kdc: Audit more TGS failure reasons
This commit is contained in:
Nicolas Williams
@@ -1640,13 +1640,17 @@ tgs_build_reply(astgs_request_t priv,
|
|||||||
b->additional_tickets->len == 0){
|
b->additional_tickets->len == 0){
|
||||||
ret = KRB5KDC_ERR_BADOPTION; /* ? */
|
ret = KRB5KDC_ERR_BADOPTION; /* ? */
|
||||||
kdc_log(context, config, 4,
|
kdc_log(context, config, 4,
|
||||||
"No second ticket present in request");
|
"No second ticket present in user-to-user request");
|
||||||
|
_kdc_audit_addreason((kdc_request_t)priv,
|
||||||
|
"No second ticket present in user-to-user request");
|
||||||
goto out;
|
goto out;
|
||||||
}
|
}
|
||||||
t = &b->additional_tickets->val[0];
|
t = &b->additional_tickets->val[0];
|
||||||
if(!get_krbtgt_realm(&t->sname)){
|
if(!get_krbtgt_realm(&t->sname)){
|
||||||
kdc_log(context, config, 4,
|
kdc_log(context, config, 4,
|
||||||
"Additional ticket is not a ticket-granting ticket");
|
"Additional ticket is not a ticket-granting ticket");
|
||||||
|
_kdc_audit_addreason((kdc_request_t)priv,
|
||||||
|
"Additional ticket is not a ticket-granting ticket");
|
||||||
ret = KRB5KDC_ERR_POLICY;
|
ret = KRB5KDC_ERR_POLICY;
|
||||||
goto out;
|
goto out;
|
||||||
}
|
}
|
||||||
@@ -1665,6 +1669,8 @@ tgs_build_reply(astgs_request_t priv,
|
|||||||
if(ret){
|
if(ret){
|
||||||
if (ret == HDB_ERR_NOENTRY)
|
if (ret == HDB_ERR_NOENTRY)
|
||||||
ret = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN;
|
ret = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN;
|
||||||
|
_kdc_audit_addreason((kdc_request_t)priv,
|
||||||
|
"User-to-user service principal (TGS) unknown");
|
||||||
goto out;
|
goto out;
|
||||||
}
|
}
|
||||||
ret = hdb_enctype2key(context, &uu->entry, NULL,
|
ret = hdb_enctype2key(context, &uu->entry, NULL,
|
||||||
@@ -1672,16 +1678,24 @@ tgs_build_reply(astgs_request_t priv,
|
|||||||
if(ret){
|
if(ret){
|
||||||
_kdc_free_ent(context, uu);
|
_kdc_free_ent(context, uu);
|
||||||
ret = KRB5KDC_ERR_ETYPE_NOSUPP; /* XXX */
|
ret = KRB5KDC_ERR_ETYPE_NOSUPP; /* XXX */
|
||||||
|
_kdc_audit_addreason((kdc_request_t)priv,
|
||||||
|
"User-to-user enctype not supported");
|
||||||
goto out;
|
goto out;
|
||||||
}
|
}
|
||||||
ret = krb5_decrypt_ticket(context, t, &uukey->key, &adtkt, 0);
|
ret = krb5_decrypt_ticket(context, t, &uukey->key, &adtkt, 0);
|
||||||
_kdc_free_ent(context, uu);
|
_kdc_free_ent(context, uu);
|
||||||
if(ret)
|
if(ret) {
|
||||||
|
_kdc_audit_addreason((kdc_request_t)priv,
|
||||||
|
"User-to-user TGT decrypt failure");
|
||||||
goto out;
|
goto out;
|
||||||
|
}
|
||||||
|
|
||||||
ret = verify_flags(context, config, &adtkt, tpn);
|
ret = verify_flags(context, config, &adtkt, spn);
|
||||||
if (ret)
|
if (ret) {
|
||||||
|
_kdc_audit_addreason((kdc_request_t)priv,
|
||||||
|
"User-to-user TGT expired or invalid");
|
||||||
goto out;
|
goto out;
|
||||||
|
}
|
||||||
|
|
||||||
s = &adtkt.cname;
|
s = &adtkt.cname;
|
||||||
r = adtkt.crealm;
|
r = adtkt.crealm;
|
