[PATCH] Fix for Bug 12865 Samba 4.7 auth audit does not track machine account ServerAuthenticate3
Gary Lockyer
gary at catalyst.net.nz
Thu Jul 13 21:07:24 UTC 2017
On 13/07/17 21:25, Andrew Bartlett via samba-technical wrote:
> On Thu, 2017-07-13 at 07:21 +1200, Gary Lockyer via samba-technical
> wrote:
>> @@ -661,6 +661,14 @@ static const char* get_password_type(const struct auth_usersupplied_info *ui)
>> && ui->password.response.nt.length == 0
>> && ui->password.response.lanman.length == 0) {
>> password_type = "No-Password";
>> + } else if (ui->netlogon_trust_account.negotiate_flags
>> + & NETLOGON_NEG_SUPPORTS_AES) {
>> + password_type = "HMAC-SHA256";
>> + } else if (ui->netlogon_trust_account.negotiate_flags
>> + & NETLOGON_NEG_STRONG_KEYS) {
>> + ;
>> + } else if (strncmp("NETLOGON", ui->service_description, 8) == 0) {
>> + password_type = "DES";
>> }
>> return password_type;
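Review bot: the NETLOGON_NEG_STRONG_KEYS branch (`+ & NETLOGON_NEG_STRONG_KEYS) {` followed by `+ ;`) is an empty statement, so a strong-keys ServerAuthenticate leaves password_type at whatever it held before the chain instead of recording the key type; it should assign "HMAC-MD5" there, parallel to the `password_type = "HMAC-SHA256";` assignment in the AES branch. The AES and STRONG_KEYS tests also run for every caller, since only the final branch looks at service_description, so a non-NETLOGON request whose netlogon_trust_account.negotiate_flags carries those bits would be labelled "HMAC-SHA256". Hoist the service check above all three branches, use an exact strcmp rather than `strncmp("NETLOGON", ui->service_description, 8)` (a prefix match), and also compare auth_description against "ServerAuthenticate" so that only the ServerAuthenticate family of calls is classified this way.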
>
> G'Day Gary,
>
> I'm sorry, but this hunk looks wrong, and I don't think it is tested.
> You don't set password_type to "HMAC-MD5" for the STRONG_KEYS case, and
> you don't guard the whole logic with strncmp("NETLOGON"). You should
> check that, with just strcmp I think, and check against the
> auth_description with "ServerAuthenticate".
Yeah, sadly I did not test it; I really should know better. I've had a
look at writing the tests. I need to be able to clear
NETLOGON_NEG_SUPPORTS_AES and NETLOGON_NEG_STRONG_KEYS. Is there a way
to do this from Python, or should I write a cmocka test to exercise the code?
>
> Thanks,
>
> Andrew Bartlett
>
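The shape of the fix Andrew asks for, written out as an added example in C (this is not Samba's code and not a patch against the audit logging file; it is scaffolding for the thread): the whole decision is gated on service_description and auth_description with exact strcmp matches, and the strong-keys case records "HMAC-MD5" instead of falling through. The struct, the helper names and the sample inputs are constructed for the example; the two flag values are the MS-NRPC negotiable-option constants that Samba's netlogon.idl carries under the same names.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Negotiate-flag bits from MS-NRPC's negotiable options, mirrored in
 * Samba's netlogon.idl under these names. Reproduced here so the example
 * builds without the Samba tree.
 */
#define NETLOGON_NEG_STRONG_KEYS   0x00004000u   /* HMAC-MD5 session key    */
#define NETLOGON_NEG_SUPPORTS_AES  0x01000000u   /* HMAC-SHA256 session key */

/*
 * Hypothetical stand-in for the three auth_usersupplied_info fields the
 * decision needs. The real Samba struct is larger and nests the flags
 * under netlogon_trust_account; this is example scaffolding only.
 */
struct netlogon_auth_info {
    const char *service_description;  /* "NETLOGON" for the netlogon server  */
    const char *auth_description;     /* "ServerAuthenticate" for that family */
    uint32_t    negotiate_flags;      /* flags negotiated by the client       */
};

/*
 * Map a ServerAuthenticate(3) request to the credential type the audit
 * log should record. Both description checks gate the whole decision, so
 * a request from another service can never be mislabelled merely because
 * the flags field has the AES or STRONG_KEYS bit set. Returns NULL when
 * the request is not a NETLOGON ServerAuthenticate, so the caller keeps
 * whatever type it already derived from the password fields.
 */
const char *netlogon_password_type(const struct netlogon_auth_info *ui)
{
    if (ui == NULL || ui->service_description == NULL ||
        ui->auth_description == NULL) {
        return NULL;
    }
    /* Exact match: a strncmp(..., 8) prefix test would also accept "NETLOGONX". */
    if (strcmp(ui->service_description, "NETLOGON") != 0) {
        return NULL;
    }
    if (strcmp(ui->auth_description, "ServerAuthenticate") != 0) {
        return NULL;
    }

    /* AES is tested first, as in the posted hunk, so it wins when both bits are set. */
    if (ui->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
        return "HMAC-SHA256";
    }
    if (ui->negotiate_flags & NETLOGON_NEG_STRONG_KEYS) {
        return "HMAC-MD5";
    }
    return "DES";
}

/* Convenience wrapper (example only) so each case is a one-liner to exercise. */
const char *password_type_for(const char *service, const char *auth,
                              uint32_t flags)
{
    struct netlogon_auth_info ui = { service, auth, flags };
    return netlogon_password_type(&ui);
}

int main(void)
{
    /* Constructed inputs covering each branch and both guards. */
    struct {
        const char *service, *auth;
        uint32_t flags;
    } cases[] = {
        { "NETLOGON", "ServerAuthenticate",
          NETLOGON_NEG_SUPPORTS_AES | NETLOGON_NEG_STRONG_KEYS },
        { "NETLOGON", "ServerAuthenticate", NETLOGON_NEG_STRONG_KEYS },
        { "NETLOGON", "ServerAuthenticate", 0 },
        { "NETLOGON", "LogonSamLogonEx", NETLOGON_NEG_SUPPORTS_AES },
        { "Kerberos KDC", "ServerAuthenticate", NETLOGON_NEG_SUPPORTS_AES },
    };
    for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++) {
        const char *t = password_type_for(cases[i].service, cases[i].auth,
                                          cases[i].flags);
        printf("%-13s %-20s 0x%08x -> %s\n", cases[i].service, cases[i].auth,
               (unsigned)cases[i].flags,
               t ? t : "(not a NETLOGON ServerAuthenticate)");
    }
    return 0;
}
```

The last two constructed cases are the ones the posted hunk gets wrong: a non-ServerAuthenticate netlogon call and a non-NETLOGON service with the AES bit set both come back unclassified here rather than as "HMAC-SHA256".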