From: Joseph Sutton Date: Tue, 3 Oct 2023 00:39:48 +0000 (+1300) Subject: s4:kdc: Modify samba_kdc_get_user_info_from_db() to return a Kerberos error code X-Git-Tag: tevent-0.16.0~139 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=a57d973d804eeda2129017a94e4ee7cfa22cc26c;p=thirdparty%2Fsamba.git s4:kdc: Modify samba_kdc_get_user_info_from_db() to return a Kerberos error code instead of an NT status code. Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett --- diff --git a/source4/kdc/db-glue.c b/source4/kdc/db-glue.c index 9fff0c3dac8..6cb16a6239a 100644 --- a/source4/kdc/db-glue.c +++ b/source4/kdc/db-glue.c @@ -1484,12 +1484,11 @@ static krb5_error_code samba_kdc_message2entry(krb5_context context, * and computers should never be members of Protected Users, or * they may fail to authenticate. */ - status = samba_kdc_get_user_info_from_db(tmp_ctx, - p, - msg, - &user_info_dc); - if (!NT_STATUS_IS_OK(status)) { - ret = EINVAL; + ret = samba_kdc_get_user_info_from_db(tmp_ctx, + p, + msg, + &user_info_dc); + if (ret) { goto out; } diff --git a/source4/kdc/mit_samba.c b/source4/kdc/mit_samba.c index f22d6a38599..e8ed7842fe0 100644 --- a/source4/kdc/mit_samba.c +++ b/source4/kdc/mit_samba.c @@ -484,17 +484,13 @@ krb5_error_code mit_samba_get_pac(struct mit_samba_context *smb_ctx, cred_ndr_ptr = &cred_ndr; } - nt_status = samba_kdc_get_user_info_from_db(tmp_ctx, - skdc_entry, - skdc_entry->msg, - &user_info_dc); - if (!NT_STATUS_IS_OK(nt_status)) { + code = samba_kdc_get_user_info_from_db(tmp_ctx, + skdc_entry, + skdc_entry->msg, + &user_info_dc); + if (code) { talloc_free(tmp_ctx); - if (NT_STATUS_EQUAL(nt_status, - NT_STATUS_OBJECT_NAME_NOT_FOUND)) { - return ENOENT; - } - return EINVAL; + return code; } nt_status = samba_kdc_add_asserted_identity(asserted_identity, 
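Review bot: In samba_kdc_message2entry the failure branch now returns whatever samba_kdc_get_user_info_from_db() hands back instead of a fixed EINVAL, and mit_samba_get_pac (the next hunk on this line) likewise drops its own ENOENT/EINVAL translation; samba_wdc_get_pac in the last hunk returns the value unchanged as well. Since the callee's result is an errno-style value from map_errno_from_nt_status(), the set of codes these three callers can surface is now as wide as that mapping, which is presumably intended but is not stated in the commit message. A one-line comment at the first of these call sites would make the contract explicit, e.g. `/* errno-style code from map_errno_from_nt_status(); ENOENT if the entry was not found */`. Both samba_kdc_message2entry and mit_samba_get_pac continue outside their hunks.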
@@ -917,14 +913,16 @@ krb5_error_code mit_samba_kpasswd_change_password(struct mit_samba_context *ctx, return ENOMEM; } - status = samba_kdc_get_user_info_from_db(tmp_ctx, - p, - p->msg, - &user_info_dc); - if (!NT_STATUS_IS_OK(status)) { + code = samba_kdc_get_user_info_from_db(tmp_ctx, + p, + p->msg, + &user_info_dc); + if (code) { + const char *krb5err = krb5_get_error_message(ctx->context, code); DBG_WARNING("samba_kdc_get_user_info_from_db failed: %s\n", - nt_errstr(status)); - code = EINVAL; + krb5err != NULL ? krb5err : ""); + krb5_free_error_message(ctx->context, krb5err); + goto out; } diff --git a/source4/kdc/pac-glue.c b/source4/kdc/pac-glue.c index ad29a3c4259..a26843438e3 100644 --- a/source4/kdc/pac-glue.c +++ b/source4/kdc/pac-glue.c @@ -1118,10 +1118,10 @@ NTSTATUS samba_kdc_get_claims_blob(TALLOC_CTX *mem_ctx, return NT_STATUS_OK; } -NTSTATUS samba_kdc_get_user_info_from_db(TALLOC_CTX *mem_ctx, - struct samba_kdc_entry *entry, - const struct ldb_message *msg, - struct auth_user_info_dc **info_out) +krb5_error_code samba_kdc_get_user_info_from_db(TALLOC_CTX *mem_ctx, + struct samba_kdc_entry *entry, + const struct ldb_message *msg, + struct auth_user_info_dc **info_out) { NTSTATUS nt_status; struct auth_user_info_dc *user_info_dc = NULL; @@ -1142,7 +1142,8 @@ NTSTATUS samba_kdc_get_user_info_from_db(TALLOC_CTX *mem_ctx, if (!NT_STATUS_IS_OK(nt_status)) { DBG_ERR("Getting user info for PAC failed: %s\n", nt_errstr(nt_status)); - return nt_status; + /* NT_STATUS_OBJECT_NAME_NOT_FOUND is mapped to ENOENT. */ + return map_errno_from_nt_status(nt_status); } } @@ -1151,12 +1152,12 @@ NTSTATUS samba_kdc_get_user_info_from_db(TALLOC_CTX *mem_ctx, if (!NT_STATUS_IS_OK(nt_status)) { DBG_ERR("Failed to allocate user_info_dc SIDs: %s\n", nt_errstr(nt_status)); - return nt_status; + return map_errno_from_nt_status(nt_status); } *info_out = user_info_dc; - return NT_STATUS_OK; + return 0; } static krb5_error_code samba_kdc_obtain_user_info_dc(TALLOC_CTX *mem_ctx, 
@@ -1236,13 +1237,16 @@ static krb5_error_code samba_kdc_obtain_user_info_dc(TALLOC_CTX *mem_ctx, * SAMBA_ASSERTED_IDENTITY_AUTHENTICATION_AUTHORITY * here. */ - nt_status = samba_kdc_get_user_info_from_db(mem_ctx, - entry.entry, - entry.entry->msg, - &user_info_dc); - if (!NT_STATUS_IS_OK(nt_status)) { - DBG_ERR("samba_kdc_get_user_info_from_db failed: %s\n", - nt_errstr(nt_status)); + ret = samba_kdc_get_user_info_from_db(mem_ctx, + entry.entry, + entry.entry->msg, + &user_info_dc); + if (ret) { + const char *krb5err = krb5_get_error_message(context, ret); + DBG_ERR("samba_kdc_get_user_info_from_db: %s\n", + krb5err != NULL ? krb5err : "?"); + krb5_free_error_message(context, krb5err); + ret = KRB5KDC_ERR_TGT_REVOKED; goto out; } @@ -2046,13 +2050,16 @@ static krb5_error_code samba_kdc_get_device_info_blob(TALLOC_CTX *mem_ctx, frame = talloc_stackframe(); - nt_status = samba_kdc_get_user_info_from_db(frame, - device, - device->msg, - &device_info_dc); - if (!NT_STATUS_IS_OK(nt_status)) { + code = samba_kdc_get_user_info_from_db(frame, + device, + device->msg, + &device_info_dc); + if (code) { + const char *krb5_err = krb5_get_error_message(context, code); DBG_ERR("samba_kdc_get_user_info_from_db failed: %s\n", - nt_errstr(nt_status)); + krb5_err != NULL ? krb5_err : ""); + krb5_free_error_message(context, krb5_err); + talloc_free(frame); return KRB5KDC_ERR_TGT_REVOKED; } @@ -2127,7 +2134,6 @@ krb5_error_code samba_kdc_verify_pac(TALLOC_CTX *mem_ctx, TALLOC_CTX *tmp_ctx = NULL; struct pac_blobs *pac_blobs = NULL; krb5_error_code code = EINVAL; - NTSTATUS nt_status; tmp_ctx = talloc_new(mem_ctx); if (tmp_ctx == NULL) { 
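Review bot: The fallback string in samba_kdc_obtain_user_info_dc is `"?"` and the message text is `"samba_kdc_get_user_info_from_db: %s\n"`, while the sibling sites added by this commit (mit_samba_kpasswd_change_password, samba_kdc_get_device_info_blob, samba_kdc_verify_pac, samba_kdc_check_device) all use `""` and a `"... failed: %s\n"` message. Aligning this one, `DBG_ERR("samba_kdc_get_user_info_from_db failed: %s\n", krb5err != NULL ? krb5err : "");`, keeps the log lines consistent and greppable across the KDC. The value passed to krb5_get_error_message() here is an errno-style code from the callee, so the text is presumably the generic errno description rather than a KDC-specific one, which is fine but worth knowing when reading the logs. samba_kdc_obtain_user_info_dc continues outside the hunk.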
@@ -2158,13 +2164,16 @@ krb5_error_code samba_kdc_verify_pac(TALLOC_CTX *mem_ctx, goto done; } - nt_status = samba_kdc_get_user_info_from_db(tmp_ctx, - client.entry, - client.entry->msg, - &user_info_dc); - if (!NT_STATUS_IS_OK(nt_status)) { + code = samba_kdc_get_user_info_from_db(tmp_ctx, + client.entry, + client.entry->msg, + &user_info_dc); + if (code) { + const char *krb5_err = krb5_get_error_message(context, code); DBG_ERR("Getting user info for PAC failed: %s\n", - nt_errstr(nt_status)); + krb5_err != NULL ? krb5_err : ""); + krb5_free_error_message(context, krb5_err); + code = KRB5KDC_ERR_TGT_REVOKED; goto done; } @@ -2911,15 +2920,16 @@ krb5_error_code samba_kdc_check_device(TALLOC_CTX *mem_ctx, goto out; } } else { - nt_status = samba_kdc_get_user_info_from_db(frame, - device.entry, - device.entry->msg, - &device_info); - if (!NT_STATUS_IS_OK(nt_status)) { + code = samba_kdc_get_user_info_from_db(frame, + device.entry, + device.entry->msg, + &device_info); + if (code) { + const char *krb5err = krb5_get_error_message(context, code); DBG_ERR("samba_kdc_get_user_info_from_db failed: %s\n", - nt_errstr(nt_status)); + krb5err != NULL ? krb5err : ""); + krb5_free_error_message(context, krb5err); - code = KRB5KDC_ERR_TGT_REVOKED; goto out; } diff --git a/source4/kdc/pac-glue.h b/source4/kdc/pac-glue.h index 64895483aaa..1b40fabc07a 100644 --- a/source4/kdc/pac-glue.h +++ b/source4/kdc/pac-glue.h @@ -107,10 +107,10 @@ krb5_error_code samba_krbtgt_is_in_db(const struct samba_kdc_entry *skdc_entry, bool *is_in_db, bool *is_trusted); -NTSTATUS samba_kdc_get_user_info_from_db(TALLOC_CTX *mem_ctx, - struct samba_kdc_entry *entry, - const struct ldb_message *msg, - struct auth_user_info_dc **info_out); +krb5_error_code samba_kdc_get_user_info_from_db(TALLOC_CTX *mem_ctx, + struct samba_kdc_entry *entry, + const struct ldb_message *msg, + struct auth_user_info_dc **info_out); krb5_error_code samba_kdc_map_policy_err(NTSTATUS nt_status); 
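Review bot: samba_kdc_check_device drops the `code = KRB5KDC_ERR_TGT_REVOKED;` override and now propagates the callee's errno-style value, whereas samba_kdc_verify_pac in the hunk just above and samba_kdc_obtain_user_info_dc and samba_kdc_get_device_info_blob on the previous line still convert the same lookup failure to KRB5KDC_ERR_TGT_REVOKED. If a device lookup failure here is meant to be reported differently from the client-entry case, a comment on the `if (code)` branch saying why would help the next reader; if not, the removed line should probably stay. The removal also leaves an empty line between `krb5_free_error_message(context, krb5err);` and `goto out;`. samba_kdc_check_device continues outside the hunk.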
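Review bot: The new declaration of samba_kdc_get_user_info_from_db() in pac-glue.h carries no comment describing the changed return contract, and the old NTSTATUS type made that self-describing in a way krb5_error_code does not. I would add a block comment above it stating that the function returns 0 on success and otherwise an errno-style value produced by map_errno_from_nt_status() (ENOENT when the user information cannot be found, per the comment in the pac-glue.c hunk), that this is not a KRB5KDC_ERR_* value so callers needing one must map it themselves, and that, as far as the visible hunks show, *info_out is written only on the success path. Several callers in this commit map the result to KRB5KDC_ERR_TGT_REVOKED while others return it as-is, so the declaration is where documenting the contract pays off most.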
diff --git a/source4/kdc/wdc-samba4.c b/source4/kdc/wdc-samba4.c index 0bece0b065e..352edb899b1 100644 --- a/source4/kdc/wdc-samba4.c +++ b/source4/kdc/wdc-samba4.c @@ -123,13 +123,13 @@ static krb5_error_code samba_wdc_get_pac(void *priv, cred_ndr_ptr = &cred_ndr; } - nt_status = samba_kdc_get_user_info_from_db(mem_ctx, - skdc_entry, - skdc_entry->msg, - &user_info_dc); - if (!NT_STATUS_IS_OK(nt_status)) { + ret = samba_kdc_get_user_info_from_db(mem_ctx, + skdc_entry, + skdc_entry->msg, + &user_info_dc); + if (ret) { talloc_free(mem_ctx); - return map_errno_from_nt_status(nt_status); + return ret; } nt_status = samba_kdc_add_asserted_identity(asserted_identity,