||||||
@@ -1719,6 +1733,7 @@ server_lookup:
|
|||||||
priv->server = server;
|
priv->server = server;
|
||||||
if (ret == HDB_ERR_NOT_FOUND_HERE) {
|
if (ret == HDB_ERR_NOT_FOUND_HERE) {
|
||||||
kdc_log(context, config, 5, "target %s does not have secrets at this KDC, need to proxy", spn);
|
kdc_log(context, config, 5, "target %s does not have secrets at this KDC, need to proxy", spn);
|
||||||
|
_kdc_audit_addreason((kdc_request_t)priv, "Target not found here");
|
||||||
goto out;
|
goto out;
|
||||||
} else if (ret == HDB_ERR_WRONG_REALM) {
|
} else if (ret == HDB_ERR_WRONG_REALM) {
|
||||||
free(ref_realm);
|
free(ref_realm);
|
||||||
@@ -1758,6 +1773,8 @@ server_lookup:
|
|||||||
req_rlm, TRUE, &capath, &num_capath);
|
req_rlm, TRUE, &capath, &num_capath);
|
||||||
if (ret2) {
|
if (ret2) {
|
||||||
ret = ret2;
|
ret = ret2;
|
||||||
|
_kdc_audit_addreason((kdc_request_t)priv,
|
||||||
|
"No trusted path from client realm to ours");
|
||||||
goto out;
|
goto out;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@@ -1819,6 +1836,8 @@ server_lookup:
|
|||||||
krb5_free_error_message(context, msg);
|
krb5_free_error_message(context, msg);
|
||||||
if (ret == HDB_ERR_NOENTRY)
|
if (ret == HDB_ERR_NOENTRY)
|
||||||
ret = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN;
|
ret = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN;
|
||||||
|
_kdc_audit_addreason((kdc_request_t)priv,
|
||||||
|
"Service principal unknown");
|
||||||
goto out;
|
goto out;
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -1852,6 +1871,8 @@ server_lookup:
|
|||||||
"Addition ticket have not matching etypes");
|
"Addition ticket have not matching etypes");
|
||||||
krb5_clear_error_message(context);
|
krb5_clear_error_message(context);
|
||||||
ret = KRB5KDC_ERR_ETYPE_NOSUPP;
|
ret = KRB5KDC_ERR_ETYPE_NOSUPP;
|
||||||
|
_kdc_audit_addreason((kdc_request_t)priv,
|
||||||
|
"No matching enctypes for 2nd ticket");
|
||||||
goto out;
|
goto out;
|
||||||
}
|
}
|
||||||
etype = b->etype.val[i];
|
etype = b->etype.val[i];
|
||||||
@@ -1866,6 +1887,8 @@ server_lookup:
|
|||||||
if(ret) {
|
if(ret) {
|
||||||
kdc_log(context, config, 4,
|
kdc_log(context, config, 4,
|
||||||
"Server (%s) has no support for etypes", spn);
|
"Server (%s) has no support for etypes", spn);
|
||||||
|
_kdc_audit_addreason((kdc_request_t)priv,
|
||||||
|
"Enctype not supported");
|
||||||
goto out;
|
goto out;
|
||||||
}
|
}
|
||||||
ret = _kdc_get_preferred_key(context, config, server, spn,
|
ret = _kdc_get_preferred_key(context, config, server, spn,
|
||||||
@@ -1873,6 +1896,8 @@ server_lookup:
|
|||||||
if(ret) {
|
if(ret) {
|
||||||
kdc_log(context, config, 4,
|
kdc_log(context, config, 4,
|
||||||
"Server (%s) has no supported etypes", spn);
|
"Server (%s) has no supported etypes", spn);
|
||||||
|
_kdc_audit_addreason((kdc_request_t)priv,
|
||||||
|
"Enctype not supported");
|
||||||
goto out;
|
goto out;
|
||||||
}
|
}
|
||||||
ekey = &skey->key;
|
ekey = &skey->key;
