Reduce older log messages to level 4 and collect some errors.
We take all of the kdc_log() and _kdc_r_log() calls in AS and TGS and move their log levels down to debugging on the assumption that our new log line subsumes the "informational" requirements. We collect some additional information in the kv-pair "pe-text" which is like e-text except it is not returned to the client.

committed by
Viktor Dukhovni

parent
7d353d0557
commit
6db323157f
132
kdc/kerberos5.c
132
kdc/kerberos5.c
@@ -352,7 +352,7 @@ _kdc_set_e_text(astgs_request_t r, char *fmt, ...)
|
|||||||
|
|
||||||
r->e_text = e_text;
|
r->e_text = e_text;
|
||||||
r->e_text_buf = e_text;
|
r->e_text_buf = e_text;
|
||||||
kdc_log(r->context, r->config, 0, "%s", e_text);
|
kdc_log(r->context, r->config, 4, "%s", e_text);
|
||||||
}
|
}
|
||||||
|
|
||||||
void
|
void
|
||||||
@@ -391,7 +391,7 @@ _kdc_log_timestamp(astgs_request_t r, const char *type,
|
|||||||
else
|
else
|
||||||
strlcpy(renewtime_str, "unset", sizeof(renewtime_str));
|
strlcpy(renewtime_str, "unset", sizeof(renewtime_str));
|
||||||
|
|
||||||
kdc_log(context, config, 3,
|
kdc_log(context, config, 4,
|
||||||
"%s authtime: %s starttime: %s endtime: %s renew till: %s",
|
"%s authtime: %s starttime: %s endtime: %s renew till: %s",
|
||||||
type, authtime_str, starttime_str, endtime_str, renewtime_str);
|
type, authtime_str, starttime_str, endtime_str, renewtime_str);
|
||||||
}
|
}
|
||||||
@@ -514,7 +514,7 @@ pa_enc_chal_validate(astgs_request_t r, const PA_DATA *pa)
|
|||||||
|
|
||||||
if (_kdc_is_anon_request(&r->req)) {
|
if (_kdc_is_anon_request(&r->req)) {
|
||||||
ret = KRB5KRB_AP_ERR_BAD_INTEGRITY;
|
ret = KRB5KRB_AP_ERR_BAD_INTEGRITY;
|
||||||
kdc_log(r->context, r->config, 2, "ENC-CHALL doesn't support anon");
|
kdc_log(r->context, r->config, 4, "ENC-CHALL doesn't support anon");
|
||||||
return ret;
|
return ret;
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -573,7 +573,7 @@ pa_enc_chal_validate(astgs_request_t r, const PA_DATA *pa)
|
|||||||
ret2 = krb5_enctype_to_string(r->context, k->key.keytype, &str);
|
ret2 = krb5_enctype_to_string(r->context, k->key.keytype, &str);
|
||||||
if (ret2)
|
if (ret2)
|
||||||
str = NULL;
|
str = NULL;
|
||||||
_kdc_r_log(r, 2, "Failed to decrypt ENC-CHAL -- %s "
|
_kdc_r_log(r, 4, "Failed to decrypt ENC-CHAL -- %s "
|
||||||
"(enctype %s) error %s",
|
"(enctype %s) error %s",
|
||||||
r->cname, str ? str : "unknown enctype", msg);
|
r->cname, str ? str : "unknown enctype", msg);
|
||||||
krb5_free_error_message(r->context, msg);
|
krb5_free_error_message(r->context, msg);
|
||||||
@@ -604,7 +604,7 @@ pa_enc_chal_validate(astgs_request_t r, const PA_DATA *pa)
|
|||||||
client_time, sizeof(client_time), TRUE);
|
client_time, sizeof(client_time), TRUE);
|
||||||
|
|
||||||
ret = KRB5KRB_AP_ERR_SKEW;
|
ret = KRB5KRB_AP_ERR_SKEW;
|
||||||
_kdc_r_log(r, 2, "Too large time skew, "
|
_kdc_r_log(r, 4, "Too large time skew, "
|
||||||
"client time %s is out by %u > %u seconds -- %s",
|
"client time %s is out by %u > %u seconds -- %s",
|
||||||
client_time,
|
client_time,
|
||||||
(unsigned)labs(kdc_time - p.patimestamp),
|
(unsigned)labs(kdc_time - p.patimestamp),
|
||||||
@@ -680,11 +680,11 @@ pa_enc_ts_validate(astgs_request_t r, const PA_DATA *pa)
|
|||||||
if(krb5_enctype_to_string(r->context, enc_data.etype, &estr))
|
if(krb5_enctype_to_string(r->context, enc_data.etype, &estr))
|
||||||
estr = NULL;
|
estr = NULL;
|
||||||
if(estr == NULL)
|
if(estr == NULL)
|
||||||
_kdc_r_log(r, 2,
|
_kdc_r_log(r, 4,
|
||||||
"No client key matching pa-data (%d) -- %s",
|
"No client key matching pa-data (%d) -- %s",
|
||||||
enc_data.etype, r->cname);
|
enc_data.etype, r->cname);
|
||||||
else
|
else
|
||||||
_kdc_r_log(r, 2,
|
_kdc_r_log(r, 4,
|
||||||
"No client key matching pa-data (%s) -- %s",
|
"No client key matching pa-data (%s) -- %s",
|
||||||
estr, r->cname);
|
estr, r->cname);
|
||||||
free(estr);
|
free(estr);
|
||||||
@@ -696,7 +696,7 @@ pa_enc_ts_validate(astgs_request_t r, const PA_DATA *pa)
|
|||||||
ret = krb5_crypto_init(r->context, &pa_key->key, 0, &crypto);
|
ret = krb5_crypto_init(r->context, &pa_key->key, 0, &crypto);
|
||||||
if (ret) {
|
if (ret) {
|
||||||
const char *msg = krb5_get_error_message(r->context, ret);
|
const char *msg = krb5_get_error_message(r->context, ret);
|
||||||
_kdc_r_log(r, 1, "krb5_crypto_init failed: %s", msg);
|
_kdc_r_log(r, 4, "krb5_crypto_init failed: %s", msg);
|
||||||
krb5_free_error_message(r->context, msg);
|
krb5_free_error_message(r->context, msg);
|
||||||
free_EncryptedData(&enc_data);
|
free_EncryptedData(&enc_data);
|
||||||
goto out;
|
goto out;
|
||||||
@@ -721,7 +721,7 @@ pa_enc_ts_validate(astgs_request_t r, const PA_DATA *pa)
|
|||||||
pa_key->key.keytype, &str);
|
pa_key->key.keytype, &str);
|
||||||
if (ret2)
|
if (ret2)
|
||||||
str = NULL;
|
str = NULL;
|
||||||
_kdc_r_log(r, 2, "Failed to decrypt PA-DATA -- %s "
|
_kdc_r_log(r, 4, "Failed to decrypt PA-DATA -- %s "
|
||||||
"(enctype %s) error %s",
|
"(enctype %s) error %s",
|
||||||
r->cname, str ? str : "unknown enctype", msg);
|
r->cname, str ? str : "unknown enctype", msg);
|
||||||
krb5_free_error_message(r->context, msg);
|
krb5_free_error_message(r->context, msg);
|
||||||
@@ -759,7 +759,7 @@ pa_enc_ts_validate(astgs_request_t r, const PA_DATA *pa)
|
|||||||
client_time, sizeof(client_time), TRUE);
|
client_time, sizeof(client_time), TRUE);
|
||||||
|
|
||||||
ret = KRB5KRB_AP_ERR_SKEW;
|
ret = KRB5KRB_AP_ERR_SKEW;
|
||||||
_kdc_r_log(r, 2, "Too large time skew, "
|
_kdc_r_log(r, 4, "Too large time skew, "
|
||||||
"client time %s is out by %u > %u seconds -- %s",
|
"client time %s is out by %u > %u seconds -- %s",
|
||||||
client_time,
|
client_time,
|
||||||
(unsigned)labs(kdc_time - p.patimestamp),
|
(unsigned)labs(kdc_time - p.patimestamp),
|
||||||
@@ -904,7 +904,7 @@ _kdc_encode_reply(krb5_context context,
|
|||||||
ASN1_MALLOC_ENCODE(EncTicketPart, buf, buf_size, et, &len, ret);
|
ASN1_MALLOC_ENCODE(EncTicketPart, buf, buf_size, et, &len, ret);
|
||||||
if(ret) {
|
if(ret) {
|
||||||
const char *msg = krb5_get_error_message(context, ret);
|
const char *msg = krb5_get_error_message(context, ret);
|
||||||
kdc_log(context, config, 1, "Failed to encode ticket: %s", msg);
|
kdc_log(context, config, 4, "Failed to encode ticket: %s", msg);
|
||||||
krb5_free_error_message(context, msg);
|
krb5_free_error_message(context, msg);
|
||||||
return ret;
|
return ret;
|
||||||
}
|
}
|
||||||
@@ -914,7 +914,7 @@ _kdc_encode_reply(krb5_context context,
|
|||||||
ret = krb5_crypto_init(context, skey, etype, &crypto);
|
ret = krb5_crypto_init(context, skey, etype, &crypto);
|
||||||
if (ret) {
|
if (ret) {
|
||||||
const char *msg = krb5_get_error_message(context, ret);
|
const char *msg = krb5_get_error_message(context, ret);
|
||||||
kdc_log(context, config, 1, "krb5_crypto_init failed: %s", msg);
|
kdc_log(context, config, 4, "krb5_crypto_init failed: %s", msg);
|
||||||
krb5_free_error_message(context, msg);
|
krb5_free_error_message(context, msg);
|
||||||
free(buf);
|
free(buf);
|
||||||
return ret;
|
return ret;
|
||||||
@@ -931,7 +931,7 @@ _kdc_encode_reply(krb5_context context,
|
|||||||
krb5_crypto_destroy(context, crypto);
|
krb5_crypto_destroy(context, crypto);
|
||||||
if(ret) {
|
if(ret) {
|
||||||
const char *msg = krb5_get_error_message(context, ret);
|
const char *msg = krb5_get_error_message(context, ret);
|
||||||
kdc_log(context, config, 1, "Failed to encrypt data: %s", msg);
|
kdc_log(context, config, 4, "Failed to encrypt data: %s", msg);
|
||||||
krb5_free_error_message(context, msg);
|
krb5_free_error_message(context, msg);
|
||||||
return ret;
|
return ret;
|
||||||
}
|
}
|
||||||
@@ -1005,13 +1005,13 @@ _kdc_encode_reply(krb5_context context,
|
|||||||
ASN1_MALLOC_ENCODE(EncTGSRepPart, buf, buf_size, ek, &len, ret);
|
ASN1_MALLOC_ENCODE(EncTGSRepPart, buf, buf_size, ek, &len, ret);
|
||||||
if(ret) {
|
if(ret) {
|
||||||
const char *msg = krb5_get_error_message(context, ret);
|
const char *msg = krb5_get_error_message(context, ret);
|
||||||
kdc_log(context, config, 1, "Failed to encode KDC-REP: %s", msg);
|
kdc_log(context, config, 4, "Failed to encode KDC-REP: %s", msg);
|
||||||
krb5_free_error_message(context, msg);
|
krb5_free_error_message(context, msg);
|
||||||
return ret;
|
return ret;
|
||||||
}
|
}
|
||||||
if(buf_size != len) {
|
if(buf_size != len) {
|
||||||
free(buf);
|
free(buf);
|
||||||
kdc_log(context, config, 1, "Internal error in ASN.1 encoder");
|
kdc_log(context, config, 4, "Internal error in ASN.1 encoder");
|
||||||
*e_text = "KDC internal error";
|
*e_text = "KDC internal error";
|
||||||
return KRB5KRB_ERR_GENERIC;
|
return KRB5KRB_ERR_GENERIC;
|
||||||
}
|
}
|
||||||
@@ -1019,7 +1019,7 @@ _kdc_encode_reply(krb5_context context,
|
|||||||
if (ret) {
|
if (ret) {
|
||||||
const char *msg = krb5_get_error_message(context, ret);
|
const char *msg = krb5_get_error_message(context, ret);
|
||||||
free(buf);
|
free(buf);
|
||||||
kdc_log(context, config, 1, "krb5_crypto_init failed: %s", msg);
|
kdc_log(context, config, 4, "krb5_crypto_init failed: %s", msg);
|
||||||
krb5_free_error_message(context, msg);
|
krb5_free_error_message(context, msg);
|
||||||
return ret;
|
return ret;
|
||||||
}
|
}
|
||||||
@@ -1047,13 +1047,13 @@ _kdc_encode_reply(krb5_context context,
|
|||||||
krb5_crypto_destroy(context, crypto);
|
krb5_crypto_destroy(context, crypto);
|
||||||
if(ret) {
|
if(ret) {
|
||||||
const char *msg = krb5_get_error_message(context, ret);
|
const char *msg = krb5_get_error_message(context, ret);
|
||||||
kdc_log(context, config, 1, "Failed to encode KDC-REP: %s", msg);
|
kdc_log(context, config, 4, "Failed to encode KDC-REP: %s", msg);
|
||||||
krb5_free_error_message(context, msg);
|
krb5_free_error_message(context, msg);
|
||||||
return ret;
|
return ret;
|
||||||
}
|
}
|
||||||
if(buf_size != len) {
|
if(buf_size != len) {
|
||||||
free(buf);
|
free(buf);
|
||||||
kdc_log(context, config, 1, "Internal error in ASN.1 encoder");
|
kdc_log(context, config, 4, "Internal error in ASN.1 encoder");
|
||||||
*e_text = "KDC internal error";
|
*e_text = "KDC internal error";
|
||||||
return KRB5KRB_ERR_GENERIC;
|
return KRB5KRB_ERR_GENERIC;
|
||||||
}
|
}
|
||||||
@@ -1110,7 +1110,7 @@ make_etype_info_entry(krb5_context context,
|
|||||||
else if(key->salt->type == hdb_afs3_salt)
|
else if(key->salt->type == hdb_afs3_salt)
|
||||||
*ent->salttype = 2;
|
*ent->salttype = 2;
|
||||||
else {
|
else {
|
||||||
kdc_log(context, config, 2, "unknown salt-type: %d",
|
kdc_log(context, config, 4, "unknown salt-type: %d",
|
||||||
key->salt->type);
|
key->salt->type);
|
||||||
return KRB5KRB_ERR_GENERIC;
|
return KRB5KRB_ERR_GENERIC;
|
||||||
}
|
}
|
||||||
@@ -1450,31 +1450,31 @@ _log_astgs_req(astgs_request_t r, krb5_enctype setype)
|
|||||||
*/
|
*/
|
||||||
|
|
||||||
krb5_error_code
|
krb5_error_code
|
||||||
kdc_check_flags(krb5_context context,
|
kdc_check_flags(astgs_request_t r, krb5_boolean is_as_req)
|
||||||
krb5_kdc_configuration *config,
|
|
||||||
hdb_entry_ex *client_ex, const char *client_name,
|
|
||||||
hdb_entry_ex *server_ex, const char *server_name,
|
|
||||||
krb5_boolean is_as_req)
|
|
||||||
{
|
{
|
||||||
|
krb5_context context = r->context;
|
||||||
|
hdb_entry_ex *client_ex = r->client;
|
||||||
|
hdb_entry_ex *server_ex = r->server;
|
||||||
|
|
||||||
if(client_ex != NULL) {
|
if(client_ex != NULL) {
|
||||||
hdb_entry *client = &client_ex->entry;
|
hdb_entry *client = &client_ex->entry;
|
||||||
|
|
||||||
/* check client */
|
/* check client */
|
||||||
if (client->flags.locked_out) {
|
if (client->flags.locked_out) {
|
||||||
kdc_log(context, config, 2,
|
_kdc_audit_addkv((kdc_request_t)r, 0, "reason",
|
||||||
"Client (%s) is locked out", client_name);
|
"Client is locked out");
|
||||||
return KRB5KDC_ERR_POLICY;
|
return KRB5KDC_ERR_POLICY;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (client->flags.invalid) {
|
if (client->flags.invalid) {
|
||||||
kdc_log(context, config, 2,
|
_kdc_audit_addkv((kdc_request_t)r, 0, "reason",
|
||||||
"Client (%s) has invalid bit set", client_name);
|
"Client has invalid bit set");
|
||||||
return KRB5KDC_ERR_POLICY;
|
return KRB5KDC_ERR_POLICY;
|
||||||
}
|
}
|
||||||
|
|
||||||
if(!client->flags.client){
|
if (!client->flags.client) {
|
||||||
kdc_log(context, config, 2,
|
_kdc_audit_addkv((kdc_request_t)r, 0, "reason",
|
||||||
"Principal may not act as client -- %s", client_name);
|
"Principal may not act as client");
|
||||||
return KRB5KDC_ERR_POLICY;
|
return KRB5KDC_ERR_POLICY;
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -1482,9 +1482,8 @@ kdc_check_flags(krb5_context context,
|
|||||||
char starttime_str[100];
|
char starttime_str[100];
|
||||||
krb5_format_time(context, *client->valid_start,
|
krb5_format_time(context, *client->valid_start,
|
||||||
starttime_str, sizeof(starttime_str), TRUE);
|
starttime_str, sizeof(starttime_str), TRUE);
|
||||||
kdc_log(context, config, 2,
|
_kdc_audit_addkv((kdc_request_t)r, 0, "reason",
|
||||||
"Client not yet valid until %s -- %s",
|
"Client not yet valid until %s", starttime_str);
|
||||||
starttime_str, client_name);
|
|
||||||
return KRB5KDC_ERR_CLIENT_NOTYET;
|
return KRB5KDC_ERR_CLIENT_NOTYET;
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -1492,27 +1491,22 @@ kdc_check_flags(krb5_context context,
|
|||||||
char endtime_str[100];
|
char endtime_str[100];
|
||||||
krb5_format_time(context, *client->valid_end,
|
krb5_format_time(context, *client->valid_end,
|
||||||
endtime_str, sizeof(endtime_str), TRUE);
|
endtime_str, sizeof(endtime_str), TRUE);
|
||||||
kdc_log(context, config, 2,
|
_kdc_audit_addkv((kdc_request_t)r, 0, "reason",
|
||||||
"Client expired at %s -- %s",
|
"Client expired at %s", endtime_str);
|
||||||
endtime_str, client_name);
|
|
||||||
return KRB5KDC_ERR_NAME_EXP;
|
return KRB5KDC_ERR_NAME_EXP;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (client->flags.require_pwchange &&
|
if (client->flags.require_pwchange &&
|
||||||
(server_ex == NULL || !server_ex->entry.flags.change_pw)) {
|
(server_ex == NULL || !server_ex->entry.flags.change_pw))
|
||||||
kdc_log(context, config, 2,
|
|
||||||
"Client's key must be changed -- %s", client_name);
|
|
||||||
return KRB5KDC_ERR_KEY_EXPIRED;
|
return KRB5KDC_ERR_KEY_EXPIRED;
|
||||||
}
|
|
||||||
|
|
||||||
if (client->pw_end && *client->pw_end < kdc_time
|
if (client->pw_end && *client->pw_end < kdc_time
|
||||||
&& (server_ex == NULL || !server_ex->entry.flags.change_pw)) {
|
&& (server_ex == NULL || !server_ex->entry.flags.change_pw)) {
|
||||||
char pwend_str[100];
|
char pwend_str[100];
|
||||||
krb5_format_time(context, *client->pw_end,
|
krb5_format_time(context, *client->pw_end,
|
||||||
pwend_str, sizeof(pwend_str), TRUE);
|
pwend_str, sizeof(pwend_str), TRUE);
|
||||||
kdc_log(context, config, 2,
|
_kdc_audit_addkv((kdc_request_t)r, 0, "reason",
|
||||||
"Client's key has expired at %s -- %s",
|
"Client's key has expired at %s", pwend_str);
|
||||||
pwend_str, client_name);
|
|
||||||
return KRB5KDC_ERR_KEY_EXPIRED;
|
return KRB5KDC_ERR_KEY_EXPIRED;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@@ -1523,25 +1517,24 @@ kdc_check_flags(krb5_context context,
|
|||||||
hdb_entry *server = &server_ex->entry;
|
hdb_entry *server = &server_ex->entry;
|
||||||
|
|
||||||
if (server->flags.locked_out) {
|
if (server->flags.locked_out) {
|
||||||
kdc_log(context, config, 2,
|
_kdc_audit_addkv((kdc_request_t)r, 0, "reason",
|
||||||
"Server locked out -- %s", server_name);
|
"Server locked out");
|
||||||
return KRB5KDC_ERR_POLICY;
|
return KRB5KDC_ERR_POLICY;
|
||||||
}
|
}
|
||||||
if (server->flags.invalid) {
|
if (server->flags.invalid) {
|
||||||
kdc_log(context, config, 2,
|
_kdc_audit_addkv((kdc_request_t)r, 0, "reason",
|
||||||
"Server has invalid flag set -- %s", server_name);
|
"Server has invalid flag set");
|
||||||
|
return KRB5KDC_ERR_POLICY;
|
||||||
|
}
|
||||||
|
if (!server->flags.server) {
|
||||||
|
_kdc_audit_addkv((kdc_request_t)r, 0, "reason",
|
||||||
|
"Principal may not act as server");
|
||||||
return KRB5KDC_ERR_POLICY;
|
return KRB5KDC_ERR_POLICY;
|
||||||
}
|
}
|
||||||
|
|
||||||
if(!server->flags.server){
|
if (!is_as_req && server->flags.initial) {
|
||||||
kdc_log(context, config, 2,
|
_kdc_audit_addkv((kdc_request_t)r, 0, "reason",
|
||||||
"Principal may not act as server -- %s", server_name);
|
"AS-REQ is required for server");
|
||||||
return KRB5KDC_ERR_POLICY;
|
|
||||||
}
|
|
||||||
|
|
||||||
if(!is_as_req && server->flags.initial) {
|
|
||||||
kdc_log(context, config, 2,
|
|
||||||
"AS-REQ is required for server -- %s", server_name);
|
|
||||||
return KRB5KDC_ERR_POLICY;
|
return KRB5KDC_ERR_POLICY;
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -1549,9 +1542,8 @@ kdc_check_flags(krb5_context context,
|
|||||||
char starttime_str[100];
|
char starttime_str[100];
|
||||||
krb5_format_time(context, *server->valid_start,
|
krb5_format_time(context, *server->valid_start,
|
||||||
starttime_str, sizeof(starttime_str), TRUE);
|
starttime_str, sizeof(starttime_str), TRUE);
|
||||||
kdc_log(context, config, 2,
|
_kdc_audit_addkv((kdc_request_t)r, 0, "reason",
|
||||||
"Server not yet valid until %s -- %s",
|
"Server not yet valid until %s", starttime_str);
|
||||||
starttime_str, server_name);
|
|
||||||
return KRB5KDC_ERR_SERVICE_NOTYET;
|
return KRB5KDC_ERR_SERVICE_NOTYET;
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -1559,9 +1551,8 @@ kdc_check_flags(krb5_context context,
|
|||||||
char endtime_str[100];
|
char endtime_str[100];
|
||||||
krb5_format_time(context, *server->valid_end,
|
krb5_format_time(context, *server->valid_end,
|
||||||
endtime_str, sizeof(endtime_str), TRUE);
|
endtime_str, sizeof(endtime_str), TRUE);
|
||||||
kdc_log(context, config, 2,
|
_kdc_audit_addkv((kdc_request_t)r, 0, "reason",
|
||||||
"Server expired at %s -- %s",
|
"Server expired at %s", endtime_str);
|
||||||
endtime_str, server_name);
|
|
||||||
return KRB5KDC_ERR_SERVICE_EXP;
|
return KRB5KDC_ERR_SERVICE_EXP;
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -1569,9 +1560,8 @@ kdc_check_flags(krb5_context context,
|
|||||||
char pwend_str[100];
|
char pwend_str[100];
|
||||||
krb5_format_time(context, *server->pw_end,
|
krb5_format_time(context, *server->pw_end,
|
||||||
pwend_str, sizeof(pwend_str), TRUE);
|
pwend_str, sizeof(pwend_str), TRUE);
|
||||||
kdc_log(context, config, 2,
|
_kdc_audit_addkv((kdc_request_t)r, 0, "reason",
|
||||||
"Server's key has expired at %s -- %s",
|
"Server's key has expired at %s", pwend_str);
|
||||||
pwend_str, server_name);
|
|
||||||
return KRB5KDC_ERR_KEY_EXPIRED;
|
return KRB5KDC_ERR_KEY_EXPIRED;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@@ -1633,8 +1623,8 @@ krb5_error_code
|
|||||||
_kdc_check_anon_policy(astgs_request_t r)
|
_kdc_check_anon_policy(astgs_request_t r)
|
||||||
{
|
{
|
||||||
if (!r->config->allow_anonymous) {
|
if (!r->config->allow_anonymous) {
|
||||||
_kdc_r_log(r, 2,
|
_kdc_audit_addkv((kdc_request_t)r, 0, "reason", "anonymous tickets "
|
||||||
"Request for anonymous ticket denied by local policy");
|
"denied by local policy");
|
||||||
return KRB5KDC_ERR_POLICY;
|
return KRB5KDC_ERR_POLICY;
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -1932,7 +1922,7 @@ _kdc_as_rep(astgs_request_t r)
|
|||||||
b->etype.val, b->etype.len,
|
b->etype.val, b->etype.len,
|
||||||
&r->sessionetype, NULL, NULL);
|
&r->sessionetype, NULL, NULL);
|
||||||
if (ret) {
|
if (ret) {
|
||||||
kdc_log(context, config, 2,
|
kdc_log(context, config, 4,
|
||||||
"Client (%s) from %s has no common enctypes with KDC "
|
"Client (%s) from %s has no common enctypes with KDC "
|
||||||
"to use for the session key",
|
"to use for the session key",
|
||||||
r->cname, from);
|
r->cname, from);
|
||||||
@@ -1982,7 +1972,7 @@ _kdc_as_rep(astgs_request_t r)
|
|||||||
}
|
}
|
||||||
goto out;
|
goto out;
|
||||||
}
|
}
|
||||||
kdc_log(context, config, 3,
|
kdc_log(context, config, 4,
|
||||||
"%s pre-authentication succeeded -- %s",
|
"%s pre-authentication succeeded -- %s",
|
||||||
pat[n].name, r->cname);
|
pat[n].name, r->cname);
|
||||||
found_pa = 1;
|
found_pa = 1;
|
||||||
@@ -2370,7 +2360,7 @@ _kdc_as_rep(astgs_request_t r)
|
|||||||
ret = add_enc_pa_rep(r);
|
ret = add_enc_pa_rep(r);
|
||||||
if (ret) {
|
if (ret) {
|
||||||
msg = krb5_get_error_message(r->context, ret);
|
msg = krb5_get_error_message(r->context, ret);
|
||||||
_kdc_r_log(r, 1, "add_enc_pa_rep failed: %s: %d", msg, ret);
|
_kdc_r_log(r, 4, "add_enc_pa_rep failed: %s: %d", msg, ret);
|
||||||
krb5_free_error_message(r->context, msg);
|
krb5_free_error_message(r->context, msg);
|
||||||
goto out;
|
goto out;
|
||||||
}
|
}
|
||||||
|
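Review bot: The require_pwchange branch of kdc_check_flags (hunk `@@ -1492,27 +1491,22 @@`) is the one denial in this function that loses its explanation entirely: the old kdc_log line is deleted and no "reason" kv-pair is recorded, so a KRB5KDC_ERR_KEY_EXPIRED for a principal flagged require_pwchange becomes indistinguishable in the audit output from the pw_end-expired case a few lines below. Restoring the braces and adding `_kdc_audit_addkv((kdc_request_t)r, 0, "reason", "Client's key must be changed");` before the return keeps it consistent with every sibling check in the function. The same question applies to the internal-failure logs in _kdc_encode_reply (hunks at 904, 914, 931, 1005, 1019 and 1047), which drop from level 1 to 4: if the new per-request log line does not carry the krb5_get_error_message text, a KDC-side encode or krb5_crypto_init failure becomes invisible at default verbosity, and those messages would be better recorded via _kdc_audit_addkv than demoted. Separately, the commit description refers to a kv-pair named "pe-text" while every addition in this file uses the key "reason", so one of the two should be corrected. kdc_check_flags's body continues past the last hunk shown for it.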
205
kdc/krb5tgs.c
205
kdc/krb5tgs.c
@@ -243,7 +243,7 @@ check_KRB5SignedPath(krb5_context context,
|
|||||||
free(data.data);
|
free(data.data);
|
||||||
if (ret) {
|
if (ret) {
|
||||||
free_KRB5SignedPath(&sp);
|
free_KRB5SignedPath(&sp);
|
||||||
kdc_log(context, config, 2,
|
kdc_log(context, config, 4,
|
||||||
"KRB5SignedPath not signed correctly, not marking as signed");
|
"KRB5SignedPath not signed correctly, not marking as signed");
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
@@ -389,45 +389,43 @@ is_anon_tgs_request_p(const KDC_REQ_BODY *b,
|
|||||||
*/
|
*/
|
||||||
|
|
||||||
static krb5_error_code
|
static krb5_error_code
|
||||||
check_tgs_flags(krb5_context context,
|
check_tgs_flags(astgs_request_t r, KDC_REQ_BODY *b,
|
||||||
krb5_kdc_configuration *config,
|
|
||||||
KDC_REQ_BODY *b,
|
|
||||||
krb5_const_principal tgt_name,
|
krb5_const_principal tgt_name,
|
||||||
const EncTicketPart *tgt,
|
const EncTicketPart *tgt, EncTicketPart *et)
|
||||||
EncTicketPart *et)
|
|
||||||
{
|
{
|
||||||
|
krb5_context context = r->context;
|
||||||
KDCOptions f = b->kdc_options;
|
KDCOptions f = b->kdc_options;
|
||||||
|
|
||||||
if(f.validate){
|
if(f.validate){
|
||||||
if(!tgt->flags.invalid || tgt->starttime == NULL){
|
if (!tgt->flags.invalid || tgt->starttime == NULL) {
|
||||||
kdc_log(context, config, 2,
|
_kdc_audit_addkv((kdc_request_t)r, 0, "reason",
|
||||||
"Bad request to validate ticket");
|
"Bad request to validate ticket");
|
||||||
return KRB5KDC_ERR_BADOPTION;
|
return KRB5KDC_ERR_BADOPTION;
|
||||||
}
|
}
|
||||||
if(*tgt->starttime > kdc_time){
|
if(*tgt->starttime > kdc_time){
|
||||||
kdc_log(context, config, 2,
|
_kdc_audit_addkv((kdc_request_t)r, 0, "reason",
|
||||||
"Early request to validate ticket");
|
"Early request to validate ticket");
|
||||||
return KRB5KRB_AP_ERR_TKT_NYV;
|
return KRB5KRB_AP_ERR_TKT_NYV;
|
||||||
}
|
}
|
||||||
/* XXX tkt = tgt */
|
/* XXX tkt = tgt */
|
||||||
et->flags.invalid = 0;
|
et->flags.invalid = 0;
|
||||||
}else if(tgt->flags.invalid){
|
} else if (tgt->flags.invalid) {
|
||||||
kdc_log(context, config, 2,
|
_kdc_audit_addkv((kdc_request_t)r, 0, "reason",
|
||||||
"Ticket-granting ticket has INVALID flag set");
|
"Ticket-granting ticket has INVALID flag set");
|
||||||
return KRB5KRB_AP_ERR_TKT_INVALID;
|
return KRB5KRB_AP_ERR_TKT_INVALID;
|
||||||
}
|
}
|
||||||
|
|
||||||
if(f.forwardable){
|
if(f.forwardable){
|
||||||
if(!tgt->flags.forwardable){
|
if (!tgt->flags.forwardable) {
|
||||||
kdc_log(context, config, 2,
|
_kdc_audit_addkv((kdc_request_t)r, 0, "reason",
|
||||||
"Bad request for forwardable ticket");
|
"Bad request for forwardable ticket");
|
||||||
return KRB5KDC_ERR_BADOPTION;
|
return KRB5KDC_ERR_BADOPTION;
|
||||||
}
|
}
|
||||||
et->flags.forwardable = 1;
|
et->flags.forwardable = 1;
|
||||||
}
|
}
|
||||||
if(f.forwarded){
|
if(f.forwarded){
|
||||||
if(!tgt->flags.forwardable){
|
if (!tgt->flags.forwardable) {
|
||||||
kdc_log(context, config, 2,
|
_kdc_audit_addkv((kdc_request_t)r, 0, "reason",
|
||||||
"Request to forward non-forwardable ticket");
|
"Request to forward non-forwardable ticket");
|
||||||
return KRB5KDC_ERR_BADOPTION;
|
return KRB5KDC_ERR_BADOPTION;
|
||||||
}
|
}
|
||||||
@@ -438,16 +436,16 @@ check_tgs_flags(krb5_context context,
|
|||||||
et->flags.forwarded = 1;
|
et->flags.forwarded = 1;
|
||||||
|
|
||||||
if(f.proxiable){
|
if(f.proxiable){
|
||||||
if(!tgt->flags.proxiable){
|
if (!tgt->flags.proxiable) {
|
||||||
kdc_log(context, config, 2,
|
_kdc_audit_addkv((kdc_request_t)r, 0, "reason",
|
||||||
"Bad request for proxiable ticket");
|
"Bad request for proxiable ticket");
|
||||||
return KRB5KDC_ERR_BADOPTION;
|
return KRB5KDC_ERR_BADOPTION;
|
||||||
}
|
}
|
||||||
et->flags.proxiable = 1;
|
et->flags.proxiable = 1;
|
||||||
}
|
}
|
||||||
if(f.proxy){
|
if(f.proxy){
|
||||||
if(!tgt->flags.proxiable){
|
if (!tgt->flags.proxiable) {
|
||||||
kdc_log(context, config, 2,
|
_kdc_audit_addkv((kdc_request_t)r, 0, "reason",
|
||||||
"Request to proxy non-proxiable ticket");
|
"Request to proxy non-proxiable ticket");
|
||||||
return KRB5KDC_ERR_BADOPTION;
|
return KRB5KDC_ERR_BADOPTION;
|
||||||
}
|
}
|
||||||
@@ -458,16 +456,16 @@ check_tgs_flags(krb5_context context,
|
|||||||
et->flags.proxy = 1;
|
et->flags.proxy = 1;
|
||||||
|
|
||||||
if(f.allow_postdate){
|
if(f.allow_postdate){
|
||||||
if(!tgt->flags.may_postdate){
|
if (!tgt->flags.may_postdate) {
|
||||||
kdc_log(context, config, 2,
|
_kdc_audit_addkv((kdc_request_t)r, 0, "reason",
|
||||||
"Bad request for post-datable ticket");
|
"Bad request for post-datable ticket");
|
||||||
return KRB5KDC_ERR_BADOPTION;
|
return KRB5KDC_ERR_BADOPTION;
|
||||||
}
|
}
|
||||||
et->flags.may_postdate = 1;
|
et->flags.may_postdate = 1;
|
||||||
}
|
}
|
||||||
if(f.postdated){
|
if(f.postdated){
|
||||||
if(!tgt->flags.may_postdate){
|
if (!tgt->flags.may_postdate) {
|
||||||
kdc_log(context, config, 2,
|
_kdc_audit_addkv((kdc_request_t)r, 0, "reason",
|
||||||
"Bad request for postdated ticket");
|
"Bad request for postdated ticket");
|
||||||
return KRB5KDC_ERR_BADOPTION;
|
return KRB5KDC_ERR_BADOPTION;
|
||||||
}
|
}
|
||||||
@@ -475,14 +473,15 @@ check_tgs_flags(krb5_context context,
|
|||||||
*et->starttime = *b->from;
|
*et->starttime = *b->from;
|
||||||
et->flags.postdated = 1;
|
et->flags.postdated = 1;
|
||||||
et->flags.invalid = 1;
|
et->flags.invalid = 1;
|
||||||
}else if(b->from && *b->from > kdc_time + context->max_skew){
|
} else if (b->from && *b->from > kdc_time + context->max_skew) {
|
||||||
kdc_log(context, config, 0, "Ticket cannot be postdated");
|
_kdc_audit_addkv((kdc_request_t)r, 0, "reason",
|
||||||
|
"Ticket cannot be postdated");
|
||||||
return KRB5KDC_ERR_CANNOT_POSTDATE;
|
return KRB5KDC_ERR_CANNOT_POSTDATE;
|
||||||
}
|
}
|
||||||
|
|
||||||
if(f.renewable){
|
if(f.renewable){
|
||||||
if(!tgt->flags.renewable || tgt->renew_till == NULL){
|
if (!tgt->flags.renewable || tgt->renew_till == NULL) {
|
||||||
kdc_log(context, config, 2,
|
_kdc_audit_addkv((kdc_request_t)r, 0, "reason",
|
||||||
"Bad request for renewable ticket");
|
"Bad request for renewable ticket");
|
||||||
return KRB5KDC_ERR_BADOPTION;
|
return KRB5KDC_ERR_BADOPTION;
|
||||||
}
|
}
|
||||||
@@ -493,8 +492,8 @@ check_tgs_flags(krb5_context context,
|
|||||||
}
|
}
|
||||||
if(f.renew){
|
if(f.renew){
|
||||||
time_t old_life;
|
time_t old_life;
|
||||||
if(!tgt->flags.renewable || tgt->renew_till == NULL){
|
if (!tgt->flags.renewable || tgt->renew_till == NULL) {
|
||||||
kdc_log(context, config, 2,
|
_kdc_audit_addkv((kdc_request_t)r, 0, "reason",
|
||||||
"Request to renew non-renewable ticket");
|
"Request to renew non-renewable ticket");
|
||||||
return KRB5KDC_ERR_BADOPTION;
|
return KRB5KDC_ERR_BADOPTION;
|
||||||
}
|
}
|
||||||
@@ -514,8 +513,9 @@ check_tgs_flags(krb5_context context,
|
|||||||
*/
|
*/
|
||||||
if (tgt->flags.anonymous &&
|
if (tgt->flags.anonymous &&
|
||||||
!_kdc_is_anonymous(context, tgt_name)) {
|
!_kdc_is_anonymous(context, tgt_name)) {
|
||||||
kdc_log(context, config, 2,
|
_kdc_audit_addkv((kdc_request_t)r, 0, "reason",
|
||||||
"Anonymous ticket flag set without anonymous principal");
|
"Anonymous ticket flag set without "
|
||||||
|
"anonymous principal");
|
||||||
return KRB5KDC_ERR_BADOPTION;
|
return KRB5KDC_ERR_BADOPTION;
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -554,7 +554,7 @@ check_constrained_delegation(krb5_context context,
|
|||||||
*/
|
*/
|
||||||
if(!krb5_realm_compare(context, client->entry.principal, server->entry.principal)) {
|
if(!krb5_realm_compare(context, client->entry.principal, server->entry.principal)) {
|
||||||
ret = KRB5KDC_ERR_BADOPTION;
|
ret = KRB5KDC_ERR_BADOPTION;
|
||||||
kdc_log(context, config, 2,
|
kdc_log(context, config, 4,
|
||||||
"Bad request for constrained delegation");
|
"Bad request for constrained delegation");
|
||||||
return ret;
|
return ret;
|
||||||
}
|
}
|
||||||
@@ -582,7 +582,7 @@ check_constrained_delegation(krb5_context context,
|
|||||||
}
|
}
|
||||||
ret = KRB5KDC_ERR_BADOPTION;
|
ret = KRB5KDC_ERR_BADOPTION;
|
||||||
}
|
}
|
||||||
kdc_log(context, config, 2,
|
kdc_log(context, config, 4,
|
||||||
"Bad request for constrained delegation");
|
"Bad request for constrained delegation");
|
||||||
return ret;
|
return ret;
|
||||||
}
|
}
|
||||||
@@ -628,11 +628,11 @@ verify_flags (krb5_context context,
|
|||||||
const char *pstr)
|
const char *pstr)
|
||||||
{
|
{
|
||||||
if(et->endtime < kdc_time){
|
if(et->endtime < kdc_time){
|
||||||
kdc_log(context, config, 2, "Ticket expired (%s)", pstr);
|
kdc_log(context, config, 4, "Ticket expired (%s)", pstr);
|
||||||
return KRB5KRB_AP_ERR_TKT_EXPIRED;
|
return KRB5KRB_AP_ERR_TKT_EXPIRED;
|
||||||
}
|
}
|
||||||
if(et->flags.invalid){
|
if(et->flags.invalid){
|
||||||
kdc_log(context, config, 2, "Ticket not valid (%s)", pstr);
|
kdc_log(context, config, 4, "Ticket not valid (%s)", pstr);
|
||||||
return KRB5KRB_AP_ERR_TKT_NYV;
|
return KRB5KRB_AP_ERR_TKT_NYV;
|
||||||
}
|
}
|
||||||
return 0;
|
return 0;
|
||||||
@@ -667,11 +667,11 @@ fix_transited_encoding(krb5_context context,
|
|||||||
*/
|
*/
|
||||||
if (tr->contents.length == 0)
|
if (tr->contents.length == 0)
|
||||||
break;
|
break;
|
||||||
kdc_log(context, config, 2,
|
kdc_log(context, config, 4,
|
||||||
"Transited type 0 with non empty content");
|
"Transited type 0 with non empty content");
|
||||||
return KRB5KDC_ERR_TRTYPE_NOSUPP;
|
return KRB5KDC_ERR_TRTYPE_NOSUPP;
|
||||||
default:
|
default:
|
||||||
kdc_log(context, config, 2,
|
kdc_log(context, config, 4,
|
||||||
"Unknown transited type: %u", tr->tr_type);
|
"Unknown transited type: %u", tr->tr_type);
|
||||||
return KRB5KDC_ERR_TRTYPE_NOSUPP;
|
return KRB5KDC_ERR_TRTYPE_NOSUPP;
|
||||||
}
|
}
|
||||||
@@ -802,7 +802,7 @@ tgs_make_reply(astgs_request_t r,
|
|||||||
ALLOC(et.starttime);
|
ALLOC(et.starttime);
|
||||||
*et.starttime = kdc_time;
|
*et.starttime = kdc_time;
|
||||||
|
|
||||||
ret = check_tgs_flags(context, config, b, tgt_name, tgt, &et);
|
ret = check_tgs_flags(r, b, tgt_name, tgt, &et);
|
||||||
if(ret)
|
if(ret)
|
||||||
goto out;
|
goto out;
|
||||||
|
|
||||||
@@ -1083,7 +1083,7 @@ tgs_check_authenticator(krb5_context context,
|
|||||||
|
|
||||||
krb5_auth_con_getauthenticator(context, ac, &auth);
|
krb5_auth_con_getauthenticator(context, ac, &auth);
|
||||||
if(auth->cksum == NULL){
|
if(auth->cksum == NULL){
|
||||||
kdc_log(context, config, 2, "No authenticator in request");
|
kdc_log(context, config, 4, "No authenticator in request");
|
||||||
ret = KRB5KRB_AP_ERR_INAPP_CKSUM;
|
ret = KRB5KRB_AP_ERR_INAPP_CKSUM;
|
||||||
goto out;
|
goto out;
|
||||||
}
|
}
|
||||||
@@ -1097,7 +1097,7 @@ tgs_check_authenticator(krb5_context context,
|
|||||||
||
|
||
|
||||||
#endif
|
#endif
|
||||||
!krb5_checksum_is_collision_proof(context, auth->cksum->cksumtype)) {
|
!krb5_checksum_is_collision_proof(context, auth->cksum->cksumtype)) {
|
||||||
kdc_log(context, config, 2, "Bad checksum type in authenticator: %d",
|
kdc_log(context, config, 4, "Bad checksum type in authenticator: %d",
|
||||||
auth->cksum->cksumtype);
|
auth->cksum->cksumtype);
|
||||||
ret = KRB5KRB_AP_ERR_INAPP_CKSUM;
|
ret = KRB5KRB_AP_ERR_INAPP_CKSUM;
|
||||||
goto out;
|
goto out;
|
||||||
@@ -1107,13 +1107,13 @@ tgs_check_authenticator(krb5_context context,
|
|||||||
ASN1_MALLOC_ENCODE(KDC_REQ_BODY, buf, buf_size, b, &len, ret);
|
ASN1_MALLOC_ENCODE(KDC_REQ_BODY, buf, buf_size, b, &len, ret);
|
||||||
if(ret){
|
if(ret){
|
||||||
const char *msg = krb5_get_error_message(context, ret);
|
const char *msg = krb5_get_error_message(context, ret);
|
||||||
kdc_log(context, config, 1, "Failed to encode KDC-REQ-BODY: %s", msg);
|
kdc_log(context, config, 4, "Failed to encode KDC-REQ-BODY: %s", msg);
|
||||||
krb5_free_error_message(context, msg);
|
krb5_free_error_message(context, msg);
|
||||||
goto out;
|
goto out;
|
||||||
}
|
}
|
||||||
if(buf_size != len) {
|
if(buf_size != len) {
|
||||||
free(buf);
|
free(buf);
|
||||||
kdc_log(context, config, 1, "Internal error in ASN.1 encoder");
|
kdc_log(context, config, 4, "Internal error in ASN.1 encoder");
|
||||||
*e_text = "KDC internal error";
|
*e_text = "KDC internal error";
|
||||||
ret = KRB5KRB_ERR_GENERIC;
|
ret = KRB5KRB_ERR_GENERIC;
|
||||||
goto out;
|
goto out;
|
||||||
@@ -1122,7 +1122,7 @@ tgs_check_authenticator(krb5_context context,
|
|||||||
if (ret) {
|
if (ret) {
|
||||||
const char *msg = krb5_get_error_message(context, ret);
|
const char *msg = krb5_get_error_message(context, ret);
|
||||||
free(buf);
|
free(buf);
|
||||||
kdc_log(context, config, 1, "krb5_crypto_init failed: %s", msg);
|
kdc_log(context, config, 4, "krb5_crypto_init failed: %s", msg);
|
||||||
krb5_free_error_message(context, msg);
|
krb5_free_error_message(context, msg);
|
||||||
goto out;
|
goto out;
|
||||||
}
|
}
|
||||||
@@ -1136,7 +1136,7 @@ tgs_check_authenticator(krb5_context context,
|
|||||||
krb5_crypto_destroy(context, crypto);
|
krb5_crypto_destroy(context, crypto);
|
||||||
if(ret){
|
if(ret){
|
||||||
const char *msg = krb5_get_error_message(context, ret);
|
const char *msg = krb5_get_error_message(context, ret);
|
||||||
kdc_log(context, config, 2,
|
kdc_log(context, config, 4,
|
||||||
"Failed to verify authenticator checksum: %s", msg);
|
"Failed to verify authenticator checksum: %s", msg);
|
||||||
krb5_free_error_message(context, msg);
|
krb5_free_error_message(context, msg);
|
||||||
}
|
}
|
||||||
@@ -1227,14 +1227,14 @@ tgs_parse_request(astgs_request_t r,
|
|||||||
ret = krb5_decode_ap_req(context, &tgs_req->padata_value, &ap_req);
|
ret = krb5_decode_ap_req(context, &tgs_req->padata_value, &ap_req);
|
||||||
if(ret){
|
if(ret){
|
||||||
const char *msg = krb5_get_error_message(context, ret);
|
const char *msg = krb5_get_error_message(context, ret);
|
||||||
kdc_log(context, config, 2, "Failed to decode AP-REQ: %s", msg);
|
kdc_log(context, config, 4, "Failed to decode AP-REQ: %s", msg);
|
||||||
krb5_free_error_message(context, msg);
|
krb5_free_error_message(context, msg);
|
||||||
goto out;
|
goto out;
|
||||||
}
|
}
|
||||||
|
|
||||||
if(!get_krbtgt_realm(&ap_req.ticket.sname)){
|
if(!get_krbtgt_realm(&ap_req.ticket.sname)){
|
||||||
/* XXX check for ticket.sname == req.sname */
|
/* XXX check for ticket.sname == req.sname */
|
||||||
kdc_log(context, config, 2, "PA-DATA is not a ticket-granting ticket");
|
kdc_log(context, config, 4, "PA-DATA is not a ticket-granting ticket");
|
||||||
ret = KRB5KDC_ERR_POLICY; /* ? */
|
ret = KRB5KDC_ERR_POLICY; /* ? */
|
||||||
goto out;
|
goto out;
|
||||||
}
|
}
|
||||||
@@ -1294,7 +1294,7 @@ tgs_parse_request(astgs_request_t r,
|
|||||||
ret = krb5_unparse_name(context, princ, &p);
|
ret = krb5_unparse_name(context, princ, &p);
|
||||||
if (ret != 0)
|
if (ret != 0)
|
||||||
p = failed;
|
p = failed;
|
||||||
kdc_log(context, config, 1,
|
kdc_log(context, config, 4,
|
||||||
"Ticket-granting ticket %s not found in database: %s", p, msg);
|
"Ticket-granting ticket %s not found in database: %s", p, msg);
|
||||||
krb5_free_principal(context, princ);
|
krb5_free_principal(context, princ);
|
||||||
krb5_free_error_message(context, msg);
|
krb5_free_error_message(context, msg);
|
||||||
@@ -1320,7 +1320,7 @@ next_kvno:
|
|||||||
|
|
||||||
krb5_enctype_to_string(context, ap_req.ticket.enc_part.etype, &str);
|
krb5_enctype_to_string(context, ap_req.ticket.enc_part.etype, &str);
|
||||||
krb5_unparse_name(context, princ, &p);
|
krb5_unparse_name(context, princ, &p);
|
||||||
kdc_log(context, config, 2,
|
kdc_log(context, config, 4,
|
||||||
"No server key with enctype %s found for %s",
|
"No server key with enctype %s found for %s",
|
||||||
str ? str : "<unknown enctype>",
|
str ? str : "<unknown enctype>",
|
||||||
p ? p : "<unparse_name failed>");
|
p ? p : "<unparse_name failed>");
|
||||||
@@ -1353,7 +1353,7 @@ next_kvno:
|
|||||||
krb5_free_principal(context, princ);
|
krb5_free_principal(context, princ);
|
||||||
if(ret) {
|
if(ret) {
|
||||||
const char *msg = krb5_get_error_message(context, ret);
|
const char *msg = krb5_get_error_message(context, ret);
|
||||||
kdc_log(context, config, 2, "Failed to verify AP-REQ: %s", msg);
|
kdc_log(context, config, 4, "Failed to verify AP-REQ: %s", msg);
|
||||||
krb5_free_error_message(context, msg);
|
krb5_free_error_message(context, msg);
|
||||||
goto out;
|
goto out;
|
||||||
}
|
}
|
||||||
@@ -1366,14 +1366,14 @@ next_kvno:
|
|||||||
*csec = malloc(sizeof(**csec));
|
*csec = malloc(sizeof(**csec));
|
||||||
if (*csec == NULL) {
|
if (*csec == NULL) {
|
||||||
krb5_free_authenticator(context, &auth);
|
krb5_free_authenticator(context, &auth);
|
||||||
kdc_log(context, config, 1, "malloc failed");
|
kdc_log(context, config, 4, "malloc failed");
|
||||||
goto out;
|
goto out;
|
||||||
}
|
}
|
||||||
**csec = auth->ctime;
|
**csec = auth->ctime;
|
||||||
*cusec = malloc(sizeof(**cusec));
|
*cusec = malloc(sizeof(**cusec));
|
||||||
if (*cusec == NULL) {
|
if (*cusec == NULL) {
|
||||||
krb5_free_authenticator(context, &auth);
|
krb5_free_authenticator(context, &auth);
|
||||||
kdc_log(context, config, 1, "malloc failed");
|
kdc_log(context, config, 4, "malloc failed");
|
||||||
goto out;
|
goto out;
|
||||||
}
|
}
|
||||||
**cusec = auth->cusec;
|
**cusec = auth->cusec;
|
||||||
@@ -1395,7 +1395,7 @@ next_kvno:
|
|||||||
if(ret){
|
if(ret){
|
||||||
const char *msg = krb5_get_error_message(context, ret);
|
const char *msg = krb5_get_error_message(context, ret);
|
||||||
krb5_auth_con_free(context, ac);
|
krb5_auth_con_free(context, ac);
|
||||||
kdc_log(context, config, 1, "Failed to get remote subkey: %s", msg);
|
kdc_log(context, config, 4, "Failed to get remote subkey: %s", msg);
|
||||||
krb5_free_error_message(context, msg);
|
krb5_free_error_message(context, msg);
|
||||||
goto out;
|
goto out;
|
||||||
}
|
}
|
||||||
@@ -1407,14 +1407,14 @@ next_kvno:
|
|||||||
if(ret) {
|
if(ret) {
|
||||||
const char *msg = krb5_get_error_message(context, ret);
|
const char *msg = krb5_get_error_message(context, ret);
|
||||||
krb5_auth_con_free(context, ac);
|
krb5_auth_con_free(context, ac);
|
||||||
kdc_log(context, config, 1, "Failed to get session key: %s", msg);
|
kdc_log(context, config, 4, "Failed to get session key: %s", msg);
|
||||||
krb5_free_error_message(context, msg);
|
krb5_free_error_message(context, msg);
|
||||||
goto out;
|
goto out;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
if(subkey == NULL){
|
if(subkey == NULL){
|
||||||
krb5_auth_con_free(context, ac);
|
krb5_auth_con_free(context, ac);
|
||||||
kdc_log(context, config, 1,
|
kdc_log(context, config, 4,
|
||||||
"Failed to get key for enc-authorization-data");
|
"Failed to get key for enc-authorization-data");
|
||||||
ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; /* ? */
|
ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; /* ? */
|
||||||
goto out;
|
goto out;
|
||||||
@@ -1429,7 +1429,7 @@ next_kvno:
|
|||||||
if (ret) {
|
if (ret) {
|
||||||
const char *msg = krb5_get_error_message(context, ret);
|
const char *msg = krb5_get_error_message(context, ret);
|
||||||
krb5_auth_con_free(context, ac);
|
krb5_auth_con_free(context, ac);
|
||||||
kdc_log(context, config, 1, "krb5_crypto_init failed: %s", msg);
|
kdc_log(context, config, 4, "krb5_crypto_init failed: %s", msg);
|
||||||
krb5_free_error_message(context, msg);
|
krb5_free_error_message(context, msg);
|
||||||
goto out;
|
goto out;
|
||||||
}
|
}
|
||||||
@@ -1441,7 +1441,7 @@ next_kvno:
|
|||||||
krb5_crypto_destroy(context, crypto);
|
krb5_crypto_destroy(context, crypto);
|
||||||
if(ret){
|
if(ret){
|
||||||
krb5_auth_con_free(context, ac);
|
krb5_auth_con_free(context, ac);
|
||||||
kdc_log(context, config, 2,
|
kdc_log(context, config, 4,
|
||||||
"Failed to decrypt enc-authorization-data");
|
"Failed to decrypt enc-authorization-data");
|
||||||
ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; /* ? */
|
ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; /* ? */
|
||||||
goto out;
|
goto out;
|
||||||
@@ -1457,7 +1457,7 @@ next_kvno:
|
|||||||
krb5_auth_con_free(context, ac);
|
krb5_auth_con_free(context, ac);
|
||||||
free(*auth_data);
|
free(*auth_data);
|
||||||
*auth_data = NULL;
|
*auth_data = NULL;
|
||||||
kdc_log(context, config, 2, "Failed to decode authorization data");
|
kdc_log(context, config, 4, "Failed to decode authorization data");
|
||||||
ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; /* ? */
|
ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; /* ? */
|
||||||
goto out;
|
goto out;
|
||||||
}
|
}
|
||||||
@@ -1625,13 +1625,13 @@ tgs_build_reply(astgs_request_t priv,
|
|||||||
if(b->additional_tickets == NULL ||
|
if(b->additional_tickets == NULL ||
|
||||||
b->additional_tickets->len == 0){
|
b->additional_tickets->len == 0){
|
||||||
ret = KRB5KDC_ERR_BADOPTION; /* ? */
|
ret = KRB5KDC_ERR_BADOPTION; /* ? */
|
||||||
kdc_log(context, config, 2,
|
kdc_log(context, config, 4,
|
||||||
"No second ticket present in request");
|
"No second ticket present in request");
|
||||||
goto out;
|
goto out;
|
||||||
}
|
}
|
||||||
t = &b->additional_tickets->val[0];
|
t = &b->additional_tickets->val[0];
|
||||||
if(!get_krbtgt_realm(&t->sname)){
|
if(!get_krbtgt_realm(&t->sname)){
|
||||||
kdc_log(context, config, 2,
|
kdc_log(context, config, 4,
|
||||||
"Additional ticket is not a ticket-granting ticket");
|
"Additional ticket is not a ticket-granting ticket");
|
||||||
ret = KRB5KDC_ERR_POLICY;
|
ret = KRB5KDC_ERR_POLICY;
|
||||||
goto out;
|
goto out;
|
||||||
@@ -1684,11 +1684,11 @@ tgs_build_reply(astgs_request_t priv,
|
|||||||
asn1_KDCOptions_units(),
|
asn1_KDCOptions_units(),
|
||||||
opt_str, sizeof(opt_str));
|
opt_str, sizeof(opt_str));
|
||||||
if(*opt_str)
|
if(*opt_str)
|
||||||
kdc_log(context, config, 3,
|
kdc_log(context, config, 4,
|
||||||
"TGS-REQ %s from %s for %s [%s]",
|
"TGS-REQ %s from %s for %s [%s]",
|
||||||
cpn, from, spn, opt_str);
|
cpn, from, spn, opt_str);
|
||||||
else
|
else
|
||||||
kdc_log(context, config, 3,
|
kdc_log(context, config, 4,
|
||||||
"TGS-REQ %s from %s for %s", cpn, from, spn);
|
"TGS-REQ %s from %s for %s", cpn, from, spn);
|
||||||
|
|
||||||
/*
|
/*
|
||||||
@@ -1796,7 +1796,7 @@ server_lookup:
|
|||||||
krb5_free_host_realm(context, realms);
|
krb5_free_host_realm(context, realms);
|
||||||
}
|
}
|
||||||
msg = krb5_get_error_message(context, ret);
|
msg = krb5_get_error_message(context, ret);
|
||||||
kdc_log(context, config, 2,
|
kdc_log(context, config, 4,
|
||||||
"Server not found in database: %s: %s", spn, msg);
|
"Server not found in database: %s: %s", spn, msg);
|
||||||
krb5_free_error_message(context, msg);
|
krb5_free_error_message(context, msg);
|
||||||
if (ret == HDB_ERR_NOENTRY)
|
if (ret == HDB_ERR_NOENTRY)
|
||||||
@@ -1830,7 +1830,7 @@ server_lookup:
|
|||||||
if (b->etype.val[i] == adtkt.key.keytype)
|
if (b->etype.val[i] == adtkt.key.keytype)
|
||||||
break;
|
break;
|
||||||
if(i == b->etype.len) {
|
if(i == b->etype.len) {
|
||||||
kdc_log(context, config, 2,
|
kdc_log(context, config, 4,
|
||||||
"Addition ticket have not matching etypes");
|
"Addition ticket have not matching etypes");
|
||||||
krb5_clear_error_message(context);
|
krb5_clear_error_message(context);
|
||||||
ret = KRB5KDC_ERR_ETYPE_NOSUPP;
|
ret = KRB5KDC_ERR_ETYPE_NOSUPP;
|
||||||
@@ -1846,14 +1846,14 @@ server_lookup:
|
|||||||
b->etype.val, b->etype.len, &etype, NULL,
|
b->etype.val, b->etype.len, &etype, NULL,
|
||||||
NULL);
|
NULL);
|
||||||
if(ret) {
|
if(ret) {
|
||||||
kdc_log(context, config, 2,
|
kdc_log(context, config, 4,
|
||||||
"Server (%s) has no support for etypes", spn);
|
"Server (%s) has no support for etypes", spn);
|
||||||
goto out;
|
goto out;
|
||||||
}
|
}
|
||||||
ret = _kdc_get_preferred_key(context, config, server, spn,
|
ret = _kdc_get_preferred_key(context, config, server, spn,
|
||||||
NULL, &skey);
|
NULL, &skey);
|
||||||
if(ret) {
|
if(ret) {
|
||||||
kdc_log(context, config, 2,
|
kdc_log(context, config, 4,
|
||||||
"Server (%s) has no supported etypes", spn);
|
"Server (%s) has no supported etypes", spn);
|
||||||
goto out;
|
goto out;
|
||||||
}
|
}
|
||||||
@@ -1879,7 +1879,7 @@ server_lookup:
|
|||||||
ret = hdb_enctype2key(context, &krbtgt->entry, NULL, /* XXX use the right kvno! */
|
ret = hdb_enctype2key(context, &krbtgt->entry, NULL, /* XXX use the right kvno! */
|
||||||
krbtgt_etype, &tkey_check);
|
krbtgt_etype, &tkey_check);
|
||||||
if(ret) {
|
if(ret) {
|
||||||
kdc_log(context, config, 2,
|
kdc_log(context, config, 4,
|
||||||
"Failed to find key for krbtgt PAC check");
|
"Failed to find key for krbtgt PAC check");
|
||||||
goto out;
|
goto out;
|
||||||
}
|
}
|
||||||
@@ -1897,14 +1897,14 @@ server_lookup:
|
|||||||
our_realm,
|
our_realm,
|
||||||
NULL);
|
NULL);
|
||||||
if (ret) {
|
if (ret) {
|
||||||
kdc_log(context, config, 1,
|
kdc_log(context, config, 4,
|
||||||
"Failed to make krbtgt principal name object for "
|
"Failed to make krbtgt principal name object for "
|
||||||
"authz-data signatures");
|
"authz-data signatures");
|
||||||
goto out;
|
goto out;
|
||||||
}
|
}
|
||||||
ret = krb5_unparse_name(context, krbtgt_out_principal, &krbtgt_out_n);
|
ret = krb5_unparse_name(context, krbtgt_out_principal, &krbtgt_out_n);
|
||||||
if (ret) {
|
if (ret) {
|
||||||
kdc_log(context, config, 1,
|
kdc_log(context, config, 4,
|
||||||
"Failed to make krbtgt principal name object for "
|
"Failed to make krbtgt principal name object for "
|
||||||
"authz-data signatures");
|
"authz-data signatures");
|
||||||
goto out;
|
goto out;
|
||||||
@@ -1915,7 +1915,7 @@ server_lookup:
|
|||||||
if (ret) {
|
if (ret) {
|
||||||
char *ktpn = NULL;
|
char *ktpn = NULL;
|
||||||
ret = krb5_unparse_name(context, krbtgt->entry.principal, &ktpn);
|
ret = krb5_unparse_name(context, krbtgt->entry.principal, &ktpn);
|
||||||
kdc_log(context, config, 2,
|
kdc_log(context, config, 4,
|
||||||
"No such principal %s (needed for authz-data signature keys) "
|
"No such principal %s (needed for authz-data signature keys) "
|
||||||
"while processing TGS-REQ for service %s with krbtg %s",
|
"while processing TGS-REQ for service %s with krbtg %s",
|
||||||
krbtgt_out_n, spn, (ret == 0) ? ktpn : "<unknown>");
|
krbtgt_out_n, spn, (ret == 0) ? ktpn : "<unknown>");
|
||||||
@@ -1935,7 +1935,7 @@ server_lookup:
|
|||||||
krb5_principal_get_realm(context, krbtgt_out->entry.principal)) != 0) {
|
krb5_principal_get_realm(context, krbtgt_out->entry.principal)) != 0) {
|
||||||
char *ktpn;
|
char *ktpn;
|
||||||
ret = krb5_unparse_name(context, krbtgt_out->entry.principal, &ktpn);
|
ret = krb5_unparse_name(context, krbtgt_out->entry.principal, &ktpn);
|
||||||
kdc_log(context, config, 2,
|
kdc_log(context, config, 4,
|
||||||
"Request with wrong krbtgt: %s",
|
"Request with wrong krbtgt: %s",
|
||||||
(ret == 0) ? ktpn : "<unknown>");
|
(ret == 0) ? ktpn : "<unknown>");
|
||||||
if(ret == 0)
|
if(ret == 0)
|
||||||
@@ -1947,14 +1947,14 @@ server_lookup:
|
|||||||
ret = _kdc_get_preferred_key(context, config, krbtgt_out, krbtgt_out_n,
|
ret = _kdc_get_preferred_key(context, config, krbtgt_out, krbtgt_out_n,
|
||||||
NULL, &tkey_sign);
|
NULL, &tkey_sign);
|
||||||
if (ret) {
|
if (ret) {
|
||||||
kdc_log(context, config, 2,
|
kdc_log(context, config, 4,
|
||||||
"Failed to find key for krbtgt PAC signature");
|
"Failed to find key for krbtgt PAC signature");
|
||||||
goto out;
|
goto out;
|
||||||
}
|
}
|
||||||
ret = hdb_enctype2key(context, &krbtgt_out->entry, NULL,
|
ret = hdb_enctype2key(context, &krbtgt_out->entry, NULL,
|
||||||
tkey_sign->key.keytype, &tkey_sign);
|
tkey_sign->key.keytype, &tkey_sign);
|
||||||
if(ret) {
|
if(ret) {
|
||||||
kdc_log(context, config, 2,
|
kdc_log(context, config, 4,
|
||||||
"Failed to find key for krbtgt PAC signature");
|
"Failed to find key for krbtgt PAC signature");
|
||||||
goto out;
|
goto out;
|
||||||
}
|
}
|
||||||
@@ -1980,13 +1980,13 @@ server_lookup:
|
|||||||
if(strcmp(krb5_principal_get_realm(context, cp), krbtgt_realm) == 0) {
|
if(strcmp(krb5_principal_get_realm(context, cp), krbtgt_realm) == 0) {
|
||||||
if (ret == HDB_ERR_NOENTRY)
|
if (ret == HDB_ERR_NOENTRY)
|
||||||
ret = KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN;
|
ret = KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN;
|
||||||
kdc_log(context, config, 2, "Client no longer in database: %s",
|
kdc_log(context, config, 4, "Client no longer in database: %s",
|
||||||
cpn);
|
cpn);
|
||||||
goto out;
|
goto out;
|
||||||
}
|
}
|
||||||
|
|
||||||
msg = krb5_get_error_message(context, ret);
|
msg = krb5_get_error_message(context, ret);
|
||||||
kdc_log(context, config, 2, "Client not found in database: %s", msg);
|
kdc_log(context, config, 4, "Client not found in database: %s", msg);
|
||||||
krb5_free_error_message(context, msg);
|
krb5_free_error_message(context, msg);
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -1997,7 +1997,7 @@ server_lookup:
|
|||||||
tgt, &rspac, &signedpath);
|
tgt, &rspac, &signedpath);
|
||||||
if (ret) {
|
if (ret) {
|
||||||
const char *msg = krb5_get_error_message(context, ret);
|
const char *msg = krb5_get_error_message(context, ret);
|
||||||
kdc_log(context, config, 2,
|
kdc_log(context, config, 4,
|
||||||
"Verify PAC failed for %s (%s) from %s with %s",
|
"Verify PAC failed for %s (%s) from %s with %s",
|
||||||
spn, cpn, from, msg);
|
spn, cpn, from, msg);
|
||||||
krb5_free_error_message(context, msg);
|
krb5_free_error_message(context, msg);
|
||||||
@@ -2014,7 +2014,7 @@ server_lookup:
|
|||||||
&signedpath);
|
&signedpath);
|
||||||
if (ret) {
|
if (ret) {
|
||||||
const char *msg = krb5_get_error_message(context, ret);
|
const char *msg = krb5_get_error_message(context, ret);
|
||||||
kdc_log(context, config, 2,
|
kdc_log(context, config, 4,
|
||||||
"KRB5SignedPath check failed for %s (%s) from %s with %s",
|
"KRB5SignedPath check failed for %s (%s) from %s with %s",
|
||||||
spn, cpn, from, msg);
|
spn, cpn, from, msg);
|
||||||
krb5_free_error_message(context, msg);
|
krb5_free_error_message(context, msg);
|
||||||
@@ -2044,13 +2044,13 @@ server_lookup:
|
|||||||
sdata->padata_value.length,
|
sdata->padata_value.length,
|
||||||
&self, NULL);
|
&self, NULL);
|
||||||
if (ret) {
|
if (ret) {
|
||||||
kdc_log(context, config, 2, "Failed to decode PA-S4U2Self");
|
kdc_log(context, config, 4, "Failed to decode PA-S4U2Self");
|
||||||
goto out;
|
goto out;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (!krb5_checksum_is_keyed(context, self.cksum.cksumtype)) {
|
if (!krb5_checksum_is_keyed(context, self.cksum.cksumtype)) {
|
||||||
free_PA_S4U2Self(&self);
|
free_PA_S4U2Self(&self);
|
||||||
kdc_log(context, config, 2, "Reject PA-S4U2Self with unkeyed checksum");
|
kdc_log(context, config, 4, "Reject PA-S4U2Self with unkeyed checksum");
|
||||||
ret = KRB5KRB_AP_ERR_INAPP_CKSUM;
|
ret = KRB5KRB_AP_ERR_INAPP_CKSUM;
|
||||||
goto out;
|
goto out;
|
||||||
}
|
}
|
||||||
@@ -2064,7 +2064,7 @@ server_lookup:
|
|||||||
const char *msg = krb5_get_error_message(context, ret);
|
const char *msg = krb5_get_error_message(context, ret);
|
||||||
free_PA_S4U2Self(&self);
|
free_PA_S4U2Self(&self);
|
||||||
krb5_data_free(&datack);
|
krb5_data_free(&datack);
|
||||||
kdc_log(context, config, 2, "krb5_crypto_init failed: %s", msg);
|
kdc_log(context, config, 4, "krb5_crypto_init failed: %s", msg);
|
||||||
krb5_free_error_message(context, msg);
|
krb5_free_error_message(context, msg);
|
||||||
goto out;
|
goto out;
|
||||||
}
|
}
|
||||||
@@ -2102,7 +2102,7 @@ server_lookup:
|
|||||||
if (ret) {
|
if (ret) {
|
||||||
const char *msg = krb5_get_error_message(context, ret);
|
const char *msg = krb5_get_error_message(context, ret);
|
||||||
free_PA_S4U2Self(&self);
|
free_PA_S4U2Self(&self);
|
||||||
kdc_log(context, config, 2,
|
kdc_log(context, config, 4,
|
||||||
"krb5_verify_checksum failed for S4U2Self: %s", msg);
|
"krb5_verify_checksum failed for S4U2Self: %s", msg);
|
||||||
krb5_free_error_message(context, msg);
|
krb5_free_error_message(context, msg);
|
||||||
goto out;
|
goto out;
|
||||||
@@ -2138,7 +2138,7 @@ server_lookup:
|
|||||||
if (ret == HDB_ERR_NOENTRY)
|
if (ret == HDB_ERR_NOENTRY)
|
||||||
ret = KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN;
|
ret = KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN;
|
||||||
msg = krb5_get_error_message(context, ret);
|
msg = krb5_get_error_message(context, ret);
|
||||||
kdc_log(context, config, 2,
|
kdc_log(context, config, 4,
|
||||||
"S4U2Self principal to impersonate %s not found in database: %s",
|
"S4U2Self principal to impersonate %s not found in database: %s",
|
||||||
tpn, msg);
|
tpn, msg);
|
||||||
krb5_free_error_message(context, msg);
|
krb5_free_error_message(context, msg);
|
||||||
@@ -2146,7 +2146,7 @@ server_lookup:
|
|||||||
}
|
}
|
||||||
ret = _kdc_pac_generate(context, s4u2self_impersonated_client, &p);
|
ret = _kdc_pac_generate(context, s4u2self_impersonated_client, &p);
|
||||||
if (ret) {
|
if (ret) {
|
||||||
kdc_log(context, config, 2, "PAC generation failed for -- %s",
|
kdc_log(context, config, 4, "PAC generation failed for -- %s",
|
||||||
tpn);
|
tpn);
|
||||||
goto out;
|
goto out;
|
||||||
}
|
}
|
||||||
@@ -2157,7 +2157,7 @@ server_lookup:
|
|||||||
&rspac);
|
&rspac);
|
||||||
krb5_pac_free(context, p);
|
krb5_pac_free(context, p);
|
||||||
if (ret) {
|
if (ret) {
|
||||||
kdc_log(context, config, 2, "PAC signing failed for -- %s",
|
kdc_log(context, config, 4, "PAC signing failed for -- %s",
|
||||||
tpn);
|
tpn);
|
||||||
goto out;
|
goto out;
|
||||||
}
|
}
|
||||||
@@ -2170,7 +2170,7 @@ server_lookup:
|
|||||||
*/
|
*/
|
||||||
ret = check_s4u2self(context, config, clientdb, client, sp);
|
ret = check_s4u2self(context, config, clientdb, client, sp);
|
||||||
if (ret) {
|
if (ret) {
|
||||||
kdc_log(context, config, 2, "S4U2Self: %s is not allowed "
|
kdc_log(context, config, 4, "S4U2Self: %s is not allowed "
|
||||||
"to impersonate to service "
|
"to impersonate to service "
|
||||||
"(tried for user %s to service %s)",
|
"(tried for user %s to service %s)",
|
||||||
cpn, tpn, spn);
|
cpn, tpn, spn);
|
||||||
@@ -2188,7 +2188,7 @@ server_lookup:
|
|||||||
b->kdc_options.forwardable = 0;
|
b->kdc_options.forwardable = 0;
|
||||||
str = "";
|
str = "";
|
||||||
}
|
}
|
||||||
kdc_log(context, config, 3, "s4u2self %s impersonating %s to "
|
kdc_log(context, config, 4, "s4u2self %s impersonating %s to "
|
||||||
"service %s %s", cpn, tpn, spn, str);
|
"service %s %s", cpn, tpn, spn, str);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@@ -2213,7 +2213,7 @@ server_lookup:
|
|||||||
*/
|
*/
|
||||||
if (!signedpath) {
|
if (!signedpath) {
|
||||||
ret = KRB5KDC_ERR_BADOPTION;
|
ret = KRB5KDC_ERR_BADOPTION;
|
||||||
kdc_log(context, config, 2,
|
kdc_log(context, config, 4,
|
||||||
"Constrained delegation done on service ticket %s/%s",
|
"Constrained delegation done on service ticket %s/%s",
|
||||||
cpn, spn);
|
cpn, spn);
|
||||||
goto out;
|
goto out;
|
||||||
@@ -2232,7 +2232,7 @@ server_lookup:
|
|||||||
|
|
||||||
ret = krb5_decrypt_ticket(context, t, &clientkey->key, &adtkt, 0);
|
ret = krb5_decrypt_ticket(context, t, &clientkey->key, &adtkt, 0);
|
||||||
if (ret) {
|
if (ret) {
|
||||||
kdc_log(context, config, 2,
|
kdc_log(context, config, 4,
|
||||||
"failed to decrypt ticket for "
|
"failed to decrypt ticket for "
|
||||||
"constrained delegation from %s to %s ", cpn, spn);
|
"constrained delegation from %s to %s ", cpn, spn);
|
||||||
goto out;
|
goto out;
|
||||||
@@ -2262,7 +2262,7 @@ server_lookup:
|
|||||||
|
|
||||||
/* check that ticket is valid */
|
/* check that ticket is valid */
|
||||||
if (adtkt.flags.forwardable == 0) {
|
if (adtkt.flags.forwardable == 0) {
|
||||||
kdc_log(context, config, 2,
|
kdc_log(context, config, 4,
|
||||||
"Missing forwardable flag on ticket for "
|
"Missing forwardable flag on ticket for "
|
||||||
"constrained delegation from %s (%s) as %s to %s ",
|
"constrained delegation from %s (%s) as %s to %s ",
|
||||||
cpn, dpn, tpn, spn);
|
cpn, dpn, tpn, spn);
|
||||||
@@ -2273,7 +2273,7 @@ server_lookup:
|
|||||||
ret = check_constrained_delegation(context, config, clientdb,
|
ret = check_constrained_delegation(context, config, clientdb,
|
||||||
client, server, sp);
|
client, server, sp);
|
||||||
if (ret) {
|
if (ret) {
|
||||||
kdc_log(context, config, 2,
|
kdc_log(context, config, 4,
|
||||||
"constrained delegation from %s (%s) as %s to %s not allowed",
|
"constrained delegation from %s (%s) as %s to %s not allowed",
|
||||||
cpn, dpn, tpn, spn);
|
cpn, dpn, tpn, spn);
|
||||||
goto out;
|
goto out;
|
||||||
@@ -2299,7 +2299,7 @@ server_lookup:
|
|||||||
&adtkt, &rspac, &ad_signedpath);
|
&adtkt, &rspac, &ad_signedpath);
|
||||||
if (ret) {
|
if (ret) {
|
||||||
const char *msg = krb5_get_error_message(context, ret);
|
const char *msg = krb5_get_error_message(context, ret);
|
||||||
kdc_log(context, config, 2,
|
kdc_log(context, config, 4,
|
||||||
"Verify delegated PAC failed to %s for client"
|
"Verify delegated PAC failed to %s for client"
|
||||||
"%s (%s) as %s from %s with %s",
|
"%s (%s) as %s from %s with %s",
|
||||||
spn, cpn, dpn, tpn, from, msg);
|
spn, cpn, dpn, tpn, from, msg);
|
||||||
@@ -2319,7 +2319,7 @@ server_lookup:
|
|||||||
&ad_signedpath);
|
&ad_signedpath);
|
||||||
if (ret) {
|
if (ret) {
|
||||||
const char *msg = krb5_get_error_message(context, ret);
|
const char *msg = krb5_get_error_message(context, ret);
|
||||||
kdc_log(context, config, 2,
|
kdc_log(context, config, 4,
|
||||||
"KRB5SignedPath check from service %s failed "
|
"KRB5SignedPath check from service %s failed "
|
||||||
"for delegation to %s for client %s (%s)"
|
"for delegation to %s for client %s (%s)"
|
||||||
"from %s failed with %s",
|
"from %s failed with %s",
|
||||||
@@ -2330,7 +2330,7 @@ server_lookup:
|
|||||||
|
|
||||||
if (!ad_signedpath) {
|
if (!ad_signedpath) {
|
||||||
ret = KRB5KDC_ERR_BADOPTION;
|
ret = KRB5KDC_ERR_BADOPTION;
|
||||||
kdc_log(context, config, 2,
|
kdc_log(context, config, 4,
|
||||||
"Ticket not signed with PAC nor SignedPath service %s failed "
|
"Ticket not signed with PAC nor SignedPath service %s failed "
|
||||||
"for delegation to %s for client %s (%s)"
|
"for delegation to %s for client %s (%s)"
|
||||||
"from %s",
|
"from %s",
|
||||||
@@ -2339,7 +2339,7 @@ server_lookup:
|
|||||||
}
|
}
|
||||||
|
|
||||||
_kdc_audit_addkv((kdc_request_t)priv, 0, "impersonatee", tpn);
|
_kdc_audit_addkv((kdc_request_t)priv, 0, "impersonatee", tpn);
|
||||||
kdc_log(context, config, 3, "constrained delegation for %s "
|
kdc_log(context, config, 4, "constrained delegation for %s "
|
||||||
"from %s (%s) to %s", tpn, cpn, dpn, spn);
|
"from %s (%s) to %s", tpn, cpn, dpn, spn);
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -2347,10 +2347,7 @@ server_lookup:
|
|||||||
* Check flags
|
* Check flags
|
||||||
*/
|
*/
|
||||||
|
|
||||||
ret = kdc_check_flags(context, config,
|
ret = kdc_check_flags(priv, FALSE);
|
||||||
client, cpn,
|
|
||||||
server, spn,
|
|
||||||
FALSE);
|
|
||||||
if(ret)
|
if(ret)
|
||||||
goto out;
|
goto out;
|
||||||
|
|
||||||
@@ -2358,7 +2355,7 @@ server_lookup:
|
|||||||
!krb5_principal_compare(context,
|
!krb5_principal_compare(context,
|
||||||
krbtgt->entry.principal,
|
krbtgt->entry.principal,
|
||||||
server->entry.principal)){
|
server->entry.principal)){
|
||||||
kdc_log(context, config, 2, "Inconsistent request.");
|
kdc_log(context, config, 4, "Inconsistent request.");
|
||||||
ret = KRB5KDC_ERR_SERVER_NOMATCH;
|
ret = KRB5KDC_ERR_SERVER_NOMATCH;
|
||||||
goto out;
|
goto out;
|
||||||
}
|
}
|
||||||
@@ -2366,7 +2363,7 @@ server_lookup:
|
|||||||
/* check for valid set of addresses */
|
/* check for valid set of addresses */
|
||||||
if (!_kdc_check_addresses(priv, tgt->caddr, from_addr)) {
|
if (!_kdc_check_addresses(priv, tgt->caddr, from_addr)) {
|
||||||
ret = KRB5KRB_AP_ERR_BADADDR;
|
ret = KRB5KRB_AP_ERR_BADADDR;
|
||||||
kdc_log(context, config, 2, "Request from wrong address");
|
kdc_log(context, config, 4, "Request from wrong address");
|
||||||
goto out;
|
goto out;
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -2396,7 +2393,7 @@ server_lookup:
|
|||||||
NULL, s, &pa.padata_value);
|
NULL, s, &pa.padata_value);
|
||||||
krb5_crypto_destroy(context, crypto);
|
krb5_crypto_destroy(context, crypto);
|
||||||
if (ret) {
|
if (ret) {
|
||||||
kdc_log(context, config, 1,
|
kdc_log(context, config, 4,
|
||||||
"Failed building server referral");
|
"Failed building server referral");
|
||||||
goto out;
|
goto out;
|
||||||
}
|
}
|
||||||
@@ -2498,7 +2495,7 @@ _kdc_tgs_rep(astgs_request_t r)
|
|||||||
|
|
||||||
if(req->padata == NULL){
|
if(req->padata == NULL){
|
||||||
ret = KRB5KDC_ERR_PREAUTH_REQUIRED; /* XXX ??? */
|
ret = KRB5KDC_ERR_PREAUTH_REQUIRED; /* XXX ??? */
|
||||||
kdc_log(context, config, 2,
|
kdc_log(context, config, 4,
|
||||||
"TGS-REQ from %s without PA-DATA", from);
|
"TGS-REQ from %s without PA-DATA", from);
|
||||||
goto out;
|
goto out;
|
||||||
}
|
}
|
||||||
@@ -2508,7 +2505,7 @@ _kdc_tgs_rep(astgs_request_t r)
|
|||||||
if(tgs_req == NULL){
|
if(tgs_req == NULL){
|
||||||
ret = KRB5KDC_ERR_PADATA_TYPE_NOSUPP;
|
ret = KRB5KDC_ERR_PADATA_TYPE_NOSUPP;
|
||||||
|
|
||||||
kdc_log(context, config, 2,
|
kdc_log(context, config, 4,
|
||||||
"TGS-REQ from %s without PA-TGS-REQ", from);
|
"TGS-REQ from %s without PA-TGS-REQ", from);
|
||||||
goto out;
|
goto out;
|
||||||
}
|
}
|
||||||
@@ -2527,7 +2524,7 @@ _kdc_tgs_rep(astgs_request_t r)
|
|||||||
goto out;
|
goto out;
|
||||||
}
|
}
|
||||||
if (ret) {
|
if (ret) {
|
||||||
kdc_log(context, config, 2,
|
kdc_log(context, config, 4,
|
||||||
"Failed parsing TGS-REQ from %s", from);
|
"Failed parsing TGS-REQ from %s", from);
|
||||||
goto out;
|
goto out;
|
||||||
}
|
}
|
||||||
@@ -2549,7 +2546,7 @@ _kdc_tgs_rep(astgs_request_t r)
|
|||||||
&auth_data,
|
&auth_data,
|
||||||
from_addr);
|
from_addr);
|
||||||
if (ret) {
|
if (ret) {
|
||||||
kdc_log(context, config, 1,
|
kdc_log(context, config, 4,
|
||||||
"Failed building TGS-REP to %s", from);
|
"Failed building TGS-REP to %s", from);
|
||||||
goto out;
|
goto out;
|
||||||
}
|
}
|
||||||
|
@@ -212,10 +212,7 @@ _kdc_check_access(astgs_request_t r, KDC_REQ *req, METHOD_DATA *method_data)
|
|||||||
}
|
}
|
||||||
|
|
||||||
if (ret == KRB5_PLUGIN_NO_HANDLE)
|
if (ret == KRB5_PLUGIN_NO_HANDLE)
|
||||||
return kdc_check_flags(context, config,
|
return kdc_check_flags(r, req->msg_type == krb_as_req);
|
||||||
client_ex, client_name,
|
|
||||||
server_ex, server_name,
|
|
||||||
req->msg_type == krb_as_req);
|
|
||||||
return ret;
|
return ret;
|
||||||
}
|
}
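Review bot: The new call `return kdc_check_flags(r, req->msg_type == krb_as_req);` drops the explicit `client_ex`/`client_name`/`server_ex`/`server_name` arguments, so the flag check presumably now reads the client and server entries from `r`; whether those always match the `client_ex`/`server_ex` this function had in hand is not visible here and should be confirmed, since an access decision taken against the wrong principal pair would be silent. The same signature change is made at the `kdc_check_flags(priv, FALSE)` call in `tgs_build_reply` earlier in this commit. A one-line comment at the call site would record the new dependency: `/* kdc_check_flags() takes client/server from r; keep r in sync with client_ex/server_ex */`. If nothing else in `_kdc_check_access` still reads `client_name`/`server_name`, they are now unused and will draw compiler warnings. The body of `_kdc_check_access` starts outside this hunk.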
|
||||||
|
|
||||||
|