[SCM] Samba Shared Repository - branch master updated
Andrew Bartlett
abartlet at samba.org
Wed Mar 29 04:36:03 UTC 2017
The branch, master has been updated
via 12cd7ab WHATSNEW: Add entry for auth audit
via 49f3a92 whitespace: auth_log_pass_change.py python conventions
via 81f8749 ldap_server: Move a variable into a smaller scope
via 49eb475 whitespace: auth_log.c C code conventions
via 3e0a08a whitespace: auth_log.py python conventions
via 67cd3e6 auth log: Add tests for anonymous bind and SamLogon
via 493d886 python: Add bindings for NTLMSSP
via 43f52fc pycredentials: Add bindings for get_ntlm_response()
via f160359 rpc_server: Re-order and rename remote and local address in np_open()
via 8aff845 ldap_server: Log failures to find a valid user in the simple bind
via 638b10a dsdb: Add authentication audit logging for LDAP password change
via 0088434 samr: Add logging of password change success and failure
via a70e944 auth log tests: password change tests
via f498ba7 heimdal: Pass extra information to hdb_auth_status() to log success and failures
via 7cbe1c8 s3-rpc_server: Provide hooks required for JSON message logging for the no-auth case
via e9611b4 s3-rpc_server: Re-order and rename remote and local address in make_external_rpc_pipe{,_p}()
via 7505ae0 s3-rpc_server: pass remote and local address to rpc_pipe_open_external
via 4c9d69f s4-ntvfs: Correct mixup between local/remote addresses
via 3d99831 s3-rpc_server: Rename client -> remote_client and server -> local_server
via 7bb21df s3-rpc_server: Re-order local and remote address in make_server_pipes_struct()
via 689e251 s3-named_pipe_auth: Rename client -> remote_client and server -> local_server
via 3b72863 s4-named_pipe_auth: Rename client -> remote_client and server -> local_server
via 68200d0 named_pipe_auth: Rename client -> remote_client and server -> local_server
via b661e81 selftest: Turn on auth event notification and so allow tests to pass
via d004196 auth: Add hooks for notification of authentication events over the message bus
via 631f1bc auth_log: Improve comment
via a70cde0 auth_log: Prepared to allow logging JSON events to a server over the message bus
via c008687 s4-messaging: split up messaging into a smaller library for send only
via 387eb18 auth_log: Add JSON logging of Authorisation and Authentications
via 366f8cf auth: Log the transport connection for the authorization
via f4a4522 ldap_server: Log access without a bind
via 9a96f90 auth_log: Split up auth/authz logging levels and handle anonymous better
via 2028b84 s3-rpc_server: Log authorization to DCE/RPC for anonymous and ncacn_np pass-through
via f6dd784 s4-rpc_server: Log authorization to DCE/RPC for anonymous and ncacn_np pass-through
via 70a115b ldap_server: Log authorization for simple binds
via 9ab02f8 s4-auth: Log SMB authorization for bare NTLM (NTLMSSP/krb5 already done)
via d017e2e s3-auth: Log SMB authorization for bare NTLM (NTLMSSP/krb5 already done)
via 0e50885 auth_log: Also log the final type of authentication (ntlmssp,krb5)
via 46a800f auth_log: Expand to include the type of password used (eg ntlmv2)
via 59ed188 dns: Provide local and remote socket address to GENSEC
via a0ab86d auth: Add logging of service authorization
via 3bc5685 rpc: Always supply both the remote and local address to the auth subsystem
via 85536c1 auth: Always supply both the remote and local address to the auth subsystem
via dc43000 s3-auth: Clarify the role and purpose of the auth_serversupplied_info->security_token
via 8154acf auth: Generate a human readable Authentication log message.
via 0db7719 debug: Add debug class for auth_audit
via 4a99143 s3-auth: Split out get_user_sid_info3_and_extra() from create_local_nt_token_from_info3()
via eacb5ae lib/util: Add functions to escape log lines but not break all non-ascii
via 6adcaf1 s4-rpc_server: Correct comment about where the current iface can be found
via d69187c winbindd: Clarify that we do not pre-hash the password for rpccli_netlogon_password_logon()
via ea3f00f auth: Add "auth_description" to allow logs to distinguish simple bind (etc)
via 5f5756d ldap_server: Move code into authenticate_ldap_simple_bind()
via 7609c57 auth: Add a reminder about the strings currently used for auditing
via 9ffdb84 s4-ldap_server: Do not set conn->session_info to NULL, keep valid at all times
via 1cca9d6 s4-ldap_server: Set remote and local address values into GENSEC
via 28e0c8d s4-ldap_server: Split gensec setup into a helper function
via c048918 auth: Fill in user_info->service_description from all callers
via 2235982 ntlm_auth: Set ntlm_auth as the service_description into gensec
via d82ac32 s3-auth: Pass service_description into gensec via auth_generic_prepare()
via af9d480 gensec: Pass service_description into auth_usersuppliedinfo during NTLMSSP
via 2d6066d gensec: Add gensec_{get,set}_target_service_description()
via 9e09e68 s4-netlogon: Remember many more details in the auth_usersupplied info for future logs
via eaa59ed s4-smbd: Remember the original client and server IPs from the SMB connection
via 3ee82de auth_log: Add tests by listening for JSON messages over the message bus
via 41f1da3 TestBase: move insta_creds from password_lockout.py
via 76692fa python net: add username, oldpassword and domain to change_password
via b57e3cf pysmb: Check for credentials using same method as pyrpc
via 6fcb61b pysmb: Extend py_smb_new to allow use_ntlmv2 and use_spnego to be set by callers
from 60e45a2 s3/smbd: make copy chunk asynchronous
https://git.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit 12cd7ab60a1d2cf891c061652fbcad6f8fed56d1
Author: Andrew Bartlett <abartlet at samba.org>
Date: Mon Mar 27 13:17:35 2017 +1300
WHATSNEW: Add entry for auth audit
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
Autobuild-Date(master): Wed Mar 29 06:35:12 CEST 2017 on sn-devel-144
commit 49f3a92cb3e23c2233c1a35b7adfc89e667b0420
Author: Garming Sam <garming at catalyst.net.nz>
Date: Fri Mar 24 13:52:58 2017 +1300
whitespace: auth_log_pass_change.py python conventions
Signed-off-by: Garming Sam <garming at catalyst.net.nz>
commit 81f874974e794e0e1699fd128c04f2edf1bed098
Author: Garming Sam <garming at catalyst.net.nz>
Date: Fri Mar 24 12:20:19 2017 +1300
ldap_server: Move a variable into a smaller scope
Signed-off-by: Garming Sam <garming at catalyst.net.nz>
commit 49eb47588f6c6b05c0beceb5a7412a21e564bd6b
Author: Garming Sam <garming at catalyst.net.nz>
Date: Fri Mar 24 11:33:51 2017 +1300
whitespace: auth_log.c C code conventions
Signed-off-by: Garming Sam <garming at catalyst.net.nz>
commit 3e0a08a3d1038b518247d370914aca28f0c33d71
Author: Garming Sam <garming at catalyst.net.nz>
Date: Fri Mar 24 10:51:05 2017 +1300
whitespace: auth_log.py python conventions
Signed-off-by: Garming Sam <garming at catalyst.net.nz>
commit 67cd3e6cbd37ff0c29a24bde22a61abe0bf6faa5
Author: Gary Lockyer <gary at catalyst.net.nz>
Date: Fri Mar 24 11:02:36 2017 +1300
auth log: Add tests for anonymous bind and SamLogon
Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
commit 493d886163e3691bf328953c6ae10de2ba7ee482
Author: Andrew Bartlett <abartlet at samba.org>
Date: Thu Mar 23 16:30:05 2017 +1300
python: Add bindings for NTLMSSP
This is helpful for building NTLMv2 packets in python for testing against the SamLogon server
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
commit 43f52fc425d8b59596a1f3917ac41a0631477393
Author: Andrew Bartlett <abartlet at samba.org>
Date: Wed Mar 22 16:40:40 2017 +1300
pycredentials: Add bindings for get_ntlm_response()
This should make testing of SamLogon from python practical
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
commit f1603598d6cf956ae9923191371d598288e14cc9
Author: Gary Lockyer <gary at catalyst.net.nz>
Date: Thu Mar 23 14:05:56 2017 +1300
rpc_server: Re-order and rename remote and local address in np_open()
We use this order and name consistently elsewhere.
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
commit 8aff845db8aa30cbd2f6a49f0195d35fc3f48209
Author: Gary Lockyer <gary at catalyst.net.nz>
Date: Thu Mar 23 12:39:25 2017 +1300
ldap_server: Log failures to find a valid user in the simple bind
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
commit 638b10adb057794209ddcd4984314aaaf563231c
Author: Andrew Bartlett <abartlet at samba.org>
Date: Fri Mar 17 15:58:17 2017 +1300
dsdb: Add authentication audit logging for LDAP password change
This ensures this particular vector is not forgotten
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
commit 008843463fb2f45ecd287b3c95b9a19b9c767290
Author: Andrew Bartlett <abartlet at samba.org>
Date: Fri Mar 17 13:26:13 2017 +1300
samr: Add logging of password change success and failure
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
commit a70e944c80cbacf6d2c323bc661ce1500251d5f1
Author: Gary Lockyer <gary at catalyst.net.nz>
Date: Tue Mar 21 09:59:45 2017 +1300
auth log tests: password change tests
Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
commit f498ba77df2313e78863e5f2706840c43e232a96
Author: Andrew Bartlett <abartlet at samba.org>
Date: Tue Feb 21 14:07:54 2017 +1300
heimdal: Pass extra information to hdb_auth_status() to log success and failures
We now pass on the original client name and the client address to allow
consistent audit logging in Samba across multiple protocols.
We use config->db[0] to find the first database to record incorrect
users.
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
commit 7cbe1c844ea359b6d5386b3986aa16152e975f3d
Author: Andrew Bartlett <abartlet at samba.org>
Date: Tue Mar 14 11:01:54 2017 +1300
s3-rpc_server: Provide hooks required for JSON message logging for the no-auth case
This is triggered in the ncacn_np pass-through case in particular
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
commit e9611b4bd0ab11184ee11f7d134ffd01633093f7
Author: Andrew Bartlett <abartlet at samba.org>
Date: Fri Mar 17 10:29:02 2017 +1300
s3-rpc_server: Re-order and rename remote and local address in make_external_rpc_pipe{,_p}()
We use this order and name consistently elsewhere.
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
commit 7505ae043d5d373d64ef52d385b5bf5310583459
Author: Andrew Bartlett <abartlet at samba.org>
Date: Fri Mar 17 10:26:03 2017 +1300
s3-rpc_server: pass remote and local address to rpc_pipe_open_external
We want the real client address here for audit purposes, if possible.
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
commit 4c9d69f82aa8b2cdb04c5bfe5684dcd1d7ed4cfb
Author: Gary Lockyer <gary at catalyst.net.nz>
Date: Fri Mar 10 12:43:42 2017 +1300
s4-ntvfs: Correct mixup between local/remote addresses
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Pair-Programmed-by: Gary Lockyer <gary at catalyst.net.nz>
Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
commit 3d99831ec9492d06f86eabae3439450b66007da8
Author: Gary Lockyer <gary at catalyst.net.nz>
Date: Fri Mar 10 12:13:24 2017 +1300
s3-rpc_server: Rename client -> remote_client and server -> local_server
This changes struct dcerpc_ncacn_conn
While these names may have been clear, much of Samba uses
remote_address and local_address, and this difference has hidden bugs.
By using both names we avoid a little of this.
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Pair-Programmed-by: Gary Lockyer <gary at catalyst.net.nz>
Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
commit 7bb21df258351ea29c82bc8a86e31b5c33b20755
Author: Gary Lockyer <gary at catalyst.net.nz>
Date: Fri Mar 10 12:38:33 2017 +1300
s3-rpc_server: Re-order local and remote address in make_server_pipes_struct()
The rest of the code uses remote before local, and this
often causes bugs
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Pair-Programmed-by: Gary Lockyer <gary at catalyst.net.nz>
Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
commit 689e251056699b20b0610c52ad4dd413f946fa63
Author: Gary Lockyer <gary at catalyst.net.nz>
Date: Fri Mar 10 12:33:06 2017 +1300
s3-named_pipe_auth: Rename client -> remote_client and server -> local_server
This brings the callers of named_pipe_auth in line with that subsystem.
Much of Samba uses remote_address and local_address, and this difference
has hidden bugs
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Pair-Programmed-by: Gary Lockyer <gary at catalyst.net.nz>
Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
commit 3b72863e001c290b5833b327e5fb9003c6311fc6
Author: Gary Lockyer <gary at catalyst.net.nz>
Date: Fri Mar 10 11:38:56 2017 +1300
s4-named_pipe_auth: Rename client -> remote_client and server -> local_server
This brings the callers of named_pipe_auth in line with that subsystem.
While these names may be better, the rest of Samba consistently uses
remote_address and local_address, and this difference has hidden bugs
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Pair-Programmed-by: Gary Lockyer <gary at catalyst.net.nz>
Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
commit 68200d0d88582d7122b1d441376956b2ebfa09d8
Author: Gary Lockyer <gary at catalyst.net.nz>
Date: Fri Mar 10 11:37:56 2017 +1300
named_pipe_auth: Rename client -> remote_client and server -> local_server
While these names may have been clear, much of Samba uses
remote_address and local_address, and this difference has hidden bugs.
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Pair-Programmed-by: Gary Lockyer <gary at catalyst.net.nz>
Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
commit b661e818b69e5314fa4184ef5dd5b10d5fa1653b
Author: Andrew Bartlett <abartlet at samba.org>
Date: Fri Mar 24 15:19:32 2017 +1300
selftest: Turn on auth event notification and so allow tests to pass
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
commit d0041960363c981224552d4ce7ac3092679ee2c6
Author: Andrew Bartlett <abartlet at samba.org>
Date: Fri Mar 24 15:18:46 2017 +1300
auth: Add hooks for notification of authentication events over the message bus
This will allow tests to be written to confirm the correct events are triggered.
We pass in a messaging context from the callers
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
commit 631f1bcce68062e1c8e653024999b79589a80eaf
Author: Andrew Bartlett <abartlet at samba.org>
Date: Fri Mar 24 15:16:34 2017 +1300
auth_log: Improve comment
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
commit a70cde046a925614978a75359425667fc6de5323
Author: Andrew Bartlett <abartlet at samba.org>
Date: Tue Mar 7 16:50:38 2017 +1300
auth_log: Prepared to allow logging JSON events to a server over the message bus
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Pair-Programmed-by: Gary Lockyer <gary at catalyst.net.nz>
Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
commit c008687ffbf18a3327dd4ad41ca5a9e01c30f9d1
Author: Andrew Bartlett <abartlet at samba.org>
Date: Fri Mar 24 15:11:35 2017 +1300
s4-messaging: split up messaging into a smaller library for send only
This will help avoid a dep loop when the low-level auth code relies on the message
code to deliver authentication messages
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
commit 387eb18a1ccdcea3040476efbc2769de40ccf86e
Author: Gary Lockyer <gary at catalyst.net.nz>
Date: Mon Mar 6 16:16:51 2017 +1300
auth_log: Add JSON logging of Authorisation and Authentications
Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
Pair-Programmed: Andrew Bartlett <abartlet at samba.org>
commit 366f8cf0903e3583fda42696df62a5337f22131f
Author: Andrew Bartlett <abartlet at samba.org>
Date: Mon Mar 6 14:10:17 2017 +1300
auth: Log the transport connection for the authorization
We also log if a simple bind was over TLS, as this particular case matters to a lot of folks
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
commit f4a4522d1f8c19fdf142e12760160b15de1557ec
Author: Andrew Bartlett <abartlet at samba.org>
Date: Fri Mar 3 12:53:06 2017 +1300
ldap_server: Log access without a bind
This can be over the privileged ldapi socket, or just as the implicit anonymous access
However, do not log for setting up StartTLS, or a rootDSE search.
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Pair-Programmed-by: Gary Lockyer <gary at catalyst.net.nz>
Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
commit 9a96f901f5e7369b33c839844d5a2286d4d44b6d
Author: Andrew Bartlett <abartlet at samba.org>
Date: Fri Mar 3 12:40:04 2017 +1300
auth_log: Split up auth/authz logging levels and handle anonymous better
We typically do not want a lot of logging of anonymous access, as this is often
simply a preparation for authenticated access, so we make that level 5.
Bad passwords remain at level 2, successful password authentication is level 3
and successful authorization (eg kerberos login to SMB) is level 4.
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Pair-Programmed-by: Gary Lockyer <gary at catalyst.net.nz>
Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
commit 2028b84c1647730a084e02a2ec04ac0d5efc628e
Author: Andrew Bartlett <abartlet at samba.org>
Date: Fri Mar 3 12:03:04 2017 +1300
s3-rpc_server: Log authorization to DCE/RPC for anonymous and ncacn_np pass-through
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Pair-Programmed-by: Gary Lockyer <gary at catalyst.net.nz>
Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
commit f6dd7848143553b259d5cb7685c2d0cc687e0a0c
Author: Andrew Bartlett <abartlet at samba.org>
Date: Fri Mar 3 11:49:43 2017 +1300
s4-rpc_server: Log authorization to DCE/RPC for anonymous and ncacn_np pass-through
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Pair-Programmed-by: Gary Lockyer <gary at catalyst.net.nz>
Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
commit 70a115b310a1d158c2596a5b0b810b83be460a6c
Author: Andrew Bartlett <abartlet at samba.org>
Date: Wed Mar 1 16:49:01 2017 +1300
ldap_server: Log authorization for simple binds
Existing comment is no longer relevant.
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Pair-Programmed-by: Gary Lockyer <gary at catalyst.net.nz>
Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
commit 9ab02f8088613dd0e0fba2e3d750187db9c30f5c
Author: Andrew Bartlett <abartlet at samba.org>
Date: Wed Mar 1 16:28:06 2017 +1300
s4-auth: Log SMB authorization for bare NTLM (NTLMSSP/krb5 already done)
gensec_session_info() is not called for bare NTLM, so we have to log manually
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Pair-Programmed-by: Gary Lockyer <gary at catalyst.net.nz>
Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
commit d017e2eb2a69b0f759e9ab912a0a5e8aaef5701d
Author: Andrew Bartlett <abartlet at samba.org>
Date: Wed Mar 1 16:27:51 2017 +1300
s3-auth: Log SMB authorization for bare NTLM (NTLMSSP/krb5 already done)
gensec_session_info() is not called for bare NTLM, so we have to log manually
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Pair-Programmed-by: Gary Lockyer <gary at catalyst.net.nz>
Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
commit 0e508853fcb6cc0e8ca2b6ff48d8b5468b339468
Author: Andrew Bartlett <abartlet at samba.org>
Date: Wed Mar 1 16:00:03 2017 +1300
auth_log: Also log the final type of authentication (ntlmssp,krb5)
Administrators really care about how their users were authenticated, so make
this clear.
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Pair-Programmed-by: Gary Lockyer <gary at catalyst.net.nz>
Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
commit 46a800fae3b054a2e9c2f26f35630cadf11cfe3e
Author: Andrew Bartlett <abartlet at samba.org>
Date: Wed Mar 1 15:06:25 2017 +1300
auth_log: Expand to include the type of password used (eg ntlmv2)
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Pair-Programmed-by: Gary Lockyer <gary at catalyst.net.nz>
Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
commit 59ed188ede42a4bc6534f679fa89dd0fb7f8a3ae
Author: Andrew Bartlett <abartlet at samba.org>
Date: Wed Mar 1 14:19:50 2017 +1300
dns: Provide local and remote socket address to GENSEC
This can be used for logging and for Kerberos channel bindings
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Pair-Programmed-by: Gary Lockyer <gary at catalyst.net.nz>
Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
commit a0ab86dedca2471ca2e4bb222f272d4bd35c85df
Author: Andrew Bartlett <abartlet at samba.org>
Date: Wed Mar 1 12:18:49 2017 +1300
auth: Add logging of service authorization
In ntlm_auth.c and authdata.c, the session info will be incomplete
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Pair-Programmed-by: Gary Lockyer <gary at catalyst.net.nz>
Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
commit 3bc56854457191ab817bc9a4419b1dee74138b0f
Author: Gary Lockyer <gary at catalyst.net.nz>
Date: Fri Feb 24 13:29:12 2017 +1300
rpc: Always supply both the remote and local address to the auth subsystem
This ensures that gensec, and then the NTLM auth subsystem under it, always gets the
remote and local address pointers for potential logging.
The local address allows us to know which interface an authentication is on
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Pair-Programmed-by: Gary Lockyer <gary at catalyst.net.nz>
Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
commit 85536c1ff3513840728ba281de2b6f003e49f227
Author: Andrew Bartlett <abartlet at samba.org>
Date: Thu Feb 23 14:31:52 2017 +1300
auth: Always supply both the remote and local address to the auth subsystem
This ensures that gensec, and then the NTLM auth subsystem under it, always gets the
remote and local address pointers for potential logging.
The local address allows us to know which interface an authentication is on
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Pair-Programmed-by: Gary Lockyer <gary at catalyst.net.nz>
Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
commit dc43000c0e15638cb4bc56ef8bbf6a50e681bb5a
Author: Andrew Bartlett <abartlet at samba.org>
Date: Wed Mar 1 11:23:28 2017 +1300
s3-auth: Clarify the role and purpose of the auth_serversupplied_info->security_token
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Pair-Programmed-by: Gary Lockyer <gary at catalyst.net.nz>
Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
commit 8154acfd0d0bc00115a1aa65963f4f8c00fe4312
Author: Gary Lockyer <gary at catalyst.net.nz>
Date: Thu Feb 23 13:50:14 2017 +1300
auth: Generate a human readable Authentication log message.
Add a human readable authentication log line, to allow
verification that all required details are being passed.
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Pair-Programmed-by: Gary Lockyer <gary at catalyst.net.nz>
Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
commit 0db7719071999f3dcf6f45b030f7c3c23f2a72f6
Author: Andrew Bartlett <abartlet at samba.org>
Date: Mon Feb 20 11:39:17 2017 +1300
debug: Add debug class for auth_audit
This will be an audit stream of authentication and connection-level authorization
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Pair-Programmed-by: Gary Lockyer <gary at catalyst.net.nz>
Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
commit 4a99143a2b2b45e4dfb17695dbfa946d327fea9b
Author: Andrew Bartlett <abartlet at samba.org>
Date: Wed Mar 1 11:22:43 2017 +1300
s3-auth: Split out get_user_sid_info3_and_extra() from create_local_nt_token_from_info3()
This will allow us to get the SID in another location for logging
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Pair-Programmed-by: Gary Lockyer <gary at catalyst.net.nz>
Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
commit eacb5aead71299b6bebbddbaf7c9a3d545f9151b
Author: Gary Lockyer <gary at catalyst.net.nz>
Date: Wed Mar 1 11:10:29 2017 +1300
lib/util: Add functions to escape log lines but not break all non-ascii
We do not want to turn every non-ascii username into a pile of hex, so we instead focus
on avoiding newline insertion attacks and other low control chars
Pair-programmed-by: Andrew Bartlett <abartlet at samba.org>
Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
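The escaping policy described in the commit message above (neutralise newlines and other low control characters so that an attacker-controlled username cannot forge a second log record, while leaving UTF-8 usernames readable) as an added, self-contained example. This is illustrative code written for this page, not Samba's lib/util/util_str_escape.c; the function names escape_log_line() and is_single_log_record(), the \xHH notation and the sample usernames are all assumptions made here.

```c
/* Added example (not Samba code): escape a log line so that control
 * characters, newline included, cannot inject a forged log record, while
 * bytes >= 0x80 (UTF-8) pass through unchanged and stay human readable. */
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Returns a newly malloc'd string; the caller frees it.
 * Bytes 0x00-0x1f and 0x7f become \xHH, a literal backslash becomes \\ so the
 * escaping is unambiguous, everything else (including UTF-8) is copied as-is. */
char *escape_log_line(const char *in)
{
    size_t len = strlen(in);
    /* worst case: every byte expands to the four characters of \xHH */
    char *out = malloc(len * 4 + 1);
    if (out == NULL) {
        return NULL;
    }
    char *p = out;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)in[i];
        if (c < 0x20 || c == 0x7f) {
            p += sprintf(p, "\\x%02X", c);
        } else if (c == '\\') {
            *p++ = '\\';
            *p++ = '\\';
        } else {
            *p++ = (char)c;
        }
    }
    *p = '\0';
    return out;
}

/* Detection-side check: true when the line carries no raw control bytes,
 * i.e. it can only ever be parsed as one record by a line-oriented consumer. */
bool is_single_log_record(const char *line)
{
    for (const unsigned char *q = (const unsigned char *)line; *q != '\0'; q++) {
        if (*q < 0x20 || *q == 0x7f) {
            return false;
        }
    }
    return true;
}

int main(void)
{
    /* Constructed sample inputs: a username smuggling a newline plus a fake
     * "succeeded" record, and a plain non-ASCII username ("jürgen" in UTF-8). */
    const char *forged = "bob\nAuth: user [EXAMPLE\\alice] succeeded";
    const char *utf8 = "j\xC3\xBCrgen";

    char *e1 = escape_log_line(forged);
    char *e2 = escape_log_line(utf8);
    if (e1 == NULL || e2 == NULL) {
        return 1;
    }
    printf("escaped: %s (single record: %s)\n", e1,
           is_single_log_record(e1) ? "yes" : "no");
    printf("escaped: %s (single record: %s)\n", e2,
           is_single_log_record(e2) ? "yes" : "no");
    free(e1);
    free(e2);
    return 0;
}
```

The forged username is emitted as one line with the newline rendered as \x0A, so a line-oriented log consumer sees a single record whose username field visibly contains the injection attempt; the UTF-8 name is unchanged, which is the trade-off the commit message describes.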
commit 6adcaf16482fbca1ca8eeb80a2a7029d415c423f
Author: Andrew Bartlett <abartlet at samba.org>
Date: Tue Feb 21 16:22:07 2017 +1300
s4-rpc_server: Correct comment about where the current iface can be found
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Pair-Programmed-by: Gary Lockyer <gary at catalyst.net.nz>
Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
commit d69187c153cab17176a31b5f4462e111cce2a6a3
Author: Andrew Bartlett <abartlet at samba.org>
Date: Tue Feb 21 12:14:12 2017 +1300
winbindd: Clarify that we do not pre-hash the password for rpccli_netlogon_password_logon()
rpccli_netlogon_password_logon() is called in winbind_samlogon_retry_loop() if interactive
is set, and does not use the hashed passwords.
This is only needed for winbindd_dual_auth_passdb(), and by moving the call we both
avoid the extra work and allow it to also be removed in this code path
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Pair-Programmed-by: Gary Lockyer <gary at catalyst.net.nz>
Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
commit ea3f00f2b57c1896bc98c5a8e4538f46193b6c53
Author: Andrew Bartlett <abartlet at samba.org>
Date: Tue Feb 21 11:57:57 2017 +1300
auth: Add "auth_description" to allow logs to distinguish simple bind (etc)
This will allow the authentication log to indicate clearly how the password was
supplied to the server.
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Pair-Programmed-by: Gary Lockyer <gary at catalyst.net.nz>
Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
commit 5f5756db714de0c1b00d648a48423fde19a564a1
Author: Andrew Bartlett <abartlet at samba.org>
Date: Mon Feb 20 15:57:03 2017 +1300
ldap_server: Move code into authenticate_ldap_simple_bind()
This function is only called for simple binds, and by moving the mapping into
the function call we allow the unmapped values to be included in the
user_info and so logged.
We also include the local address and the remote address of the client
for future logging
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Pair-Programmed-by: Gary Lockyer <gary at catalyst.net.nz>
Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
commit 7609c57922f1d5041dd65660e157a1ba3bf1a417
Author: Andrew Bartlett <abartlet at samba.org>
Date: Mon Feb 20 15:55:34 2017 +1300
auth: Add a reminder about the strings currently used for auditing
We will soon have a much better replacement, but a note here may help some in the transition
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Pair-Programmed-by: Gary Lockyer <gary at catalyst.net.nz>
Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
commit 9ffdb84600bb5b97a31d2407c8901aa3c599d53f
Author: Andrew Bartlett <abartlet at samba.org>
Date: Thu Mar 9 15:10:14 2017 +1300
s4-ldap_server: Do not set conn->session_info to NULL, keep valid at all times
We need this to be valid, right up until a new session_info is created and
it is replaced.
We need this to have a valid value at all times, and we are still anonymous
until the new bind completes
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Pair-Programmed-by: Gary Lockyer <gary at catalyst.net.nz>
Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
commit 1cca9d6dce94f35e8efc17426ea0bf5f77a3ec3d
Author: Andrew Bartlett <abartlet at samba.org>
Date: Tue Feb 21 14:15:05 2017 +1300
s4-ldap_server: Set remote and local address values into GENSEC
This will allow channel bindings and logging of the address values used during
authentication
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Pair-Programmed-by: Gary Lockyer <gary at catalyst.net.nz>
Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
commit 28e0c8d135acaaedaf74126a2c572a3744d84336
Author: Andrew Bartlett <abartlet at samba.org>
Date: Mon Feb 20 15:54:47 2017 +1300
s4-ldap_server: Split gensec setup into a helper function
This makes the error handling simpler when we set more
details onto the gensec context.
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Pair-Programmed-by: Gary Lockyer <gary at catalyst.net.nz>
Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
commit c04891895999e2743e5bdbbba4c60254fa0f5820
Author: Andrew Bartlett <abartlet at samba.org>
Date: Mon Feb 20 14:52:07 2017 +1300
auth: Fill in user_info->service_description from all callers
This will allow the logging code to make clear which protocol an authentication was for.
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Pair-Programmed-by: Gary Lockyer <gary at catalyst.net.nz>
Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
commit 223598209225162aef42ef20c8a95fecc47837c9
Author: Andrew Bartlett <abartlet at samba.org>
Date: Mon Feb 20 14:18:57 2017 +1300
ntlm_auth: Set ntlm_auth as the service_description into gensec
This allows this use case to be clearly found when logged.
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Pair-Programmed-by: Gary Lockyer <gary at catalyst.net.nz>
Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
commit d82ac32eb744a0e3883b1d09832131ff9bc9bcad
Author: Andrew Bartlett <abartlet at samba.org>
Date: Mon Feb 20 14:17:34 2017 +1300
s3-auth: Pass service_description into gensec via auth_generic_prepare()
This allows the GENSEC service description to be set from the various callers
that go via this function.
The RPC service description is the name of the interface from the IDL.
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Pair-Programmed-by: Gary Lockyer <gary at catalyst.net.nz>
Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
commit af9d4807399ff73a5d4baab713ef3731de0f5d62
Author: Andrew Bartlett <abartlet at samba.org>
Date: Mon Feb 20 14:15:46 2017 +1300
gensec: Pass service_description into auth_usersuppliedinfo during NTLMSSP
This allows the GENSEC service description to be read at authentication time
for logging, eg that the user authenticated to the SAMR server
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Pair-Programmed-by: Gary Lockyer <gary at catalyst.net.nz>
Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
commit 2d6066dbbfe8f10b95675eedd0f47c492cf29029
Author: Andrew Bartlett <abartlet at samba.org>
Date: Mon Feb 20 13:32:47 2017 +1300
gensec: Add gensec_{get,set}_target_service_description()
This allows a free text description of what the server-side service is for logging
purposes where the various services may be using the same Kerberos service or not
use Kerberos.
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Pair-Programmed-by: Gary Lockyer <gary at catalyst.net.nz>
Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
commit 9e09e68d4777a722759262e877d443d6bb93b592
Author: Andrew Bartlett <abartlet at samba.org>
Date: Mon Feb 20 12:04:52 2017 +1300
s4-netlogon: Remember many more details in the auth_usersupplied info for future logs
This will allow a very verbose JSON line to be logged that others can audit from in the future
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Pair-Programmed-by: Gary Lockyer <gary at catalyst.net.nz>
Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
commit eaa59ed34528e77e21c4d03c39fe806d918a898f
Author: Andrew Bartlett <abartlet at samba.org>
Date: Mon Feb 20 12:01:37 2017 +1300
s4-smbd: Remember the original client and server IPs from the SMB connection
We need to know in the RPC server the original address the client came from
so that we can log this with the authentication audit information
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Pair-Programmed-by: Gary Lockyer <gary at catalyst.net.nz>
Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
commit 3ee82de26df77f97abe1ca70c69f2b7c47421207
Author: Andrew Bartlett <abartlet at samba.org>
Date: Tue Mar 14 16:43:06 2017 +1300
auth_log: Add tests by listening for JSON messages over the message bus
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
Pair-programmed-by: Gary Lockyer <gary at catalyst.net.nz>
commit 41f1da3a1ae0335ad485118c14394b98b9890abe
Author: Gary Lockyer <gary at catalyst.net.nz>
Date: Thu Mar 16 16:24:20 2017 +1300
TestBase: move insta_creds from password_lockout.py
Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
commit 76692faa9f991f7460a778fbaf7e5cd902a9608f
Author: Gary Lockyer <gary at catalyst.net.nz>
Date: Tue Mar 21 09:58:18 2017 +1300
python net: add username, oldpassword and domain to change_password
Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
commit b57e3cf1dfab2734baf63d06546f28fdf96fab9d
Author: Gary Lockyer <gary at catalyst.net.nz>
Date: Tue Mar 21 16:00:38 2017 +1300
pysmb: Check for credentials using same method as pyrpc
Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
commit 6fcb61b7919bef76b28377a20c061815b3b4e697
Author: Andrew Bartlett <abartlet at samba.org>
Date: Wed Mar 22 11:07:49 2017 +1300
pysmb: Extend py_smb_new to allow use_ntlmv2 and use_spnego to be set by callers
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
-----------------------------------------------------------------------
Summary of changes:
WHATSNEW.txt | 20 +-
auth/auth_log.c | 901 ++++++++++++++
auth/common_auth.h | 62 +
auth/credentials/pycredentials.c | 65 +
auth/gensec/gensec.c | 94 +-
auth/gensec/gensec.h | 23 +
auth/gensec/gensec_internal.h | 3 +
auth/gensec/spnego.c | 12 +
auth/ntlmssp/ntlmssp.c | 6 +
auth/ntlmssp/ntlmssp_server.c | 11 +
auth/wscript_build | 9 +-
auth/wscript_configure | 7 +
docs-xml/smbdotconf/logging/loglevel.xml | 23 +
.../smbdotconf/logon/autheventnotification.xml | 26 +
lib/util/debug.c | 2 +
lib/util/debug.h | 3 +-
lib/util/tests/util_str_escape.c | 90 ++
lib/util/util_str_escape.c | 126 ++
lib/util/{unix_match.h => util_str_escape.h} | 14 +-
lib/util/wscript_build | 5 +
libcli/named_pipe_auth/npa_tstream.c | 96 +-
libcli/named_pipe_auth/npa_tstream.h | 28 +-
librpc/idl/named_pipe_auth.idl | 12 +-
librpc/idl/ntlmssp.idl | 12 +-
librpc/wscript_build | 5 +
python/samba/tests/__init__.py | 31 +
python/samba/tests/auth_log.py | 1259 ++++++++++++++++++++
python/samba/tests/auth_log_base.py | 104 ++
python/samba/tests/auth_log_ncalrpc.py | 104 ++
python/samba/tests/auth_log_pass_change.py | 330 +++++
python/samba/tests/credentials.py | 21 +
selftest/knownfail | 4 +
selftest/target/Samba4.pm | 3 +
source3/auth/auth.c | 23 +-
source3/auth/auth_generic.c | 64 +-
source3/auth/auth_ntlmssp.c | 2 +
source3/auth/auth_util.c | 33 +-
source3/auth/proto.h | 20 +-
source3/auth/token_util.c | 41 +-
source3/auth/user_info.c | 17 +
source3/include/auth.h | 9 +-
source3/libads/authdata.c | 3 +
source3/librpc/crypto/gse.c | 16 +
source3/librpc/rpc/dcerpc_ep.c | 1 +
source3/printing/nt_printing_migrate_internal.c | 1 +
source3/printing/printspoolss.c | 2 +
source3/rpc_client/cli_winreg_int.c | 1 +
source3/rpc_server/dcesrv_auth_generic.c | 12 +-
source3/rpc_server/dcesrv_auth_generic.h | 2 +
source3/rpc_server/netlogon/srv_netlog_nt.c | 5 +
source3/rpc_server/rpc_ncacn_np.c | 88 +-
source3/rpc_server/rpc_ncacn_np.h | 12 +-
source3/rpc_server/rpc_server.c | 119 +-
source3/rpc_server/rpc_server.h | 10 +-
source3/rpc_server/spoolss/srv_spoolss_util.c | 1 +
source3/rpc_server/srv_pipe.c | 36 +-
source3/rpc_server/srv_pipe_hnd.c | 10 +-
source3/rpc_server/srv_pipe_hnd.h | 4 +-
source3/rpc_server/wscript_build | 2 +-
source3/smbd/lanman.c | 20 +-
source3/smbd/negprot.c | 9 +
source3/smbd/pipes.c | 2 +-
source3/smbd/reply.c | 1 +
source3/smbd/seal.c | 6 +
source3/smbd/sesssetup.c | 24 +-
source3/smbd/smb2_sesssetup.c | 3 +
source3/torture/pdbtest.c | 16 +-
source3/utils/ntlm_auth.c | 14 +
source3/winbindd/winbindd_cm.c | 2 +
source3/winbindd/winbindd_pam.c | 87 +-
source4/auth/auth.h | 19 +-
source4/auth/gensec/gensec_gssapi.c | 16 +
source4/auth/gensec/gensec_krb5.c | 9 +-
source4/auth/gensec/pygensec.c | 25 +-
source4/auth/kerberos/wscript_build | 2 +-
source4/auth/ntlm/auth.c | 19 +-
source4/auth/ntlm/auth_simple.c | 112 +-
source4/dns_server/dns_query.c | 22 +
source4/dns_server/dns_server.c | 14 +-
source4/dns_server/dns_server.h | 2 +
source4/dsdb/samdb/ldb_modules/password_hash.c | 134 ++-
source4/dsdb/tests/python/password_lockout.py | 63 +-
source4/heimdal/kdc/kerberos5.c | 39 +-
source4/heimdal/lib/hdb/hdb.h | 11 +-
source4/kdc/db-glue.c | 1 +
source4/kdc/hdb-samba4.c | 124 +-
source4/kdc/kdc-heimdal.c | 1 +
source4/kdc/samba_kdc.h | 2 +
source4/kdc/wscript_build | 10 +-
source4/ldap_server/ldap_backend.c | 60 +
source4/ldap_server/ldap_bind.c | 116 +-
source4/ldap_server/ldap_server.h | 1 +
source4/ldap_server/wscript_build | 2 +-
source4/lib/messaging/messaging.c | 80 --
source4/lib/messaging/messaging_send.c | 115 ++
source4/lib/messaging/wscript_build | 6 +
source4/libcli/pysmb.c | 52 +-
source4/libnet/py_net.c | 26 +-
source4/librpc/wscript_build | 6 +
source4/ntvfs/ipc/vfs_ipc.c | 12 +-
source4/rpc_server/dcerpc_server.c | 9 +-
source4/rpc_server/dcesrv_auth.c | 46 +
source4/rpc_server/netlogon/dcerpc_netlogon.c | 72 +-
source4/rpc_server/samr/samr_password.c | 138 ++-
source4/selftest/tests.py | 16 +
source4/smb_server/smb/sesssetup.c | 93 +-
source4/smb_server/smb2/sesssetup.c | 40 +
source4/smbd/service_named_pipe.c | 25 +-
source4/torture/local/local.c | 1 +
source4/torture/local/wscript_build | 3 +-
wscript | 1 +
111 files changed, 5181 insertions(+), 593 deletions(-)
create mode 100644 auth/auth_log.c
create mode 100644 auth/wscript_configure
create mode 100644 docs-xml/smbdotconf/logon/autheventnotification.xml
create mode 100644 lib/util/tests/util_str_escape.c
create mode 100644 lib/util/util_str_escape.c
copy lib/util/{unix_match.h => util_str_escape.h} (73%)
create mode 100644 python/samba/tests/auth_log.py
create mode 100644 python/samba/tests/auth_log_base.py
create mode 100644 python/samba/tests/auth_log_ncalrpc.py
create mode 100644 python/samba/tests/auth_log_pass_change.py
create mode 100644 source4/lib/messaging/messaging_send.c
Changeset truncated at 500 lines:
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index cda61ef..4216c4f 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -22,13 +22,31 @@ obey client requests to synchronize unwritten data in operating
system buffers safely onto disk. This is a safer default setting
for modern SMB1/2/3 clients.
+Authentication and Authorization audit support
+----------------------------------------------
+
+Detailed authentication and authorization audit information is now
+logged to Samba's debug logs under the "auth_audit" debug class,
+including in particular the client IP address triggering the audit
+line. Additionally, if Samba is compiled against the jansson JSON
+library, a JSON representation is logged under the "auth_json_audit"
+debug class.
+
+Audit support is comprehensive for all authentication and
+authorisation of user accounts in the Samba Active Directory Domain
+Controller, as well as the implicit authentication in password
+changes. In the file server and classic/NT4 domain controller, NTLM
+authentication, SMB and RPC authorization is covered, however password
+changes are not at this stage, and this support is not currently
+backed by a testsuite.
+
smb.conf changes
================
Parameter Name Description Default
-------------- ----------- -------
strict sync Default changed yes
-
+ auth event notification New parameter no
KNOWN ISSUES
============
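Review bot: the new entry names the "auth_audit" and "auth_json_audit" debug classes but not the log level each class must be raised to, so an administrator reading only WHATSNEW cannot tell why successful logons are absent from the log; add one sentence stating the levels used (auth_log.c in this changeset logs failures at level 2, successes at 3, authorization at 4 and anonymous events at 5), e.g. "raise the log level of these classes to at least 3 to record successful authentications". Also, the heading spells "Authorization" while the body uses "authorisation"; pick one spelling for the entry.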
diff --git a/auth/auth_log.c b/auth/auth_log.c
new file mode 100644
index 0000000..9dbf8f2
--- /dev/null
+++ b/auth/auth_log.c
@@ -0,0 +1,901 @@
+/*
+
+ Authentication and authorization logging
+
+ Copyright (C) Andrew Bartlett <abartlet at samba.org> 2017
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+/*
+ * Debug log levels for authentication logging (these both map to
+ * LOG_NOTICE in syslog)
+ */
+#define AUTH_FAILURE_LEVEL 2
+#define AUTH_SUCCESS_LEVEL 3
+#define AUTHZ_SUCCESS_LEVEL 4
+
+/* 5 is used for both authentication and authorization */
+#define AUTH_ANONYMOUS_LEVEL 5
+#define AUTHZ_ANONYMOUS_LEVEL 5
+
+#define AUTHZ_JSON_TYPE "Authorization"
+#define AUTH_JSON_TYPE "Authentication"
+
+/*
+ * JSON message version numbers
+ *
+ * If adding a field increment the minor version
+ * If removing or changing the format/meaning of a field
+ * increment the major version.
+ */
+#define AUTH_MAJOR 1
+#define AUTH_MINOR 0
+#define AUTHZ_MAJOR 1
+#define AUTHZ_MINOR 0
+
+#include "includes.h"
+#include "../lib/tsocket/tsocket.h"
+#include "common_auth.h"
+#include "lib/util/util_str_escape.h"
+#include "libcli/security/dom_sid.h"
+#include "libcli/security/security_token.h"
+#include "librpc/gen_ndr/server_id.h"
+#include "source4/lib/messaging/messaging.h"
+#include "source4/lib/messaging/irpc.h"
+#include "lib/util/server_id_db.h"
+#include "lib/param/param.h"
+
+/*
+ * Get a human readable timestamp.
+ *
+ * Returns the current time formatted as
+ * "Tue, 14 Mar 2017 08:38:42.209028 NZDT"
+ *
+ * The returned string is allocated by talloc in the supplied context.
+ * It is the callers responsibility to free it.
+ *
+ */
+static const char* get_timestamp(TALLOC_CTX *frame)
+{
+ char buffer[40]; /* formatted time less usec and timezone */
+ char tz[10]; /* formatted time zone */
+ struct tm* tm_info; /* current local time */
+ struct timeval tv; /* current system time */
+ int r; /* response code from gettimeofday */
+ const char * ts; /* formatted time stamp */
+
+ r = gettimeofday(&tv, NULL);
+ if (r) {
+ DBG_ERR("Unable to get time of day: (%d) %s\n",
+ errno,
+ strerror(errno));
+ return NULL;
+ }
+
+ tm_info = localtime(&tv.tv_sec);
+ if (tm_info == NULL) {
+ DBG_ERR("Unable to determine local time\n");
+ return NULL;
+ }
+
+ strftime(buffer, sizeof(buffer)-1, "%a, %d %b %Y %H:%M:%S", tm_info);
+ strftime(tz, sizeof(tz)-1, "%Z", tm_info);
+ ts = talloc_asprintf(frame, "%s.%06ld %s", buffer, tv.tv_usec, tz);
+ if (ts == NULL) {
+ DBG_ERR("Out of memory formatting time stamp\n");
+ }
+ return ts;
+}
+
+/*
+ * Determine the type of the password supplied for the
+ * authorisation attempt.
+ *
+ */
+static const char* get_password_type(const struct auth_usersupplied_info *ui);
+
+#ifdef HAVE_JANSSON
+
+#include <jansson.h>
+#include "system/time.h"
+
+/*
+ * Context required by the JSON generation
+ * routines
+ *
+ */
+struct json_context {
+ json_t *root;
+ bool error;
+};
+
+static NTSTATUS get_auth_event_server(struct imessaging_context *msg_ctx,
+ struct server_id *auth_event_server)
+{
+ NTSTATUS status;
+ TALLOC_CTX *frame = talloc_stackframe();
+ unsigned num_servers, i;
+ struct server_id *servers;
+
+ status = irpc_servers_byname(msg_ctx, frame,
+ AUTH_EVENT_NAME,
+ &num_servers, &servers);
+
+ if (!NT_STATUS_IS_OK(status)) {
+ DBG_NOTICE("Failed to find 'auth_event' registered on the "
+ "message bus to send JSON authentication events to: %s\n",
+ nt_errstr(status));
+ TALLOC_FREE(frame);
+ return status;
+ }
+
+ /*
+ * Select the first server that is listening, because
+ * we get connection refused as
+ * NT_STATUS_OBJECT_NAME_NOT_FOUND without waiting
+ */
+ for (i = 0; i < num_servers; i++) {
+ status = imessaging_send(msg_ctx, servers[i], MSG_PING,
+ &data_blob_null);
+ if (NT_STATUS_IS_OK(status)) {
+ *auth_event_server = servers[i];
+ TALLOC_FREE(frame);
+ return NT_STATUS_OK;
+ }
+ }
+ DBG_NOTICE("Failed to find a running 'auth_event' server "
+ "registered on the message bus to send JSON "
+ "authentication events to\n");
+ TALLOC_FREE(frame);
+ return NT_STATUS_OBJECT_NAME_NOT_FOUND;
+}
+
+static void auth_message_send(struct imessaging_context *msg_ctx,
+ const char *json)
+{
+ struct server_id auth_event_server;
+ NTSTATUS status;
+ DATA_BLOB json_blob = data_blob_string_const(json);
+ if (msg_ctx == NULL) {
+ return;
+ }
+
+ /* Need to refetch the address each time as the destination server may
+ * have disconnected and reconnected in the interim, in which case
+ * messages may get lost, manifests in the auth_log tests
+ */
+ status = get_auth_event_server(msg_ctx, &auth_event_server);
+ if (!NT_STATUS_IS_OK(status)) {
+ return;
+ }
+
+ status = imessaging_send(msg_ctx, auth_event_server, MSG_AUTH_LOG,
+ &json_blob);
+
+ /* If the server crashed, try to find it again */
+ if (NT_STATUS_EQUAL(status, NT_STATUS_OBJECT_NAME_NOT_FOUND)) {
+ status = get_auth_event_server(msg_ctx, &auth_event_server);
+ if (!NT_STATUS_IS_OK(status)) {
+ return;
+ }
+ imessaging_send(msg_ctx, auth_event_server, MSG_AUTH_LOG,
+ &json_blob);
+
+ }
+}
+
+/*
+ * Write the json object to the debug logs.
+ *
+ */
+static void log_json(struct imessaging_context *msg_ctx,
+ struct json_context *context,
+ const char *type, int debug_class, int debug_level)
+{
+ char* json = NULL;
+
+ if (context->error) {
+ return;
+ }
+
+ json = json_dumps(context->root, 0);
+ if (json == NULL) {
+ DBG_ERR("Unable to convert JSON object to string\n");
+ context->error = true;
+ return;
+ }
+
+ DEBUGC(debug_class, debug_level, ("JSON %s: %s\n", type, json));
+ auth_message_send(msg_ctx, json);
+
+ if (json) {
+ free(json);
+ }
+
+}
+
+/*
+ * Create a new json logging context.
+ *
+ * Free with a call to free_json_context
+ *
+ */
+static struct json_context get_json_context(void) {
+
+ struct json_context context;
+ context.error = false;
+
+ context.root = json_object();
+ if (context.root == NULL) {
+ context.error = true;
+ DBG_ERR("Unable to create json_object\n");
+ }
+ return context;
+}
+
+/*
+ * free a previously created json_context
+ *
+ */
+static void free_json_context(struct json_context *context)
+{
+ if (context->root) {
+ json_decref(context->root);
+ }
+}
+
+/*
+ * Output a JSON pair with name name and integer value value
+ *
+ */
+static void add_int(struct json_context *context,
+ const char* name,
+ const int value)
+{
+ int rc = 0;
+
+ if (context->error) {
+ return;
+ }
+
+ rc = json_object_set_new(context->root, name, json_integer(value));
+ if (rc) {
+ DBG_ERR("Unable to set name [%s] value [%d]\n", name, value);
+ context->error = true;
+ }
+
+}
+
+/*
+ * Output a JSON pair with name name and string value value
+ *
+ */
+static void add_string(struct json_context *context,
+ const char* name,
+ const char* value)
+{
+ int rc = 0;
+
+ if (context->error) {
+ return;
+ }
+
+ if (value) {
+ rc = json_object_set_new(context->root, name, json_string(value));
+ } else {
+ rc = json_object_set_new(context->root, name, json_null());
+ }
+ if (rc) {
+ DBG_ERR("Unable to set name [%s] value [%s]\n", name, value);
+ context->error = true;
+ }
+}
+
+
+/*
+ * Output a JSON pair with name name and object value
+ *
+ */
+static void add_object(struct json_context *context,
+ const char* name,
+ struct json_context *value)
+{
+ int rc = 0;
+
+ if (value->error) {
+ context->error = true;
+ }
+ if (context->error) {
+ return;
+ }
+ rc = json_object_set_new(context->root, name, value->root);
+ if (rc) {
+ DBG_ERR("Unable to add object [%s]\n", name);
+ context->error = true;
+ }
+}
+
+/*
+ * Output a version object
+ *
+ * "version":{"major":1,"minor":0}
+ *
+ */
+static void add_version(struct json_context *context, int major, int minor)
+{
+ struct json_context version = get_json_context();
+ add_int(&version, "major", major);
+ add_int(&version, "minor", minor);
+ add_object(context, "version", &version);
+}
+
+/*
+ * Output the current date and time as a timestamp in ISO 8601 format
+ *
+ * "timestamp":"2017-03-06T17:18:04.455081+1300"
+ *
+ */
+static void add_timestamp(struct json_context *context)
+{
+ char buffer[40]; /* formatted time less usec and timezone */
+ char timestamp[50]; /* the formatted ISO 8601 time stamp */
+ char tz[10]; /* formatted time zone */
+ struct tm* tm_info; /* current local time */
+ struct timeval tv; /* current system time */
+ int r; /* response code from gettimeofday */
+
+ if (context->error) {
+ return;
+ }
+
+ r = gettimeofday(&tv, NULL);
+ if (r) {
+ DBG_ERR("Unable to get time of day: (%d) %s\n",
+ errno,
+ strerror(errno));
+ context->error = true;
+ return;
+ }
+
+ tm_info = localtime(&tv.tv_sec);
+ if (tm_info == NULL) {
+ DBG_ERR("Unable to determine local time\n");
+ context->error = true;
+ return;
+ }
+
+ strftime(buffer, sizeof(buffer)-1, "%Y-%m-%dT%T", tm_info);
+ strftime(tz, sizeof(tz)-1, "%z", tm_info);
+ snprintf(timestamp, sizeof(timestamp),"%s.%06ld%s",
+ buffer, tv.tv_usec, tz);
+ add_string(context,"timestamp", timestamp);
+}
+
+
+/*
+ * Output an address pair, with name name.
+ *
+ * "localAddress":"ipv6::::0"
+ *
+ */
+static void add_address(struct json_context *context,
+ const char *name,
+ const struct tsocket_address *address)
+{
+ char *s = NULL;
+ TALLOC_CTX *frame = talloc_stackframe();
+
+ if (context->error) {
+ return;
+ }
+
+ s = tsocket_address_string(address, frame);
+ add_string(context, name, s);
+ talloc_free(frame);
+
+}
+
+/*
+ * Output a SID with name name
+ *
+ * "sid":"S-1-5-18"
+ *
+ */
+static void add_sid(struct json_context *context,
+ const char *name,
+ const struct dom_sid *sid)
+{
+ char sid_buf[DOM_SID_STR_BUFLEN];
+
+ if (context->error) {
+ return;
+ }
+
+ dom_sid_string_buf(sid, sid_buf, sizeof(sid_buf));
+ add_string(context, name, sid_buf);
+}
+
+/*
+ * Write a machine parsable json formatted authentication log entry.
+ *
+ * IF removing or changing the format/meaning of a field please update the
+ * major version number AUTH_MAJOR
+ *
+ * IF adding a new field please update the minor version number AUTH_MINOR
+ *
+ * To process the resulting log lines from the commend line use jq to
+ * parse the json.
+ *
+ * grep "JSON Authentication" log file |
+ * sed 's;^[^{]*;;' |
+ * jq -rc '"\(.timestamp)\t\(.Authentication.status)\t
+ * \(.Authentication.clientDomain)\t
+ * \(.Authentication.clientAccount)
+ * \t\(.Authentication.workstation)
+ * \t\(.Authentication.remoteAddress)
+ * \t\(.Authentication.localAddress)"'
+ */
+static void log_authentication_event_json(
+ struct imessaging_context *msg_ctx,
+ struct loadparm_context *lp_ctx,
+ const struct auth_usersupplied_info *ui,
+ NTSTATUS status,
+ const char *domain_name,
+ const char *account_name,
+ const char *unix_username,
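Review bot: add_address() allocates `frame` with talloc_stackframe() before checking `context->error` and then returns without freeing it, so every call on an already-failed context leaks a stack frame; move the `talloc_stackframe()` call below the early return, or free the frame on that path. In the same hunk, add_string() passes a NULL `value` to the `%s` in its DBG_ERR() on the json_null() failure path, which is undefined for printf-style formatting; log a literal such as "(null)" there instead. Minor: the comment above AUTH_FAILURE_LEVEL says "these both map to LOG_NOTICE" but three levels follow, and "commend line" in the log_authentication_event_json comment should read "command line".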
--
Samba Shared Repository