Pass s4u name and c_flags to log_tgs_req. If values are supplied, log
authorKen Raeburn <raeburn@mit.edu>
Wed, 14 Jan 2009 19:50:34 +0000 (19:50 +0000)
committerKen Raeburn <raeburn@mit.edu>
Wed, 14 Jan 2009 19:50:34 +0000 (19:50 +0000)
an additional message to record the name and s4u mode.

Untested for lack of code to invoke these code paths.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@21745 dc483132-0cff-0310-8789-dd5450dbe970

src/kdc/do_tgs_req.c
src/kdc/kdc_util.c
src/kdc/kdc_util.h

index 17c7f1534cb3724cbdf7e34a51f7527730b21a6c..9c96734e6abff7847e1c2f7d796dd765b958056d 100644 (file)
@@ -1,7 +1,7 @@
 /*
  * kdc/do_tgs_req.c
  *
- * Copyright 1990,1991,2001,2007,2008 by the Massachusetts Institute of Technology.
+ * Copyright 1990,1991,2001,2007,2008,2009 by the Massachusetts Institute of Technology.
  * All Rights Reserved.
  *
  * Export of this software from the United States of America may
@@ -840,7 +840,7 @@ cleanup:
     if (errcode) 
        emsg = krb5_get_error_message (kdc_context, errcode);
     log_tgs_req(from, request, &reply, cname, sname, altcname, authtime,
-               status, errcode, emsg);
+               c_flags, s4u_name, status, errcode, emsg);
     if (errcode) {
        krb5_free_error_message (kdc_context, emsg);
        emsg = NULL;
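Review bot: The call at the `cleanup:` label now reads `s4u_name` and `c_flags`, and that label is reached from the error paths of the enclosing function as well as from the success path, so both variables must hold a defined value at every `goto cleanup`, including ones taken before any S4U processing runs; their declarations are outside this hunk, so that cannot be confirmed here. If `s4u_name` is only assigned on the S4U path, log_tgs_req would read an indeterminate pointer on early failures, which is exactly the case the description says is untested. The usual guard is to initialize at declaration, `char *s4u_name = NULL;` and `unsigned int c_flags = 0;`. The enclosing function starts and ends outside this hunk.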
index cd7f839588416b5568d8b61ef01e8074097296e1..34a8ed0c3fdf36654138b9092c903e52c541ab1d 100644 (file)
@@ -2147,6 +2147,7 @@ validate_transit_path(krb5_context context,
 
 /* "status" is null to indicate success.  */
 /* Someday, pass local address/port as well.  */
+/* Currently no info about name canonicalization is logged.  */
 void
 log_as_req(const krb5_fulladdr *from,
           krb5_kdc_req *request, krb5_kdc_rep *reply,
@@ -2221,12 +2222,15 @@ log_as_req(const krb5_fulladdr *from,
 }
 
 /* Here "status" must be non-null.  Error code
-   KRB5KDC_ERR_SERVER_NOMATCH is handled specially.  */
+   KRB5KDC_ERR_SERVER_NOMATCH is handled specially.
+
+   Currently no info about name canonicalization is logged.  */
 void
 log_tgs_req(const krb5_fulladdr *from,
            krb5_kdc_req *request, krb5_kdc_rep *reply,
            const char *cname, const char *sname, const char *altcname,
            krb5_timestamp authtime,
+           unsigned int c_flags, const char *s4u_name,
            const char *status, krb5_error_code errcode, const char *emsg)
 {
     char ktypestr[128];
@@ -2248,7 +2252,7 @@ log_tgs_req(const krb5_fulladdr *from,
     /* Differences: server-nomatch message logs 2nd ticket's client
        name (useful), and doesn't log ktypestr (probably not
        important).  */
-    if (errcode != KRB5KDC_ERR_SERVER_NOMATCH)
+    if (errcode != KRB5KDC_ERR_SERVER_NOMATCH) {
        krb5_klog_syslog(LOG_INFO,
                         "TGS_REQ (%s) %s: %s: authtime %d, %s%s %s for %s%s%s",
                         ktypestr,
@@ -2259,7 +2263,19 @@ log_tgs_req(const krb5_fulladdr *from,
                         sname ? sname : "<unknown server>",
                         errcode ? ", " : "",
                         errcode ? emsg : "");
-    else
+       if (s4u_name) {
+           assert(isflagset(c_flags, KRB5_KDB_FLAG_PROTOCOL_TRANSITION) ||
+                  isflagset(c_flags, KRB5_KDB_FLAG_CONSTRAINED_DELEGATION));
+           if (isflagset(c_flags, KRB5_KDB_FLAG_PROTOCOL_TRANSITION))
+               krb5_klog_syslog(LOG_INFO,
+                                "... PROTOCOL-TRANSITION s4u-client=%s",
+                                s4u_name);
+           else if (isflagset(c_flags, KRB5_KDB_FLAG_CONSTRAINED_DELEGATION))
+               krb5_klog_syslog(LOG_INFO,
+                                "... CONSTRAINED-DELEGATION s4u-client=%s",
+                                s4u_name);
+       }
+    } else
        krb5_klog_syslog(LOG_INFO,
                         "TGS_REQ %s: %s: authtime %d, %s for %s, 2nd tkt client %s",
                         fromstring, status, authtime,
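Review bot: The `assert` on the added lines turns an inconsistent caller (s4u_name set but neither KRB5_KDB_FLAG_PROTOCOL_TRANSITION nor KRB5_KDB_FLAG_CONSTRAINED_DELEGATION in c_flags) into an abort of the KDC process, while with NDEBUG the same case silently logs nothing because the `else if` chain has no final branch; a logging helper should not be able to take the service down on a state mismatch. Suggest dropping the assert, selecting the mode string with a fallback such as `UNKNOWN-S4U-MODE` so the inconsistency shows up in the log instead, and emitting a single syslog call, which also removes the duplicated format strings. Whether kdc_util.c already includes <assert.h> is not visible in this diff. The new parameters also deserve a line in the comment block above log_tgs_req, e.g. `c_flags carries the KRB5_KDB_FLAG_* bits of the request; s4u_name, when non-null, is the S4U client principal and is logged on its own line.`
```c
    if (errcode != KRB5KDC_ERR_SERVER_NOMATCH) {
        /* ... unchanged: TGS_REQ syslog call ... */
        if (s4u_name) {
            /* Report an unexpected flag combination rather than asserting,
               so a caller bug cannot abort the KDC from the logging path. */
            const char *s4u_mode;
            if (isflagset(c_flags, KRB5_KDB_FLAG_PROTOCOL_TRANSITION))
                s4u_mode = "PROTOCOL-TRANSITION";
            else if (isflagset(c_flags, KRB5_KDB_FLAG_CONSTRAINED_DELEGATION))
                s4u_mode = "CONSTRAINED-DELEGATION";
            else
                s4u_mode = "UNKNOWN-S4U-MODE";
            krb5_klog_syslog(LOG_INFO, "... %s s4u-client=%s",
                             s4u_mode, s4u_name);
        }
    } else
```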
@@ -2269,6 +2285,7 @@ log_tgs_req(const krb5_fulladdr *from,
 
     /* OpenSolaris: audit_krb5kdc_tgs_req(...)  or
        audit_krb5kdc_tgs_req_2ndtktmm(...) */
+    /* ... krb5_db_invoke ... */
 }
 
 void
index f0c5563efe42ea93907cb1361b13302316b58ba6..b70f98a6e265a129fb15a6096491679453988176 100644 (file)
@@ -293,6 +293,7 @@ log_tgs_req(const krb5_fulladdr *from,
            krb5_kdc_req *request, krb5_kdc_rep *reply,
            const char *cname, const char *sname, const char *altcname,
            krb5_timestamp authtime,
+           unsigned int c_flags, const char *s4u_name,
            const char *status, krb5_error_code errcode, const char *emsg);
 void log_tgs_alt_tgt(krb5_principal p);