|
||||||
@@ -1891,7 +1916,7 @@ server_lookup:
|
|||||||
*/
|
*/
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Validate authoriation data
|
* Validate authorization data
|
||||||
*/
|
*/
|
||||||
|
|
||||||
ret = hdb_enctype2key(context, &krbtgt->entry, NULL, /* XXX use the right kvno! */
|
ret = hdb_enctype2key(context, &krbtgt->entry, NULL, /* XXX use the right kvno! */
|
||||||
@@ -1899,6 +1924,8 @@ server_lookup:
|
|||||||
if(ret) {
|
if(ret) {
|
||||||
kdc_log(context, config, 4,
|
kdc_log(context, config, 4,
|
||||||
"Failed to find key for krbtgt PAC check");
|
"Failed to find key for krbtgt PAC check");
|
||||||
|
_kdc_audit_addreason((kdc_request_t)priv,
|
||||||
|
"No key for krbtgt PAC check");
|
||||||
goto out;
|
goto out;
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -1959,6 +1986,7 @@ server_lookup:
|
|||||||
if(ret == 0)
|
if(ret == 0)
|
||||||
free(ktpn);
|
free(ktpn);
|
||||||
ret = KRB5KRB_AP_ERR_NOT_US;
|
ret = KRB5KRB_AP_ERR_NOT_US;
|
||||||
|
_kdc_audit_addreason((kdc_request_t)priv, "Request with wrong TGT");
|
||||||
goto out;
|
goto out;
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -1967,6 +1995,8 @@ server_lookup:
|
|||||||
if (ret) {
|
if (ret) {
|
||||||
kdc_log(context, config, 4,
|
kdc_log(context, config, 4,
|
||||||
"Failed to find key for krbtgt PAC signature");
|
"Failed to find key for krbtgt PAC signature");
|
||||||
|
_kdc_audit_addreason((kdc_request_t)priv,
|
||||||
|
"Failed to find key for krbtgt PAC signature");
|
||||||
goto out;
|
goto out;
|
||||||
}
|
}
|
||||||
ret = hdb_enctype2key(context, &krbtgt_out->entry, NULL,
|
ret = hdb_enctype2key(context, &krbtgt_out->entry, NULL,
|
||||||
@@ -1974,6 +2004,8 @@ server_lookup:
|
|||||||
if(ret) {
|
if(ret) {
|
||||||
kdc_log(context, config, 4,
|
kdc_log(context, config, 4,
|
||||||
"Failed to find key for krbtgt PAC signature");
|
"Failed to find key for krbtgt PAC signature");
|
||||||
|
_kdc_audit_addreason((kdc_request_t)priv,
|
||||||
|
"Failed to find key for krbtgt PAC signature");
|
||||||
goto out;
|
goto out;
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -2020,15 +2052,18 @@ server_lookup:
|
|||||||
ret = KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN;
|
ret = KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN;
|
||||||
kdc_log(context, config, 4, "Client no longer in database: %s",
|
kdc_log(context, config, 4, "Client no longer in database: %s",
|
||||||
cpn);
|
cpn);
|
||||||
|
_kdc_audit_addreason((kdc_request_t)priv, "Client no longer in HDB");
|
||||||
goto out;
|
goto out;
|
||||||
}
|
}
|
||||||
|
|
||||||
msg = krb5_get_error_message(context, ret);
|
msg = krb5_get_error_message(context, ret);
|
||||||
kdc_log(context, config, 4, "Client not found in database: %s", msg);
|
kdc_log(context, config, 4, "Client not found in database: %s", msg);
|
||||||
|
_kdc_audit_addreason((kdc_request_t)priv, "Client does not exist");
|
||||||
krb5_free_error_message(context, msg);
|
