[PATCH] Fix for Bug 12865 Samba 4.7 auth audit does not track machine account ServerAuthenticate3
Andrew Bartlett
abartlet at samba.org
Thu Jul 13 09:25:04 UTC 2017
On Thu, 2017-07-13 at 07:21 +1200, Gary Lockyer via samba-technical wrote:
> @@ -661,6 +661,14 @@ static const char* get_password_type(const struct auth_usersupplied_info *ui)
> && ui->password.response.nt.length == 0
> && ui->password.response.lanman.length == 0) {
> password_type = "No-Password";
> + } else if (ui->netlogon_trust_account.negotiate_flags
> + & NETLOGON_NEG_SUPPORTS_AES) {
> + password_type = "HMAC-SHA256";
> + } else if (ui->netlogon_trust_account.negotiate_flags
> + & NETLOGON_NEG_STRONG_KEYS) {
> + ;
> + } else if (strncmp("NETLOGON", ui->service_description, 8) == 0) {
> + password_type = "DES";
> }
> return password_type;
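Review bot: the `NETLOGON_NEG_STRONG_KEYS` branch has an empty body (`;`), so `password_type` is never set for that case, and the `strncmp("NETLOGON", ui->service_description, 8)` test only guards the final DES branch, so the AES and STRONG_KEYS branches are taken on `negotiate_flags` alone regardless of which service the request came through. Suggest assigning `password_type = "HMAC-MD5";` in the middle branch and wrapping all three branches in one service check (a plain `strcmp` against "NETLOGON", or a check of the auth_description against "ServerAuthenticate"), with a test that exercises each of the three outcomes.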
G'Day Gary,
I'm sorry, but this hunk looks wrong, and I don't think it is tested.
You don't set password_type to "HMAC-MD5" for the STRONG_KEYS case, and
you don't guard the whole logic with strncmp("NETLOGON"). You should
check that, with just strcmp I think, and check against the
auth_description with "ServerAuthenticate".
Thanks,
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba