From bb699fb8196a02711ed572edf412d38e40d9174e Mon Sep 17 00:00:00 2001
From: Luke Howard <lukeh@padl.com>
Date: Tue, 4 Jan 2022 02:30:42 +0000
Subject: [PATCH] kdc: audit requestor SID in altsecid GSS PA plugin

---
 kdc/altsecid_gss_preauth_authorizer.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/kdc/altsecid_gss_preauth_authorizer.c b/kdc/altsecid_gss_preauth_authorizer.c
index 51ffdc6f8..626608397 100644
--- a/kdc/altsecid_gss_preauth_authorizer.c
+++ b/kdc/altsecid_gss_preauth_authorizer.c
@@ -453,7 +453,7 @@ authorize(void *ctx,
 
     if (requestor_sid) {
 	krb5_kdc_request_set_attribute((kdc_request_t)r,
-				       HSTR("org.h5l.pac-requestor-sid"), requestor_sid);
+				       HSTR("org.h5l.gss-pa-requestor-sid"), requestor_sid);
 	heim_release(requestor_sid);
     }
 
@@ -466,10 +466,12 @@ finalize_pac(void *ctx, astgs_request_t r)
     heim_data_t requestor_sid;
 
     requestor_sid = krb5_kdc_request_get_attribute((kdc_request_t)r,
-						   HSTR("org.h5l.pac-requestor-sid"));
+						   HSTR("org.h5l.gss-pa-requestor-sid"));
     if (requestor_sid == NULL)
 	return 0;
 
+    _kdc_audit_setkv_object((kdc_request_t)r, "gss_requestor_sid", requestor_sid);
+
     return krb5_pac_add_buffer(r->context, r->pac, PAC_REQUESTOR_SID,
 			       heim_data_get_data(requestor_sid));
 }