krb5_free_error_message(context, msg);
|
||||||
} else if (ret == 0 &&
|
} else if (ret == 0 &&
|
||||||
(client->entry.flags.invalid || !client->entry.flags.client)) {
|
(client->entry.flags.invalid || !client->entry.flags.client)) {
|
||||||
kdc_log(context, config, 4, "Client has invalid attribute set");
|
_kdc_audit_addreason((kdc_request_t)priv, "Client has invalid bit set");
|
||||||
|
kdc_log(context, config, 4, "Client has invalid bit set");
|
||||||
ret = KRB5KDC_ERR_POLICY;
|
ret = KRB5KDC_ERR_POLICY;
|
||||||
goto out;
|
goto out;
|
||||||
}
|
}
|
||||||
@@ -2040,6 +2075,7 @@ server_lookup:
|
|||||||
tgt, &rspac, &signedpath);
|
tgt, &rspac, &signedpath);
|
||||||
if (ret) {
|
if (ret) {
|
||||||
const char *msg = krb5_get_error_message(context, ret);
|
const char *msg = krb5_get_error_message(context, ret);
|
||||||
|
_kdc_audit_addreason((kdc_request_t)priv, "PAC check failed");
|
||||||
kdc_log(context, config, 4,
|
kdc_log(context, config, 4,
|
||||||
"Verify PAC failed for %s (%s) from %s with %s",
|
"Verify PAC failed for %s (%s) from %s with %s",
|
||||||
spn, cpn, from, msg);
|
spn, cpn, from, msg);
|
||||||
@@ -2057,6 +2093,7 @@ server_lookup:
|
|||||||
&signedpath);
|
&signedpath);
|
||||||
if (ret) {
|
if (ret) {
|
||||||
const char *msg = krb5_get_error_message(context, ret);
|
const char *msg = krb5_get_error_message(context, ret);
|
||||||
|
_kdc_audit_addreason((kdc_request_t)priv, "KRB5SignedPath check failed");
|
||||||
kdc_log(context, config, 4,
|
kdc_log(context, config, 4,
|
||||||
"KRB5SignedPath check failed for %s (%s) from %s with %s",
|
"KRB5SignedPath check failed for %s (%s) from %s with %s",
|
||||||
spn, cpn, from, msg);
|
spn, cpn, from, msg);
|
||||||
@@ -2088,12 +2125,16 @@ server_lookup:
|
|||||||
sdata->padata_value.length,
|
sdata->padata_value.length,
|
||||||
&self, NULL);
|
&self, NULL);
|
||||||
if (ret) {
|
if (ret) {
|
||||||
|
_kdc_audit_addreason((kdc_request_t)priv,
|
||||||
|
"Failed to decode PA-S4U2Self");
|
||||||
kdc_log(context, config, 4, "Failed to decode PA-S4U2Self");
|
kdc_log(context, config, 4, "Failed to decode PA-S4U2Self");
|
||||||
goto out;
|
goto out;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (!krb5_checksum_is_keyed(context, self.cksum.cksumtype)) {
|
if (!krb5_checksum_is_keyed(context, self.cksum.cksumtype)) {
|
||||||
free_PA_S4U2Self(&self);
|
free_PA_S4U2Self(&self);
|
||||||
|
_kdc_audit_addreason((kdc_request_t)priv,
|
||||||
|
"PA-S4U2Self with unkeyed checksum");
|
||||||
kdc_log(context, config, 4, "Reject PA-S4U2Self with unkeyed checksum");
|
kdc_log(context, config, 4, "Reject PA-S4U2Self with unkeyed checksum");
|
||||||
ret = KRB5KRB_AP_ERR_INAPP_CKSUM;
|
ret = KRB5KRB_AP_ERR_INAPP_CKSUM;
|
||||||
goto out;
|
goto out;
|
||||||
@@ -2146,6 +2187,8 @@ server_lookup:
|
|||||||
if (ret) {
|
if (ret) {
|
||||||
const char *msg = krb5_get_error_message(context, ret);
|
const char *msg = krb5_get_error_message(context, ret);
|
||||||
free_PA_S4U2Self(&self);
