s4-kdc: Handle previously unhandled auth event types

Cases to handle KDC_AUTH_EVENT_VALIDATED_LONG_TERM_KEY and
KDC_AUTH_EVENT_PREAUTH_SUCCEEDED were removed in:

commit 791be84c3eecb95e03611458e2305bae272ba267
Author: Stefan Metzmacher <metze@samba.org>
Date:   Wed Mar 2 10:10:08 2022 +1300

    s4:kdc: hdb_samba4_audit() is only called once per request

Normally these auth event types are overwritten with the
KDC_AUTH_EVENT_CLIENT_AUTHORIZED event type, but if a client passes the
pre-authentication check, and happens to fail the client access check
(e.g. because the account is disabled), we get error messages of the
form:
hdb_samba4_audit: Unhandled hdb_auth_status=9 => INTERNAL_ERROR

To avoid such errors, use the error code provided in the request
structure to obtain a relevant status code in cases not handled
explicitly.

For unexpected values we return KRB5KRB_ERR_GENERIC
in order to hopefully prevent success. And within make test
we panic in order let a ci run fail.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15015

Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

diff --git a/source4/kdc/hdb-samba4.c b/source4/kdc/hdb-samba4.c
index 5720dfadc1f151032daf6d033431ad3ae6b456c1..ceb3a292160741901fcbbc57e53716662c71f916 100644 (file)
--- a/source4/kdc/hdb-samba4.c
+++ b/source4/kdc/hdb-samba4.c
@@ -612,7 +612,40 @@ static krb5_error_code hdb_samba4_audit(krb5_context context,
                ui.auth_description = auth_description;
 
                if (hdb_auth_status == KDC_AUTH_EVENT_CLIENT_AUTHORIZED) {
+                       /* This is the final sucess */
                        status = NT_STATUS_OK;
+               } else if (hdb_auth_status == KDC_AUTH_EVENT_VALIDATED_LONG_TERM_KEY) {
+                       /*
+                        * This was only a pre-authentication success,
+                        * but we didn't reach the final
+                        * KDC_AUTH_EVENT_CLIENT_AUTHORIZED,
+                        * so consult the error code.
+                        */
+                       if (r->error_code == 0) {
+                               DBG_ERR("ERROR: VALIDATED_LONG_TERM_KEY "
+                                       "with error=0 => INTERNAL_ERROR\n");
+                               status = NT_STATUS_INTERNAL_ERROR;
+                               final_ret = KRB5KRB_ERR_GENERIC;
+                               r->error_code = final_ret;
+                       } else {
+                               status = krb5_to_nt_status(r->error_code);
+                       }
+               } else if (hdb_auth_status == KDC_AUTH_EVENT_PREAUTH_SUCCEEDED) {
+                       /*
+                        * This was only a pre-authentication success,
+                        * but we didn't reach the final
+                        * KDC_AUTH_EVENT_CLIENT_AUTHORIZED,
+                        * so consult the error code.
+                        */
+                       if (r->error_code == 0) {
+                               DBG_ERR("ERROR: PREAUTH_SUCCEEDED "
+                                       "with error=0 => INTERNAL_ERROR\n");
+                               status = NT_STATUS_INTERNAL_ERROR;
+                               final_ret = KRB5KRB_ERR_GENERIC;
+                               r->error_code = final_ret;
+                       } else {
+                               status = krb5_to_nt_status(r->error_code);
+                       }
                } else if (hdb_auth_status == KDC_AUTH_EVENT_CLIENT_TIME_SKEW) {
                        status = NT_STATUS_TIME_DIFFERENCE_AT_DC;
                } else if (hdb_auth_status == KDC_AUTH_EVENT_WRONG_LONG_TERM_KEY) {
@@ -640,6 +673,8 @@ static krb5_error_code hdb_samba4_audit(krb5_context context,
                        DBG_ERR("Unhandled hdb_auth_status=%d => INTERNAL_ERROR\n",
                                hdb_auth_status);
                        status = NT_STATUS_INTERNAL_ERROR;
+                       final_ret = KRB5KRB_ERR_GENERIC;
+                       r->error_code = final_ret;
                }
 
                if (rwdc_fallback) {
@@ -664,6 +699,14 @@ static krb5_error_code hdb_samba4_audit(krb5_context context,
                                         domain_name,
                                         account_name,
                                         sid);
+               if (final_ret == KRB5KRB_ERR_GENERIC && socket_wrapper_enabled()) {
+                       /*
+                        * If we're running under make test
+                        * just panic
+                        */
+                       DBG_ERR("Unexpected situation => PANIC\n");
+                       smb_panic("hdb_samba4_audit: Unexpected situation");
+               }
                TALLOC_FREE(frame);
                break;
        }