source4 netlogon: Add authentication logging for ServerAuthenticate3
authorGary Lockyer <gary@catalyst.net.nz>
Sun, 9 Jul 2017 19:48:08 +0000 (07:48 +1200)
committerAndrew Bartlett <abartlet@samba.org>
Mon, 24 Jul 2017 21:29:23 +0000 (23:29 +0200)
Log NETLOGON authentication activity by instrumenting the
netr_ServerAuthenticate3 processing.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12865

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
auth/auth_log.c
selftest/knownfail.d/auth-logging [deleted file]
source4/rpc_server/netlogon/dcerpc_netlogon.c

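--- a/auth/auth_log.c
+++ b/auth/auth_log.c
@@ -639,6 +639,18 @@ static const char* get_password_type(const struct auth_usersupplied_info *ui)
 
        if (ui->password_type != NULL) {
                password_type = ui->password_type;
+       } else if (ui->auth_description != NULL &&
+                  strncmp("ServerAuthenticate", ui->auth_description, 18) == 0)
+       {
+               if (ui->netlogon_trust_account.negotiate_flags
+                   & NETLOGON_NEG_SUPPORTS_AES) {
+                       password_type = "HMAC-SHA256";
+               } else if (ui->netlogon_trust_account.negotiate_flags
+                          & NETLOGON_NEG_STRONG_KEYS) {
+                       password_type = "HMAC-MD5";
+               } else {
+                       password_type = "DES";
+               }
        } else if (ui->password_state == AUTH_PASSWORD_RESPONSE &&
                   (ui->logon_parameters & MSV1_0_ALLOW_MSVCHAPV2) &&
                   ui->password.response.nt.length == 24) {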
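Review bot: The prefix length `18` in `strncmp("ServerAuthenticate", ui->auth_description, 18)` is a magic number that silently desynchronises if the literal is ever edited; `strncmp("ServerAuthenticate", ui->auth_description, strlen("ServerAuthenticate")) == 0` (or a named constant shared with the string) ties the length to the text. Because this is a prefix match it classifies any description starting with "ServerAuthenticate" the same way, which looks intended but deserves a one-line comment such as `/* prefix match: covers every ServerAuthenticate* description */`. The three-way mapping is useful for defenders, since an event labelled "DES" identifies a client that negotiated neither AES nor strong keys; a short comment saying so next to the final `else` would make the intent explicit. The enclosing `get_password_type()` starts before and ends after this hunk.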
diff --git a/selftest/knownfail.d/auth-logging b/selftest/knownfail.d/auth-logging
deleted file mode 100644 (file)
index 1f3532d..0000000
+++ /dev/null
@@ -1,8 +0,0 @@
-# NETLOGON authentication logging tests, currently fail as the
-# code has not been implemented
-^samba.tests.auth_log_netlogon_bad_creds.samba.tests.auth_log_netlogon_bad_creds.AuthLogTestsNetLogonBadCreds.test_netlogon_bad_password\(ad_dc_ntvfs:local\)
-^samba.tests.auth_log_netlogon_bad_creds.samba.tests.auth_log_netlogon_bad_creds.AuthLogTestsNetLogonBadCreds.test_netlogon_bad_machine_name\(ad_dc_ntvfs:local\)
-^samba.tests.auth_log_netlogon_bad_creds.samba.tests.auth_log_netlogon_bad_creds.AuthLogTestsNetLogonBadCreds.test_netlogon_bad_password\(ad_dc:local\)
-^samba.tests.auth_log_netlogon_bad_creds.samba.tests.auth_log_netlogon_bad_creds.AuthLogTestsNetLogonBadCreds.test_netlogon_bad_machine_name\(ad_dc:local\)
-^samba.tests.auth_log_netlogon.samba.tests.auth_log_netlogon.AuthLogTestsNetLogon.test_netlogon\(ad_dc_ntvfs:local\)
-^samba.tests.auth_log_netlogon.samba.tests.auth_log_netlogon.AuthLogTestsNetLogon.test_netlogon\(ad_dc:local\)
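--- a/source4/rpc_server/netlogon/dcerpc_netlogon.c
+++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c
@@ -105,8 +105,15 @@ static NTSTATUS dcesrv_netr_ServerReqChallenge(struct dcesrv_call_state *dce_cal
        return NT_STATUS_OK;
 }
 
-static NTSTATUS dcesrv_netr_ServerAuthenticate3(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
-                                        struct netr_ServerAuthenticate3 *r)
+/*
+ * Do the actual processing of a netr_ServerAuthenticate3 message.
+ * called from dcesrv_netr_ServerAuthenticate3, which handles the logging.
+ */
+static NTSTATUS dcesrv_netr_ServerAuthenticate3_helper(
+       struct dcesrv_call_state *dce_call,
+        TALLOC_CTX *mem_ctx,
+       struct netr_ServerAuthenticate3 *r,
+       struct dom_sid **sid)
 {
        struct netlogon_server_pipe_state *pipe_state =
                talloc_get_type(dce_call->context->private_data, struct netlogon_server_pipe_state);
@@ -469,36 +476,11 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3(struct dcesrv_call_state *dce_ca
                                                   negotiate_flags);
        }
 
-       {
-               char* local  = NULL;
-               char* remote = NULL;
-               TALLOC_CTX *frame = talloc_stackframe();
-
-               remote = tsocket_address_string(dce_call->conn->remote_address,
-                                               frame);
-               local  = tsocket_address_string(dce_call->conn->local_address,
-                                               frame);
-               if (creds == NULL) {
-                       DEBUG(2, ("Failed to authenticate NETLOGON "
-                                 "account[%s] workstation[%s] "
-                                 "remote[%s] local[%s]\n",
-                                 log_escape(frame, r->in.account_name),
-                                 log_escape(frame, r->in.computer_name),
-                                 remote, local));
-                       TALLOC_FREE(frame);
-                       return NT_STATUS_ACCESS_DENIED;
-               } else {
-                       DEBUG(3, ("Successful authenticate of NETLOGON "
-                                 "account[%s] workstation[%s] "
-                                 "remote[%s] local[%s]\n",
-                                 log_escape(frame, r->in.account_name),
-                                 log_escape(frame, r->in.computer_name),
-                                 remote, local));
-                       TALLOC_FREE(frame);
-               }
+       if (creds == NULL) {
+               return NT_STATUS_ACCESS_DENIED;
        }
-
        creds->sid = samdb_result_dom_sid(creds, msgs[0], "objectSid");
+       *sid = talloc_memdup(mem_ctx, creds->sid, sizeof(struct dom_sid));
 
        nt_status = schannel_save_creds_state(mem_ctx,
                                              dce_call->conn->dce_ctx->lp_ctx,
@@ -514,6 +496,54 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3(struct dcesrv_call_state *dce_ca
        return NT_STATUS_OK;
 }
 
+/*
+ * Log a netr_ServerAuthenticate3 request, and then invoke
+ * dcesrv_netr_ServerAuthenticate3_helper to perform the actual processing
+ */
+static NTSTATUS dcesrv_netr_ServerAuthenticate3(
+       struct dcesrv_call_state *dce_call,
+       TALLOC_CTX *mem_ctx,
+       struct netr_ServerAuthenticate3 *r)
+{
+       NTSTATUS status;
+       struct dom_sid *sid = NULL;
+       struct auth_usersupplied_info ui = {
+               .local_host = dce_call->conn->local_address,
+               .remote_host = dce_call->conn->remote_address,
+               .client = {
+                       .account_name = r->in.account_name,
+                       .domain_name = lpcfg_workgroup(dce_call->conn->dce_ctx->lp_ctx),
+               },
+               .service_description = "NETLOGON",
+               .auth_description = "ServerAuthenticate",
+               .netlogon_trust_account = {
+                       .computer_name = r->in.computer_name,
+                       .account_name = r->in.account_name,
+                       .negotiate_flags = *r->in.negotiate_flags,
+                       .secure_channel_type = r->in.secure_channel_type,
+               },
+               .mapped = {
+                       .account_name = r->in.account_name,
+               }
+       };
+
+       status = dcesrv_netr_ServerAuthenticate3_helper(dce_call,
+                                                       mem_ctx,
+                                                       r,
+                                                       &sid);
+       ui.netlogon_trust_account.sid = sid;
+       log_authentication_event(
+               dce_call->conn->msg_ctx,
+               dce_call->conn->dce_ctx->lp_ctx,
+               &ui,
+               status,
+               lpcfg_workgroup(dce_call->conn->dce_ctx->lp_ctx),
+               r->in.account_name,
+               NULL,
+               sid);
+
+       return status;
+}
 static NTSTATUS dcesrv_netr_ServerAuthenticate(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
                                        struct netr_ServerAuthenticate *r)
 {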
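Review bot: The `talloc_memdup()` result stored in `*sid` in the second hunk is never checked, so an allocation failure (and presumably a NULL `creds->sid` from `samdb_result_dom_sid()`, which I cannot confirm here) leaves `*sid` NULL while the helper still returns NT_STATUS_OK and the success event is logged without a SID; `if (*sid == NULL) { return NT_STATUS_NO_MEMORY; }` right after the copy, or at least a comment on the helper's `sid` parameter stating that it may be NULL on success, would make the contract explicit. The logged `.negotiate_flags` are copied from `*r->in.negotiate_flags` before the helper runs, and the helper appears to work with its own `negotiate_flags` (the `negotiate_flags);` context line), so if it narrows the client's proposal the event records the scheme the client asked for rather than the one agreed — worth stating in the comment above `dcesrv_netr_ServerAuthenticate3`, or filling the field from the post-call flags. Two style nits in the new code: the `TALLOC_CTX *mem_ctx,` parameter of the helper is indented one column deeper than its neighbours, and the closing `}` of the new `dcesrv_netr_ServerAuthenticate3` runs straight into `static NTSTATUS dcesrv_netr_ServerAuthenticate(` with no blank line between the two functions. The bodies of both the helper and the wrapper continue outside these hunks.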