGO", CRED_DONT_USE_KERBEROS, p.service, p.hostname, data_blob_null); done: + if (!ADS_ERR_OK(status)) { + DEBUG(1,("ads_sasl_spnego_gensec_bind(%s) failed for %s/%s " + "with user[%s] realm=[%s]: %s\n", mech, + p.service, p.hostname, + ads->auth.user_name, + ads->auth.realm, + ads_errstr(status))); + } ads_free_service_principal(&p); TALLOC_FREE(frame); if (blob.data != NULL) { -- 2.47.2
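Review bot: The DEBUG added at `done:` formats the realm as `realm=[%s]` while the NTLMSSP-fallback DEBUG a few lines above (and the KRB5 failure message in the earlier hunk) use `realm[%s]`; since the stated purpose of the commit is to make authentication fallbacks visible in the logs, the three new lines should share one key format so a single pattern matches them, i.e. `"with user[%s] realm[%s]: %s\n", mech,`. Note also that when the KRB5 bind fails and NTLMSSP is not allowed, the `goto done` above now results in the same failure being logged twice (the DEBUG(0) in the KRB5 branch and this DEBUG(1)), which is tolerable but worth a short comment at `done:` such as `/* may repeat the KRB5 failure already logged above */`. `mech`, `p.service` and `p.hostname` are passed to `%s` without a NULL check; whether every `goto done` path has populated them depends on code before this hunk that is not visible here. The `if (blob.data != NULL)` cleanup at the end is cut off by the hunk boundary.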