From: Kern Sibbald Date: Sat, 20 Nov 2004 07:49:43 +0000 (+0000) Subject: Add more auth debug code X-Git-Tag: Release-1.36.1~10 X-Git-Url: https://git.sur5r.net/?a=commitdiff_plain;h=f61e402d773545def9aafc841b97f8e65ce78cd9;p=bacula%2Fbacula Add more auth debug code git-svn-id: https://bacula.svn.sourceforge.net/svnroot/bacula/trunk@1708 91ce42f0-d328-0410-95d8-f526ca767f89 --- diff --git a/bacula/src/dird/authenticate.c b/bacula/src/dird/authenticate.c index e2a309dd6b..2b6762d955 100644 --- a/bacula/src/dird/authenticate.c +++ b/bacula/src/dird/authenticate.c @@ -57,6 +57,7 @@ bool authenticate_storage_daemon(JCR *jcr, STORE *store) BSOCK *sd = jcr->store_bsock; char dirname[MAX_NAME_LENGTH]; int ssl_need = BNET_SSL_NONE; + bool get_auth, auth = false; /* * Send my name to the Storage daemon then do authentication @@ -67,12 +68,22 @@ bool authenticate_storage_daemon(JCR *jcr, STORE *store) btimer_t *tid = start_bsock_timer(sd, 60 * 10); if (!bnet_fsend(sd, hello, dirname)) { stop_bsock_timer(tid); + Dmsg1(50, _("Error sending Hello to Storage daemon. ERR=%s\n"), bnet_strerror(sd)); Jmsg(jcr, M_FATAL, 0, _("Error sending Hello to Storage daemon. ERR=%s\n"), bnet_strerror(sd)); return 0; } - if (!cram_md5_get_auth(sd, store->password, ssl_need) || - !cram_md5_auth(sd, store->password, ssl_need)) { + get_auth = cram_md5_get_auth(sd, store->password, ssl_need); + if (get_auth) { + auth = cram_md5_auth(sd, store->password, ssl_need); + if (!auth) { + Dmsg1(50, "cram_auth failed for %s\n", sd->who); + } + } else { + Dmsg1(50, "cram_get_auth failed for %s\n", sd->who); + } + if (!get_auth || !auth) { stop_bsock_timer(tid); + Dmsg0(50, _("Director and Storage daemon passwords or names not the same.\n")); Jmsg0(jcr, M_FATAL, 0, _("Director and Storage daemon passwords or names not the same.\n" "Please see http://www.bacula.org/html-manual/faq.html#AuthorizationErrors for help.\n")); return 0; 
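Review bot: In the `@@ -67,12 +68,22 @@` hunk of dird/authenticate.c the two `Dmsg` copies of the job messages keep the `_()` wrapper, while the `cram_auth failed for %s` lines added beside them are plain strings. If `_()` is the translation marker it appears to be, the debug trace for an authentication failure becomes locale-dependent, which makes it harder to search or to match against in monitoring. The debug copies could drop the wrapper, e.g. `Dmsg1(50, "Error sending Hello to Storage daemon. ERR=%s\n", bnet_strerror(sd));`. The same applies to the other `Dmsg` lines with `_()` that this commit adds in dird, filed and stored; authenticate_storage_daemon itself starts and ends outside the hunk.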
@@ -87,6 +98,7 @@ bool authenticate_storage_daemon(JCR *jcr, STORE *store) Dmsg1(110, "msg); stop_bsock_timer(tid); if (strncmp(sd->msg, OKhello, sizeof(OKhello)) != 0) { + Dmsg0(50, _("Storage daemon rejected Hello command\n")); Jmsg0(jcr, M_FATAL, 0, _("Storage daemon rejected Hello command\n")); return 0; } @@ -101,6 +113,7 @@ int authenticate_file_daemon(JCR *jcr) BSOCK *fd = jcr->file_bsock; char dirname[MAX_NAME_LENGTH]; int ssl_need = BNET_SSL_NONE; + bool get_auth, auth = false; /* * Send my name to the File daemon then do authentication @@ -114,9 +127,18 @@ int authenticate_file_daemon(JCR *jcr) Jmsg(jcr, M_FATAL, 0, _("Error sending Hello to File daemon. ERR=%s\n"), bnet_strerror(fd)); return 0; } - if (!cram_md5_get_auth(fd, jcr->client->password, ssl_need) || - !cram_md5_auth(fd, jcr->client->password, ssl_need)) { + get_auth = cram_md5_get_auth(fd, jcr->client->password, ssl_need); + if (get_auth) { + auth = cram_md5_auth(fd, jcr->client->password, ssl_need); + if (!auth) { + Dmsg1(50, "cram_auth failed for %s\n", fd->who); + } + } else { + Dmsg1(50, "cram_get_auth failed for %s\n", fd->who); + } + if (!get_auth || !auth) { stop_bsock_timer(tid); + Dmsg0(50, _("Director and File daemon passwords or names not the same.\n")); Jmsg(jcr, M_FATAL, 0, _("Director and File daemon passwords or names not the same.\n" "Please see http://www.bacula.org/html-manual/faq.html#AuthorizationErrors for help.\n")); return 0; @@ -124,6 +146,8 @@ int authenticate_file_daemon(JCR *jcr) Dmsg1(116, ">filed: %s", fd->msg); if (bnet_recv(fd) <= 0) { stop_bsock_timer(tid); + Dmsg1(50, _("Bad response from File daemon to Hello command: ERR=%s\n"), + bnet_strerror(fd)); Jmsg(jcr, M_FATAL, 0, _("Bad response from File daemon to Hello command: ERR=%s\n"), bnet_strerror(fd)); return 0; 
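Review bot: The File daemon path in the `@@ -114,9 +127,18 @@` hunk gets no level-50 debug line when sending Hello fails, although the matching Storage daemon branch earlier in this file gained one. For the two traces to be comparable, the branch whose `Jmsg` is the first context line here should get `Dmsg1(50, "Error sending Hello to File daemon. ERR=%s\n", bnet_strerror(fd));` ahead of that `Jmsg`. The `if` that opens this branch lies above the hunk, so the exact placement relative to the timer stop cannot be checked from here.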
@@ -131,6 +155,7 @@ int authenticate_file_daemon(JCR *jcr) Dmsg1(110, "msg); stop_bsock_timer(tid); if (strncmp(fd->msg, FDOKhello, sizeof(FDOKhello)) != 0) { + Dmsg0(50, _("File daemon rejected Hello command\n")); Jmsg(jcr, M_FATAL, 0, _("File daemon rejected Hello command\n")); return 0; } diff --git a/bacula/src/filed/authenticate.c b/bacula/src/filed/authenticate.c index 31a4137c3d..b8f123431d 100644 --- a/bacula/src/filed/authenticate.c +++ b/bacula/src/filed/authenticate.c @@ -7,7 +7,7 @@ * */ /* - Copyright (C) 2000, 2001, 2002 Kern Sibbald and John Walker + Copyright (C) 2000-2004 Kern Sibbald and John Walker This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as @@ -41,12 +41,16 @@ static int authenticate(int rcode, BSOCK *bs, JCR* jcr) POOLMEM *dirname; DIRRES *director; int ssl_need = BNET_SSL_NONE; + bool auth, get_auth = false; if (rcode != R_DIRECTOR) { + Dmsg1(50, _("I only authenticate directors, not %d\n"), rcode); Emsg1(M_FATAL, 0, _("I only authenticate directors, not %d\n"), rcode); return 0; } if (bs->msglen < 25 || bs->msglen > 200) { + Dmsg2(50, _("Bad Hello command from Director at %s. Len=%d.\n"), + bs->who, bs->msglen); Emsg2(M_FATAL, 0, _("Bad Hello command from Director at %s. Len=%d.\n"), bs->who, bs->msglen); return 0; @@ -57,6 +61,8 @@ static int authenticate(int rcode, BSOCK *bs, JCR* jcr) if (sscanf(bs->msg, "Hello Director %s calling\n", dirname) != 1) { free_pool_memory(dirname); bs->msg[100] = 0; + Dmsg2(50, _("Bad Hello command from Director at %s: %s\n"), + bs->who, bs->msg); Emsg2(M_FATAL, 0, _("Bad Hello command from Director at %s: %s\n"), bs->who, bs->msg); return 0; 
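Review bot: The `Dmsg2` added in the `@@ -57,6 +61,8 @@` hunk of filed/authenticate.c writes `bs->msg` to the debug trace before the peer has authenticated; the line above cuts it at 100 bytes, but nothing removes newlines or control characters, so the peer decides what that trace line looks like. A comment would make the trust level explicit, e.g. `/* bs->msg is unauthenticated peer data: truncated above, not sanitized */`, and escaping non-printable bytes before logging would be the stronger fix. The same holds for the matching stored/authenticate.c hunk and for the `Got: %s` and `Cannot scan challenge: %s` lines in cram-md5.c, which this commit moves to level 50. Separately, the `sscanf` in context reads with an unbounded `%s` where the stored version uses `%127s`; whether `dirname` is large enough depends on its allocation, which is outside the hunk.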
@@ -69,6 +75,8 @@ static int authenticate(int rcode, BSOCK *bs, JCR* jcr) } UnlockRes(); if (!director) { + Dmsg2(50, _("Connection from unknown Director %s at %s rejected.\n"), + dirname, bs->who); Emsg2(M_FATAL, 0, _("Connection from unknown Director %s at %s rejected.\n" "Please see http://www.bacula.org/html-manual/faq.html#AuthorizationErrors for help.\n"), dirname, bs->who); @@ -76,8 +84,16 @@ static int authenticate(int rcode, BSOCK *bs, JCR* jcr) return 0; } btimer_t *tid = start_bsock_timer(bs, 60 * 10); - if (!cram_md5_auth(bs, director->password, ssl_need) || - !cram_md5_get_auth(bs, director->password, ssl_need)) { + auth = cram_md5_auth(bs, director->password, ssl_need); + if (auth) { + get_auth = cram_md5_get_auth(bs, director->password, ssl_need); + if (!get_auth) { + Dmsg1(50, "cram_get_auth failed for %s\n", bs->who); + } + } else { + Dmsg1(50, "cram_auth failed for %s\n", bs->who); + } + if (!auth || !get_auth) { Emsg1(M_FATAL, 0, _("Incorrect password given by Director at %s.\n" "Please see http://www.bacula.org/html-manual/faq.html#AuthorizationErrors for help.\n"), bs->who); 
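Review bot: In the `@@ -76,8 +84,16 @@` hunk of filed/authenticate.c the failure branch `if (!auth || !get_auth) {` goes straight to `Emsg1`, while the equivalent branch in stored/authenticate.c calls `stop_bsock_timer(tid);` first. The rest of the branch is outside the hunk, so the timer may be stopped further down; if it is not, the rewritten branch is the place to add `stop_bsock_timer(tid);` as its first statement. This branch also lacks the level-50 `Dmsg` copy of the final "Incorrect password" message that the dird functions received.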
@@ -117,17 +133,24 @@ int authenticate_director(JCR *jcr) int authenticate_storagedaemon(JCR *jcr) { BSOCK *sd = jcr->store_bsock; - int stat; int ssl_need = BNET_SSL_NONE; + bool get_auth, auth = false; btimer_t *tid = start_bsock_timer(sd, 60 * 10); - stat = cram_md5_get_auth(sd, jcr->sd_auth_key, ssl_need) && - cram_md5_auth(sd, jcr->sd_auth_key, ssl_need); + get_auth = cram_md5_get_auth(sd, jcr->sd_auth_key, ssl_need); + if (!get_auth) { + Dmsg1(50, "cram_get_auth failed for %s\n", sd->who); + } else { + auth = cram_md5_auth(sd, jcr->sd_auth_key, ssl_need); + if (!auth) { + Dmsg1(50, "cram_auth failed for %s\n", sd->who); + } + } stop_bsock_timer(tid); memset(jcr->sd_auth_key, 0, strlen(jcr->sd_auth_key)); - if (!stat) { + if (!get_auth || !auth) { Jmsg(jcr, M_FATAL, 0, _("Authorization key rejected by Storage daemon.\n" "Please see http://www.bacula.org/html-manual/faq.html#AuthorizationErrors for help.\n")); } - return stat; + return get_auth && auth; } diff --git a/bacula/src/lib/cram-md5.c b/bacula/src/lib/cram-md5.c index bee0751133..af36c8993d 100644 --- a/bacula/src/lib/cram-md5.c +++ b/bacula/src/lib/cram-md5.c @@ -49,9 +49,9 @@ int cram_md5_auth(BSOCK *bs, char *password, int ssl_need) bstrncpy(host, my_name, sizeof(host)); } bsnprintf(chal, sizeof(chal), "<%u.%u@%s>", (uint32_t)random(), (uint32_t)time(NULL), host); - Dmsg2(100, "send: auth cram-md5 %s ssl=%d\n", chal, ssl_need); + Dmsg2(50, "send: auth cram-md5 %s ssl=%d\n", chal, ssl_need); if (!bnet_fsend(bs, "auth cram-md5 %s ssl=%d\n", chal, ssl_need)) { - Dmsg0(100, "Send challenge error.\n"); + Dmsg1(50, "Bnet send challenge error.\n", bnet_strerror(bs)); return 0; } @@ -59,6 +59,7 @@ int cram_md5_auth(BSOCK *bs, char *password, int ssl_need) return 0; } if (bnet_wait_data(bs, 180) <= 0 || bnet_recv(bs) <= 0) { + Dmsg1(50, "Bnet receive challenge response error.\n", bnet_strerror(bs)); bmicrosleep(5, 0); return 0; } 
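Review bot: The new `Dmsg1(50, "Bnet send challenge error.\n", bnet_strerror(bs));` in the `@@ -49,9 +49,9 @@` hunk of cram-md5.c passes an argument that the format string never consumes, so the socket error text is not printed. Adding the conversion fixes it: `Dmsg1(50, "Bnet send challenge error. ERR=%s\n", bnet_strerror(bs));`. The `Bnet receive challenge response error.\n` line added in the next hunk (`@@ -59,6 +59,7 @@`) has the same mismatch and needs the same `ERR=%s`. cram_md5_auth begins above these hunks.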
@@ -66,14 +67,14 @@ int cram_md5_auth(BSOCK *bs, char *password, int ssl_need) bin_to_base64(host, (char *)hmac, 16); ok = strcmp(bs->msg, host) == 0; if (ok) { - Dmsg0(99, "Authenticate OK\n"); + Dmsg1(50, "Authenticate OK %s\n", host); } else { - Dmsg2(99, "Authenticate NOT OK: wanted %s, got %s\n", host, bs->msg); + Dmsg2(50, "Authenticate NOT OK: wanted %s, got %s\n", host, bs->msg); } if (ok) { bnet_fsend(bs, "1000 OK auth\n"); } else { - Dmsg1(100, "PW: %s\n", password); + Dmsg1(50, "Auth failed PW: %s\n", password); bnet_fsend(bs, "1999 Authorization failed.\n"); bmicrosleep(5, 0); } @@ -92,7 +93,7 @@ int cram_md5_get_auth(BSOCK *bs, char *password, int ssl_need) return 0; } if (bs->msglen >= MAXSTRING) { - Dmsg1(99, "Wanted auth cram... Got: %s", bs->msg); + Dmsg1(50, "Msg too long wanted auth cram... Got: %s", bs->msg); bmicrosleep(5, 0); return 0; } @@ -100,7 +101,7 @@ int cram_md5_get_auth(BSOCK *bs, char *password, int ssl_need) if (sscanf(bs->msg, "auth cram-md5 %s ssl=%d\n", chal, &ssl_has) != 2) { ssl_has = BNET_SSL_NONE; if (sscanf(bs->msg, "auth cram-md5 %s\n", chal) != 1) { - Dmsg1(100, "Cannot scan challenge: %s", bs->msg); + Dmsg1(50, "Cannot scan challenge: %s", bs->msg); bnet_fsend(bs, "1999 Authorization failed.\n"); bmicrosleep(5, 0); return 0; 
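Review bot: `Dmsg1(50, "Auth failed PW: %s\n", password);` in the `@@ -66,14 +67,14 @@` hunk writes the shared secret in clear text to the debug trace, and this commit lowers the debug level that triggers it from 100 to 50. Debug output is commonly passed around when diagnosing connection problems and is usually readable by more people than the daemon configuration, so the secret should stay out of it: `Dmsg0(50, "Auth failed\n");`. The `wanted %s, got %s` line, also moved to level 50, records the expected response for the challenge and could likewise report only that the comparison failed. The function continues outside the hunk.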
@@ -113,18 +114,19 @@ int cram_md5_get_auth(BSOCK *bs, char *password, int ssl_need) hmac_md5((uint8_t *)chal, strlen(chal), (uint8_t *)password, strlen(password), hmac); bs->msglen = bin_to_base64(bs->msg, (char *)hmac, 16) + 1; if (!bnet_send(bs)) { - Dmsg0(100, "Send response failed.\n"); + Dmsg1(50, "Send challenge failed. ERR=%s\n", bnet_strerror(bs)); return 0; } Dmsg1(99, "sending resp to challenge: %s\n", bs->msg); if (bnet_wait_data(bs, 180) <= 0 || bnet_recv(bs) <= 0) { + Dmsg1(50, "Receive chanllenge response failed. ERR=%s\n", bnet_strerror(bs)); bmicrosleep(5, 0); return 0; } if (strcmp(bs->msg, "1000 OK auth\n") == 0) { return 1; } - Dmsg1(100, "Bad response: %s\n", bs->msg); + Dmsg1(50, "Bad auth response: %s\n", bs->msg); bmicrosleep(5, 0); return 0; } diff --git a/bacula/src/stored/authenticate.c b/bacula/src/stored/authenticate.c index 29c110c921..4aaadadf20 100644 --- a/bacula/src/stored/authenticate.c +++ b/bacula/src/stored/authenticate.c @@ -42,12 +42,16 @@ static int authenticate(int rcode, BSOCK *bs, JCR* jcr) POOLMEM *dirname; DIRRES *director = NULL; int ssl_need = BNET_SSL_NONE; + bool auth, get_auth = false; if (rcode != R_DIRECTOR) { + Dmsg1(50, _("I only authenticate Directors, not %d\n"), rcode); Emsg1(M_FATAL, 0, _("I only authenticate Directors, not %d\n"), rcode); return 0; } if (bs->msglen < 25 || bs->msglen > 200) { + Dmsg2(50, _("Bad Hello command from Director at %s. Len=%d.\n"), + bs->who, bs->msglen); Emsg2(M_FATAL, 0, _("Bad Hello command from Director at %s. Len=%d.\n"), bs->who, bs->msglen); return 0; @@ -57,6 +61,8 @@ static int authenticate(int rcode, BSOCK *bs, JCR* jcr) if (sscanf(bs->msg, "Hello Director %127s calling\n", dirname) != 1) { bs->msg[100] = 0; + Dmsg2(50, _("Bad Hello command from Director at %s: %s\n"), + bs->who, bs->msg); Emsg2(M_FATAL, 0, _("Bad Hello command from Director at %s: %s\n"), bs->who, bs->msg); return 0; 
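Review bot: The message changed in the `@@ -113,18 +114,19 @@` hunk now reads "Send challenge failed" although this is cram_md5_get_auth sending its response to the peer's challenge, and the added receive message misspells "challenge". Someone reading a trace to work out which leg of the mutual authentication broke would be pointed at the wrong side. Suggested text: `Dmsg1(50, "Send response failed. ERR=%s\n", bnet_strerror(bs));` and `Dmsg1(50, "Receive challenge response failed. ERR=%s\n", bnet_strerror(bs));`.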
@@ -70,6 +76,8 @@ static int authenticate(int rcode, BSOCK *bs, JCR* jcr) } UnlockRes(); if (!director) { + Dmsg2(50, _("Connection from unknown Director %s at %s rejected.\n"), + dirname, bs->who); Emsg2(M_FATAL, 0, _("Connection from unknown Director %s at %s rejected.\n" "Please see http://www.bacula.org/html-manual/faq.html#AuthorizationErrors for help.\n"), dirname, bs->who); @@ -79,8 +87,16 @@ static int authenticate(int rcode, BSOCK *bs, JCR* jcr) /* Timeout Hello after 10 mins */ btimer_t *tid = start_bsock_timer(bs, 60 * 10); - if (!cram_md5_auth(bs, director->password, ssl_need) || - !cram_md5_get_auth(bs, director->password, ssl_need)) { + auth = cram_md5_auth(bs, director->password, ssl_need); + if (auth) { + get_auth = cram_md5_get_auth(bs, director->password, ssl_need); + if (!get_auth) { + Dmsg1(50, "cram_get_auth failed with %s\n", bs->who); + } + } else { + Dmsg1(50, "cram_auth failed with %s\n", bs->who); + } + if (!auth || !get_auth) { stop_bsock_timer(tid); Emsg0(M_FATAL, 0, _("Incorrect password given by Director.\n" "Please see http://www.bacula.org/html-manual/faq.html#AuthorizationErrors for help.\n")); @@ -111,6 +127,7 @@ int authenticate_director(JCR *jcr) if (!authenticate(R_DIRECTOR, dir, jcr)) { bnet_fsend(dir, "%s", Dir_sorry); + Dmsg1(50, _("Unable to authenticate Director at %s.\n"), dir->who); Emsg1(M_ERROR, 0, _("Unable to authenticate Director at %s.\n"), dir->who); bmicrosleep(5, 0); return 0; 
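Review bot: The failure lines added in the `@@ -79,8 +87,16 @@` hunk of stored/authenticate.c say `cram_get_auth failed with %s`, where dird and filed use `failed for %s`, and authenticate_filed further down uses `cram-get-auth` / `cram-auth` with hyphens. A single spelling lets one search pattern or alert rule cover authentication failures from all three daemons. Using the dird form here, `Dmsg1(50, "cram_get_auth failed for %s\n", bs->who);` and `Dmsg1(50, "cram_auth failed for %s\n", bs->who);`, and the same two strings with `fd->who` in authenticate_filed, would align them.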
@@ -122,11 +139,20 @@ int authenticate_filed(JCR *jcr) { BSOCK *fd = jcr->file_bsock; int ssl_need = BNET_SSL_NONE; + bool auth, get_auth = false; /* Timeout Hello after 5 mins */ btimer_t *tid = start_bsock_timer(fd, 60 * 10); - if (cram_md5_auth(fd, jcr->sd_auth_key, ssl_need) && - cram_md5_get_auth(fd, jcr->sd_auth_key, ssl_need)) { + auth = cram_md5_auth(fd, jcr->sd_auth_key, ssl_need); + if (auth) { + get_auth = cram_md5_get_auth(fd, jcr->sd_auth_key, ssl_need); + if (!get_auth) { + Dmsg1(50, "cram-get-auth failed with %s\n", fd->who); + } + } else { + Dmsg1(50, "cram-auth failed with %s\n", fd->who); + } + if (auth && get_auth) { jcr->authenticated = true; } stop_bsock_timer(tid); diff --git a/bacula/src/version.h b/bacula/src/version.h index 483df6c45c..b42ff04d8a 100644 --- a/bacula/src/version.h +++ b/bacula/src/version.h @@ -1,8 +1,8 @@ /* */ #undef VERSION #define VERSION "1.36.1" -#define BDATE "19 November 2004" -#define LSMDATE "19Nov04" +#define BDATE "20 November 2004" +#define LSMDATE "20Nov04" /* Debug flags */ #undef DEBUG
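Review bot: The comment kept in the `@@ -122,11 +139,20 @@` hunk says "Timeout Hello after 5 mins", but the call below it is `start_bsock_timer(fd, 60 * 10)`, which is ten minutes if the argument is in seconds, as the "10 mins" comment on the same call in authenticate() suggests. Since this commit rewrites the lines directly underneath, the comment could be corrected in passing: `/* Timeout Hello after 10 mins */`. What authenticate_filed does when `auth && get_auth` is false lies outside the hunk.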