auth log: Add windows event codes
authorGary Lockyer <gary@catalyst.net.nz>
Wed, 12 Dec 2018 21:20:28 +0000 (10:20 +1300)
committerAndrew Bartlett <abartlet@samba.org>
Fri, 14 Dec 2018 17:57:52 +0000 (18:57 +0100)
Add a new "eventId" element to the Authorisation JSON log messages.
This contains a Windows Event Code Id, either:
4624 Successful logon
4625 Unsuccessful logon

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
auth/auth_log.c
python/samba/tests/auth_log.py
python/samba/tests/auth_log_ncalrpc.py
python/samba/tests/auth_log_netlogon.py
python/samba/tests/auth_log_netlogon_bad_creds.py
python/samba/tests/auth_log_pass_change.py
python/samba/tests/auth_log_samlogon.py

index 531709febced0d2eb42f5923763d89626a85af5b..0f32268ffab64cd3dec30971deeef5e30455bc42 100644 (file)
@@ -57,6 +57,7 @@
 #include "lib/util/server_id_db.h"
 #include "lib/param/param.h"
 #include "librpc/ndr/libndr.h"
+#include "librpc/gen_ndr/windows_event_ids.h"
 #include "lib/audit_logging/audit_logging.h"
 
 /*
@@ -119,6 +120,7 @@ static void log_authentication_event_json(
        const char *account_name,
        const char *unix_username,
        struct dom_sid *sid,
+       enum event_id_type event_id,
        int debug_level)
 {
        struct json_object wrapper = json_empty_object;
@@ -134,6 +136,12 @@ static void log_authentication_event_json(
        if (rc != 0) {
                goto failure;
        }
+       rc = json_add_int(&authentication,
+                         "eventId",
+                         event_id);
+       if (rc != 0) {
+               goto failure;
+       }
        rc = json_add_string(&authentication, "status", nt_errstr(status));
        if (rc != 0) {
                goto failure;
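Review bot: The new `eventId` field is written into the `authentication` object here, but the commit description says it is added to the Authorisation messages, and every test in this commit reads `msg["Authentication"]["eventId"]`. Either the description should say Authentication, or the authorization logging path still needs the field. If the JSON record carries a schema version (not visible in this hunk), it presumably wants a minor bump so that log consumers can tell whether `eventId` is expected. The body of log_authentication_event_json starts and ends outside the hunk.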
@@ -454,6 +462,7 @@ static void log_authentication_event_json(
        const char *account_name,
        const char *unix_username,
        struct dom_sid *sid,
+       enum event_id_type event_id,
        int debug_level)
 {
        log_no_json(msg_ctx, lp_ctx);
@@ -631,9 +640,11 @@ void log_authentication_event(
 {
        /* set the log level */
        int debug_level = AUTH_FAILURE_LEVEL;
+       enum event_id_type event_id = EVT_ID_UNSUCCESSFUL_LOGON;
 
        if (NT_STATUS_IS_OK(status)) {
                debug_level = AUTH_SUCCESS_LEVEL;
+               event_id = EVT_ID_SUCCESSFUL_LOGON;
                if (dom_sid_equal(sid, &global_sid_Anonymous)) {
                        debug_level = AUTH_ANONYMOUS_LEVEL;
                }
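Review bot: `event_id` is derived from `status` alone, so everything logged through log_authentication_event is reported as a logon success or failure, including the password-change paths that python/samba/tests/auth_log_pass_change.py in this commit pins to EVT_ID_SUCCESSFUL_LOGON and EVT_ID_UNSUCCESSFUL_LOGON. Anyone correlating these records with Windows event ids will read a password change as a logon, so the choice should be stated at the declaration, for example `/* eventId only distinguishes success from failure; non-logon authentications such as password changes are reported with the logon ids too */`. The function's signature and the rest of its body are outside the hunk.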
@@ -659,6 +670,7 @@ void log_authentication_event(
                                              account_name,
                                              unix_username,
                                              sid,
+                                             event_id,
                                              debug_level);
        }
 }
index 2b280bcc3c13bc79a6512434401c54c333f89c21..08c8b64bcd5befc22aef2b2e470cf7d3bd82461c 100644 (file)
@@ -28,6 +28,10 @@ from samba.credentials import DONT_USE_KERBEROS, MUST_USE_KERBEROS
 from samba import NTSTATUSError
 from subprocess import call
 from ldb import LdbError
+from samba.dcerpc.windows_event_ids import (
+    EVT_ID_SUCCESSFUL_LOGON,
+    EVT_ID_UNSUCCESSFUL_LOGON
+)
 import re
 
 
@@ -92,6 +96,8 @@ class AuthLogTests(samba.tests.auth_log_base.AuthLogTestBase):
         msg = messages[0]
         self.assertEquals("Authentication", msg["type"])
         self.assertEquals("NT_STATUS_OK", msg["Authentication"]["status"])
+        self.assertEquals(
+            EVT_ID_SUCCESSFUL_LOGON, msg["Authentication"]["eventId"])
         self._assert_ncacn_np_serviceDescription(binding,
                                                  msg["Authentication"]["serviceDescription"])
         self.assertEquals(authTypes[1],
@@ -121,6 +127,8 @@ class AuthLogTests(samba.tests.auth_log_base.AuthLogTestBase):
 
             self.assertEquals(authTypes[3],
                               msg["Authentication"]["authDescription"])
+            self.assertEquals(
+                EVT_ID_SUCCESSFUL_LOGON, msg["Authentication"]["eventId"])
 
     def rpc_ncacn_np_krb5_check(
             self,
@@ -145,6 +153,8 @@ class AuthLogTests(samba.tests.auth_log_base.AuthLogTestBase):
                           msg["Authentication"]["serviceDescription"])
         self.assertEquals(authTypes[1],
                           msg["Authentication"]["authDescription"])
+        self.assertEquals(
+            EVT_ID_SUCCESSFUL_LOGON, msg["Authentication"]["eventId"])
 
         # Check the second message it should be an Authentication
         # This this the TCP Authentication in response to the message too big
@@ -156,6 +166,8 @@ class AuthLogTests(samba.tests.auth_log_base.AuthLogTestBase):
                           msg["Authentication"]["serviceDescription"])
         self.assertEquals(authTypes[2],
                           msg["Authentication"]["authDescription"])
+        self.assertEquals(
+            EVT_ID_SUCCESSFUL_LOGON, msg["Authentication"]["eventId"])
 
         # Check the third message it should be an Authorization
         msg = messages[2]
@@ -303,6 +315,8 @@ class AuthLogTests(samba.tests.auth_log_base.AuthLogTestBase):
                           msg["Authentication"]["serviceDescription"])
         self.assertEquals(authTypes[2],
                           msg["Authentication"]["authDescription"])
+        self.assertEquals(
+            EVT_ID_SUCCESSFUL_LOGON, msg["Authentication"]["eventId"])
 
     def rpc_ncacn_ip_tcp_krb5_check(self, messages, authTypes, service,
                                     binding, protection):
@@ -329,6 +343,8 @@ class AuthLogTests(samba.tests.auth_log_base.AuthLogTestBase):
                           msg["Authentication"]["serviceDescription"])
         self.assertEquals(authTypes[2],
                           msg["Authentication"]["authDescription"])
+        self.assertEquals(
+            EVT_ID_SUCCESSFUL_LOGON, msg["Authentication"]["eventId"])
 
         # Check the third message it should be an Authentication
         msg = messages[2]
@@ -338,6 +354,8 @@ class AuthLogTests(samba.tests.auth_log_base.AuthLogTestBase):
                           msg["Authentication"]["serviceDescription"])
         self.assertEquals(authTypes[2],
                           msg["Authentication"]["authDescription"])
+        self.assertEquals(
+            EVT_ID_SUCCESSFUL_LOGON, msg["Authentication"]["eventId"])
 
     def test_rpc_ncacn_ip_tcp_ntlm_dns_sign(self):
         creds = self.insta_creds(template=self.get_credentials(),
@@ -441,6 +459,8 @@ class AuthLogTests(samba.tests.auth_log_base.AuthLogTestBase):
         self.assertEquals("ENC-TS Pre-authentication",
                           msg["Authentication"]["authDescription"])
         self.assertTrue(msg["Authentication"]["duration"] > 0)
+        self.assertEquals(
+            EVT_ID_SUCCESSFUL_LOGON, msg["Authentication"]["eventId"])
 
         # Check the second message it should be an Authentication
         msg = messages[1]
@@ -451,6 +471,8 @@ class AuthLogTests(samba.tests.auth_log_base.AuthLogTestBase):
         self.assertEquals("ENC-TS Pre-authentication",
                           msg["Authentication"]["authDescription"])
         self.assertTrue(msg["Authentication"]["duration"] > 0)
+        self.assertEquals(
+            EVT_ID_SUCCESSFUL_LOGON, msg["Authentication"]["eventId"])
 
     def test_ldap_ntlm(self):
 
@@ -476,6 +498,8 @@ class AuthLogTests(samba.tests.auth_log_base.AuthLogTestBase):
                           msg["Authentication"]["serviceDescription"])
         self.assertEquals("NTLMSSP", msg["Authentication"]["authDescription"])
         self.assertTrue(msg["Authentication"]["duration"] > 0)
+        self.assertEquals(
+            EVT_ID_SUCCESSFUL_LOGON, msg["Authentication"]["eventId"])
 
     def test_ldap_simple_bind(self):
         def isLastExpectedMessage(msg):
@@ -505,6 +529,8 @@ class AuthLogTests(samba.tests.auth_log_base.AuthLogTestBase):
                           msg["Authentication"]["serviceDescription"])
         self.assertEquals("simple bind",
                           msg["Authentication"]["authDescription"])
+        self.assertEquals(
+            EVT_ID_SUCCESSFUL_LOGON, msg["Authentication"]["eventId"])
 
     def test_ldap_simple_bind_bad_password(self):
         def isLastExpectedMessage(msg):
@@ -512,7 +538,10 @@ class AuthLogTests(samba.tests.auth_log_base.AuthLogTestBase):
                     msg["Authentication"]["serviceDescription"] == "LDAP" and
                     (msg["Authentication"]["status"] ==
                         "NT_STATUS_WRONG_PASSWORD") and
-                    msg["Authentication"]["authDescription"] == "simple bind")
+                    (msg["Authentication"]["authDescription"] ==
+                        "simple bind") and
+                    (msg["Authentication"]["eventId"] ==
+                        EVT_ID_UNSUCCESSFUL_LOGON))
 
         creds = self.insta_creds(template=self.get_credentials())
         creds.set_password("badPassword")
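Review bot: Folding the `eventId` comparison into `isLastExpectedMessage` means a wrong or missing event id shows up as the expected message never arriving, rather than as a failed eventId assertion. The failure is presumably a wait timeout or a message-count mismatch, but the wait helper is outside the hunk. Keeping the predicate on the fields that identify the message and checking the id afterwards on the received message, e.g. `self.assertEquals(EVT_ID_UNSUCCESSFUL_LOGON, msg["Authentication"]["eventId"])`, would give a direct failure. The same pattern is used in the later predicate hunks of auth_log.py and in auth_log_netlogon_bad_creds.py, auth_log_pass_change.py and auth_log_samlogon.py. The enclosing test method starts and ends outside the hunk.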
@@ -539,7 +568,10 @@ class AuthLogTests(samba.tests.auth_log_base.AuthLogTestBase):
                     msg["Authentication"]["serviceDescription"] == "LDAP" and
                     (msg["Authentication"]["status"] ==
                         "NT_STATUS_NO_SUCH_USER") and
-                    msg["Authentication"]["authDescription"] == "simple bind")
+                    (msg["Authentication"]["authDescription"] ==
+                        "simple bind") and
+                    (msg["Authentication"]["eventId"] ==
+                        EVT_ID_UNSUCCESSFUL_LOGON))
 
         creds = self.insta_creds(template=self.get_credentials())
         creds.set_bind_dn("%s\\%s" % (creds.get_domain(), "badUser"))
@@ -564,7 +596,10 @@ class AuthLogTests(samba.tests.auth_log_base.AuthLogTestBase):
                     msg["Authentication"]["serviceDescription"] == "LDAP" and
                     (msg["Authentication"]["status"] ==
                         "NT_STATUS_NO_SUCH_USER") and
-                    msg["Authentication"]["authDescription"] == "simple bind")
+                    (msg["Authentication"]["authDescription"] ==
+                        "simple bind") and
+                    (msg["Authentication"]["eventId"] ==
+                        EVT_ID_UNSUCCESSFUL_LOGON))
 
         creds = self.insta_creds(template=self.get_credentials())
         creds.set_bind_dn("%s\\%s" % (creds.get_domain(), "abdcef"))
@@ -656,6 +691,8 @@ class AuthLogTests(samba.tests.auth_log_base.AuthLogTestBase):
                           msg["Authentication"]["serviceDescription"])
         self.assertEquals("ENC-TS Pre-authentication",
                           msg["Authentication"]["authDescription"])
+        self.assertEquals(EVT_ID_SUCCESSFUL_LOGON,
+                          msg["Authentication"]["eventId"])
 
         # Check the second message it should be an Authentication
         msg = messages[1]
@@ -665,6 +702,8 @@ class AuthLogTests(samba.tests.auth_log_base.AuthLogTestBase):
                           msg["Authentication"]["serviceDescription"])
         self.assertEquals("ENC-TS Pre-authentication",
                           msg["Authentication"]["authDescription"])
+        self.assertEquals(EVT_ID_SUCCESSFUL_LOGON,
+                          msg["Authentication"]["eventId"])
 
     def test_smb_bad_password(self):
         def isLastExpectedMessage(msg):
@@ -702,7 +741,9 @@ class AuthLogTests(samba.tests.auth_log_base.AuthLogTestBase):
                     (msg["Authentication"]["status"] ==
                         "NT_STATUS_NO_SUCH_USER") and
                     (msg["Authentication"]["authDescription"] ==
-                        "ENC-TS Pre-authentication"))
+                        "ENC-TS Pre-authentication") and
+                    (msg["Authentication"]["eventId"] ==
+                        EVT_ID_UNSUCCESSFUL_LOGON))
 
         creds = self.insta_creds(template=self.get_credentials())
         creds.set_username("badUser")
@@ -752,6 +793,8 @@ class AuthLogTests(samba.tests.auth_log_base.AuthLogTestBase):
                           msg["Authentication"]["authDescription"])
         self.assertEquals("No-Password",
                           msg["Authentication"]["passwordType"])
+        self.assertEquals(EVT_ID_UNSUCCESSFUL_LOGON,
+                          msg["Authentication"]["eventId"])
 
         # Check the second message it should be an Authentication
         msg = messages[1]
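Review bot: The first message of this anonymous session is pinned to EVT_ID_UNSUCCESSFUL_LOGON, and only the second message (next hunk, `becameAccount` "ANONYMOUS LOGON") is a successful logon, but nothing here says why a failure record precedes the success. A short comment above the assertion would help, e.g. `# the initial No-Password attempt is logged as a failed logon before the ANONYMOUS LOGON succeeds`, with the wording confirmed against the status asserted just above the hunk. It matters to log consumers because each anonymous session will also add a failed-logon record. The hunk at -797 in test_smb2_anonymous has the same pair of assertions, and the enclosing test method starts outside this hunk.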
@@ -766,6 +809,8 @@ class AuthLogTests(samba.tests.auth_log_base.AuthLogTestBase):
                           msg["Authentication"]["passwordType"])
         self.assertEquals("ANONYMOUS LOGON",
                           msg["Authentication"]["becameAccount"])
+        self.assertEquals(EVT_ID_SUCCESSFUL_LOGON,
+                          msg["Authentication"]["eventId"])
 
     def test_smb2_anonymous(self):
         def isLastExpectedMessage(msg):
@@ -797,6 +842,8 @@ class AuthLogTests(samba.tests.auth_log_base.AuthLogTestBase):
                           msg["Authentication"]["authDescription"])
         self.assertEquals("No-Password",
                           msg["Authentication"]["passwordType"])
+        self.assertEquals(EVT_ID_UNSUCCESSFUL_LOGON,
+                          msg["Authentication"]["eventId"])
 
         # Check the second message it should be an Authentication
         msg = messages[1]
@@ -811,6 +858,8 @@ class AuthLogTests(samba.tests.auth_log_base.AuthLogTestBase):
                           msg["Authentication"]["passwordType"])
         self.assertEquals("ANONYMOUS LOGON",
                           msg["Authentication"]["becameAccount"])
+        self.assertEquals(EVT_ID_SUCCESSFUL_LOGON,
+                          msg["Authentication"]["eventId"])
 
     def test_smb_no_krb_spnego(self):
         def isLastExpectedMessage(msg):
@@ -840,6 +889,8 @@ class AuthLogTests(samba.tests.auth_log_base.AuthLogTestBase):
                           msg["Authentication"]["authDescription"])
         self.assertEquals("NTLMv2",
                           msg["Authentication"]["passwordType"])
+        self.assertEquals(EVT_ID_SUCCESSFUL_LOGON,
+                          msg["Authentication"]["eventId"])
 
     def test_smb_no_krb_spnego_bad_password(self):
         def isLastExpectedMessage(msg):
@@ -848,7 +899,9 @@ class AuthLogTests(samba.tests.auth_log_base.AuthLogTestBase):
                     msg["Authentication"]["authDescription"] == "NTLMSSP" and
                     msg["Authentication"]["passwordType"] == "NTLMv2" and
                     (msg["Authentication"]["status"] ==
-                        "NT_STATUS_WRONG_PASSWORD"))
+                        "NT_STATUS_WRONG_PASSWORD") and
+                    (msg["Authentication"]["eventId"] ==
+                        EVT_ID_UNSUCCESSFUL_LOGON))
 
         creds = self.insta_creds(template=self.get_credentials(),
                                  kerberos_state=DONT_USE_KERBEROS)
@@ -876,7 +929,9 @@ class AuthLogTests(samba.tests.auth_log_base.AuthLogTestBase):
                     msg["Authentication"]["authDescription"] == "NTLMSSP" and
                     msg["Authentication"]["passwordType"] == "NTLMv2" and
                     (msg["Authentication"]["status"] ==
-                        "NT_STATUS_NO_SUCH_USER"))
+                        "NT_STATUS_NO_SUCH_USER") and
+                    (msg["Authentication"]["eventId"] ==
+                        EVT_ID_UNSUCCESSFUL_LOGON))
 
         creds = self.insta_creds(template=self.get_credentials(),
                                  kerberos_state=DONT_USE_KERBEROS)
@@ -927,6 +982,8 @@ class AuthLogTests(samba.tests.auth_log_base.AuthLogTestBase):
                           msg["Authentication"]["authDescription"])
         self.assertEquals("NTLMv1",
                           msg["Authentication"]["passwordType"])
+        self.assertEquals(EVT_ID_SUCCESSFUL_LOGON,
+                          msg["Authentication"]["eventId"])
 
     def test_smb_no_krb_no_spnego_no_ntlmv2_bad_password(self):
         def isLastExpectedMessage(msg):
@@ -935,7 +992,9 @@ class AuthLogTests(samba.tests.auth_log_base.AuthLogTestBase):
                     msg["Authentication"]["authDescription"] == "bare-NTLM" and
                     msg["Authentication"]["passwordType"] == "NTLMv1" and
                     (msg["Authentication"]["status"] ==
-                        "NT_STATUS_WRONG_PASSWORD"))
+                        "NT_STATUS_WRONG_PASSWORD") and
+                    (msg["Authentication"]["eventId"] ==
+                        EVT_ID_UNSUCCESSFUL_LOGON))
 
         creds = self.insta_creds(template=self.get_credentials(),
                                  kerberos_state=DONT_USE_KERBEROS)
@@ -965,7 +1024,9 @@ class AuthLogTests(samba.tests.auth_log_base.AuthLogTestBase):
                     msg["Authentication"]["authDescription"] == "bare-NTLM" and
                     msg["Authentication"]["passwordType"] == "NTLMv1" and
                     (msg["Authentication"]["status"] ==
-                        "NT_STATUS_NO_SUCH_USER"))
+                        "NT_STATUS_NO_SUCH_USER") and
+                    (msg["Authentication"]["eventId"] ==
+                        EVT_ID_UNSUCCESSFUL_LOGON))
 
         creds = self.insta_creds(template=self.get_credentials(),
                                  kerberos_state=DONT_USE_KERBEROS)
@@ -1000,7 +1061,9 @@ class AuthLogTests(samba.tests.auth_log_base.AuthLogTestBase):
                         "interactive") and
                     msg["Authentication"]["status"] == "NT_STATUS_OK" and
                     (msg["Authentication"]["workstation"] ==
-                        r"\\%s" % workstation))
+                        r"\\%s" % workstation) and
+                    (msg["Authentication"]["eventId"] ==
+                        EVT_ID_SUCCESSFUL_LOGON))
 
         server   = os.environ["SERVER"]
         user     = os.environ["USERNAME"]
@@ -1029,7 +1092,9 @@ class AuthLogTests(samba.tests.auth_log_base.AuthLogTestBase):
                     (msg["Authentication"]["status"] ==
                         "NT_STATUS_WRONG_PASSWORD") and
                     (msg["Authentication"]["workstation"] ==
-                        r"\\%s" % workstation))
+                        r"\\%s" % workstation) and
+                    (msg["Authentication"]["eventId"] ==
+                        EVT_ID_UNSUCCESSFUL_LOGON))
 
         server   = os.environ["SERVER"]
         user     = os.environ["USERNAME"]
@@ -1058,7 +1123,9 @@ class AuthLogTests(samba.tests.auth_log_base.AuthLogTestBase):
                     (msg["Authentication"]["status"] ==
                         "NT_STATUS_NO_SUCH_USER") and
                     (msg["Authentication"]["workstation"] ==
-                        r"\\%s" % workstation))
+                        r"\\%s" % workstation) and
+                    (msg["Authentication"]["eventId"] ==
+                        EVT_ID_UNSUCCESSFUL_LOGON))
 
         server   = os.environ["SERVER"]
         user     = "badUser"
@@ -1085,7 +1152,9 @@ class AuthLogTests(samba.tests.auth_log_base.AuthLogTestBase):
                     msg["Authentication"]["authDescription"] == "network" and
                     msg["Authentication"]["status"] == "NT_STATUS_OK" and
                     (msg["Authentication"]["workstation"] ==
-                        r"\\%s" % workstation))
+                        r"\\%s" % workstation) and
+                    (msg["Authentication"]["eventId"] ==
+                        EVT_ID_SUCCESSFUL_LOGON))
 
         server   = os.environ["SERVER"]
         user     = os.environ["USERNAME"]
@@ -1113,7 +1182,9 @@ class AuthLogTests(samba.tests.auth_log_base.AuthLogTestBase):
                     (msg["Authentication"]["status"] ==
                         "NT_STATUS_WRONG_PASSWORD") and
                     (msg["Authentication"]["workstation"] ==
-                        r"\\%s" % workstation))
+                        r"\\%s" % workstation) and
+                    (msg["Authentication"]["eventId"] ==
+                        EVT_ID_UNSUCCESSFUL_LOGON))
 
         server   = os.environ["SERVER"]
         user     = os.environ["USERNAME"]
@@ -1141,7 +1212,9 @@ class AuthLogTests(samba.tests.auth_log_base.AuthLogTestBase):
                     (msg["Authentication"]["status"] ==
                         "NT_STATUS_NO_SUCH_USER") and
                     (msg["Authentication"]["workstation"] ==
-                        r"\\%s" % workstation))
+                        r"\\%s" % workstation) and
+                    (msg["Authentication"]["eventId"] ==
+                        EVT_ID_UNSUCCESSFUL_LOGON))
 
         server   = os.environ["SERVER"]
         user     = "badUser"
@@ -1169,7 +1242,9 @@ class AuthLogTests(samba.tests.auth_log_base.AuthLogTestBase):
                     (msg["Authentication"]["status"] == "NT_STATUS_OK") and
                     (msg["Authentication"]["passwordType"] == "MSCHAPv2") and
                     (msg["Authentication"]["workstation"] ==
-                        r"\\%s" % workstation))
+                        r"\\%s" % workstation) and
+                    (msg["Authentication"]["eventId"] ==
+                        EVT_ID_SUCCESSFUL_LOGON))
 
         server   = os.environ["SERVER"]
         user     = os.environ["USERNAME"]
@@ -1199,7 +1274,9 @@ class AuthLogTests(samba.tests.auth_log_base.AuthLogTestBase):
                         "NT_STATUS_WRONG_PASSWORD") and
                     (msg["Authentication"]["passwordType"] == "MSCHAPv2") and
                     (msg["Authentication"]["workstation"] ==
-                        r"\\%s" % workstation))
+                        r"\\%s" % workstation) and
+                    (msg["Authentication"]["eventId"] ==
+                        EVT_ID_UNSUCCESSFUL_LOGON))
 
         server   = os.environ["SERVER"]
         user     = os.environ["USERNAME"]
@@ -1229,7 +1306,9 @@ class AuthLogTests(samba.tests.auth_log_base.AuthLogTestBase):
                         "NT_STATUS_NO_SUCH_USER") and
                     (msg["Authentication"]["passwordType"] == "MSCHAPv2") and
                     (msg["Authentication"]["workstation"] ==
-                        r"\\%s" % workstation))
+                        r"\\%s" % workstation) and
+                    (msg["Authentication"]["eventId"] ==
+                        EVT_ID_UNSUCCESSFUL_LOGON))
 
         server   = os.environ["SERVER"]
         user     = "badUser"
@@ -1257,7 +1336,9 @@ class AuthLogTests(samba.tests.auth_log_base.AuthLogTestBase):
                     (msg["Authentication"]["authDescription"] == "network") and
                     (msg["Authentication"]["status"] == "NT_STATUS_OK") and
                     (msg["Authentication"]["workstation"] ==
-                        r"\\%s" % workstation))
+                        r"\\%s" % workstation) and
+                    (msg["Authentication"]["eventId"] ==
+                        EVT_ID_SUCCESSFUL_LOGON))
 
         server   = os.environ["SERVER"]
         user     = os.environ["USERNAME"]
@@ -1295,7 +1376,9 @@ class AuthLogTests(samba.tests.auth_log_base.AuthLogTestBase):
                     (msg["Authentication"]["authDescription"] == "network") and
                     (msg["Authentication"]["status"] == "NT_STATUS_OK") and
                     (msg["Authentication"]["workstation"] ==
-                        r"\\%s" % workstation))
+                        r"\\%s" % workstation) and
+                    (msg["Authentication"]["eventId"] ==
+                        EVT_ID_SUCCESSFUL_LOGON))
 
         server   = os.environ["SERVER"]
         user     = os.environ["USERNAME"]
index 849cee7a40993c2dbeaa8dd3ecf6fa0f38462701..7d6e3a1372837fa1b9c31864bd08b3622fab57f6 100644 (file)
@@ -23,6 +23,7 @@ from samba.credentials import DONT_USE_KERBEROS
 from samba.dcerpc.dcerpc import AS_SYSTEM_MAGIC_PATH_TOKEN
 from samba.dcerpc import samr
 import samba.tests.auth_log_base
+from samba.dcerpc.windows_event_ids import EVT_ID_SUCCESSFUL_LOGON
 
 
 class AuthLogTestsNcalrpc(samba.tests.auth_log_base.AuthLogTestBase):
@@ -75,6 +76,8 @@ class AuthLogTestsNcalrpc(samba.tests.auth_log_base.AuthLogTestBase):
                           msg["Authentication"]["serviceDescription"])
         self.assertEquals(authTypes[2],
                           msg["Authentication"]["authDescription"])
+        self.assertEquals(EVT_ID_SUCCESSFUL_LOGON,
+                          msg["Authentication"]["eventId"])
 
     def test_ncalrpc_ntlm_dns_sign(self):
 
index 5d47d22f57adeb117c259427b27d74521ac4cea8..23c9442b73a53000f08351e51c55af6294c48b04 100644 (file)
@@ -36,6 +36,7 @@ from samba.tests import delete_force
 from samba.dsdb import UF_WORKSTATION_TRUST_ACCOUNT, UF_PASSWD_NOTREQD
 from samba.dcerpc.misc import SEC_CHAN_WKSTA
 from samba.compat import text_type
+from samba.dcerpc.windows_event_ids import EVT_ID_SUCCESSFUL_LOGON
 
 
 class AuthLogTestsNetLogon(samba.tests.auth_log_base.AuthLogTestBase):
@@ -126,6 +127,8 @@ class AuthLogTestsNetLogon(samba.tests.auth_log_base.AuthLogTestBase):
                           msg["Authentication"]["status"])
         self.assertEquals("HMAC-SHA256",
                           msg["Authentication"]["passwordType"])
+        self.assertEquals(EVT_ID_SUCCESSFUL_LOGON,
+                          msg["Authentication"]["eventId"])
 
     def test_netlogon(self):
         self._test_netlogon("SEAL", self.netlogon_check)
index d850bd1c1b4f881212597a3d2c8ade0e7ff63ab5..73e3555fbafa6fc3d0190a202c2b5f94e4aad793 100644 (file)
@@ -38,6 +38,7 @@ from samba.dsdb import UF_WORKSTATION_TRUST_ACCOUNT, UF_PASSWD_NOTREQD
 from samba.dcerpc.misc import SEC_CHAN_WKSTA
 from samba.dcerpc.netlogon import NETLOGON_NEG_STRONG_KEYS
 from samba.compat import get_string
+from samba.dcerpc.windows_event_ids import EVT_ID_UNSUCCESSFUL_LOGON
 
 
 class AuthLogTestsNetLogonBadCreds(samba.tests.auth_log_base.AuthLogTestBase):
@@ -74,7 +75,7 @@ class AuthLogTestsNetLogonBadCreds(samba.tests.auth_log_base.AuthLogTestBase):
         super(AuthLogTestsNetLogonBadCreds, self).tearDown()
         delete_force(self.ldb, self.dn)
 
-    def _test_netlogon(self, name, pwd, status, checkFunction):
+    def _test_netlogon(self, name, pwd, status, checkFunction, event_id):
 
         def isLastExpectedMessage(msg):
             return (
@@ -82,7 +83,8 @@ class AuthLogTestsNetLogonBadCreds(samba.tests.auth_log_base.AuthLogTestBase):
                 msg["Authentication"]["serviceDescription"] == "NETLOGON" and
                 msg["Authentication"]["authDescription"] ==
                 "ServerAuthenticate" and
-                msg["Authentication"]["status"] == status)
+                msg["Authentication"]["status"] == status and
+                msg["Authentication"]["eventId"] == event_id)
 
         machine_creds = Credentials()
         machine_creds.guess(self.get_loadparm())
@@ -121,13 +123,15 @@ class AuthLogTestsNetLogonBadCreds(samba.tests.auth_log_base.AuthLogTestBase):
         self._test_netlogon("bad_name",
                             self.machinepass,
                             "NT_STATUS_NO_TRUST_SAM_ACCOUNT",
-                            self.netlogon_check)
+                            self.netlogon_check,
+                            EVT_ID_UNSUCCESSFUL_LOGON)
 
     def test_netlogon_bad_password(self):
         self._test_netlogon(self.netbios_name,
                             "badpass",
                             "NT_STATUS_ACCESS_DENIED",
-                            self.netlogon_check)
+                            self.netlogon_check,
+                            EVT_ID_UNSUCCESSFUL_LOGON)
 
     def test_netlogon_password_DES(self):
         """Logon failure that exercises the "DES" passwordType path.
@@ -138,7 +142,8 @@ class AuthLogTestsNetLogonBadCreds(samba.tests.auth_log_base.AuthLogTestBase):
                 msg["Authentication"]["serviceDescription"] == "NETLOGON" and
                 msg["Authentication"]["authDescription"] ==
                 "ServerAuthenticate" and
-                msg["Authentication"]["passwordType"] == "DES")
+                msg["Authentication"]["passwordType"] == "DES" and
+                msg["Authentication"]["eventId"] == EVT_ID_UNSUCCESSFUL_LOGON)
 
         c = netlogon.netlogon("ncalrpc:[schannel]", self.get_loadparm())
         creds = netlogon.netr_Credential()
@@ -163,7 +168,9 @@ class AuthLogTestsNetLogonBadCreds(samba.tests.auth_log_base.AuthLogTestBase):
                 msg["Authentication"]["serviceDescription"] == "NETLOGON" and
                 msg["Authentication"]["authDescription"] ==
                 "ServerAuthenticate" and
-                msg["Authentication"]["passwordType"] == "HMAC-MD5")
+                msg["Authentication"]["passwordType"] == "HMAC-MD5" and
+                msg["Authentication"]["eventId"] == EVT_ID_UNSUCCESSFUL_LOGON)
+
         c = netlogon.netlogon("ncalrpc:[schannel]", self.get_loadparm())
         creds = netlogon.netr_Credential()
         c.netr_ServerReqChallenge(self.server, self.netbios_name, creds)
index a6b3868fa045a31b578b344ace15daab58f1341c..f99d9d86f39737bed858ebb8ba884c5d2836d98e 100644 (file)
@@ -30,6 +30,10 @@ import samba
 from subprocess import call
 from ldb import LdbError
 from samba.tests.password_test import PasswordCommon
+from samba.dcerpc.windows_event_ids import (
+    EVT_ID_SUCCESSFUL_LOGON,
+    EVT_ID_UNSUCCESSFUL_LOGON
+)
 
 USER_NAME = "authlogtestuser"
 USER_PASS = samba.generate_random_password(32, 32)
@@ -81,7 +85,9 @@ class AuthLogPassChangeTests(samba.tests.auth_log_base.AuthLogTestBase):
                     (msg["Authentication"]["serviceDescription"] ==
                         "SAMR Password Change") and
                     (msg["Authentication"]["authDescription"] ==
-                        "samr_ChangePasswordUser3"))
+                        "samr_ChangePasswordUser3") and
+                    (msg["Authentication"]["eventId"] ==
+                        EVT_ID_SUCCESSFUL_LOGON))
 
         creds = self.insta_creds(template=self.get_credentials())
 
@@ -107,7 +113,9 @@ class AuthLogPassChangeTests(samba.tests.auth_log_base.AuthLogTestBase):
                     (msg["Authentication"]["serviceDescription"] ==
                         "SAMR Password Change") and
                     (msg["Authentication"]["authDescription"] ==
-                        "samr_ChangePasswordUser3"))
+                        "samr_ChangePasswordUser3") and
+                    (msg["Authentication"]["eventId"] ==
+                        EVT_ID_UNSUCCESSFUL_LOGON))
 
         creds = self.insta_creds(template=self.get_credentials())
 
@@ -138,7 +146,9 @@ class AuthLogPassChangeTests(samba.tests.auth_log_base.AuthLogTestBase):
                     (msg["Authentication"]["serviceDescription"] ==
                         "SAMR Password Change") and
                     (msg["Authentication"]["authDescription"] ==
-                        "samr_ChangePasswordUser3"))
+                        "samr_ChangePasswordUser3") and
+                    (msg["Authentication"]["eventId"] ==
+                        EVT_ID_UNSUCCESSFUL_LOGON))
 
         creds = self.insta_creds(template=self.get_credentials())
 
@@ -169,7 +179,9 @@ class AuthLogPassChangeTests(samba.tests.auth_log_base.AuthLogTestBase):
                     (msg["Authentication"]["serviceDescription"] ==
                         "SAMR Password Change") and
                     (msg["Authentication"]["authDescription"] ==
-                        "samr_ChangePasswordUser3"))
+                        "samr_ChangePasswordUser3") and
+                    (msg["Authentication"]["eventId"] ==
+                        EVT_ID_UNSUCCESSFUL_LOGON))
 
         creds = self.insta_creds(template=self.get_credentials())
 
@@ -204,7 +216,9 @@ class AuthLogPassChangeTests(samba.tests.auth_log_base.AuthLogTestBase):
                     (msg["Authentication"]["status"] ==
                         "NT_STATUS_WRONG_PASSWORD") and
                     (msg["Authentication"]["authDescription"] ==
-                        "OemChangePasswordUser2"))
+                        "OemChangePasswordUser2") and
+                    (msg["Authentication"]["eventId"] ==
+                        EVT_ID_UNSUCCESSFUL_LOGON))
 
         username = os.environ["USERNAME"]
         server = os.environ["SERVER"]
@@ -227,7 +241,9 @@ class AuthLogPassChangeTests(samba.tests.auth_log_base.AuthLogTestBase):
                     (msg["Authentication"]["serviceDescription"] ==
                         "LDAP Password Change") and
                     (msg["Authentication"]["authDescription"] ==
-                        "LDAP Modify"))
+                        "LDAP Modify") and
+                    (msg["Authentication"]["eventId"] ==
+                        EVT_ID_SUCCESSFUL_LOGON))
 
         new_password = samba.generate_random_password(32, 32)
         self.ldb.modify_ldif(
@@ -282,7 +298,9 @@ class AuthLogPassChangeTests(samba.tests.auth_log_base.AuthLogTestBase):
                     (msg["Authentication"]["serviceDescription"] ==
                         "LDAP Password Change") and
                     (msg["Authentication"]["authDescription"] ==
-                        "LDAP Modify"))
+                        "LDAP Modify") and
+                    (msg["Authentication"]["eventId"] ==
+                        EVT_ID_UNSUCCESSFUL_LOGON))
 
         new_password = samba.generate_random_password(32, 32)
         try:
index 00e105c991a5d362e7983a23b492f4837e19b430..8abdc8dac0b29c23e35241454e8c415901b95698 100644 (file)
@@ -36,6 +36,7 @@ from samba.tests import delete_force
 from samba.dsdb import UF_WORKSTATION_TRUST_ACCOUNT, UF_PASSWD_NOTREQD
 from samba.dcerpc.misc import SEC_CHAN_WKSTA
 from samba.compat import text_type
+from samba.dcerpc.windows_event_ids import EVT_ID_SUCCESSFUL_LOGON
 
 
 class AuthLogTestsSamLogon(samba.tests.auth_log_base.AuthLogTestBase):
@@ -70,7 +71,8 @@ class AuthLogTestsSamLogon(samba.tests.auth_log_base.AuthLogTestBase):
                 msg["type"] == "Authentication" and
                 msg["Authentication"]["serviceDescription"]  == "SamLogon" and
                 msg["Authentication"]["authDescription"]     == "network" and
-                msg["Authentication"]["passwordType"]        == "NTLMv2")
+                msg["Authentication"]["passwordType"]        == "NTLMv2" and
+                msg["Authentication"]["eventId"] == EVT_ID_SUCCESSFUL_LOGON)
 
         if binding:
             binding = "[schannel,%s]" % binding