|
free_PA_S4U2Self(&self);
|
||||||
|
_kdc_audit_addreason((kdc_request_t)priv,
|
||||||
|
"S4U2Self checksum failed");
|
||||||
kdc_log(context, config, 4,
|
kdc_log(context, config, 4,
|
||||||
"krb5_verify_checksum failed for S4U2Self: %s", msg);
|
"krb5_verify_checksum failed for S4U2Self: %s", msg);
|
||||||
krb5_free_error_message(context, msg);
|
krb5_free_error_message(context, msg);
|
||||||
@@ -2183,6 +2226,8 @@ server_lookup:
|
|||||||
if (ret == HDB_ERR_NOENTRY)
|
if (ret == HDB_ERR_NOENTRY)
|
||||||
ret = KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN;
|
ret = KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN;
|
||||||
msg = krb5_get_error_message(context, ret);
|
msg = krb5_get_error_message(context, ret);
|
||||||
|
_kdc_audit_addreason((kdc_request_t)priv,
|
||||||
|
"S4U2Self principal to impersonate not found");
|
||||||
kdc_log(context, config, 2,
|
kdc_log(context, config, 2,
|
||||||
"S4U2Self principal to impersonate %s not found in database: %s",
|
"S4U2Self principal to impersonate %s not found in database: %s",
|
||||||
tpn, msg);
|
tpn, msg);
|
||||||
@@ -2202,7 +2247,7 @@ server_lookup:
|
|||||||
|
|
||||||
ret = kdc_check_flags(&imp_req, FALSE);
|
ret = kdc_check_flags(&imp_req, FALSE);
|
||||||
if (ret)
|
if (ret)
|
||||||
goto out;
|
goto out; /* kdc_check_flags() calls _kdc_audit_addreason() */
|
||||||
|
|
||||||
/* If we were about to put a PAC into the ticket, we better fix it to be the right PAC */
|
/* If we were about to put a PAC into the ticket, we better fix it to be the right PAC */
|
||||||
if(rspac.data) {
|
if(rspac.data) {
|
||||||
@@ -2210,6 +2255,8 @@ server_lookup:
|
|||||||
krb5_data_free(&rspac);
|
krb5_data_free(&rspac);
|
||||||
ret = _kdc_pac_generate(context, s4u2self_impersonated_client, &p);
|
ret = _kdc_pac_generate(context, s4u2self_impersonated_client, &p);
|
||||||
if (ret) {
|
if (ret) {
|
||||||
|
_kdc_audit_addreason((kdc_request_t)priv,
|
||||||
|
"KRB5SignedPath missing");
|
||||||
kdc_log(context, config, 4, "PAC generation failed for -- %s",
|
kdc_log(context, config, 4, "PAC generation failed for -- %s",
|
||||||
tpn);
|
tpn);
|
||||||
goto out;
|
goto out;
|
||||||
@@ -2279,6 +2326,7 @@ server_lookup:
|
|||||||
*/
|
*/
|
||||||
if (!signedpath) {
|
if (!signedpath) {
|
||||||
ret = KRB5KDC_ERR_BADOPTION;
|
ret = KRB5KDC_ERR_BADOPTION;
|
||||||
|
_kdc_audit_addreason((kdc_request_t)priv, "KRB5SignedPath missing");
|
||||||
kdc_log(context, config, 4,
|
kdc_log(context, config, 4,
|
||||||
"Constrained delegation done on service ticket %s/%s",
|
"Constrained delegation done on service ticket %s/%s",
|
||||||
cpn, spn);
|
cpn, spn);
|
||||||
@@ -2298,6 +2346,8 @@ server_lookup:
|
|||||||
|
|
||||||
ret = krb5_decrypt_ticket(context, t, &clientkey->key, &adtkt, 0);
|
ret = krb5_decrypt_ticket(context, t, &clientkey->key, &adtkt, 0);
|
||||||
if (ret) {
|
if (ret) {
|
||||||
|
_kdc_audit_addreason((kdc_request_t)priv,
|
||||||
|
