Bug 12865 - Samba 4.7 auth audit does not track machine account ServerAuthenticate3
Status: RESOLVED FIXED
Product: Samba 4.1 and newer
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB
Version: unspecified
Hardware: All
OS: All
Importance: P5 regression
Target Milestone: 4.7
Assigned To: Karolin Seeger
QA Contact: Samba QA Contact
Depends on:
Blocks: 11998
Reported: 2017-06-26 09:14 UTC by Andrew Bartlett
Modified: 2017-09-19 18:55 UTC

Attachments
Modify existing tests to handle netlogon message (7.01 KB, patch) - 2017-07-12 19:18 UTC, Gary Lockyer
Test for NETLOGON auth logging (14.12 KB, patch) - 2017-07-12 19:19 UTC, Gary Lockyer
Add auth logging to ServerAuthenticate3 (6.39 KB, patch) - 2017-07-12 19:20 UTC, Gary Lockyer
Modify existing tests to handle netlogon message (7.01 KB, patch) - 2017-07-17 19:14 UTC, Gary Lockyer
Tests for NETLOGON auth logging (16.42 KB, patch) - 2017-07-17 19:15 UTC, Gary Lockyer
Add auth logging to ServerAuthenticate3 (6.56 KB, patch) - 2017-07-17 19:16 UTC, Gary Lockyer
patch cherry-picked from master for 4.7 (only) (45.88 KB, patch) - 2017-07-25 01:51 UTC, Andrew Bartlett - flags: abartlet: review? (garming); dbagnall: review+

Description Andrew Bartlett 2017-06-26 09:14:23 UTC
Auditing of machine account logins over NETLOGON, e.g. ServerAuthenticate3, was out of scope for the initial effort to provide user account auditing.

However it is reasonable to desire that machine accounts are subject to similar audit when used on the NETLOGON service, just as Kerberos was added to the originally NTLM-only scheme.
Comment 1 Stefan Metzmacher 2017-07-04 19:40:04 UTC
Mark as regression in order to remember to reevaluate before 4.7.0
Comment 2 Gary Lockyer 2017-07-11 19:41:17 UTC
Have made changes to source4/rpc_server/netlogon/dcerpc_netlogon.c and associated tests. Running build and tests now, will submit patch set once that is complete.
Comment 3 Gary Lockyer 2017-07-12 19:18:57 UTC
Created attachment 13365
Modify existing tests to handle netlogon message
Comment 4 Gary Lockyer 2017-07-12 19:19:47 UTC
Created attachment 13366
Test for NETLOGON auth logging
Comment 5 Gary Lockyer 2017-07-12 19:20:31 UTC
Created attachment 13367
Add auth logging to ServerAuthenticate3
Comment 6 Gary Lockyer 2017-07-17 19:12:18 UTC
Sample JSON

Successful Auth message:

{ "timestamp": "2017-07-18T06:57:18.044871+1200",
  "type": "Authentication",
  "Authentication": {
    "version": {"major": 1, "minor": 0},
    "becameDomain": "ADDOMAIN",
    "authDescription": "ServerAuthenticate",
    "remoteAddress": "ipv4:127.0.0.11:23613",
    "status": "NT_STATUS_OK",
    "serviceDescription": "NETLOGON",
    "localAddress": "ipv4:127.0.0.30:445",
    "clientDomain": "ADDOMAIN",
    "becameSid": "S-1-5-21-957060844-616297711-1930508676-1000",
    "clientAccount": "ADDC$",
    "workstation": null,
    "becameAccount": "ADDC$",
    "mappedAccount": "ADDC$",
    "mappedDomain": null,
    "netlogonComputer": "ADDC",
    "netlogonTrustAccount": "ADDC$",
    "netlogonNegotiateFlags": "0x610FFFFF",
    "netlogonSecureChannelType": 6,
    "netlogonTrustAccountSid": "S-1-5-21-957060844-616297711-1930508676-1000",
    "passwordType": "HMAC-SHA256"
  }
}

Unsuccessful auth message:

{ "timestamp": "2017-07-18T06:58:03.113876+1200",
  "type": "Authentication",
  "Authentication": {
    "version": {"major": 1, "minor": 0},
    "becameDomain": "ADDOMAIN",
    "authDescription": "ServerAuthenticate",
    "remoteAddress": "unix:/root/ncalrpc_as_system",
    "status": "NT_STATUS_OK",
    "serviceDescription": "NETLOGON",
    "localAddress": "unix:/home/gary/projects/samba03/st/ad_dc/ncalrpc/DEFAULT",
    "clientDomain": "ADDOMAIN",
    "becameSid": "S-1-5-21-957060844-616297711-1930508676-1115",
    "clientAccount": "SamLogonTest$",
    "workstation": null,
    "becameAccount": "SamLogonTest$",
    "mappedAccount": "SamLogonTest$",
    "mappedDomain": null,
    "netlogonComputer": "ADDC",
    "netlogonTrustAccount": "SamLogonTest$",
    "netlogonNegotiateFlags": "0x610FFFFF",
    "netlogonSecureChannelType": 2,
    "netlogonTrustAccountSid": "S-1-5-21-957060844-616297711-1930508676-1115",
    "passwordType": "HMAC-SHA256"
  }
}
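As an added example (not code from this bug or from Samba), here is a small Python consumer for the Authentication JSON records quoted in comment 6. It pulls the NETLOGON records out of a Samba log, decodes netlogonSecureChannelType and the negotiate flags, and raises the findings a detection engineer would want from this audit trail: a non-OK status, a secure channel set up without AES, a server-type (BDC) channel requested by an account not known as a DC, and a netlogonComputer that does not match netlogonTrustAccount. The sample log lines (the WS01$ and NT_STATUS_ACCESS_DENIED records in particular), the KNOWN_DC_ACCOUNTS set and the "JSON Authentication: " line prefix are constructed or assumed for the example; the channel-type values and flag bits are the netr_SchannelType and netr_NegotiateFlags definitions from MS-NRPC as carried in Samba's IDL.

```python
import json
from typing import Dict, Iterable, List

# Constructed sample log lines modelled on the records in comment 6. The
# "JSON Authentication: " prefix is assumed to be how the auth_json_audit debug
# class writes the record into the log; the parser also accepts bare JSON.
# The WS01$, NT_STATUS_ACCESS_DENIED and Kerberos records are constructed.
SAMPLE_LOG = """\
JSON Authentication: {"timestamp": "2017-07-18T06:57:18.044871+1200", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 0}, "authDescription": "ServerAuthenticate", "serviceDescription": "NETLOGON", "status": "NT_STATUS_OK", "remoteAddress": "ipv4:127.0.0.11:23613", "clientDomain": "ADDOMAIN", "clientAccount": "ADDC$", "netlogonComputer": "ADDC", "netlogonTrustAccount": "ADDC$", "netlogonNegotiateFlags": "0x610FFFFF", "netlogonSecureChannelType": 6, "passwordType": "HMAC-SHA256"}}
JSON Authentication: {"timestamp": "2017-07-18T06:58:03.113876+1200", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 0}, "authDescription": "ServerAuthenticate", "serviceDescription": "NETLOGON", "status": "NT_STATUS_OK", "remoteAddress": "ipv4:10.0.0.5:49152", "clientDomain": "ADDOMAIN", "clientAccount": "WS01$", "netlogonComputer": "WS01", "netlogonTrustAccount": "WS01$", "netlogonNegotiateFlags": "0x600FFFFF", "netlogonSecureChannelType": 2, "passwordType": "HMAC-MD5"}}
JSON Authentication: {"timestamp": "2017-07-18T06:59:10.000000+1200", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 0}, "authDescription": "ServerAuthenticate", "serviceDescription": "NETLOGON", "status": "NT_STATUS_ACCESS_DENIED", "remoteAddress": "ipv4:10.0.0.99:50001", "clientDomain": "ADDOMAIN", "clientAccount": "ADDC$", "netlogonComputer": "ROGUE", "netlogonTrustAccount": "ADDC$", "netlogonNegotiateFlags": "0x610FFFFF", "netlogonSecureChannelType": 6, "passwordType": "HMAC-SHA256"}}
JSON Authentication: {"timestamp": "2017-07-18T07:00:00.000000+1200", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 0}, "authDescription": "ENC-TS Pre-authentication", "serviceDescription": "Kerberos KDC", "status": "NT_STATUS_OK", "clientAccount": "alice"}}
"""

# netr_SchannelType (MS-NRPC NETLOGON_SECURE_CHANNEL_TYPE) values.
CHANNEL_TYPES = {0: "SEC_CHAN_NULL", 1: "SEC_CHAN_LOCAL", 2: "SEC_CHAN_WKSTA",
                 3: "SEC_CHAN_DNS_DOMAIN", 4: "SEC_CHAN_DOMAIN", 5: "SEC_CHAN_LANMAN",
                 6: "SEC_CHAN_BDC", 7: "SEC_CHAN_RODC"}

# netr_NegotiateFlags bits that decide how strong the secure channel is.
NEG_FLAG_NAMES = {0x00000004: "NEG_ARCFOUR", 0x00004000: "NEG_STRONG_KEYS",
                  0x01000000: "NEG_SUPPORTS_AES", 0x40000000: "NEG_AUTHENTICATED_RPC"}

# Accounts expected to open a server (BDC) channel; constructed for the example.
KNOWN_DC_ACCOUNTS = {"ADDC$"}


def parse_netlogon_events(lines: Iterable[str]) -> List[Dict]:
    """Return the Authentication records whose serviceDescription is NETLOGON."""
    events = []
    for line in lines:
        start = line.find("{")          # skip any log prefix before the JSON
        if start < 0:
            continue
        try:
            rec = json.loads(line[start:])
        except json.JSONDecodeError:
            continue
        if rec.get("type") != "Authentication":
            continue
        if rec.get("Authentication", {}).get("serviceDescription") != "NETLOGON":
            continue
        events.append(rec)
    return events


def negotiated(flags_hex: str) -> List[str]:
    """Name the strength-relevant negotiate flags set in a hex flags string."""
    flags = int(flags_hex, 16)
    return [name for bit, name in NEG_FLAG_NAMES.items() if flags & bit]


def classify(rec: Dict) -> List[str]:
    """Return human-readable findings for one NETLOGON authentication record."""
    a = rec["Authentication"]
    acct = a.get("clientAccount", "?")
    src = a.get("remoteAddress", "?")
    findings = []
    status = a.get("status")
    if status != "NT_STATUS_OK":
        findings.append(f"{acct} from {src}: secure channel setup failed ({status})")
    flags = negotiated(a.get("netlogonNegotiateFlags", "0x0"))
    if "NEG_SUPPORTS_AES" not in flags:
        findings.append(f"{acct} from {src}: AES not negotiated, "
                        f"passwordType={a.get('passwordType')}, flags={flags}")
    chan = CHANNEL_TYPES.get(a.get("netlogonSecureChannelType"), "unknown")
    if chan == "SEC_CHAN_BDC" and acct not in KNOWN_DC_ACCOUNTS:
        findings.append(f"{acct} from {src}: server-type channel from a non-DC account")
    computer = (a.get("netlogonComputer") or "").upper()
    trust = (a.get("netlogonTrustAccount") or "").rstrip("$").upper()
    if computer and trust and computer != trust:
        findings.append(f"{acct} from {src}: computer name {computer} "
                        f"does not match trust account {trust}$")
    return findings


def audit(lines: Iterable[str]) -> Dict:
    """Summarise NETLOGON authentications in a log and collect all findings."""
    events = parse_netlogon_events(lines)
    by_status: Dict[str, int] = {}
    findings: List[str] = []
    for rec in events:
        st = rec["Authentication"].get("status", "?")
        by_status[st] = by_status.get(st, 0) + 1
        findings.extend(classify(rec))
    return {"total": len(events), "by_status": by_status, "findings": findings}


if __name__ == "__main__":
    report = audit(SAMPLE_LOG.splitlines())
    print(f"{report['total']} NETLOGON authentications: {report['by_status']}")
    for finding in report["findings"]:
        print("ALERT:", finding)
```

Run against the constructed sample, the ADDC$ record from the page produces no alert, the WS01$ record is flagged for negotiating without AES, and the access-denied record is flagged twice (failed status, and a claimed computer name that does not belong to the trust account). The records themselves come out of Samba when the auth_json_audit debug class is raised, as I understand it with something like `log level = 1 auth_json_audit:3` on a build with JSON (jansson) support; treat that setting as an assumption to check against your version's smb.conf documentation.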
Comment 7 Gary Lockyer 2017-07-17 19:14:24 UTC
Created attachment 13394
Modify existing tests to handle netlogon message
Comment 8 Gary Lockyer 2017-07-17 19:15:23 UTC
Created attachment 13395
Tests for NETLOGON auth logging
Comment 9 Gary Lockyer 2017-07-17 19:16:06 UTC
Created attachment 13396
Add auth logging to ServerAuthenticate3
Comment 10 Andrew Bartlett 2017-07-25 01:51:05 UTC
Created attachment 13426
patch cherry-picked from master for 4.7 (only)

Here is the backported patch to Samba 4.7, ensuring this feature is comprehensive for 4.7.
Comment 11 Karolin Seeger 2017-07-31 09:26:06 UTC
Pushed to autobuild-v4-7-test.
Comment 12 Karolin Seeger 2017-08-01 06:05:00 UTC
(In reply to Karolin Seeger from comment #11)
Pushed to v4-7-test.
Closing out bug report.

Thanks!
Comment 13 Andrew Bartlett 2017-09-19 18:55:02 UTC
Fixed in master by a420b1bdccbba72faf1108f7fae8b8202075db97 for Samba 4.8, backported to Samba 4.7.0.