Log service princ in KDC more reliably
authorrbasch <probe@tardis.internal.bright-prospects.com>
Mon, 16 Dec 2013 15:54:41 +0000 (10:54 -0500)
committerTom Yu <tlyu@mit.edu>
Thu, 16 Jan 2014 20:34:12 +0000 (15:34 -0500)
Under some error conditions, the KDC would log "<unknown server>" for
the service principal because service principal information is not yet
available to the logging functions.  Set the appropriate variables
earlier.

do_as_req.c: After unparsing the client, immediately unparse the
server before searching for the client principal in the KDB.

do_tgs_req.c: Save a pointer to the client-requested service
principal, to make sure it gets logged if an error happens before
search_sprinc() successfully completes.

[tlyu@mit.edu: commit message; fix TGS to catch more error cases]

ticket: 7831 (new)

src/kdc/do_as_req.c
src/kdc/do_tgs_req.c

index 79da300d22b76b3cc6570153842dbbfb4b45724c..27574928bb5eb80237f564f22dc501b826f240ad 100644 (file)
@@ -524,6 +524,19 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt,
     }
     limit_string(state->sname);
 
+    if (!state->request->server) {
+        state->status = "NULL_SERVER";
+        errcode = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN;
+        goto errout;
+    }
+    if ((errcode = krb5_unparse_name(kdc_context,
+                                     state->request->server,
+                                     &state->sname))) {
+        state->status = "UNPARSING_SERVER";
+        goto errout;
+    }
+    limit_string(state->sname);
+
     /*
      * We set KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY as a hint
      * to the backend to return naming information in lieu
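Review bot: The context line directly above the added block calls `limit_string(state->sname);` before the new code has assigned `state->sname`; if the block it closes is the client unparse that the commit message refers to, the call was presumably meant to be `limit_string(state->cname);`. As written, the client name would reach the log untruncated and `limit_string()` would receive a server-name pointer that is not yet set, so its handling of NULL matters. This hunk also only adds lines; confirm that the original server unparse further down in process_as_req is removed elsewhere in the commit, otherwise `state->sname` is overwritten and the first buffer leaks. process_as_req's body starts and ends outside the hunk.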
index 745a48e98449c6a298eb1c4190e3e661dd5e4813..ef697636a882ee1675056ddf5669ba94e8ce4dff 100644 (file)
@@ -145,6 +145,9 @@ process_tgs_req(struct server_handle *handle, krb5_data *pkt,
     session_key.contents = NULL;
 
     retval = decode_krb5_tgs_req(pkt, &request);
+    /* Save pointer to client-requested service principal, in case of errors
+     * before a successful call to search_sprinc(). */
+    sprinc = request->server;
     if (retval)
         return retval;
     if (request->msg_type != KRB5_TGS_REQ) {
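Review bot: The added `sprinc = request->server;` dereferences `request` before `retval` from `decode_krb5_tgs_req()` is checked, so a packet that fails to decode reaches the dereference first. If the decoder leaves `request` NULL or unset on failure (its contract is not visible here), this is a NULL-pointer read in the KDC that a malformed TGS request can trigger before any validation. Move the assignment below the check, i.e. `if (retval) return retval;` followed by `sprinc = request->server;`; that path returns directly, so `sprinc` is not needed on it. The later hunk at `kdc_find_fast()` has the same ordering (`sprinc = request->server;` before `errcode` is tested) and is safe only if `kdc_find_fast()` leaves `request` valid when it fails, which is worth confirming. process_tgs_req's body starts and ends outside these hunks.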
@@ -185,6 +188,8 @@ process_tgs_req(struct server_handle *handle, krb5_data *pkt,
     scratch.data = (char *) pa_tgs_req->contents;
     errcode = kdc_find_fast(&request, &scratch, subkey,
                             header_ticket->enc_part2->session, state, NULL);
+    /* Reset sprinc because kdc_find_fast() can replace request. */
+    sprinc = request->server;
     if (errcode !=0) {
         status = "kdc_find_fast";
         goto cleanup;