[PATCH] Improve logging for localauth MIT Kerberos plugin

Andreas Schneider asn at samba.org
Fri Feb 15 09:52:15 UTC 2019


Hello,

attached is a patch to improve the logging for the MIT KRB5 localauth plugin.


Review is much appreciated.


Thanks,


	Andreas

-- 
Andreas Schneider                      asn at samba.org
Samba Team                             www.samba.org
GPG-ID:     8DFF53E18F2ABC8D8F3C92237EE0FC4DCC014E3D
>From 35c98252b0d865f71fa98e45e79c116ad62886f6 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn at samba.org>
Date: Fri, 16 Nov 2018 18:23:35 +0100
Subject: [PATCH] nssswitch: Log user access to kerberos

Signed-off-by: Andreas Schneider <asn at samba.org>
---
 nsswitch/krb5_plugin/winbind_krb5_localauth.c | 21 ++++++++++++++-----
 1 file changed, 16 insertions(+), 5 deletions(-)

diff --git a/nsswitch/krb5_plugin/winbind_krb5_localauth.c b/nsswitch/krb5_plugin/winbind_krb5_localauth.c
index f87b19abed6..293f5297ca8 100644
--- a/nsswitch/krb5_plugin/winbind_krb5_localauth.c
+++ b/nsswitch/krb5_plugin/winbind_krb5_localauth.c
@@ -98,14 +98,12 @@ static krb5_error_code winbind_userok(krb5_context context,
 
 	cmp = strcasecmp(princ_str, lname);
 	if (cmp == 0) {
-		krb5_free_unparsed_name(context, princ_str);
-		return 0;
+		goto out;
 	}
 
 	wbc_status = wbcCtxGetpwnam(data->wbc_ctx,
 				    princ_str,
 				    &pwd);
-	krb5_free_unparsed_name(context, princ_str);
 	switch (wbc_status) {
 	case WBC_ERR_SUCCESS:
 		princ_uid = pwd->pw_uid;
@@ -123,7 +121,7 @@ static krb5_error_code winbind_userok(krb5_context context,
 	}
 	wbcFreeMemory(pwd);
 	if (code != 0) {
-		return code;
+		goto out;
 	}
 
 	wbc_status = wbcCtxGetpwnam(data->wbc_ctx,
@@ -145,13 +143,26 @@ static krb5_error_code winbind_userok(krb5_context context,
 	}
 	wbcFreeMemory(pwd);
 	if (code != 0) {
-		return code;
+		goto out;
 	}
 
 	if (princ_uid != lname_uid) {
 		code = EPERM;
 	}
 
+	com_err("winbind_localauth",
+		code,
+		"Access %s: %s (uid=%u) %sequal to %s (uid=%u)",
+		code == 0 ? "granted" : "denied",
+		princ_str,
+		(unsigned int)princ_uid,
+		code == 0 ? "" : "not ",
+		lname,
+		(unsigned int)lname_uid);
+
+out:
+	krb5_free_unparsed_name(context, princ_str);
+
 	return code;
 }
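Review bot: The new com_err call records only the uid-comparison outcome, so the two earlier `goto out` jumps — the strcasecmp match in the first hunk and the `code != 0` lookup failures in the second and third — still leave the log silent for a grant by name match and for denials caused by a failed wbcCtxGetpwnam, which is exactly the case an operator investigating a denial would want to see. Each decision path could log before jumping, for example `com_err("winbind_localauth", 0, "Access granted: %s matches %s", princ_str, lname);` ahead of the first `goto out`, and a line carrying `code` and the looked-up name ahead of the other two. The uid-based message cannot simply be moved under the `out:` label, because winbind_userok's declaration and the initialisation of princ_uid and lname_uid lie outside these hunks and the early exits may reach the label with those values unset. com_err writes to stderr unless the embedding application has installed a com_err hook, so where these lines end up presumably depends on the caller — worth confirming for the processes that load this plugin.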
 
-- 
2.20.1


