From b7baf96bd7248b1d34416e3ae86f4613c5ed0934 Mon Sep 17 00:00:00 2001 From: Gary Lockyer Date: Thu, 13 Dec 2018 10:20:28 +1300 Subject: auth log: Add windows event codes Add a new "eventId" element to the Authorisation JSON log messages. This contains a Windows Event Code Id either: 4624 Successful logon 4625 Unsuccessful logon Signed-off-by: Gary Lockyer Reviewed-by: Andrew Bartlett --- python/samba/tests/auth_log.py | 121 ++++++++++++++++++---- python/samba/tests/auth_log_ncalrpc.py | 3 + python/samba/tests/auth_log_netlogon.py | 3 + python/samba/tests/auth_log_netlogon_bad_creds.py | 19 ++-- python/samba/tests/auth_log_pass_change.py | 32 ++++-- python/samba/tests/auth_log_samlogon.py | 4 +- 6 files changed, 149 insertions(+), 33 deletions(-) (limited to 'python') diff --git a/python/samba/tests/auth_log.py b/python/samba/tests/auth_log.py index 2b280bcc3c1..08c8b64bcd5 100644 --- a/python/samba/tests/auth_log.py +++ b/python/samba/tests/auth_log.py @@ -28,6 +28,10 @@ from samba.credentials import DONT_USE_KERBEROS, MUST_USE_KERBEROS from samba import NTSTATUSError from subprocess import call from ldb import LdbError +from samba.dcerpc.windows_event_ids import ( + EVT_ID_SUCCESSFUL_LOGON, + EVT_ID_UNSUCCESSFUL_LOGON +) import re @@ -92,6 +96,8 @@ class AuthLogTests(samba.tests.auth_log_base.AuthLogTestBase): msg = messages[0] self.assertEquals("Authentication", msg["type"]) self.assertEquals("NT_STATUS_OK", msg["Authentication"]["status"]) + self.assertEquals( + EVT_ID_SUCCESSFUL_LOGON, msg["Authentication"]["eventId"]) self._assert_ncacn_np_serviceDescription(binding, msg["Authentication"]["serviceDescription"]) self.assertEquals(authTypes[1], @@ -121,6 +127,8 @@ class AuthLogTests(samba.tests.auth_log_base.AuthLogTestBase): self.assertEquals(authTypes[3], msg["Authentication"]["authDescription"]) + self.assertEquals( + EVT_ID_SUCCESSFUL_LOGON, msg["Authentication"]["eventId"]) def rpc_ncacn_np_krb5_check( self, 
@@ -145,6 +153,8 @@ class AuthLogTests(samba.tests.auth_log_base.AuthLogTestBase): msg["Authentication"]["serviceDescription"]) self.assertEquals(authTypes[1], msg["Authentication"]["authDescription"]) + self.assertEquals( + EVT_ID_SUCCESSFUL_LOGON, msg["Authentication"]["eventId"]) # Check the second message it should be an Authentication # This this the TCP Authentication in response to the message too big @@ -156,6 +166,8 @@ class AuthLogTests(samba.tests.auth_log_base.AuthLogTestBase): msg["Authentication"]["serviceDescription"]) self.assertEquals(authTypes[2], msg["Authentication"]["authDescription"]) + self.assertEquals( + EVT_ID_SUCCESSFUL_LOGON, msg["Authentication"]["eventId"]) # Check the third message it should be an Authorization msg = messages[2] @@ -303,6 +315,8 @@ class AuthLogTests(samba.tests.auth_log_base.AuthLogTestBase): msg["Authentication"]["serviceDescription"]) self.assertEquals(authTypes[2], msg["Authentication"]["authDescription"]) + self.assertEquals( + EVT_ID_SUCCESSFUL_LOGON, msg["Authentication"]["eventId"]) def rpc_ncacn_ip_tcp_krb5_check(self, messages, authTypes, service, binding, protection): @@ -329,6 +343,8 @@ class AuthLogTests(samba.tests.auth_log_base.AuthLogTestBase): msg["Authentication"]["serviceDescription"]) self.assertEquals(authTypes[2], msg["Authentication"]["authDescription"]) + self.assertEquals( + EVT_ID_SUCCESSFUL_LOGON, msg["Authentication"]["eventId"]) # Check the third message it should be an Authentication msg = messages[2] @@ -338,6 +354,8 @@ class AuthLogTests(samba.tests.auth_log_base.AuthLogTestBase): msg["Authentication"]["serviceDescription"]) self.assertEquals(authTypes[2], msg["Authentication"]["authDescription"]) + self.assertEquals( + EVT_ID_SUCCESSFUL_LOGON, msg["Authentication"]["eventId"]) def test_rpc_ncacn_ip_tcp_ntlm_dns_sign(self): creds = self.insta_creds(template=self.get_credentials(), 
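Review bot: The Authorization record checked immediately after the `-156,6 +166,8` hunk (`msg = messages[2]`, "it should be an Authorization") gets no eventId assertion, although the commit message says the element is added to the "Authorisation" JSON messages. Every assertion this commit adds indexes `msg["Authentication"]`. If Authorization records are meant to carry no eventId, pin that with `self.assertNotIn("eventId", msg["Authorization"])` (assuming the record body is keyed by its type, as the Authentication ones are); otherwise the commit message most likely means Authentication and should say so. Consumers that key detections on eventId need to know which record types carry it. The enclosing check method starts and ends outside the hunk.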
@@ -441,6 +459,8 @@ class AuthLogTests(samba.tests.auth_log_base.AuthLogTestBase): self.assertEquals("ENC-TS Pre-authentication", msg["Authentication"]["authDescription"]) self.assertTrue(msg["Authentication"]["duration"] > 0) + self.assertEquals( + EVT_ID_SUCCESSFUL_LOGON, msg["Authentication"]["eventId"]) # Check the second message it should be an Authentication msg = messages[1] @@ -451,6 +471,8 @@ class AuthLogTests(samba.tests.auth_log_base.AuthLogTestBase): self.assertEquals("ENC-TS Pre-authentication", msg["Authentication"]["authDescription"]) self.assertTrue(msg["Authentication"]["duration"] > 0) + self.assertEquals( + EVT_ID_SUCCESSFUL_LOGON, msg["Authentication"]["eventId"]) def test_ldap_ntlm(self): @@ -476,6 +498,8 @@ class AuthLogTests(samba.tests.auth_log_base.AuthLogTestBase): msg["Authentication"]["serviceDescription"]) self.assertEquals("NTLMSSP", msg["Authentication"]["authDescription"]) self.assertTrue(msg["Authentication"]["duration"] > 0) + self.assertEquals( + EVT_ID_SUCCESSFUL_LOGON, msg["Authentication"]["eventId"]) def test_ldap_simple_bind(self): def isLastExpectedMessage(msg): @@ -505,6 +529,8 @@ class AuthLogTests(samba.tests.auth_log_base.AuthLogTestBase): msg["Authentication"]["serviceDescription"]) self.assertEquals("simple bind", msg["Authentication"]["authDescription"]) + self.assertEquals( + EVT_ID_SUCCESSFUL_LOGON, msg["Authentication"]["eventId"]) def test_ldap_simple_bind_bad_password(self): def isLastExpectedMessage(msg): @@ -512,7 +538,10 @@ class AuthLogTests(samba.tests.auth_log_base.AuthLogTestBase): msg["Authentication"]["serviceDescription"] == "LDAP" and (msg["Authentication"]["status"] == "NT_STATUS_WRONG_PASSWORD") and - msg["Authentication"]["authDescription"] == "simple bind") + (msg["Authentication"]["authDescription"] == + "simple bind") and + (msg["Authentication"]["eventId"] == + EVT_ID_UNSUCCESSFUL_LOGON)) creds = self.insta_creds(template=self.get_credentials()) creds.set_password("badPassword") 
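Review bot: Putting the eventId comparison inside `isLastExpectedMessage` (the `-512,7 +538,10` hunk, and the same pattern in every predicate hunk that follows, through auth_log_samlogon.py) means a wrong eventId is reported as the expected message never arriving, not as a failed assertion naming the field. A record missing the key would raise KeyError from inside the predicate. Keeping the predicate on status and authDescription and asserting on the matched message afterwards gives a clearer failure: `self.assertEquals(EVT_ID_UNSUCCESSFUL_LOGON, msg["Authentication"]["eventId"])`. How the message-wait helper reports a non-match is not visible in this patch, so the exact failure mode is inferred. The predicate body begins outside the hunk.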
@@ -539,7 +568,10 @@ class AuthLogTests(samba.tests.auth_log_base.AuthLogTestBase): msg["Authentication"]["serviceDescription"] == "LDAP" and (msg["Authentication"]["status"] == "NT_STATUS_NO_SUCH_USER") and - msg["Authentication"]["authDescription"] == "simple bind") + (msg["Authentication"]["authDescription"] == + "simple bind") and + (msg["Authentication"]["eventId"] == + EVT_ID_UNSUCCESSFUL_LOGON)) creds = self.insta_creds(template=self.get_credentials()) creds.set_bind_dn("%s\\%s" % (creds.get_domain(), "badUser")) @@ -564,7 +596,10 @@ class AuthLogTests(samba.tests.auth_log_base.AuthLogTestBase): msg["Authentication"]["serviceDescription"] == "LDAP" and (msg["Authentication"]["status"] == "NT_STATUS_NO_SUCH_USER") and - msg["Authentication"]["authDescription"] == "simple bind") + (msg["Authentication"]["authDescription"] == + "simple bind") and + (msg["Authentication"]["eventId"] == + EVT_ID_UNSUCCESSFUL_LOGON)) creds = self.insta_creds(template=self.get_credentials()) creds.set_bind_dn("%s\\%s" % (creds.get_domain(), "abdcef")) @@ -656,6 +691,8 @@ class AuthLogTests(samba.tests.auth_log_base.AuthLogTestBase): msg["Authentication"]["serviceDescription"]) self.assertEquals("ENC-TS Pre-authentication", msg["Authentication"]["authDescription"]) + self.assertEquals(EVT_ID_SUCCESSFUL_LOGON, + msg["Authentication"]["eventId"]) # Check the second message it should be an Authentication msg = messages[1] @@ -665,6 +702,8 @@ class AuthLogTests(samba.tests.auth_log_base.AuthLogTestBase): msg["Authentication"]["serviceDescription"]) self.assertEquals("ENC-TS Pre-authentication", msg["Authentication"]["authDescription"]) + self.assertEquals(EVT_ID_SUCCESSFUL_LOGON, + msg["Authentication"]["eventId"]) def test_smb_bad_password(self): def isLastExpectedMessage(msg): 
@@ -702,7 +741,9 @@ class AuthLogTests(samba.tests.auth_log_base.AuthLogTestBase): (msg["Authentication"]["status"] == "NT_STATUS_NO_SUCH_USER") and (msg["Authentication"]["authDescription"] == - "ENC-TS Pre-authentication")) + "ENC-TS Pre-authentication") and + (msg["Authentication"]["eventId"] == + EVT_ID_UNSUCCESSFUL_LOGON)) creds = self.insta_creds(template=self.get_credentials()) creds.set_username("badUser") @@ -752,6 +793,8 @@ class AuthLogTests(samba.tests.auth_log_base.AuthLogTestBase): msg["Authentication"]["authDescription"]) self.assertEquals("No-Password", msg["Authentication"]["passwordType"]) + self.assertEquals(EVT_ID_UNSUCCESSFUL_LOGON, + msg["Authentication"]["eventId"]) # Check the second message it should be an Authentication msg = messages[1] @@ -766,6 +809,8 @@ class AuthLogTests(samba.tests.auth_log_base.AuthLogTestBase): msg["Authentication"]["passwordType"]) self.assertEquals("ANONYMOUS LOGON", msg["Authentication"]["becameAccount"]) + self.assertEquals(EVT_ID_SUCCESSFUL_LOGON, + msg["Authentication"]["eventId"]) def test_smb2_anonymous(self): def isLastExpectedMessage(msg): @@ -797,6 +842,8 @@ class AuthLogTests(samba.tests.auth_log_base.AuthLogTestBase): msg["Authentication"]["authDescription"]) self.assertEquals("No-Password", msg["Authentication"]["passwordType"]) + self.assertEquals(EVT_ID_UNSUCCESSFUL_LOGON, + msg["Authentication"]["eventId"]) # Check the second message it should be an Authentication msg = messages[1] @@ -811,6 +858,8 @@ class AuthLogTests(samba.tests.auth_log_base.AuthLogTestBase): msg["Authentication"]["passwordType"]) self.assertEquals("ANONYMOUS LOGON", msg["Authentication"]["becameAccount"]) + self.assertEquals(EVT_ID_SUCCESSFUL_LOGON, + msg["Authentication"]["eventId"]) def test_smb_no_krb_spnego(self): def isLastExpectedMessage(msg): 
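Review bot: Nothing in the anonymous SMB tests explains why a single anonymous connect logs a failure first: the first message (passwordType "No-Password") is pinned to EVT_ID_UNSUCCESSFUL_LOGON and the second (becameAccount "ANONYMOUS LOGON") to EVT_ID_SUCCESSFUL_LOGON. This applies to hunks `-752,6` and `-766,6`, and again to `-797,6` and `-811,6` for smb2. A comment at the first assertion would help, e.g. `# anonymous session setup logs a failed No-Password attempt (4625) before the ANONYMOUS LOGON success (4624)`, so anyone building failed-logon alerting on eventId knows this pair is expected and not a guessing attempt. The status of the first message is asserted outside the hunk, so the reason for the failure is inferred.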
@@ -840,6 +889,8 @@ class AuthLogTests(samba.tests.auth_log_base.AuthLogTestBase): msg["Authentication"]["authDescription"]) self.assertEquals("NTLMv2", msg["Authentication"]["passwordType"]) + self.assertEquals(EVT_ID_SUCCESSFUL_LOGON, + msg["Authentication"]["eventId"]) def test_smb_no_krb_spnego_bad_password(self): def isLastExpectedMessage(msg): @@ -848,7 +899,9 @@ class AuthLogTests(samba.tests.auth_log_base.AuthLogTestBase): msg["Authentication"]["authDescription"] == "NTLMSSP" and msg["Authentication"]["passwordType"] == "NTLMv2" and (msg["Authentication"]["status"] == - "NT_STATUS_WRONG_PASSWORD")) + "NT_STATUS_WRONG_PASSWORD") and + (msg["Authentication"]["eventId"] == + EVT_ID_UNSUCCESSFUL_LOGON)) creds = self.insta_creds(template=self.get_credentials(), kerberos_state=DONT_USE_KERBEROS) @@ -876,7 +929,9 @@ class AuthLogTests(samba.tests.auth_log_base.AuthLogTestBase): msg["Authentication"]["authDescription"] == "NTLMSSP" and msg["Authentication"]["passwordType"] == "NTLMv2" and (msg["Authentication"]["status"] == - "NT_STATUS_NO_SUCH_USER")) + "NT_STATUS_NO_SUCH_USER") and + (msg["Authentication"]["eventId"] == + EVT_ID_UNSUCCESSFUL_LOGON)) creds = self.insta_creds(template=self.get_credentials(), kerberos_state=DONT_USE_KERBEROS) @@ -927,6 +982,8 @@ class AuthLogTests(samba.tests.auth_log_base.AuthLogTestBase): msg["Authentication"]["authDescription"]) self.assertEquals("NTLMv1", msg["Authentication"]["passwordType"]) + self.assertEquals(EVT_ID_SUCCESSFUL_LOGON, + msg["Authentication"]["eventId"]) def test_smb_no_krb_no_spnego_no_ntlmv2_bad_password(self): def isLastExpectedMessage(msg): 
@@ -935,7 +992,9 @@ class AuthLogTests(samba.tests.auth_log_base.AuthLogTestBase): msg["Authentication"]["authDescription"] == "bare-NTLM" and msg["Authentication"]["passwordType"] == "NTLMv1" and (msg["Authentication"]["status"] == - "NT_STATUS_WRONG_PASSWORD")) + "NT_STATUS_WRONG_PASSWORD") and + (msg["Authentication"]["eventId"] == + EVT_ID_UNSUCCESSFUL_LOGON)) creds = self.insta_creds(template=self.get_credentials(), kerberos_state=DONT_USE_KERBEROS) @@ -965,7 +1024,9 @@ class AuthLogTests(samba.tests.auth_log_base.AuthLogTestBase): msg["Authentication"]["authDescription"] == "bare-NTLM" and msg["Authentication"]["passwordType"] == "NTLMv1" and (msg["Authentication"]["status"] == - "NT_STATUS_NO_SUCH_USER")) + "NT_STATUS_NO_SUCH_USER") and + (msg["Authentication"]["eventId"] == + EVT_ID_UNSUCCESSFUL_LOGON)) creds = self.insta_creds(template=self.get_credentials(), kerberos_state=DONT_USE_KERBEROS) @@ -1000,7 +1061,9 @@ class AuthLogTests(samba.tests.auth_log_base.AuthLogTestBase): "interactive") and msg["Authentication"]["status"] == "NT_STATUS_OK" and (msg["Authentication"]["workstation"] == - r"\\%s" % workstation)) + r"\\%s" % workstation) and + (msg["Authentication"]["eventId"] == + EVT_ID_SUCCESSFUL_LOGON)) server = os.environ["SERVER"] user = os.environ["USERNAME"] @@ -1029,7 +1092,9 @@ class AuthLogTests(samba.tests.auth_log_base.AuthLogTestBase): (msg["Authentication"]["status"] == "NT_STATUS_WRONG_PASSWORD") and (msg["Authentication"]["workstation"] == - r"\\%s" % workstation)) + r"\\%s" % workstation) and + (msg["Authentication"]["eventId"] == + EVT_ID_UNSUCCESSFUL_LOGON)) server = os.environ["SERVER"] user = os.environ["USERNAME"] 
@@ -1058,7 +1123,9 @@ class AuthLogTests(samba.tests.auth_log_base.AuthLogTestBase): (msg["Authentication"]["status"] == "NT_STATUS_NO_SUCH_USER") and (msg["Authentication"]["workstation"] == - r"\\%s" % workstation)) + r"\\%s" % workstation) and + (msg["Authentication"]["eventId"] == + EVT_ID_UNSUCCESSFUL_LOGON)) server = os.environ["SERVER"] user = "badUser" @@ -1085,7 +1152,9 @@ class AuthLogTests(samba.tests.auth_log_base.AuthLogTestBase): msg["Authentication"]["authDescription"] == "network" and msg["Authentication"]["status"] == "NT_STATUS_OK" and (msg["Authentication"]["workstation"] == - r"\\%s" % workstation)) + r"\\%s" % workstation) and + (msg["Authentication"]["eventId"] == + EVT_ID_SUCCESSFUL_LOGON)) server = os.environ["SERVER"] user = os.environ["USERNAME"] @@ -1113,7 +1182,9 @@ class AuthLogTests(samba.tests.auth_log_base.AuthLogTestBase): (msg["Authentication"]["status"] == "NT_STATUS_WRONG_PASSWORD") and (msg["Authentication"]["workstation"] == - r"\\%s" % workstation)) + r"\\%s" % workstation) and + (msg["Authentication"]["eventId"] == + EVT_ID_UNSUCCESSFUL_LOGON)) server = os.environ["SERVER"] user = os.environ["USERNAME"] @@ -1141,7 +1212,9 @@ class AuthLogTests(samba.tests.auth_log_base.AuthLogTestBase): (msg["Authentication"]["status"] == "NT_STATUS_NO_SUCH_USER") and (msg["Authentication"]["workstation"] == - r"\\%s" % workstation)) + r"\\%s" % workstation) and + (msg["Authentication"]["eventId"] == + EVT_ID_UNSUCCESSFUL_LOGON)) server = os.environ["SERVER"] user = "badUser" @@ -1169,7 +1242,9 @@ class AuthLogTests(samba.tests.auth_log_base.AuthLogTestBase): (msg["Authentication"]["status"] == "NT_STATUS_OK") and (msg["Authentication"]["passwordType"] == "MSCHAPv2") and (msg["Authentication"]["workstation"] == - r"\\%s" % workstation)) + r"\\%s" % workstation) and + (msg["Authentication"]["eventId"] == + EVT_ID_SUCCESSFUL_LOGON)) server = os.environ["SERVER"] user = os.environ["USERNAME"] 
@@ -1199,7 +1274,9 @@ class AuthLogTests(samba.tests.auth_log_base.AuthLogTestBase): "NT_STATUS_WRONG_PASSWORD") and (msg["Authentication"]["passwordType"] == "MSCHAPv2") and (msg["Authentication"]["workstation"] == - r"\\%s" % workstation)) + r"\\%s" % workstation) and + (msg["Authentication"]["eventId"] == + EVT_ID_UNSUCCESSFUL_LOGON)) server = os.environ["SERVER"] user = os.environ["USERNAME"] @@ -1229,7 +1306,9 @@ class AuthLogTests(samba.tests.auth_log_base.AuthLogTestBase): "NT_STATUS_NO_SUCH_USER") and (msg["Authentication"]["passwordType"] == "MSCHAPv2") and (msg["Authentication"]["workstation"] == - r"\\%s" % workstation)) + r"\\%s" % workstation) and + (msg["Authentication"]["eventId"] == + EVT_ID_UNSUCCESSFUL_LOGON)) server = os.environ["SERVER"] user = "badUser" @@ -1257,7 +1336,9 @@ class AuthLogTests(samba.tests.auth_log_base.AuthLogTestBase): (msg["Authentication"]["authDescription"] == "network") and (msg["Authentication"]["status"] == "NT_STATUS_OK") and (msg["Authentication"]["workstation"] == - r"\\%s" % workstation)) + r"\\%s" % workstation) and + (msg["Authentication"]["eventId"] == + EVT_ID_SUCCESSFUL_LOGON)) server = os.environ["SERVER"] user = os.environ["USERNAME"] @@ -1295,7 +1376,9 @@ class AuthLogTests(samba.tests.auth_log_base.AuthLogTestBase): (msg["Authentication"]["authDescription"] == "network") and (msg["Authentication"]["status"] == "NT_STATUS_OK") and (msg["Authentication"]["workstation"] == - r"\\%s" % workstation)) + r"\\%s" % workstation) and + (msg["Authentication"]["eventId"] == + EVT_ID_SUCCESSFUL_LOGON)) server = os.environ["SERVER"] user = os.environ["USERNAME"] diff --git a/python/samba/tests/auth_log_ncalrpc.py b/python/samba/tests/auth_log_ncalrpc.py index 849cee7a409..7d6e3a13728 100644 --- a/python/samba/tests/auth_log_ncalrpc.py +++ b/python/samba/tests/auth_log_ncalrpc.py 
@@ -23,6 +23,7 @@ from samba.credentials import DONT_USE_KERBEROS from samba.dcerpc.dcerpc import AS_SYSTEM_MAGIC_PATH_TOKEN from samba.dcerpc import samr import samba.tests.auth_log_base +from samba.dcerpc.windows_event_ids import EVT_ID_SUCCESSFUL_LOGON class AuthLogTestsNcalrpc(samba.tests.auth_log_base.AuthLogTestBase): @@ -75,6 +76,8 @@ class AuthLogTestsNcalrpc(samba.tests.auth_log_base.AuthLogTestBase): msg["Authentication"]["serviceDescription"]) self.assertEquals(authTypes[2], msg["Authentication"]["authDescription"]) + self.assertEquals(EVT_ID_SUCCESSFUL_LOGON, + msg["Authentication"]["eventId"]) def test_ncalrpc_ntlm_dns_sign(self): diff --git a/python/samba/tests/auth_log_netlogon.py b/python/samba/tests/auth_log_netlogon.py index 5d47d22f57a..23c9442b73a 100644 --- a/python/samba/tests/auth_log_netlogon.py +++ b/python/samba/tests/auth_log_netlogon.py @@ -36,6 +36,7 @@ from samba.tests import delete_force from samba.dsdb import UF_WORKSTATION_TRUST_ACCOUNT, UF_PASSWD_NOTREQD from samba.dcerpc.misc import SEC_CHAN_WKSTA from samba.compat import text_type +from samba.dcerpc.windows_event_ids import EVT_ID_SUCCESSFUL_LOGON class AuthLogTestsNetLogon(samba.tests.auth_log_base.AuthLogTestBase): @@ -126,6 +127,8 @@ class AuthLogTestsNetLogon(samba.tests.auth_log_base.AuthLogTestBase): msg["Authentication"]["status"]) self.assertEquals("HMAC-SHA256", msg["Authentication"]["passwordType"]) + self.assertEquals(EVT_ID_SUCCESSFUL_LOGON, + msg["Authentication"]["eventId"]) def test_netlogon(self): self._test_netlogon("SEAL", self.netlogon_check) diff --git a/python/samba/tests/auth_log_netlogon_bad_creds.py b/python/samba/tests/auth_log_netlogon_bad_creds.py index d850bd1c1b4..73e3555fbaf 100644 --- a/python/samba/tests/auth_log_netlogon_bad_creds.py +++ b/python/samba/tests/auth_log_netlogon_bad_creds.py 
@@ -38,6 +38,7 @@ from samba.dsdb import UF_WORKSTATION_TRUST_ACCOUNT, UF_PASSWD_NOTREQD from samba.dcerpc.misc import SEC_CHAN_WKSTA from samba.dcerpc.netlogon import NETLOGON_NEG_STRONG_KEYS from samba.compat import get_string +from samba.dcerpc.windows_event_ids import EVT_ID_UNSUCCESSFUL_LOGON class AuthLogTestsNetLogonBadCreds(samba.tests.auth_log_base.AuthLogTestBase): @@ -74,7 +75,7 @@ class AuthLogTestsNetLogonBadCreds(samba.tests.auth_log_base.AuthLogTestBase): super(AuthLogTestsNetLogonBadCreds, self).tearDown() delete_force(self.ldb, self.dn) - def _test_netlogon(self, name, pwd, status, checkFunction): + def _test_netlogon(self, name, pwd, status, checkFunction, event_id): def isLastExpectedMessage(msg): return ( @@ -82,7 +83,8 @@ class AuthLogTestsNetLogonBadCreds(samba.tests.auth_log_base.AuthLogTestBase): msg["Authentication"]["serviceDescription"] == "NETLOGON" and msg["Authentication"]["authDescription"] == "ServerAuthenticate" and - msg["Authentication"]["status"] == status) + msg["Authentication"]["status"] == status and + msg["Authentication"]["eventId"] == event_id) machine_creds = Credentials() machine_creds.guess(self.get_loadparm()) @@ -121,13 +123,15 @@ class AuthLogTestsNetLogonBadCreds(samba.tests.auth_log_base.AuthLogTestBase): self._test_netlogon("bad_name", self.machinepass, "NT_STATUS_NO_TRUST_SAM_ACCOUNT", - self.netlogon_check) + self.netlogon_check, + EVT_ID_UNSUCCESSFUL_LOGON) def test_netlogon_bad_password(self): self._test_netlogon(self.netbios_name, "badpass", "NT_STATUS_ACCESS_DENIED", - self.netlogon_check) + self.netlogon_check, + EVT_ID_UNSUCCESSFUL_LOGON) def test_netlogon_password_DES(self): """Logon failure that exercises the "DES" passwordType path. 
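Review bot: `_test_netlogon` now takes `status` and `event_id` as two independent positional arguments (hunk `-74,7 +75,7`), so a caller can pair a success status with a failure event ID, or the reverse, without the helper noticing. Both visible callers pass `EVT_ID_UNSUCCESSFUL_LOGON`. Consider deriving the expected ID inside the helper, e.g. `event_id = EVT_ID_SUCCESSFUL_LOGON if status == "NT_STATUS_OK" else EVT_ID_UNSUCCESSFUL_LOGON`, which would need the success constant imported in this file. Failing that, add a short docstring stating that `event_id` is the Windows event ID expected in the final Authentication record and must agree with `status`. The helper's body continues outside the hunk.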
@@ -138,7 +142,8 @@ class AuthLogTestsNetLogonBadCreds(samba.tests.auth_log_base.AuthLogTestBase): msg["Authentication"]["serviceDescription"] == "NETLOGON" and msg["Authentication"]["authDescription"] == "ServerAuthenticate" and - msg["Authentication"]["passwordType"] == "DES") + msg["Authentication"]["passwordType"] == "DES" and + msg["Authentication"]["eventId"] == EVT_ID_UNSUCCESSFUL_LOGON) c = netlogon.netlogon("ncalrpc:[schannel]", self.get_loadparm()) creds = netlogon.netr_Credential() @@ -163,7 +168,9 @@ class AuthLogTestsNetLogonBadCreds(samba.tests.auth_log_base.AuthLogTestBase): msg["Authentication"]["serviceDescription"] == "NETLOGON" and msg["Authentication"]["authDescription"] == "ServerAuthenticate" and - msg["Authentication"]["passwordType"] == "HMAC-MD5") + msg["Authentication"]["passwordType"] == "HMAC-MD5" and + msg["Authentication"]["eventId"] == EVT_ID_UNSUCCESSFUL_LOGON) + c = netlogon.netlogon("ncalrpc:[schannel]", self.get_loadparm()) creds = netlogon.netr_Credential() c.netr_ServerReqChallenge(self.server, self.netbios_name, creds) diff --git a/python/samba/tests/auth_log_pass_change.py b/python/samba/tests/auth_log_pass_change.py index a6b3868fa04..f99d9d86f39 100644 --- a/python/samba/tests/auth_log_pass_change.py +++ b/python/samba/tests/auth_log_pass_change.py @@ -30,6 +30,10 @@ import samba from subprocess import call from ldb import LdbError from samba.tests.password_test import PasswordCommon +from samba.dcerpc.windows_event_ids import ( + EVT_ID_SUCCESSFUL_LOGON, + EVT_ID_UNSUCCESSFUL_LOGON +) USER_NAME = "authlogtestuser" USER_PASS = samba.generate_random_password(32, 32) 
@@ -81,7 +85,9 @@ class AuthLogPassChangeTests(samba.tests.auth_log_base.AuthLogTestBase): (msg["Authentication"]["serviceDescription"] == "SAMR Password Change") and (msg["Authentication"]["authDescription"] == - "samr_ChangePasswordUser3")) + "samr_ChangePasswordUser3") and + (msg["Authentication"]["eventId"] == + EVT_ID_SUCCESSFUL_LOGON)) creds = self.insta_creds(template=self.get_credentials()) @@ -107,7 +113,9 @@ class AuthLogPassChangeTests(samba.tests.auth_log_base.AuthLogTestBase): (msg["Authentication"]["serviceDescription"] == "SAMR Password Change") and (msg["Authentication"]["authDescription"] == - "samr_ChangePasswordUser3")) + "samr_ChangePasswordUser3") and + (msg["Authentication"]["eventId"] == + EVT_ID_UNSUCCESSFUL_LOGON)) creds = self.insta_creds(template=self.get_credentials()) @@ -138,7 +146,9 @@ class AuthLogPassChangeTests(samba.tests.auth_log_base.AuthLogTestBase): (msg["Authentication"]["serviceDescription"] == "SAMR Password Change") and (msg["Authentication"]["authDescription"] == - "samr_ChangePasswordUser3")) + "samr_ChangePasswordUser3") and + (msg["Authentication"]["eventId"] == + EVT_ID_UNSUCCESSFUL_LOGON)) creds = self.insta_creds(template=self.get_credentials()) @@ -169,7 +179,9 @@ class AuthLogPassChangeTests(samba.tests.auth_log_base.AuthLogTestBase): (msg["Authentication"]["serviceDescription"] == "SAMR Password Change") and (msg["Authentication"]["authDescription"] == - "samr_ChangePasswordUser3")) + "samr_ChangePasswordUser3") and + (msg["Authentication"]["eventId"] == + EVT_ID_UNSUCCESSFUL_LOGON)) creds = self.insta_creds(template=self.get_credentials()) 
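Review bot: The password-change records are asserted to carry the logon event IDs, so a log consumer that filters only on eventId 4624/4625 will count password changes as logons. This covers EVT_ID_SUCCESSFUL_LOGON in the `-81,7` hunk, EVT_ID_UNSUCCESSFUL_LOGON in `-107,7`, `-138,7` and `-169,7`, and the OemChangePasswordUser2 and LDAP Modify hunks that follow. Windows reports password-change attempts under a separate ID (4723). If the intent is that eventId describes the authentication of the old password, not the change itself, say so next to the predicate, e.g. `# eventId reflects the old-password authentication, not the change; use serviceDescription to tell them apart`. Whether windows_event_ids defines a password-change constant is not visible in this patch. The predicates begin outside the hunks.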
@@ -204,7 +216,9 @@ class AuthLogPassChangeTests(samba.tests.auth_log_base.AuthLogTestBase): (msg["Authentication"]["status"] == "NT_STATUS_WRONG_PASSWORD") and (msg["Authentication"]["authDescription"] == - "OemChangePasswordUser2")) + "OemChangePasswordUser2") and + (msg["Authentication"]["eventId"] == + EVT_ID_UNSUCCESSFUL_LOGON)) username = os.environ["USERNAME"] server = os.environ["SERVER"] @@ -227,7 +241,9 @@ class AuthLogPassChangeTests(samba.tests.auth_log_base.AuthLogTestBase): (msg["Authentication"]["serviceDescription"] == "LDAP Password Change") and (msg["Authentication"]["authDescription"] == - "LDAP Modify")) + "LDAP Modify") and + (msg["Authentication"]["eventId"] == + EVT_ID_SUCCESSFUL_LOGON)) new_password = samba.generate_random_password(32, 32) self.ldb.modify_ldif( @@ -282,7 +298,9 @@ class AuthLogPassChangeTests(samba.tests.auth_log_base.AuthLogTestBase): (msg["Authentication"]["serviceDescription"] == "LDAP Password Change") and (msg["Authentication"]["authDescription"] == - "LDAP Modify")) + "LDAP Modify") and + (msg["Authentication"]["eventId"] == + EVT_ID_UNSUCCESSFUL_LOGON)) new_password = samba.generate_random_password(32, 32) try: diff --git a/python/samba/tests/auth_log_samlogon.py b/python/samba/tests/auth_log_samlogon.py index 00e105c991a..8abdc8dac0b 100644 --- a/python/samba/tests/auth_log_samlogon.py +++ b/python/samba/tests/auth_log_samlogon.py @@ -36,6 +36,7 @@ from samba.tests import delete_force from samba.dsdb import UF_WORKSTATION_TRUST_ACCOUNT, UF_PASSWD_NOTREQD from samba.dcerpc.misc import SEC_CHAN_WKSTA from samba.compat import text_type +from samba.dcerpc.windows_event_ids import EVT_ID_SUCCESSFUL_LOGON class AuthLogTestsSamLogon(samba.tests.auth_log_base.AuthLogTestBase): 
@@ -70,7 +71,8 @@ class AuthLogTestsSamLogon(samba.tests.auth_log_base.AuthLogTestBase): msg["type"] == "Authentication" and msg["Authentication"]["serviceDescription"] == "SamLogon" and msg["Authentication"]["authDescription"] == "network" and - msg["Authentication"]["passwordType"] == "NTLMv2") + msg["Authentication"]["passwordType"] == "NTLMv2" and + msg["Authentication"]["eventId"] == EVT_ID_SUCCESSFUL_LOGON) if binding: binding = "[schannel,%s]" % binding -- cgit v1.2.1