Auditing of machine account logins over NETLOGON, e.g. ServerAuthenticate3, was out of scope for the initial effort to provide user account auditing. However, it is reasonable to desire that machine accounts are subject to similar audit when used on the NETLOGON service, just as Kerberos was added to the originally NTLM-only scheme.
Mark as regression in order to remember to reevaluate before 4.7.0
Have made changes to source4/rpc_server/netlogon/dcerpc_netlogon.c and associated tests. Running build and tests now; will submit patch set once that is complete.
Created attachment 13365: Modify existing tests to handle netlogon message
Created attachment 13366: Test for NETLOGON auth logging
Created attachment 13367: Add auth logging to ServerAuthenticate3
Sample JSON Successful Auth message:

{
  "timestamp": "2017-07-18T06:57:18.044871+1200",
  "type": "Authentication",
  "Authentication": {
    "version": {"major": 1, "minor": 0},
    "becameDomain": "ADDOMAIN",
    "authDescription": "ServerAuthenticate",
    "remoteAddress": "ipv4:127.0.0.11:23613",
    "status": "NT_STATUS_OK",
    "serviceDescription": "NETLOGON",
    "localAddress": "ipv4:127.0.0.30:445",
    "clientDomain": "ADDOMAIN",
    "becameSid": "S-1-5-21-957060844-616297711-1930508676-1000",
    "clientAccount": "ADDC$",
    "workstation": null,
    "becameAccount": "ADDC$",
    "mappedAccount": "ADDC$",
    "mappedDomain": null,
    "netlogonComputer": "ADDC",
    "netlogonTrustAccount": "ADDC$",
    "netlogonNegotiateFlags": "0x610FFFFF",
    "netlogonSecureChannelType": 6,
    "netlogonTrustAccountSid": "S-1-5-21-957060844-616297711-1930508676-1000",
    "passwordType": "HMAC-SHA256"
  }
}

Unsuccessful auth message:

{
  "timestamp": "2017-07-18T06:58:03.113876+1200",
  "type": "Authentication",
  "Authentication": {
    "version": {"major": 1, "minor": 0},
    "becameDomain": "ADDOMAIN",
    "authDescription": "ServerAuthenticate",
    "remoteAddress": "unix:/root/ncalrpc_as_system",
    "status": "NT_STATUS_OK",
    "serviceDescription": "NETLOGON",
    "localAddress": "unix:/home/gary/projects/samba03/st/ad_dc/ncalrpc/DEFAULT",
    "clientDomain": "ADDOMAIN",
    "becameSid": "S-1-5-21-957060844-616297711-1930508676-1115",
    "clientAccount": "SamLogonTest$",
    "workstation": null,
    "becameAccount": "SamLogonTest$",
    "mappedAccount": "SamLogonTest$",
    "mappedDomain": null,
    "netlogonComputer": "ADDC",
    "netlogonTrustAccount": "SamLogonTest$",
    "netlogonNegotiateFlags": "0x610FFFFF",
    "netlogonSecureChannelType": 2,
    "netlogonTrustAccountSid": "S-1-5-21-957060844-616297711-1930508676-1115",
    "passwordType": "HMAC-SHA256"
  }
}
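As an added example (not code from the bug report or from Samba), a small consumer for these NETLOGON audit records: it reads the JSON-per-line auth log, keeps only ServerAuthenticate events, and flags failed secure-channel setups, channels negotiated without AES (the passwordType/negotiate-flag pair shown above), and records where the client account and the trust account disagree. The first two log lines are the samples from this report; the third is a constructed failure, and the NETLOGON_NEG_SUPPORTS_AES bit value is taken from MS-NRPC.

```python
import json

NETLOGON_NEG_SUPPORTS_AES = 0x01000000  # "supports AES" negotiate flag (MS-NRPC)

# Samba auth-log records, one JSON document per line. The first two are the
# samples quoted in this bug report; the third is constructed for this example.
SAMPLE_LOG = "\n".join([
    '{"timestamp": "2017-07-18T06:57:18.044871+1200", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 0}, "becameDomain": "ADDOMAIN", "authDescription": "ServerAuthenticate", "remoteAddress": "ipv4:127.0.0.11:23613", "status": "NT_STATUS_OK", "serviceDescription": "NETLOGON", "localAddress": "ipv4:127.0.0.30:445", "clientDomain": "ADDOMAIN", "becameSid": "S-1-5-21-957060844-616297711-1930508676-1000", "clientAccount": "ADDC$", "workstation": null, "becameAccount": "ADDC$", "mappedAccount": "ADDC$", "mappedDomain": null, "netlogonComputer": "ADDC", "netlogonTrustAccount": "ADDC$", "netlogonNegotiateFlags": "0x610FFFFF", "netlogonSecureChannelType": 6, "netlogonTrustAccountSid": "S-1-5-21-957060844-616297711-1930508676-1000", "passwordType": "HMAC-SHA256"}}',
    '{"timestamp": "2017-07-18T06:58:03.113876+1200", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 0}, "becameDomain": "ADDOMAIN", "authDescription": "ServerAuthenticate", "remoteAddress": "unix:/root/ncalrpc_as_system", "status": "NT_STATUS_OK", "serviceDescription": "NETLOGON", "localAddress": "unix:/home/gary/projects/samba03/st/ad_dc/ncalrpc/DEFAULT", "clientDomain": "ADDOMAIN", "becameSid": "S-1-5-21-957060844-616297711-1930508676-1115", "clientAccount": "SamLogonTest$", "workstation": null, "becameAccount": "SamLogonTest$", "mappedAccount": "SamLogonTest$", "mappedDomain": null, "netlogonComputer": "ADDC", "netlogonTrustAccount": "SamLogonTest$", "netlogonNegotiateFlags": "0x610FFFFF", "netlogonSecureChannelType": 2, "netlogonTrustAccountSid": "S-1-5-21-957060844-616297711-1930508676-1115", "passwordType": "HMAC-SHA256"}}',
    # Constructed: a workstation failing ServerAuthenticate without the AES flag.
    '{"timestamp": "2017-07-18T07:02:41.000000+1200", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 0}, "becameDomain": "ADDOMAIN", "authDescription": "ServerAuthenticate", "remoteAddress": "ipv4:192.0.2.7:49152", "status": "NT_STATUS_ACCESS_DENIED", "serviceDescription": "NETLOGON", "localAddress": "ipv4:127.0.0.30:445", "clientDomain": "ADDOMAIN", "clientAccount": "WS01$", "workstation": null, "netlogonComputer": "WS01", "netlogonTrustAccount": "WS01$", "netlogonNegotiateFlags": "0x600FFFFF", "netlogonSecureChannelType": 2, "passwordType": "HMAC-MD5"}}',
])


def parse_netlogon_events(text):
    """Yield the 'Authentication' payload of every NETLOGON record in the log."""
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        auth = rec.get("Authentication", {})
        if rec.get("type") == "Authentication" and auth.get("serviceDescription") == "NETLOGON":
            yield auth


def netlogon_findings(text):
    """Return (kind, clientAccount, remoteAddress) tuples a reviewer should look at."""
    findings = []
    for auth in parse_netlogon_events(text):
        who = (auth["clientAccount"], auth["remoteAddress"])
        flags = int(auth["netlogonNegotiateFlags"], 16)
        # Secure-channel setup rejected by the DC.
        if auth["status"] != "NT_STATUS_OK":
            findings.append(("failed-secure-channel",) + who)
        # Channel negotiated without AES: the DC fell back to a weaker credential scheme.
        if not flags & NETLOGON_NEG_SUPPORTS_AES or auth["passwordType"] != "HMAC-SHA256":
            findings.append(("non-aes-schannel",) + who)
        # Client presented one account but the channel was bound to another.
        if auth["clientAccount"] != auth["netlogonTrustAccount"]:
            findings.append(("trust-account-mismatch",) + who)
    return findings
```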
Created attachment 13394: Modify existing tests to handle netlogon message
Created attachment 13395: Tests for NETLOGON auth logging
Created attachment 13396: Add auth logging to ServerAuthenticate3
Created attachment 13426: patch cherry-picked from master for 4.7 (only). Here is the backported patch to Samba 4.7, ensuring this feature is comprehensive for 4.7.
Pushed to autobuild-v4-7-test.
(In reply to Karolin Seeger from comment #11) Pushed to v4-7-test. Closing out bug report. Thanks!
Fixed in master by a420b1bdccbba72faf1108f7fae8b8202075db97 for Samba 4.8, backported to Samba 4.7.0.