12865 – Samba 4.7 auth audit does not track machine account ServerAuthenticate3

Bug 12865 - Samba 4.7 auth audit does not track machine account ServerAuthenticate3

Summary: Samba 4.7 auth audit does not track machine account ServerAuthenticate3

Status:	RESOLVED FIXED

Alias:	None

Product:	Samba 4.1 and newer
Classification:	Unclassified
Component:	AD: LDB/DSDB/SAMDB (show other bugs)
Version:	unspecified
Hardware:	All All

Importance:	P5 regression (vote)
Target Milestone:	4.7
Assignee:	Karolin Seeger
QA Contact:	Samba QA Contact

URL:
Keywords:

Depends on:
Blocks:	11998
	Show dependency tree / graph

Reported:	2017-06-26 09:14 UTC by Andrew Bartlett
Modified:	2017-09-19 18:55 UTC (History)
CC List:	4 users (show)

See Also:

Attachments
Modify existing tests to handle netlogon message (7.01 KB, patch) 2017-07-12 19:18 UTC, Gary Lockyer	no flags	Details
Test for NETLOGON auth logging (14.12 KB, patch) 2017-07-12 19:19 UTC, Gary Lockyer	no flags	Details
Add auth logging to ServerAuthenticate3 (6.39 KB, patch) 2017-07-12 19:20 UTC, Gary Lockyer	no flags	Details
Modify existing tests to handle netlogon message (7.01 KB, patch) 2017-07-17 19:14 UTC, Gary Lockyer	no flags	Details
Tests for NETLOGON auth logging (16.42 KB, patch) 2017-07-17 19:15 UTC, Gary Lockyer	no flags	Details
Add auth logging to ServerAuthenticate3 (6.56 KB, patch) 2017-07-17 19:16 UTC, Gary Lockyer	no flags	Details
patch cherry-picked from master for 4.7 (only) (45.88 KB, patch) 2017-07-25 01:51 UTC, Andrew Bartlett	abartlet: review? (garming) dbagnall: review+	Details
Show Obsolete (3) View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Andrew Bartlett 2017-06-26 09:14:23 UTC

Auditing of machine account logins over NETLOGON, eg ServerAuthenticate3 was out of scope for the initial effort to provide user account auditing. 

However it is reasonable to desire that machine accounts are subject to similar audit when used on the NETLOGON service, just as Kerberos was added to the originally NTLM-only scheme.

Comment 1 Stefan Metzmacher 2017-07-04 19:40:04 UTC

Mark as regression in order to remember to reevaluate before 4.7.0

Comment 2 Gary Lockyer 2017-07-11 19:41:17 UTC

Have made changes to source4/rpc_server/netlogon/dcerpc_netlogon.c and associated tests.  Running build and tests now, will submit patch set once that is complete

Comment 3 Gary Lockyer 2017-07-12 19:18:57 UTC

Created attachment 13365 [details]
Modify existing tests to handle netlogon message

Comment 4 Gary Lockyer 2017-07-12 19:19:47 UTC

Created attachment 13366 [details]
Test for NETLOGON auth logging

Comment 5 Gary Lockyer 2017-07-12 19:20:31 UTC

Created attachment 13367 [details]
Add auth logging to ServerAuthenticate3

Comment 6 Gary Lockyer 2017-07-17 19:12:18 UTC

Sample JSON

Successful Auth message:

{ "timestamp": "2017-07-18T06:57:18.044871+1200",
  "type": "Authentication",
  "Authentication": {
    "version": {"major": 1, "minor": 0},
   "becameDomain": "ADDOMAIN",
   "authDescription": "ServerAuthenticate",
   "remoteAddress": "ipv4:127.0.0.11:23613",
   "status": "NT_STATUS_OK",
   "serviceDescription": "NETLOGON",
   "localAddress": "ipv4:127.0.0.30:445",
   "clientDomain": "ADDOMAIN",
   "becameSid": "S-1-5-21-957060844-616297711-1930508676-1000",
   "clientAccount": "ADDC$",
   "workstation": null,
   "becameAccount": "ADDC$",
   "mappedAccount": "ADDC$",
   "mappedDomain": null,
   "netlogonComputer": "ADDC",
   "netlogonTrustAccount": "ADDC$",
   "netlogonNegotiateFlags": "0x610FFFFF",
   "netlogonSecureChannelType": 6,
   "netlogonTrustAccountSid":   
      "S-1-5-21-957060844-616297711-1930508676-1000",
   "passwordType": "HMAC-SHA256"
  }
}

Unsuccessful auth message.

{ "timestamp": "2017-07-18T06:58:03.113876+1200",
  "type": "Authentication",
  "Authentication": {
    "version": {"major": 1, "minor": 0},
    "becameDomain": "ADDOMAIN", 
    "authDescription": "ServerAuthenticate", 
    "remoteAddress": "unix:/root/ncalrpc_as_system", 
    "status": "NT_STATUS_OK", 
    "serviceDescription": "NETLOGON", 
    "localAddress": 
       "unix:/home/gary/projects/samba03/st/ad_dc/ncalrpc/DEFAULT",  
    "clientDomain": "ADDOMAIN",
    "becameSid": "S-1-5-21-957060844-616297711-1930508676-1115",
    "clientAccount": "SamLogonTest$", 
    "workstation": null, 
    "becameAccount": "SamLogonTest$",
    "mappedAccount": "SamLogonTest$",
    "mappedDomain": null,
    "netlogonComputer": "ADDC",
    "netlogonTrustAccount": "SamLogonTest$",
    "netlogonNegotiateFlags": "0x610FFFFF",
    "netlogonSecureChannelType": 2,
    "netlogonTrustAccountSid": 
       "S-1-5-21-957060844-616297711-1930508676-1115",
    "passwordType": "HMAC-SHA256"
  }
}

Comment 7 Gary Lockyer 2017-07-17 19:14:24 UTC

Created attachment 13394 [details]
Modify existing tests to handle netlogon message

Comment 8 Gary Lockyer 2017-07-17 19:15:23 UTC

Created attachment 13395 [details]
Tests for NETLOGON auth logging

Comment 9 Gary Lockyer 2017-07-17 19:16:06 UTC

Created attachment 13396 [details]
Add auth logging to ServerAuthenticate3

Comment 10 Andrew Bartlett 2017-07-25 01:51:05 UTC

Created attachment 13426 [details]
patch cherry-picked from master for 4.7 (only)

Here is the backported patch to Samba 4.7, ensuring this feature is comprehensive for 4.7.

Comment 11 Karolin Seeger 2017-07-31 09:26:06 UTC

Pushed to autobuild-v4-7-test.

Comment 12 Karolin Seeger 2017-08-01 06:05:00 UTC

(In reply to Karolin Seeger from comment #11)
Pushed to v4-7-test.
Closing out bug report.

Thanks!

Comment 13 Andrew Bartlett 2017-09-19 18:55:02 UTC

Fixed in master by a420b1bdccbba72faf1108f7fae8b8202075db97 for Samba 4.8, backported to Samba 4.7.0.