diff --git a/kdc/kerberos5.c b/kdc/kerberos5.c
index 83e55a6c4..030dd0f54 100644
--- a/kdc/kerberos5.c
+++ b/kdc/kerberos5.c
@@ -77,23 +77,6 @@ audited_auth_event_p(astgs_request_t r)
     return !!_kdc_audit_getkv((kdc_request_t)r, HDB_REQUEST_KV_AUTH_EVENT_TYPE);
 }
-/*
- * Notify the HDB backend of the audited event.
- */
-
-static krb5_error_code
-notify_hdb_audit(astgs_request_t r)
-{
-    struct HDB *hdb;
-
-    hdb = r->clientdb ? r->clientdb : r->config->db[0];
-
-    if (hdb && hdb->hdb_audit && audited_auth_event_p(r))
-	return hdb->hdb_audit(r->context, hdb, r->client, (hdb_request_t)r);
-
-    return 0;
-}
-
 void
 _kdc_fix_time(time_t **t)
 {
@@ -2770,7 +2753,7 @@ _kdc_as_rep(astgs_request_t r)
 out:
     r->ret = ret;
-    notify_hdb_audit(r);
+    _kdc_hdb_audit(r);
     /*
      * In case of a non proxy error, build an error message.
diff --git a/kdc/krb5tgs.c b/kdc/krb5tgs.c
index e0e4102c7..b7673eb15 100644
--- a/kdc/krb5tgs.c
+++ b/kdc/krb5tgs.c
@@ -2575,6 +2575,7 @@ _kdc_tgs_rep(astgs_request_t r)
 out:
     r->ret = ret;
+    _kdc_hdb_audit(r);
     if(ret && ret != HDB_ERR_NOT_FOUND_HERE && data->data == NULL){
 	METHOD_DATA error_method = { 0, NULL };
diff --git a/kdc/misc.c b/kdc/misc.c
index 61296ffa0..ee73b4a3e 100644
--- a/kdc/misc.c
+++ b/kdc/misc.c
@@ -341,3 +341,20 @@ _kdc_include_pac_p(astgs_request_t r)
     return !!(r->pac_attributes & (KRB5_PAC_WAS_REQUESTED | KRB5_PAC_WAS_GIVEN_IMPLICITLY));
 }
+
+/*
+ * Notify the HDB backend of the audited event.
+ */
+
+krb5_error_code
+_kdc_hdb_audit(astgs_request_t r)
+{
+    struct HDB *hdb;
+
+    hdb = r->clientdb ? r->clientdb : r->config->db[0];
+
+    if (hdb && hdb->hdb_audit)
+	return hdb->hdb_audit(r->context, hdb, r->client, (hdb_request_t)r);
+
+    return 0;
+}
diff --git a/lib/hdb/hdb.h b/lib/hdb/hdb.h
index 899881307..bb9d6497d 100644
--- a/lib/hdb/hdb.h
+++ b/lib/hdb/hdb.h
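Review bot: The krb5_error_code returned by the added `_kdc_hdb_audit(r)` at the `out:` label in the kdc/krb5tgs.c hunk is discarded, as it is at the matching call in the kdc/kerberos5.c `_kdc_as_rep` hunk, so a backend whose `hdb_audit` hook fails is never noticed by the KDC. If the intent is best-effort notification, make that explicit with `(void)_kdc_hdb_audit(r);` and say so in the hdb.h comment for `hdb_audit`. If a fail-closed audit policy is wanted instead, the hook's error would have to be folded into `ret` before the error-reply branch that follows. `_kdc_tgs_rep` starts outside the hunk, so any earlier return paths that bypass `out:` are not visible here.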
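Review bot: `_kdc_hdb_audit` in the kdc/misc.c hunk drops the `audited_auth_event_p(r)` condition that the removed `notify_hdb_audit` in kdc/kerberos5.c applied, so `hdb_audit` now fires on every completed AS and TGS request, while the hdb.h hunk in this same commit says the TGS sets no auth event type. Backend hooks written against the old contract may assume `HDB_REQUEST_KV_AUTH_EVENT_TYPE` is always present; the function comment should state the new contract, e.g. `/* Notify the HDB backend of the audited event. Called from both the AS and the TGS on every completed request; the auth event type may be absent, and r->client is presumably NULL when the request failed before the client entry was fetched. */`. If `audited_auth_event_p`, still defined at the top of the first kdc/kerberos5.c hunk, has no remaining caller in that file, it is now an unused static function and will trigger -Wunused-function.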
@@ -305,7 +305,9 @@ typedef struct HDB {
     krb5_error_code (*hdb_password)(krb5_context, struct HDB*, hdb_entry_ex*, const char *, int);
     /**
-     * Authentication auditing
+     * Authentication auditing. Note that this function is called by
+     * both the AS and TGS, but currently only the AS sets the auth
+     * event type and details. This may change in a future version.
      *
      * Event details are available by querying the request using
      * heim_audit_getkv(HDB_REQUEST_KV_...).