From: Ken Raeburn Date: Wed, 14 Jan 2009 19:50:34 +0000 (+0000) Subject: Pass s4u name and c_flags to log_tgs_req. If values are supplied, log X-Git-Tag: krb5-1.7-alpha1~76 X-Git-Url: http://git.tremily.us/?a=commitdiff_plain;h=50679fdf318017bb3781e6d9c553f9878362894f;p=krb5.git Pass s4u name and c_flags to log_tgs_req. If values are supplied, log an additional message to record the name and s4u mode. Untested for lack of code to invoke these code paths. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@21745 dc483132-0cff-0310-8789-dd5450dbe970 --- diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c index 17c7f1534..9c96734e6 100644 --- a/src/kdc/do_tgs_req.c +++ b/src/kdc/do_tgs_req.c @@ -1,7 +1,7 @@ /* * kdc/do_tgs_req.c * - * Copyright 1990,1991,2001,2007,2008 by the Massachusetts Institute of Technology. + * Copyright 1990,1991,2001,2007,2008,2009 by the Massachusetts Institute of Technology. * All Rights Reserved. * * Export of this software from the United States of America may @@ -840,7 +840,7 @@ cleanup: if (errcode) emsg = krb5_get_error_message (kdc_context, errcode); log_tgs_req(from, request, &reply, cname, sname, altcname, authtime, - status, errcode, emsg); + c_flags, s4u_name, status, errcode, emsg); if (errcode) { krb5_free_error_message (kdc_context, emsg); emsg = NULL; diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c index cd7f83958..34a8ed0c3 100644 --- a/src/kdc/kdc_util.c +++ b/src/kdc/kdc_util.c @@ -2147,6 +2147,7 @@ validate_transit_path(krb5_context context, /* "status" is null to indicate success. */ /* Someday, pass local address/port as well. */ +/* Currently no info about name canonicalization is logged. */ void log_as_req(const krb5_fulladdr *from, krb5_kdc_req *request, krb5_kdc_rep *reply, 
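Review bot: `c_flags` and `s4u_name` are now read on the `cleanup:` path, which is also reached when the request fails early, so both need a defined value (0 and NULL) from the point where they are declared. Otherwise the logger's new `if (s4u_name)` test in `src/kdc/kdc_util.c` reads an indeterminate pointer and may then hit its `assert()`. It is also worth confirming that `s4u_name` has not been freed before this call, since the log call is made during cleanup. The declarations and the earlier `goto cleanup` sites are outside this hunk, so neither can be checked from the lines shown.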
@@ -2221,12 +2222,15 @@ log_as_req(const krb5_fulladdr *from, } /* Here "status" must be non-null. Error code - KRB5KDC_ERR_SERVER_NOMATCH is handled specially. */ + KRB5KDC_ERR_SERVER_NOMATCH is handled specially. + + Currently no info about name canonicalization is logged. */ void log_tgs_req(const krb5_fulladdr *from, krb5_kdc_req *request, krb5_kdc_rep *reply, const char *cname, const char *sname, const char *altcname, krb5_timestamp authtime, + unsigned int c_flags, const char *s4u_name, const char *status, krb5_error_code errcode, const char *emsg) { char ktypestr[128]; @@ -2248,7 +2252,7 @@ log_tgs_req(const krb5_fulladdr *from, /* Differences: server-nomatch message logs 2nd ticket's client name (useful), and doesn't log ktypestr (probably not important). */ - if (errcode != KRB5KDC_ERR_SERVER_NOMATCH) + if (errcode != KRB5KDC_ERR_SERVER_NOMATCH) { krb5_klog_syslog(LOG_INFO, "TGS_REQ (%s) %s: %s: authtime %d, %s%s %s for %s%s%s", ktypestr, @@ -2259,7 +2263,19 @@ log_tgs_req(const krb5_fulladdr *from, sname ? sname : "", errcode ? ", " : "", errcode ? emsg : ""); - else + if (s4u_name) { + assert(isflagset(c_flags, KRB5_KDB_FLAG_PROTOCOL_TRANSITION) || + isflagset(c_flags, KRB5_KDB_FLAG_CONSTRAINED_DELEGATION)); + if (isflagset(c_flags, KRB5_KDB_FLAG_PROTOCOL_TRANSITION)) + krb5_klog_syslog(LOG_INFO, + "... PROTOCOL-TRANSITION s4u-client=%s", + s4u_name); + else if (isflagset(c_flags, KRB5_KDB_FLAG_CONSTRAINED_DELEGATION)) + krb5_klog_syslog(LOG_INFO, + "... CONSTRAINED-DELEGATION s4u-client=%s", + s4u_name); + } + } else krb5_klog_syslog(LOG_INFO, "TGS_REQ %s: %s: authtime %d, %s for %s, 2nd tkt client %s", fromstring, status, authtime, @@ -2269,6 +2285,7 @@ log_tgs_req(const krb5_fulladdr *from, /* OpenSolaris: audit_krb5kdc_tgs_req(...) or audit_krb5kdc_tgs_req_2ndtktmm(...) */ + /* ... krb5_db_invoke ... */ } void diff --git a/src/kdc/kdc_util.h b/src/kdc/kdc_util.h index f0c5563ef..b70f98a6e 100644 --- a/src/kdc/kdc_util.h +++ b/src/kdc/kdc_util.h 
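Review bot: The comment above `log_tgs_req` is extended here but still says nothing about the two new parameters, and their contract matters because the body asserts on it. I would add `/* "s4u_name" is null unless the request was an S4U request; when it is non-null, "c_flags" must have KRB5_KDB_FLAG_PROTOCOL_TRANSITION or KRB5_KDB_FLAG_CONSTRAINED_DELEGATION set. */` to this comment. The prototype hunk in `src/kdc/kdc_util.h` has the same gap and could carry the same text.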
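Review bot: The `assert()` on `c_flags` sits in the KDC's request-logging path, so with assertions enabled a caller that passes `s4u_name` without either S4U flag aborts the daemon, and with `NDEBUG` the `if`/`else if` falls through and the S4U record is silently dropped. Since the commit message says this path is untested, I would replace the assert with a final branch such as `else krb5_klog_syslog(LOG_INFO, "... S4U mode unknown (c_flags 0x%x) s4u-client=%s", c_flags, s4u_name);`. The new block is also nested inside `if (errcode != KRB5KDC_ERR_SERVER_NOMATCH)`, so an S4U request that fails with that error leaves no `s4u-client` entry, which is a gap for anyone auditing delegation. The continuation line carries neither `fromstring` nor `cname`, so it cannot be tied back to its `TGS_REQ` line once syslog interleaves messages; repeating those fields would fix that. Whether `s4u_name` is length-limited or escaped before it reaches `%s` is not visible here and should be confirmed at the caller; the body of `log_tgs_req` starts before this hunk.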
@@ -293,6 +293,7 @@ log_tgs_req(const krb5_fulladdr *from, krb5_kdc_req *request, krb5_kdc_rep *reply, const char *cname, const char *sname, const char *altcname, krb5_timestamp authtime, + unsigned int c_flags, const char *s4u_name, const char *status, krb5_error_code errcode, const char *emsg); void log_tgs_alt_tgt(krb5_principal p);