"Failed to decrypt constrained delegation ticket");
|
||||||
kdc_log(context, config, 4,
|
kdc_log(context, config, 4,
|
||||||
"failed to decrypt ticket for "
|
"failed to decrypt ticket for "
|
||||||
"constrained delegation from %s to %s ", cpn, spn);
|
"constrained delegation from %s to %s ", cpn, spn);
|
||||||
@@ -2315,6 +2365,8 @@ server_lookup:
|
|||||||
if (ret)
|
if (ret)
|
||||||
goto out;
|
goto out;
|
||||||
|
|
||||||
|
_kdc_audit_addkv((kdc_request_t)priv, 0, "impersonatee", "%s", tpn);
|
||||||
|
|
||||||
ret = _krb5_principalname2krb5_principal(context,
|
ret = _krb5_principalname2krb5_principal(context,
|
||||||
&dp,
|
&dp,
|
||||||
t->sname,
|
t->sname,
|
||||||
@@ -2328,6 +2380,8 @@ server_lookup:
|
|||||||
|
|
||||||
/* check that ticket is valid */
|
/* check that ticket is valid */
|
||||||
if (adtkt.flags.forwardable == 0) {
|
if (adtkt.flags.forwardable == 0) {
|
||||||
|
_kdc_audit_addreason((kdc_request_t)priv,
|
||||||
|
"Missing forwardable flag on ticket for constrained delegation");
|
||||||
kdc_log(context, config, 4,
|
kdc_log(context, config, 4,
|
||||||
"Missing forwardable flag on ticket for "
|
"Missing forwardable flag on ticket for "
|
||||||
"constrained delegation from %s (%s) as %s to %s ",
|
"constrained delegation from %s (%s) as %s to %s ",
|
||||||
@@ -2339,6 +2393,8 @@ server_lookup:
|
|||||||
ret = check_constrained_delegation(context, config, clientdb,
|
ret = check_constrained_delegation(context, config, clientdb,
|
||||||
client, server, sp);
|
client, server, sp);
|
||||||
if (ret) {
|
if (ret) {
|
||||||
|
_kdc_audit_addreason((kdc_request_t)priv,
|
||||||
|
"Constrained delegation not allowed");
|
||||||
kdc_log(context, config, 4,
|
kdc_log(context, config, 4,
|
||||||
"constrained delegation from %s (%s) as %s to %s not allowed",
|
"constrained delegation from %s (%s) as %s to %s not allowed",
|
||||||
cpn, dpn, tpn, spn);
|
cpn, dpn, tpn, spn);
|
||||||
@@ -2347,6 +2403,8 @@ server_lookup:
|
|||||||
|
|
||||||
ret = verify_flags(context, config, &adtkt, tpn);
|
ret = verify_flags(context, config, &adtkt, tpn);
|
||||||
if (ret) {
|
if (ret) {
|
||||||
|
_kdc_audit_addreason((kdc_request_t)priv,
|
||||||
|
"Constrained delegation ticket expired or invalid");
|
||||||
goto out;
|
goto out;
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -2365,6 +2423,8 @@ server_lookup:
|
|||||||
&adtkt, &rspac, &ad_signedpath);
|
&adtkt, &rspac, &ad_signedpath);
|
||||||
if (ret) {
|
if (ret) {
|
||||||
const char *msg = krb5_get_error_message(context, ret);
|
const char *msg = krb5_get_error_message(context, ret);
|
||||||
|
_kdc_audit_addreason((kdc_request_t)priv,
|
||||||
|
"Constrained delegation ticket PAC check failed");
|
||||||
kdc_log(context, config, 4,
|
kdc_log(context, config, 4,
|
||||||
"Verify delegated PAC failed to %s for client"
|
"Verify delegated PAC failed to %s for client"
|
||||||
"%s (%s) as %s from %s with %s",
|
"%s (%s) as %s from %s with %s",
|
||||||
