From 14a88597eb1a016632e5b859eaddb19961f19e70 Mon Sep 17 00:00:00 2001
From: Gary Lockyer
Date: Mon, 10 Jul 2017 07:48:08 +1200
Subject: [PATCH 3/3] source4 netlogon: Add authentication logging for ServerAuthenticate3
Log NETLOGON authentication activity by instrumenting the netr_ServerAuthenticate3 processing.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12865
Signed-off-by: Gary Lockyer
---
 auth/auth_log.c | 12 ++++
 selftest/knownfail.d/auth-logging | 8 ---
 source4/rpc_server/netlogon/dcerpc_netlogon.c | 90 ++++++++++++++++++---------
 3 files changed, 72 insertions(+), 38 deletions(-)
 delete mode 100644 selftest/knownfail.d/auth-logging
diff --git a/auth/auth_log.c b/auth/auth_log.c
index 9dbf8f2..d4c6c44 100644
--- a/auth/auth_log.c
+++ b/auth/auth_log.c
@@ -639,6 +639,18 @@ static const char* get_password_type(const struct auth_usersupplied_info *ui)
 if (ui->password_type != NULL) {
 password_type = ui->password_type;
+ } else if (ui->auth_description != NULL &&
+ strncmp("ServerAuthenticate", ui->auth_description, 18) == 0)
+ {
+ if (ui->netlogon_trust_account.negotiate_flags
+ & NETLOGON_NEG_SUPPORTS_AES) {
+ password_type = "HMAC-SHA256";
+ } else if (ui->netlogon_trust_account.negotiate_flags
+ & NETLOGON_NEG_STRONG_KEYS) {
+ password_type = "HMAC-MD5";
+ } else {
+ password_type = "DES";
+ }
 } else if (ui->password_state == AUTH_PASSWORD_RESPONSE && (ui->logon_parameters & MSV1_0_ALLOW_MSVCHAPV2) && ui->password.response.nt.length == 24) {
diff --git a/selftest/knownfail.d/auth-logging b/selftest/knownfail.d/auth-logging
deleted file mode 100644
index e10a69e..0000000
--- a/selftest/knownfail.d/auth-logging
+++ /dev/null
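Review bot: The prefix test `strncmp("ServerAuthenticate", ui->auth_description, 18) == 0` hard-codes the literal's length, so a later edit to the string would silently change what matches while still compiling. If the prefix match is deliberate, `strncmp("ServerAuthenticate", ui->auth_description, strlen("ServerAuthenticate")) == 0` keeps the count tied to the literal; if an exact match is meant, `strcmp(ui->auth_description, "ServerAuthenticate") == 0` says so directly. A short comment above the new branch noting that the three password types are derived from `netlogon_trust_account.negotiate_flags` as supplied by the caller would also help, since a caller that sets the description but leaves the flags at zero is reported as "DES". get_password_type continues outside the hunk.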
@@ -1,8 +0,0 @@
-# NETLOGON authentication logging tests, currently fail as the
-# code has not been implemented
-^samba.tests.auth_log_netlogon_bad_creds.samba.tests.auth_log_netlogon_bad_creds.AuthLogTestsNetLogonBadCreds.test_netlogon_bad_password\(ad_dc_ntvfs:local\)
-^samba.tests.auth_log_netlogon_bad_creds.samba.tests.auth_log_netlogon_bad_creds.AuthLogTestsNetLogonBadCreds.test_netlogon_bad_machine_name\(ad_dc_ntvfs:local\)
-^samba.tests.auth_log_netlogon_bad_creds.samba.tests.auth_log_netlogon_bad_creds.AuthLogTestsNetLogonBadCreds.test_netlogon_bad_password\(ad_dc:local\)
-^samba.tests.auth_log_netlogon_bad_creds.samba.tests.auth_log_netlogon_bad_creds.AuthLogTestsNetLogonBadCreds.test_netlogon_bad_machine_name\(ad_dc:local\)
-^samba.tests.auth_log_netlogon.samba.tests.auth_log_netlogon.AuthLogTestsNetLogon.test_netlogon\(ad_dc_ntvfs:local\)
-^samba.tests.auth_log_netlogon.samba.tests.auth_log_netlogon.AuthLogTestsNetLogon.test_netlogon\(ad_dc:local\)
diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c
index b50b7a5..c140ee8 100644
--- a/source4/rpc_server/netlogon/dcerpc_netlogon.c
+++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c
@@ -105,8 +105,15 @@ static NTSTATUS dcesrv_netr_ServerReqChallenge(struct dcesrv_call_state *dce_cal
 return NT_STATUS_OK;
 }
-static NTSTATUS dcesrv_netr_ServerAuthenticate3(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
- struct netr_ServerAuthenticate3 *r)
+/*
+ * Do the actual processing of a netr_ServerAuthenticate3 message.
+ * called from dcesrv_netr_ServerAuthenticate3, which handles the logging.
+ */
+static NTSTATUS dcesrv_netr_ServerAuthenticate3_helper(
+ struct dcesrv_call_state *dce_call,
+ TALLOC_CTX *mem_ctx,
+ struct netr_ServerAuthenticate3 *r,
+ struct dom_sid **sid)
 {
 struct netlogon_server_pipe_state *pipe_state = talloc_get_type(dce_call->context->private_data, struct netlogon_server_pipe_state);
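Review bot: The new `sid` out-parameter on `dcesrv_netr_ServerAuthenticate3_helper` is not described by the comment above it, and the @@ -469 hunk shows it is written only on the success path, so a caller must initialise it itself for the failure case. Suggest extending the comment with ` * On success *sid receives a copy of the authenticated account's SID, allocated on mem_ctx; on failure it is left untouched.` The helper's body continues outside the hunk.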
@@ -469,36 +476,11 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3(struct dcesrv_call_state *dce_ca
 negotiate_flags);
 }
- {
- char* local = NULL;
- char* remote = NULL;
- TALLOC_CTX *frame = talloc_stackframe();
-
- remote = tsocket_address_string(dce_call->conn->remote_address,
- frame);
- local = tsocket_address_string(dce_call->conn->local_address,
- frame);
- if (creds == NULL) {
- DEBUG(2, ("Failed to authenticate NETLOGON "
- "account[%s] workstation[%s] "
- "remote[%s] local[%s]\n",
- log_escape(frame, r->in.account_name),
- log_escape(frame, r->in.computer_name),
- remote, local));
- TALLOC_FREE(frame);
- return NT_STATUS_ACCESS_DENIED;
- } else {
- DEBUG(3, ("Successful authenticate of NETLOGON "
- "account[%s] workstation[%s] "
- "remote[%s] local[%s]\n",
- log_escape(frame, r->in.account_name),
- log_escape(frame, r->in.computer_name),
- remote, local));
- TALLOC_FREE(frame);
- }
+ if (creds == NULL) {
+ return NT_STATUS_ACCESS_DENIED;
 }
- creds->sid = samdb_result_dom_sid(creds, msgs[0], "objectSid");
+ *sid = talloc_memdup(mem_ctx, creds->sid, sizeof(struct dom_sid));
 nt_status = schannel_save_creds_state(mem_ctx, dce_call->conn->dce_ctx->lp_ctx,
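Review bot: This hunk deletes the assignment `creds->sid = samdb_result_dom_sid(creds, msgs[0], "objectSid");` yet the added line right after it reads `creds->sid` as the source for `talloc_memdup`; unless `creds->sid` is populated earlier in the helper (outside this hunk) or by the code that creates `creds`, the copy is taken from whatever that pointer holds, most likely NULL. If the intent was only to replace the DEBUG block with the out-parameter, keep the assignment and add the copy after it: `creds->sid = samdb_result_dom_sid(creds, msgs[0], "objectSid");` then `*sid = talloc_memdup(mem_ctx, creds->sid, sizeof(struct dom_sid));`. The `talloc_memdup` result is also unchecked, so on allocation failure `*sid` stays NULL and the caller logs the event without a SID rather than as an error; a comment stating that this is acceptable would make the choice explicit. The enclosing helper starts and ends outside the hunk.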
@@ -514,6 +496,54 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3(struct dcesrv_call_state *dce_ca
 return NT_STATUS_OK;
 }
+/*
+ * Log a netr_ServerAuthenticate3 request, and then invoke
+ * dcesrv_netr_ServerAuthenticate3_helper to perform the actual processing
+ */
+static NTSTATUS dcesrv_netr_ServerAuthenticate3(
+ struct dcesrv_call_state *dce_call,
+ TALLOC_CTX *mem_ctx,
+ struct netr_ServerAuthenticate3 *r)
+{
+ NTSTATUS status;
+ struct dom_sid *sid = NULL;
+ struct auth_usersupplied_info ui = {
+ .local_host = dce_call->conn->local_address,
+ .remote_host = dce_call->conn->remote_address,
+ .client = {
+ .account_name = r->in.account_name,
+ .domain_name = lpcfg_workgroup(dce_call->conn->dce_ctx->lp_ctx),
+ },
+ .service_description = "NETLOGON",
+ .auth_description = "ServerAuthenticate",
+ .netlogon_trust_account = {
+ .computer_name = r->in.computer_name,
+ .account_name = r->in.account_name,
+ .negotiate_flags = *r->in.negotiate_flags,
+ .secure_channel_type = r->in.secure_channel_type,
+ },
+ .mapped = {
+ .account_name = r->in.account_name,
+ }
+ };
+
+ status = dcesrv_netr_ServerAuthenticate3_helper(dce_call,
+ mem_ctx,
+ r,
+ &sid);
+ ui.netlogon_trust_account.sid = sid;
+ log_authentication_event(
+ dce_call->conn->msg_ctx,
+ dce_call->conn->dce_ctx->lp_ctx,
+ &ui,
+ status,
+ lpcfg_workgroup(dce_call->conn->dce_ctx->lp_ctx),
+ r->in.account_name,
+ NULL,
+ sid);
+
+ return status;
+}
 static NTSTATUS dcesrv_netr_ServerAuthenticate(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
 struct netr_ServerAuthenticate *r)
 {
-- 
2.7.4
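Review bot: `.negotiate_flags = *r->in.negotiate_flags` in the `ui` initialiser records the flags the client asked for, but the auth_log.c hunk derives the logged password type (HMAC-SHA256, HMAC-MD5 or DES) from exactly this field, so if the helper narrows the flags to what the server accepts (the `negotiate_flags);` context in the @@ -469 hunk suggests a local holding the negotiated value) the log can name a stronger algorithm than the one in use. If the helper stores the negotiated set in `r->out.negotiate_flags` on both paths, adding `ui.netlogon_trust_account.negotiate_flags = *r->out.negotiate_flags;` next to the `ui.netlogon_trust_account.sid = sid;` line would make the logged type match the channel. Separately, the removed DEBUG block passed `r->in.account_name` and `r->in.computer_name` through `log_escape()` before writing them out, while the new code hands the raw wire strings to `log_authentication_event`; if that function does not escape its inputs, client-chosen names containing newlines or control characters reach the log unescaped, which is worth confirming in auth_log.c. A one-line comment on why `sid` is passed both inside `ui` and as the final argument would also help the next reader.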