[PATCH] Fix for Bug 12865 Samba 4.7 auth audit does not track machine account ServerAuthenticate3

Andrew Bartlett abartlet at samba.org
Thu Jul 13 09:25:04 UTC 2017


On Thu, 2017-07-13 at 07:21 +1200, Gary Lockyer via samba-technical
wrote:
> @@ -661,6 +661,14 @@ static const char* get_password_type(const struct auth_usersupplied_info *ui)
>  		   && ui->password.response.nt.length == 0
>  		   && ui->password.response.lanman.length == 0) {
>  		password_type = "No-Password";
> +	} else if (ui->netlogon_trust_account.negotiate_flags
> +		   & NETLOGON_NEG_SUPPORTS_AES) {
> +		password_type = "HMAC-SHA256";
> +	} else if (ui->netlogon_trust_account.negotiate_flags
> +		   & NETLOGON_NEG_STRONG_KEYS) {
> +		;
> +	} else if (strncmp("NETLOGON", ui->service_description, 8) == 0) {
> +		password_type = "DES";
>  	}
>  	return password_type;
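Review bot: the NETLOGON_NEG_STRONG_KEYS branch is an empty statement (`;`), so password_type is left at whatever value it held before the chain and the strong-keys case is never labelled; it should assign a value (e.g. `password_type = "HMAC-MD5";`) in the same way the AES branch assigns "HMAC-SHA256". Also, the `strncmp("NETLOGON", ui->service_description, 8)` test only guards the final "DES" branch, while the two negotiate_flags branches above it run for any auth_usersupplied_info, so the whole netlogon block should sit inside one check on the service/auth description rather than only its last arm; an exact comparison would be clearer than an 8-byte prefix match.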

G'Day Gary,

I'm sorry, but this hunk looks wrong, and I don't think it is tested.
You don't set password_type to "HMAC-MD5" for the STRONG_KEYS case, and
you don't guard the whole logic with strncmp("NETLOGON").  You should
check that, with just strcmp I think, and check against the
auth_description with "ServerAuthenticate".

Thanks,

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
