From: Joseph Sutton
Date: Fri, 16 Jun 2023 02:49:11 +0000 (+1200)
Subject: s4:kdc: Return NTSTATUS and auditing information from samba_kdc_update_pac() to be...
X-Git-Tag: talloc-2.4.1~199
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=cf139d14218ab1423949fbc952ae056943858dc8;p=thirdparty%2Fsamba.git

s4:kdc: Return NTSTATUS and auditing information from samba_kdc_update_pac() to be logged

Signed-off-by: Joseph Sutton
Reviewed-by: Andrew Bartlett
---

diff --git a/source4/kdc/mit_samba.c b/source4/kdc/mit_samba.c
index d1bfc2fcc3d..56f4588b9ab 100644
--- a/source4/kdc/mit_samba.c
+++ b/source4/kdc/mit_samba.c
@@ -717,7 +717,9 @@ krb5_error_code mit_samba_reget_pac(struct mit_samba_context *ctx,
 NULL /* device */,
 NULL /* device_pac */,
 *pac,
- new_pac);
+ new_pac,
+ NULL /* server_audit_info_out */,
+ NULL /* status_out */);
 if (code != 0) {
 krb5_pac_free(context, new_pac);
 if (code == ENOATTR) {
@@ -831,7 +833,9 @@ krb5_error_code mit_samba_update_pac(struct mit_samba_context *ctx,
 NULL /* device */,
 NULL /* device_pac */,
 old_pac,
- new_pac);
+ new_pac,
+ NULL /* server_audit_info_out */,
+ NULL /* status_out */);
 if (code != 0) {
 if (code == ENOATTR) {
 /*
diff --git a/source4/kdc/pac-glue.c b/source4/kdc/pac-glue.c
index 10d63848857..b128bca4578 100644
--- a/source4/kdc/pac-glue.c
+++ b/source4/kdc/pac-glue.c
@@ -2337,7 +2337,9 @@ krb5_error_code samba_kdc_update_pac(TALLOC_CTX *mem_ctx,
 struct samba_kdc_entry *device,
 const krb5_const_pac device_pac,
 const krb5_const_pac old_pac,
- krb5_pac new_pac)
+ krb5_pac new_pac,
+ struct authn_audit_info **server_audit_info_out,
+ NTSTATUS *status_out)
 {
 krb5_error_code code = EINVAL;
 NTSTATUS nt_status;
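Review bot: In source4/kdc/mit_samba.c both updated call sites, in mit_samba_reget_pac() and mit_samba_update_pac(), pass `NULL` for `server_audit_info_out` and `status_out`, so on the MIT KDC path any NTSTATUS or server audit information that samba_kdc_update_pac() would report is presumably dropped and only the krb5 error code survives. If that is deliberate, it deserves a comment at the calls, for example `/* MIT KDC: nowhere to log the server audit info or NTSTATUS here */`, so that the difference in audit coverage between the two KDC builds is visible to anyone relying on these logs. Both functions start and end outside their hunks.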
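Review bot: The two out-parameters added to samba_kdc_update_pac() in source4/kdc/pac-glue.c are undocumented, both at the definition and at the prototype in pac-glue.h. Nothing states that either pointer may be NULL, which talloc context owns `*server_audit_info_out`, or how `*status_out` relates to the returned krb5_error_code. Ownership matters because the caller in wdc-samba4.c hands the audit info to a "steal" helper, and the later hunk in this file resets `*status_out` to `NT_STATUS_OK` just before an `ENOMEM` path, so a failing return code can be paired with an OK status. A comment above the definition such as `/* server_audit_info_out and status_out are optional; when non-NULL they are reset to NULL / NT_STATUS_OK on entry, and the return code alone signals failure. */`, plus one line naming the owner of the returned audit info, would settle this. The function body continues outside the hunk.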
@@ -2360,6 +2362,14 @@ krb5_error_code samba_kdc_update_pac(TALLOC_CTX *mem_ctx,
 struct pac_blobs pac_blobs;
 pac_blobs_init(&pac_blobs);

+ if (server_audit_info_out != NULL) {
+ *server_audit_info_out = NULL;
+ }
+
+ if (status_out != NULL) {
+ *status_out = NT_STATUS_OK;
+ }
+
 is_tgs = smb_krb5_principal_is_tgs(context, server_principal);
 if (is_tgs == -1) {
 code = ENOMEM;
diff --git a/source4/kdc/pac-glue.h b/source4/kdc/pac-glue.h
index e7623471ea5..5b23f18f7f6 100644
--- a/source4/kdc/pac-glue.h
+++ b/source4/kdc/pac-glue.h
@@ -140,7 +140,9 @@ krb5_error_code samba_kdc_update_pac(TALLOC_CTX *mem_ctx,
 struct samba_kdc_entry *device,
 krb5_const_pac device_pac,
 krb5_const_pac old_pac,
- krb5_pac new_pac);
+ krb5_pac new_pac,
+ struct authn_audit_info **server_audit_info_out,
+ NTSTATUS *status_out);

 NTSTATUS samba_kdc_get_logon_info_blob(TALLOC_CTX *mem_ctx,
 const struct auth_user_info_dc *user_info_dc,
diff --git a/source4/kdc/wdc-samba4.c b/source4/kdc/wdc-samba4.c
index e174012d9b0..7cc68fed1be 100644
--- a/source4/kdc/wdc-samba4.c
+++ b/source4/kdc/wdc-samba4.c
@@ -22,6 +22,7 @@
 */

 #include "includes.h"
+#include "kdc/authn_policy_util.h"
 #include "kdc/kdc-glue.h"
 #include "kdc/db-glue.h"
 #include "kdc/pac-glue.h"
@@ -391,7 +392,9 @@ static krb5_error_code samba_wdc_reget_pac(void *priv, astgs_request_t r,
 talloc_get_type_abort(krbtgt->context, struct samba_kdc_entry);
 TALLOC_CTX *mem_ctx = NULL;
 krb5_pac new_pac = NULL;
+ struct authn_audit_info *server_audit_info = NULL;
 krb5_error_code ret;
+ NTSTATUS status = NT_STATUS_OK;
 uint32_t flags = 0;

 mem_ctx = talloc_named(NULL, 0, "samba_wdc_reget_pac context");
@@ -433,7 +436,25 @@ static krb5_error_code samba_wdc_reget_pac(void *priv, astgs_request_t r,
 device_skdc_entry,
 device_pac,
 *pac,
- new_pac);
+ new_pac,
+ &server_audit_info,
+ &status);
+ if (server_audit_info != NULL) {
+ krb5_error_code ret2;
+
+ ret2 = hdb_samba4_set_steal_server_audit_info(r, server_audit_info);
+ if (ret2) {
+ ret = ret2;
+ }
+ }
+ if (!NT_STATUS_IS_OK(status)) {
+ krb5_error_code ret2;
+
+ ret2 = hdb_samba4_set_ntstatus(r, status, ret);
+ if (ret2) {
+ ret = ret2;
+ }
+ }
 if (ret != 0) {
 krb5_pac_free(context, new_pac);
 if (ret == ENOATTR) {
diff --git a/source4/kdc/wscript_build b/source4/kdc/wscript_build
index 8c2f0719b05..b15f3e7bcb4 100644
--- a/source4/kdc/wscript_build
+++ b/source4/kdc/wscript_build
@@ -98,7 +98,7 @@ bld.SAMBA_SUBSYSTEM('KDC-GLUE',
 bld.SAMBA_SUBSYSTEM('WDC_SAMBA4',
 source='wdc-samba4.c',
 includes=kdc_include,
- deps='ldb auth4_sam common_auth samba-credentials hdb PAC_GLUE samba-hostconfig com_err KDC-GLUE',
+ deps='ldb auth4_sam common_auth samba-credentials hdb PAC_GLUE samba-hostconfig com_err KDC-GLUE authn_policy_util',
 enabled=bld.CONFIG_SET('SAMBA4_USES_HEIMDAL')
 )
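Review bot: In samba_wdc_reget_pac() the request's outcome is still decided by `ret` alone, while a non-OK `status` is only forwarded to hdb_samba4_set_ntstatus() for logging. If samba_kdc_update_pac() can ever return 0 together with a non-OK status, the failure would be recorded while the new PAC is still accepted, so the expected invariant should be stated at the check, e.g. `/* status is for auditing only; a non-OK status is expected to accompany ret != 0 */`, or enforced there. Separately, when either setter fails, `ret = ret2` replaces the original error code, which also changes whether the `ret == ENOATTR` branch just below is taken; a short comment saying that a logging failure deliberately overrides the PAC result would help. The two blocks are near-identical and each declares its own `ret2`; a single `krb5_error_code ret2;` at function scope would read more simply. The function starts and ends outside the hunk.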