author | Gary Lockyer <gary@catalyst.net.nz> | 2017-07-10 07:48:08 +1200 |
---|---|---|
committer | Andrew Bartlett <abartlet@samba.org> | 2017-07-24 23:29:23 +0200 |
commit | efc335a03062740f51a6edd09d765a8b77e239c5 (patch) | |
tree | 924d5a0b417185ea2b1f84a7f4613e5a7e84a725 | |
parent | f3d3e6da5a42833b8de86e9b7c0aa1c56e1c4e80 (diff) | |
download | samba-efc335a03062740f51a6edd09d765a8b77e239c5.tar.gz |
source4 netlogon: Add authentication logging for ServerAuthenticate3
Log NETLOGON authentication activity by instrumenting the
netr_ServerAuthenticate3 processing.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12865
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
-rw-r--r-- | auth/auth_log.c | 12 | ||||
-rw-r--r-- | selftest/knownfail.d/auth-logging | 8 | ||||
-rw-r--r-- | source4/rpc_server/netlogon/dcerpc_netlogon.c | 90 |
3 files changed, 72 insertions, 38 deletions
diff --git a/auth/auth_log.c b/auth/auth_log.c
index 9dbf8f210fc..d4c6c445bed 100644
--- a/auth/auth_log.c
+++ b/auth/auth_log.c
@@ -639,6 +639,18 @@ static const char* get_password_type(const struct auth_usersupplied_info *ui)
 if (ui->password_type != NULL) {
 password_type = ui->password_type;
+ } else if (ui->auth_description != NULL &&
+ strncmp("ServerAuthenticate", ui->auth_description, 18) == 0)
+ {
+ if (ui->netlogon_trust_account.negotiate_flags
+ & NETLOGON_NEG_SUPPORTS_AES) {
+ password_type = "HMAC-SHA256";
+ } else if (ui->netlogon_trust_account.negotiate_flags
+ & NETLOGON_NEG_STRONG_KEYS) {
+ password_type = "HMAC-MD5";
+ } else {
+ password_type = "DES";
+ }
 } else if (ui->password_state == AUTH_PASSWORD_RESPONSE &&
 (ui->logon_parameters & MSV1_0_ALLOW_MSVCHAPV2) &&
 ui->password.response.nt.length == 24) {
diff --git a/selftest/knownfail.d/auth-logging b/selftest/knownfail.d/auth-logging
deleted file mode 100644
index 1f3532d4a34..00000000000
--- a/selftest/knownfail.d/auth-logging
+++ /dev/null
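Review bot: The `18` in `strncmp("ServerAuthenticate", ui->auth_description, 18) == 0` is a hand-counted prefix length that silently breaks if the description string is ever edited in either file; write it as `strncmp("ServerAuthenticate", ui->auth_description, strlen("ServerAuthenticate")) == 0` or share a named constant with the netlogon caller that sets `auth_description`. Because this is a prefix match it will also classify any future description starting with that text by NETLOGON negotiate flags, which is presumably intended for the other ServerAuthenticate variants but deserves a one-line comment such as `/* ServerAuthenticate[23]: the "password" is the machine credential; report its MAC from the negotiate flags */`. The `DES` fallback is reached whenever neither `NETLOGON_NEG_SUPPORTS_AES` nor `NETLOGON_NEG_STRONG_KEYS` is set, so a log reader seeing `DES` should be told that means a weak-crypto client rather than a parse failure. get_password_type starts and ends outside this hunk.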
@@ -1,8 +0,0 @@
-# NETLOGON authentication logging tests, currently fail as the
-# code has not been implemented
-^samba.tests.auth_log_netlogon_bad_creds.samba.tests.auth_log_netlogon_bad_creds.AuthLogTestsNetLogonBadCreds.test_netlogon_bad_password\(ad_dc_ntvfs:local\)
-^samba.tests.auth_log_netlogon_bad_creds.samba.tests.auth_log_netlogon_bad_creds.AuthLogTestsNetLogonBadCreds.test_netlogon_bad_machine_name\(ad_dc_ntvfs:local\)
-^samba.tests.auth_log_netlogon_bad_creds.samba.tests.auth_log_netlogon_bad_creds.AuthLogTestsNetLogonBadCreds.test_netlogon_bad_password\(ad_dc:local\)
-^samba.tests.auth_log_netlogon_bad_creds.samba.tests.auth_log_netlogon_bad_creds.AuthLogTestsNetLogonBadCreds.test_netlogon_bad_machine_name\(ad_dc:local\)
-^samba.tests.auth_log_netlogon.samba.tests.auth_log_netlogon.AuthLogTestsNetLogon.test_netlogon\(ad_dc_ntvfs:local\)
-^samba.tests.auth_log_netlogon.samba.tests.auth_log_netlogon.AuthLogTestsNetLogon.test_netlogon\(ad_dc:local\)
diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c
index b50b7a52980..c140ee8e162 100644
--- a/source4/rpc_server/netlogon/dcerpc_netlogon.c
+++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c
@@ -105,8 +105,15 @@ static NTSTATUS dcesrv_netr_ServerReqChallenge(struct dcesrv_call_state *dce_cal
 return NT_STATUS_OK;
 }
-static NTSTATUS dcesrv_netr_ServerAuthenticate3(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
- struct netr_ServerAuthenticate3 *r)
+/*
+ * Do the actual processing of a netr_ServerAuthenticate3 message.
+ * called from dcesrv_netr_ServerAuthenticate3, which handles the logging.
+ */
+static NTSTATUS dcesrv_netr_ServerAuthenticate3_helper(
+ struct dcesrv_call_state *dce_call,
+ TALLOC_CTX *mem_ctx,
+ struct netr_ServerAuthenticate3 *r,
+ struct dom_sid **sid)
 {
 struct netlogon_server_pipe_state *pipe_state = talloc_get_type(dce_call->context->private_data, struct netlogon_server_pipe_state);
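Review bot: The new header comment on `dcesrv_netr_ServerAuthenticate3_helper` says nothing about the `struct dom_sid **sid` out-parameter it introduces, and from the later hunk `*sid` is only written on the success path, so a caller that does not pre-initialise it reads garbage on `NT_STATUS_ACCESS_DENIED`. Suggest adding to the comment: `sid: on success receives a copy of the trust account's SID allocated on mem_ctx; left untouched on failure, so callers must initialise it to NULL before the call.` The helper's body continues well past this hunk.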
@@ -469,36 +476,11 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3(struct dcesrv_call_state *dce_ca
 negotiate_flags);
 }
- {
- char* local = NULL;
- char* remote = NULL;
- TALLOC_CTX *frame = talloc_stackframe();
-
- remote = tsocket_address_string(dce_call->conn->remote_address,
- frame);
- local = tsocket_address_string(dce_call->conn->local_address,
- frame);
- if (creds == NULL) {
- DEBUG(2, ("Failed to authenticate NETLOGON "
- "account[%s] workstation[%s] "
- "remote[%s] local[%s]\n",
- log_escape(frame, r->in.account_name),
- log_escape(frame, r->in.computer_name),
- remote, local));
- TALLOC_FREE(frame);
- return NT_STATUS_ACCESS_DENIED;
- } else {
- DEBUG(3, ("Successful authenticate of NETLOGON "
- "account[%s] workstation[%s] "
- "remote[%s] local[%s]\n",
- log_escape(frame, r->in.account_name),
- log_escape(frame, r->in.computer_name),
- remote, local));
- TALLOC_FREE(frame);
- }
+ if (creds == NULL) {
+ return NT_STATUS_ACCESS_DENIED;
 }
- creds->sid = samdb_result_dom_sid(creds, msgs[0], "objectSid");
+ *sid = talloc_memdup(mem_ctx, creds->sid, sizeof(struct dom_sid));
 nt_status = schannel_save_creds_state(mem_ctx,
 dce_call->conn->dce_ctx->lp_ctx,
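Review bot: `*sid = talloc_memdup(mem_ctx, creds->sid, sizeof(struct dom_sid));` drops the line that populated `creds->sid` from `objectSid`, and nothing else in this hunk sets it; unless it is now filled in earlier in the function (not visible here, possibly by the parent commit), the memdup copies from a NULL source and faults on the first successful authentication. The memdup result is also unchecked, so an allocation failure silently logs a successful authentication with no SID and then saves schannel state anyway; guard it with `if (*sid == NULL) { return NT_STATUS_NO_MEMORY; }` right after the assignment. The enclosing function starts before and ends after this hunk.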
@@ -514,6 +496,54 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3(struct dcesrv_call_state *dce_ca
 return NT_STATUS_OK;
 }
+/*
+ * Log a netr_ServerAuthenticate3 request, and then invoke
+ * dcesrv_netr_ServerAuthenticate3_helper to perform the actual processing
+ */
+static NTSTATUS dcesrv_netr_ServerAuthenticate3(
+ struct dcesrv_call_state *dce_call,
+ TALLOC_CTX *mem_ctx,
+ struct netr_ServerAuthenticate3 *r)
+{
+ NTSTATUS status;
+ struct dom_sid *sid = NULL;
+ struct auth_usersupplied_info ui = {
+ .local_host = dce_call->conn->local_address,
+ .remote_host = dce_call->conn->remote_address,
+ .client = {
+ .account_name = r->in.account_name,
+ .domain_name = lpcfg_workgroup(dce_call->conn->dce_ctx->lp_ctx),
+ },
+ .service_description = "NETLOGON",
+ .auth_description = "ServerAuthenticate",
+ .netlogon_trust_account = {
+ .computer_name = r->in.computer_name,
+ .account_name = r->in.account_name,
+ .negotiate_flags = *r->in.negotiate_flags,
+ .secure_channel_type = r->in.secure_channel_type,
+ },
+ .mapped = {
+ .account_name = r->in.account_name,
+ }
+ };
+
+ status = dcesrv_netr_ServerAuthenticate3_helper(dce_call,
+ mem_ctx,
+ r,
+ &sid);
+ ui.netlogon_trust_account.sid = sid;
+ log_authentication_event(
+ dce_call->conn->msg_ctx,
+ dce_call->conn->dce_ctx->lp_ctx,
+ &ui,
+ status,
+ lpcfg_workgroup(dce_call->conn->dce_ctx->lp_ctx),
+ r->in.account_name,
+ NULL,
+ sid);
+
+ return status;
+}
 static NTSTATUS dcesrv_netr_ServerAuthenticate(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
 struct netr_ServerAuthenticate *r)
 {
|
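Review bot: `.negotiate_flags = *r->in.negotiate_flags` snapshots the client's proposed flags before the helper runs, so the `HMAC-SHA256`/`HMAC-MD5`/`DES` label that get_password_type derives from them describes what the client asked for, not what the server actually negotiated; a client that requests AES but is downgraded, or vice versa, is logged under the wrong algorithm, which is exactly the detail an incident responder reads this event for. If the helper narrows the flags into `*r->out.negotiate_flags` (the `negotiate_flags);` context in the previous hunk suggests the negotiation happens there), refresh the field after the call next to the SID: `ui.netlogon_trust_account.negotiate_flags = *r->out.negotiate_flags;` with a comment that the `in` value is only kept when the helper fails before negotiating. Separately, `.mapped.account_name = r->in.account_name` records the unverified client-supplied name as the mapped identity even on `NT_STATUS_ACCESS_DENIED`; a one-line comment stating that this is deliberate (no lookup result is available from the helper) would stop the next reader from treating it as an authenticated value.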