[PATCH] Fix for Bug 12865 Samba 4.7 auth audit does not track machine account ServerAuthenticate3
Gary Lockyer
gary at catalyst.net.nz
Mon Jul 17 19:43:39 UTC 2017
On 14/07/17 09:13, Andrew Bartlett via samba-technical wrote:
> On Fri, 2017-07-14 at 09:07 +1200, Gary Lockyer wrote:
>>
>> On 13/07/17 21:25, Andrew Bartlett via samba-technical wrote:
>>> On Thu, 2017-07-13 at 07:21 +1200, Gary Lockyer via samba-technical
>>> wrote:
>>>> @@ -661,6 +661,14 @@ static const char* get_password_type(const struct auth_usersupplied_info *ui)
>>>> && ui->password.response.nt.length == 0
>>>> && ui->password.response.lanman.length == 0) {
>>>> password_type = "No-Password";
>>>> + } else if (ui->netlogon_trust_account.negotiate_flags
>>>> + & NETLOGON_NEG_SUPPORTS_AES) {
>>>> + password_type = "HMAC-SHA256";
>>>> + } else if (ui->netlogon_trust_account.negotiate_flags
>>>> + & NETLOGON_NEG_STRONG_KEYS) {
>>>> + ;
>>>> + } else if (strncmp("NETLOGON", ui->service_description, 8) == 0) {
>>>> + password_type = "DES";
>>>> }
>>>> return password_type;
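Review bot: the NETLOGON_NEG_STRONG_KEYS branch is an empty statement (`;`), so a strong-keys-only client leaves password_type at whatever the earlier logic chose instead of "HMAC-MD5"; that branch should read `password_type = "HMAC-MD5";`. The two flag checks also run before the `strncmp("NETLOGON", ui->service_description, 8)` test, so any request whose `ui->netlogon_trust_account.negotiate_flags` is non-zero would be labelled HMAC-SHA256 regardless of service; checking the service description (a plain strcmp against "NETLOGON") and the auth description against "ServerAuthenticate" first, and only then branching on the flags, keeps the labels to the ServerAuthenticate path.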
>>>
>>> G'Day Gary,
>>>
>>> I'm sorry, but this hunk looks wrong, and I don't think it is tested.
>>> You don't set password_type to "HMAC-MD5" for the STRONG_KEYS case, and
>>> you don't guard the whole logic with strncmp("NETLOGON"). You should
>>> check that, with just strcmp I think, and check against the
>>> auth_description with "ServerAuthenticate".
>>
>> Yeah sadly I did not test it, I really should know better. I've had a
>> look at writing the tests. Need to be able to clear the
>> NETLOGON_NEG_SUPPORTS_AES and NETLOGON_NEG_STRONG_KEYS. Is there a way
>> to do this from Python or should I write a cmocka test to exercise the code?
>
> Manually send the GetChallenge and ServerAuthenticate3 and check for it
> in the bad password case (with zero'ed authenticators), rather than the
> good password case. That should be mostly practical.
>
> Andrew Bartlett
>
Updated patch set attached, with tests for the get_password_type code.
Successful auth message:
{ "timestamp": "2017-07-18T06:57:18.044871+1200",
  "type": "Authentication",
  "Authentication": {
    "version": {"major": 1, "minor": 0},
    "becameDomain": "ADDOMAIN",
    "authDescription": "ServerAuthenticate",
    "remoteAddress": "ipv4:127.0.0.11:23613",
    "status": "NT_STATUS_OK",
    "serviceDescription": "NETLOGON",
    "localAddress": "ipv4:127.0.0.30:445",
    "clientDomain": "ADDOMAIN",
    "becameSid": "S-1-5-21-957060844-616297711-1930508676-1000",
    "clientAccount": "ADDC$",
    "workstation": null,
    "becameAccount": "ADDC$",
    "mappedAccount": "ADDC$",
    "mappedDomain": null,
    "netlogonComputer": "ADDC",
    "netlogonTrustAccount": "ADDC$",
    "netlogonNegotiateFlags": "0x610FFFFF",
    "netlogonSecureChannelType": 6,
    "netlogonTrustAccountSid": "S-1-5-21-957060844-616297711-1930508676-1000",
    "passwordType": "HMAC-SHA256"
  }
}
Unsuccessful auth message:
{ "timestamp": "2017-07-18T06:58:03.113876+1200",
  "type": "Authentication",
  "Authentication": {
    "version": {"major": 1, "minor": 0},
    "becameDomain": "ADDOMAIN",
    "authDescription": "ServerAuthenticate",
    "remoteAddress": "unix:/root/ncalrpc_as_system",
    "status": "NT_STATUS_OK",
    "serviceDescription": "NETLOGON",
    "localAddress": "unix:/home/gary/projects/samba03/st/ad_dc/ncalrpc/DEFAULT",
    "clientDomain": "ADDOMAIN",
    "becameSid": "S-1-5-21-957060844-616297711-1930508676-1115",
    "clientAccount": "SamLogonTest$",
    "workstation": null,
    "becameAccount": "SamLogonTest$",
    "mappedAccount": "SamLogonTest$",
    "mappedDomain": null,
    "netlogonComputer": "ADDC",
    "netlogonTrustAccount": "SamLogonTest$",
    "netlogonNegotiateFlags": "0x610FFFFF",
    "netlogonSecureChannelType": 2,
    "netlogonTrustAccountSid": "S-1-5-21-957060844-616297711-1930508676-1115",
    "passwordType": "HMAC-SHA256"
  }
}
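As an added illustration (not part of this mail or of Samba's code), the mapping Andrew asked for and a small audit pass over records in the JSON shape shown above: the flag bit values are assumed from Samba's netlogon.idl, and the sample log lines are constructed, with only the first modelled on the successful message.

```python
import json

# Flag values as defined in Samba's librpc/idl/netlogon.idl (assumed here; check your tree).
NETLOGON_NEG_STRONG_KEYS = 0x00004000
NETLOGON_NEG_SUPPORTS_AES = 0x01000000
WEAK_TYPES = {"DES", "HMAC-MD5"}  # legacy schannel credential algorithms

def password_type_for_netlogon(negotiate_flags, service_description, auth_description):
    """Corrected mapping from the review: label only NETLOGON ServerAuthenticate events."""
    if service_description != "NETLOGON" or auth_description != "ServerAuthenticate":
        return None
    if negotiate_flags & NETLOGON_NEG_SUPPORTS_AES:
        return "HMAC-SHA256"
    if negotiate_flags & NETLOGON_NEG_STRONG_KEYS:
        return "HMAC-MD5"
    return "DES"

def audit_netlogon_events(lines):
    """Parse auth audit JSON lines; for each ServerAuthenticate event compare the logged
    passwordType with the negotiated flags and flag legacy credential algorithms."""
    findings = []
    for line in lines:
        try:
            rec = json.loads(line)
        except ValueError:
            continue  # not an audit record
        if rec.get("type") != "Authentication":
            continue
        a = rec["Authentication"]
        flags = int(a.get("netlogonNegotiateFlags", "0"), 16)
        expected = password_type_for_netlogon(flags, a.get("serviceDescription"), a.get("authDescription"))
        if expected is None:
            continue  # not a netlogon secure-channel setup
        findings.append({
            "account": a.get("netlogonTrustAccount"),
            "status": a.get("status"),
            "logged": a.get("passwordType"),
            "expected": expected,
            "mismatch": a.get("passwordType") != expected,
            "weak": expected in WEAK_TYPES,
        })
    return findings

# Constructed sample lines: the first mirrors the successful message above, the rest are made up.
SAMPLE_LOG = [
    '{"type": "Authentication", "Authentication": {"authDescription": "ServerAuthenticate", "serviceDescription": "NETLOGON", "status": "NT_STATUS_OK", "netlogonTrustAccount": "ADDC$", "netlogonNegotiateFlags": "0x610FFFFF", "passwordType": "HMAC-SHA256"}}',
    '{"type": "Authentication", "Authentication": {"authDescription": "ServerAuthenticate", "serviceDescription": "NETLOGON", "status": "NT_STATUS_OK", "netlogonTrustAccount": "OLDBOX$", "netlogonNegotiateFlags": "0x600FFFFF", "passwordType": "HMAC-MD5"}}',
    '{"type": "Authentication", "Authentication": {"authDescription": "ServerAuthenticate", "serviceDescription": "NETLOGON", "status": "NT_STATUS_ACCESS_DENIED", "netlogonTrustAccount": "LEGACY$", "netlogonNegotiateFlags": "0x000001FF", "passwordType": "HMAC-SHA256"}}',
    'Jul 18 06:58:03 addc winbindd[123]: not an audit record',
]
```

The third constructed record shows the kind of defect the thread is fixing: a DES-only negotiation logged as HMAC-SHA256 is reported as a mismatch.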
Attachments (the updated patch set):
  0001-tests-auth_log-Modify-existing-tests-to-handle-NETLO.patch (text/x-patch, 7182 bytes)
    <http://lists.samba.org/pipermail/samba-technical/attachments/20170718/18e3b9d9/0001-tests-auth_log-Modify-existing-tests-to-handle-NETLO.bin>
  0002-tests-auth_log-Add-new-tests-for-NETLOGON.patch (text/x-patch, 16810 bytes)
    <http://lists.samba.org/pipermail/samba-technical/attachments/20170718/18e3b9d9/0002-tests-auth_log-Add-new-tests-for-NETLOGON.bin>
  0003-source4-netlogon-Add-authentication-logging-for-Serv.patch (text/x-patch, 6722 bytes)
    <http://lists.samba.org/pipermail/samba-technical/attachments/20170718/18e3b9d9/0003-source4-netlogon-Add-authentication-logging-for-Serv.bin>