From: Joseph Sutton Date: Tue, 5 Jul 2022 23:11:43 +0000 (+1200) Subject: CVE-2021-20251 s4:kdc: Move logon success accounting code into existing branch X-Git-Tag: talloc-2.4.0~1072 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=2b593c34c4f5cb82440b940766e53626c1cbec5b;p=thirdparty%2Fsamba.git CVE-2021-20251 s4:kdc: Move logon success accounting code into existing branch This simplifies the code for the following commit. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14611 Signed-off-by: Joseph Sutton Reviewed-by: Andreas Schneider Reviewed-by: Andrew Bartlett
---
diff --git a/source4/kdc/hdb-samba4.c b/source4/kdc/hdb-samba4.c
index f4f97a60233..f8bacc26f3f 100644
--- a/source4/kdc/hdb-samba4.c
+++ b/source4/kdc/hdb-samba4.c
@@ -604,26 +604,6 @@ static krb5_error_code hdb_samba4_audit(krb5_context context,
 }
 switch (hdb_auth_status) {
- case KDC_AUTH_EVENT_CLIENT_AUTHORIZED:
- {
- TALLOC_CTX *frame = talloc_stackframe();
- struct samba_kdc_entry *p = talloc_get_type(entry->context,
- struct samba_kdc_entry);
- struct netr_SendToSamBase *send_to_sam = NULL;
-
- /*
- * TODO: We could log the AS-REQ authorization success here as
- * well. However before we do that, we need to pass
- * in the PAC here or re-calculate it.
- */
- authsam_logon_success_accounting(kdc_db_ctx->samdb, p->msg,
- domain_dn, true, &send_to_sam);
- if (kdc_db_ctx->rodc && send_to_sam != NULL) {
- reset_bad_password_netlogon(frame, kdc_db_ctx, send_to_sam);
- }
- talloc_free(frame);
- }
- FALL_THROUGH;
 default:
 {
 TALLOC_CTX *frame = talloc_stackframe();
@@ -665,6 +645,19 @@ static krb5_error_code hdb_samba4_audit(krb5_context context,
 ui.auth_description = auth_description;
 if (hdb_auth_status == KDC_AUTH_EVENT_CLIENT_AUTHORIZED) {
+ struct netr_SendToSamBase *send_to_sam = NULL;
+
+ /*
+ * TODO: We could log the AS-REQ authorization success here as
+ * well. However before we do that, we need to pass
+ * in the PAC here or re-calculate it.
+ */
+ authsam_logon_success_accounting(kdc_db_ctx->samdb, p->msg,
+ domain_dn, true, &send_to_sam);
+ if (kdc_db_ctx->rodc && send_to_sam != NULL) {
+ reset_bad_password_netlogon(frame, kdc_db_ctx, send_to_sam);
+ }
+
 /* This is the final sucess */
 status = NT_STATUS_OK;
 } else if (hdb_auth_status == KDC_AUTH_EVENT_VALIDATED_LONG_TERM_KEY) {
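Review bot: The result of `authsam_logon_success_accounting()` is still discarded in the block moved into the `KDC_AUTH_EVENT_CLIENT_AUTHORIZED` branch, so a failed reset of the account's bad-password state goes unnoticed and the audit path still falls through to `status = NT_STATUS_OK` two lines below; if that is deliberate because the following commit reworks it, a one-line comment saying so would help. Otherwise capture it, e.g. `NTSTATUS acct_status = authsam_logon_success_accounting(kdc_db_ctx->samdb, p->msg, domain_dn, true, &send_to_sam);` followed by `if (!NT_STATUS_IS_OK(acct_status)) { DBG_WARNING("logon success accounting failed: %s\n", nt_errstr(acct_status)); }`, and the same consideration applies to `reset_bad_password_netlogon()` on the RODC path. The new lines depend on `p` and `frame` being declared in the enclosing `default:` block, which starts in the previous hunk and whose end, together with the rest of hdb_samba4_audit(), lies outside this hunk, so it is worth confirming `frame` is still released on every exit from that block now that the separate `talloc_free(frame)` has gone.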