kdc: Pass extra information to hdb_auth_status() to log success and failures
We now pass on the original client name and the client address to allow consistent audit logging in Samba across multiple protocols. We also log the authentication duration. This is not a general purpose profiling solution, but in Samba these JSON logs are already being generated and stored, so this is worth adding. Some administrators are very keen to know how long authentication takes, particularly due to long replication transactions in other Samba processes. We use config->db[0] to find the first database to record incorrect users. Signed-off-by: Andrew Bartlett <abartlet@samba.org> (Similar to Samba commit f498ba77df2313e78863e5f2706840c43e232a96 and bb2a1c6b3eaccf114ac3f3b5b51f57828a04996) [metze@samba.org: improved for heimdal upstream] Signed-off-by: Stefan Metzmacher <metze@samba.org> [abartlet@samba.org: improved again for Heimdal based on feedback]

committed by
Luke Howard

parent
22515634cf
commit
842b856e4c
@@ -80,9 +80,18 @@ enum hdb_lockop{ HDB_RLOCK, HDB_WLOCK };
|
||||
#define HDB_CAP_F_SHARED_DIRECTORY 8
|
||||
|
||||
/* auth status values */
|
||||
#define HDB_AUTH_SUCCESS 0
|
||||
#define HDB_AUTHZ_SUCCESS 0
|
||||
#define HDB_AUTH_WRONG_PASSWORD 1
|
||||
#define HDB_AUTH_INVALID_SIGNATURE 2
|
||||
#define HDB_AUTH_CORRECT_PASSWORD 3
|
||||
#define HDB_AUTH_CLIENT_UNKNOWN 4
|
||||
#define HDB_AUTH_CLIENT_LOCKED_OUT 5
|
||||
#define HDB_AUTH_GENERIC_SUCCESS 6
|
||||
#define HDB_AUTH_GENERIC_FAILURE 7
|
||||
#define HDB_AUTH_PKINIT_SUCCESS 8
|
||||
#define HDB_AUTH_PKINIT_FAILURE 9
|
||||
#define HDB_AUTH_GSS_SUCCESS 10
|
||||
#define HDB_AUTH_GSS_FAILURE 11
|
||||
|
||||
/* key usage for master key */
|
||||
#define HDB_KU_MKEY 0x484442
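Review bot: The status values from `HDB_AUTHZ_SUCCESS` through `HDB_AUTH_GSS_FAILURE` have no per-value comments, so a backend that bumps or resets a bad-password counter or lockout state has to guess what each one means. `HDB_AUTHZ_SUCCESS 0` and `HDB_AUTH_CORRECT_PASSWORD 3` look like two different stages (key verified versus request fully authorized), and the `GENERIC`/`PKINIT`/`GSS` pairs look like outcomes reported for logging, but nothing in the header says so. I would add a short comment per group, for example `/* pre-auth key verified; later authorization checks may still fail */` above `HDB_AUTH_CORRECT_PASSWORD`, once the intended meaning is confirmed. The page prints both `HDB_AUTH_SUCCESS 0` and `HDB_AUTHZ_SUCCESS 0`; if the former is the removed line, as the hunk counts suggest, the rename deserves a note for out-of-tree backends that still compare against the old name.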
|
||||
@@ -280,7 +289,15 @@ typedef struct HDB {
|
||||
* In case the entry is locked out, the backend should set the
|
||||
* hdb_entry.flags.locked-out flag.
|
||||
*/
|
||||
krb5_error_code (*hdb_auth_status)(krb5_context, struct HDB *, hdb_entry_ex *, int);
|
||||
krb5_error_code (*hdb_auth_status)(krb5_context,
|
||||
struct HDB *,
|
||||
hdb_entry_ex *,
|
||||
const struct timeval *start_time,
|
||||
const struct sockaddr *from_addr,
|
||||
const char *original_client_name,
|
||||
int auth_type,
|
||||
const char *auth_details,
|
||||
const char *pa_type);
|
||||
/**
|
||||
* Check if delegation is allowed.
|
||||
*/
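Review bot: The widened `hdb_auth_status` prototype does not say which of the new pointer arguments may be NULL or how long they stay valid. The doc comment above it, which begins outside this hunk, is the place to state that. `original_client_name` and `auth_details` presumably carry text derived from the client's request, and the commit message says backends emit JSON audit logs from this callback. If that is the contract, the comment should say so, e.g. ` * from_addr, original_client_name, auth_details and pa_type may be NULL; the strings are untrusted and must be escaped before logging.`. Because the argument list changes, a backend module built against the old four-argument form would be called with a mismatched layout, so it is worth confirming that `HDB_INTERFACE_VERSION` is bumped elsewhere in this commit. As a style point, the first three parameters are still unnamed while the six new ones are named.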
|
||||
|