@@ -2391,6 +2451,8 @@ server_lookup:
|
|||||||
"from %s failed with %s",
|
"from %s failed with %s",
|
||||||
spn, tpn, dpn, cpn, from, msg);
|
spn, tpn, dpn, cpn, from, msg);
|
||||||
krb5_free_error_message(context, msg);
|
krb5_free_error_message(context, msg);
|
||||||
|
_kdc_audit_addreason((kdc_request_t)priv,
|
||||||
|
"KRB5SignedPath check failed");
|
||||||
goto out;
|
goto out;
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -2401,10 +2463,11 @@ server_lookup:
|
|||||||
"for delegation to %s for client %s (%s)"
|
"for delegation to %s for client %s (%s)"
|
||||||
"from %s",
|
"from %s",
|
||||||
spn, tpn, dpn, cpn, from);
|
spn, tpn, dpn, cpn, from);
|
||||||
|
_kdc_audit_addreason((kdc_request_t)priv,
|
||||||
|
"Constrained delegation ticket not signed");
|
||||||
goto out;
|
goto out;
|
||||||
}
|
}
|
||||||
|
|
||||||
_kdc_audit_addkv((kdc_request_t)priv, 0, "impersonatee", "%s", tpn);
|
|
||||||
kdc_log(context, config, 4, "constrained delegation for %s "
|
kdc_log(context, config, 4, "constrained delegation for %s "
|
||||||
"from %s (%s) to %s", tpn, cpn, dpn, spn);
|
"from %s (%s) to %s", tpn, cpn, dpn, spn);
|
||||||
}
|
}
|
||||||
@@ -2421,6 +2484,7 @@ server_lookup:
|
|||||||
!krb5_principal_compare(context,
|
!krb5_principal_compare(context,
|
||||||
krbtgt->entry.principal,
|
krbtgt->entry.principal,
|
||||||
server->entry.principal)){
|
server->entry.principal)){
|
||||||
|
_kdc_audit_addreason((kdc_request_t)priv, "Inconsistent request");
|
||||||
kdc_log(context, config, 4, "Inconsistent request.");
|
kdc_log(context, config, 4, "Inconsistent request.");
|
||||||
ret = KRB5KDC_ERR_SERVER_NOMATCH;
|
ret = KRB5KDC_ERR_SERVER_NOMATCH;
|
||||||
goto out;
|
goto out;
|
||||||
@@ -2432,6 +2496,7 @@ server_lookup:
|
|||||||
ret = KRB5KRB_AP_ERR_BADADDR;
|
ret = KRB5KRB_AP_ERR_BADADDR;
|
||||||
_kdc_audit_addkv((kdc_request_t)priv, 0, "wrongaddr", "yes");
|
_kdc_audit_addkv((kdc_request_t)priv, 0, "wrongaddr", "yes");
|
||||||
kdc_log(context, config, 4, "Request from wrong address");
|
kdc_log(context, config, 4, "Request from wrong address");
|
||||||
|
_kdc_audit_addreason((kdc_request_t)priv, "Request from wrong address");
|
||||||
goto out;
|
goto out;
|
||||||
} else if (config->warn_ticket_addresses) {
|
} else if (config->warn_ticket_addresses) {
|
||||||
_kdc_audit_addkv((kdc_request_t)priv, 0, "wrongaddr", "yes");
|
_kdc_audit_addkv((kdc_request_t)priv, 0, "wrongaddr", "yes");
|
||||||
@@ -2464,6 +2529,7 @@ server_lookup:
|
|||||||
NULL, s, &pa.padata_value);
|
NULL, s, &pa.padata_value);
|
||||||
krb5_crypto_destroy(context, crypto);
|
krb5_crypto_destroy(context, crypto);
|
||||||
if (ret) {
|
if (ret) {
|
||||||
|
_kdc_audit_addreason((kdc_request_t)priv, "Referral build failed");
|
||||||
kdc_log(context, config, 4,
|
kdc_log(context, config, 4,
|
||||||
"Failed building server referral");
|
"Failed building server referral");
|
||||||
goto out;
|
goto out;
|
||||||
|
|||||||
Reference in New Issue
Block a user