Bug 12865
Samba 4.7 auth audit does not track machine account ServerAuthenticate3
[patch]
Add auth logging to ServerAuthenticate3
0003-source4-netlogon-Add-authentication-logging-for-Serv.patch (text/plain), 6.39 KB, created by
Gary Lockyer
on 2017-07-12 19:20:31 UTC
Description:
Add auth logging to ServerAuthenticate3
Filename:
MIME Type:
Creator:
Gary Lockyer
Created:
2017-07-12 19:20:31 UTC
Size:
6.39 KB
patch
obsolete
>From 9db7f22fd639801876a0e91eafe446e621ba485a Mon Sep 17 00:00:00 2001
>From: Gary Lockyer <gary@catalyst.net.nz>
>Date: Mon, 10 Jul 2017 07:48:08 +1200
>Subject: [PATCH 3/3] source4 netlogon: Add authentication logging for
> ServerAuthenticate3
>
>Log NETLOGON authentication activity by instrumenting the
>netr_ServerAuthenticate3 processing.
>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=12865
>
>Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
>---
> auth/auth_log.c | 8 +++
> selftest/knownfail.d/auth-logging | 8 ---
> source4/rpc_server/netlogon/dcerpc_netlogon.c | 90 ++++++++++++++++++---------
> 3 files changed, 68 insertions(+), 38 deletions(-)
> delete mode 100644 selftest/knownfail.d/auth-logging
>
>diff --git a/auth/auth_log.c b/auth/auth_log.c
>index 9dbf8f2..9c1e8e1 100644
>--- a/auth/auth_log.c
>+++ b/auth/auth_log.c
>@@ -661,6 +661,14 @@ static const char* get_password_type(const struct auth_usersupplied_info *ui)
> && ui->password.response.nt.length == 0
> && ui->password.response.lanman.length == 0) {
> password_type = "No-Password";
>+ } else if (ui->netlogon_trust_account.negotiate_flags
>+ & NETLOGON_NEG_SUPPORTS_AES) {
>+ password_type = "HMAC-SHA256";
>+ } else if (ui->netlogon_trust_account.negotiate_flags
>+ & NETLOGON_NEG_STRONG_KEYS) {
>+ ;
>+ } else if (strncmp("NETLOGON", ui->service_description, 8) == 0) {
>+ password_type = "DES";
> }
> return password_type;
> }
>diff --git a/selftest/knownfail.d/auth-logging b/selftest/knownfail.d/auth-logging
>deleted file mode 100644
>index e10a69e..0000000
>--- a/selftest/knownfail.d/auth-logging
>+++ /dev/null
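Review bot: The `NETLOGON_NEG_STRONG_KEYS` branch added to get_password_type is empty (`;`), so password_type keeps whatever value the preceding chain gave it and a reader cannot tell whether that is deliberate or an unfinished case; either assign an explicit label or add a comment such as `/* strong keys negotiated: keep the password type chosen above */`. The `strncmp("NETLOGON", ui->service_description, 8)` on the last added line is only a prefix match and dereferences service_description unguarded; if any caller of this function leaves that field NULL (the other callers are not visible here) the comparison is undefined, and `} else if (ui->service_description != NULL && strcmp("NETLOGON", ui->service_description) == 0) {` states the intent exactly. Because this label is what the audit record reports as the credential type, an inaccurate value here misstates the strength of the netlogon exchange that was logged. get_password_type starts before the hunk.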
>@@ -1,8 +0,0 @@
>-# NETLOGON authentication logging tests, currently fail as the
>-# code has not been implemented
>-^samba.tests.auth_log_netlogon_bad_creds.samba.tests.auth_log_netlogon_bad_creds.AuthLogTestsNetLogonBadCreds.test_netlogon_bad_password\(ad_dc_ntvfs:local\)
>-^samba.tests.auth_log_netlogon_bad_creds.samba.tests.auth_log_netlogon_bad_creds.AuthLogTestsNetLogonBadCreds.test_netlogon_bad_machine_name\(ad_dc_ntvfs:local\)
>-^samba.tests.auth_log_netlogon_bad_creds.samba.tests.auth_log_netlogon_bad_creds.AuthLogTestsNetLogonBadCreds.test_netlogon_bad_password\(ad_dc:local\)
>-^samba.tests.auth_log_netlogon_bad_creds.samba.tests.auth_log_netlogon_bad_creds.AuthLogTestsNetLogonBadCreds.test_netlogon_bad_machine_name\(ad_dc:local\)
>-^samba.tests.auth_log_netlogon.samba.tests.auth_log_netlogon.AuthLogTestsNetLogon.test_netlogon\(ad_dc_ntvfs:local\)
>-^samba.tests.auth_log_netlogon.samba.tests.auth_log_netlogon.AuthLogTestsNetLogon.test_netlogon\(ad_dc:local\)
>diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c
>index b50b7a5..c140ee8 100644
>--- a/source4/rpc_server/netlogon/dcerpc_netlogon.c
>+++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c
>@@ -105,8 +105,15 @@ static NTSTATUS dcesrv_netr_ServerReqChallenge(struct dcesrv_call_state *dce_cal
> return NT_STATUS_OK;
> }
>
>-static NTSTATUS dcesrv_netr_ServerAuthenticate3(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
>- struct netr_ServerAuthenticate3 *r)
>+/*
>+ * Do the actual processing of a netr_ServerAuthenticate3 message.
>+ * called from dcesrv_netr_ServerAuthenticate3, which handles the logging.
>+ */
>+static NTSTATUS dcesrv_netr_ServerAuthenticate3_helper(
>+ struct dcesrv_call_state *dce_call,
>+ TALLOC_CTX *mem_ctx,
>+ struct netr_ServerAuthenticate3 *r,
>+ struct dom_sid **sid)
> {
> struct netlogon_server_pipe_state *pipe_state =
> talloc_get_type(dce_call->context->private_data, struct netlogon_server_pipe_state);
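Review bot: The new `sid` out-parameter of dcesrv_netr_ServerAuthenticate3_helper is not described by the header comment added just above it, so a caller cannot tell from the declaration what `*sid` holds after the function returns, in particular after a failure. The later hunk shows it being filled with a talloc_memdup copy on mem_ctx only after the credential check has passed, so as far as the visible code shows it is left untouched on the ACCESS_DENIED path; add a sentence to the comment stating that `*sid` receives a copy of the authenticated account's SID allocated on mem_ctx and is not written when an error status is returned, so callers must initialise it to NULL. The function body continues past the end of the hunk.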
>@@ -469,36 +476,11 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3(struct dcesrv_call_state *dce_ca
> negotiate_flags);
> }
>
>- {
>- char* local = NULL;
>- char* remote = NULL;
>- TALLOC_CTX *frame = talloc_stackframe();
>-
>- remote = tsocket_address_string(dce_call->conn->remote_address,
>- frame);
>- local = tsocket_address_string(dce_call->conn->local_address,
>- frame);
>- if (creds == NULL) {
>- DEBUG(2, ("Failed to authenticate NETLOGON "
>- "account[%s] workstation[%s] "
>- "remote[%s] local[%s]\n",
>- log_escape(frame, r->in.account_name),
>- log_escape(frame, r->in.computer_name),
>- remote, local));
>- TALLOC_FREE(frame);
>- return NT_STATUS_ACCESS_DENIED;
>- } else {
>- DEBUG(3, ("Successful authenticate of NETLOGON "
>- "account[%s] workstation[%s] "
>- "remote[%s] local[%s]\n",
>- log_escape(frame, r->in.account_name),
>- log_escape(frame, r->in.computer_name),
>- remote, local));
>- TALLOC_FREE(frame);
>- }
>+ if (creds == NULL) {
>+ return NT_STATUS_ACCESS_DENIED;
> }
>-
> creds->sid = samdb_result_dom_sid(creds, msgs[0], "objectSid");
>+ *sid = talloc_memdup(mem_ctx, creds->sid, sizeof(struct dom_sid));
>
> nt_status = schannel_save_creds_state(mem_ctx,
> dce_call->conn->dce_ctx->lp_ctx,
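Review bot: `*sid = talloc_memdup(mem_ctx, creds->sid, sizeof(struct dom_sid));` neither checks its own result nor that `creds->sid` is non-NULL after the `samdb_result_dom_sid` lookup on the line before it; if that lookup can return NULL when the entry carries no objectSid (its contract is not visible from the hunk) the copy reads through a null pointer, and on allocation failure the caller goes on to log a successful authentication with no SID attached. At minimum check the allocation, `if (*sid == NULL) { return NT_STATUS_NO_MEMORY; }`, which fails the authentication in the safe direction, and give the missing-attribute case an explicit check with whatever status the surrounding lookup code already uses for that condition. dcesrv_netr_ServerAuthenticate3_helper starts and ends outside the hunk.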
>@@ -514,6 +496,54 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3(struct dcesrv_call_state *dce_ca
> return NT_STATUS_OK;
> }
>
>+/*
>+ * Log a netr_ServerAuthenticate3 request, and then invoke
>+ * dcesrv_netr_ServerAuthenticate3_helper to perform the actual processing
>+ */
>+static NTSTATUS dcesrv_netr_ServerAuthenticate3(
>+ struct dcesrv_call_state *dce_call,
>+ TALLOC_CTX *mem_ctx,
>+ struct netr_ServerAuthenticate3 *r)
>+{
>+ NTSTATUS status;
>+ struct dom_sid *sid = NULL;
>+ struct auth_usersupplied_info ui = {
>+ .local_host = dce_call->conn->local_address,
>+ .remote_host = dce_call->conn->remote_address,
>+ .client = {
>+ .account_name = r->in.account_name,
>+ .domain_name = lpcfg_workgroup(dce_call->conn->dce_ctx->lp_ctx),
>+ },
>+ .service_description = "NETLOGON",
>+ .auth_description = "ServerAuthenticate",
>+ .netlogon_trust_account = {
>+ .computer_name = r->in.computer_name,
>+ .account_name = r->in.account_name,
>+ .negotiate_flags = *r->in.negotiate_flags,
>+ .secure_channel_type = r->in.secure_channel_type,
>+ },
>+ .mapped = {
>+ .account_name = r->in.account_name,
>+ }
>+ };
>+
>+ status = dcesrv_netr_ServerAuthenticate3_helper(dce_call,
>+ mem_ctx,
>+ r,
>+ &sid);
>+ ui.netlogon_trust_account.sid = sid;
>+ log_authentication_event(
>+ dce_call->conn->msg_ctx,
>+ dce_call->conn->dce_ctx->lp_ctx,
>+ &ui,
>+ status,
>+ lpcfg_workgroup(dce_call->conn->dce_ctx->lp_ctx),
>+ r->in.account_name,
>+ NULL,
>+ sid);
>+
>+ return status;
>+}
> static NTSTATUS dcesrv_netr_ServerAuthenticate(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
> struct netr_ServerAuthenticate *r)
> {
>--
>2.7.4
>
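Review bot: `.mapped = { .account_name = r->in.account_name, }` in the new dcesrv_netr_ServerAuthenticate3 fills the "mapped" account of the audit record with the client-supplied name before the helper has resolved anything, so on an ACCESS_DENIED result the record presents an unverified request value under a field name that, if log consumers read it as the resolved account, misleads them; if the helper cannot hand back the resolved name, a comment on the `.mapped` initialiser saying it is the request name pending a lookup would at least make that explicit. `lpcfg_workgroup(dce_call->conn->dce_ctx->lp_ctx)` is evaluated twice, once in the initialiser and once in the log_authentication_event call; hoisting it into `const char *workgroup = lpcfg_workgroup(dce_call->conn->dce_ctx->lp_ctx);` and using it in both places keeps the two values visibly identical. The closing `+}` is immediately followed by the context line `static NTSTATUS dcesrv_netr_ServerAuthenticate(`, so a blank line is missing between the two definitions. The whole new function lies within the hunk.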