[PATCH] Fix for Bug 12865 Samba 4.7 auth audit does not track machine account ServerAuthenticate3

Andrew Bartlett abartlet at samba.org
Tue Jul 18 23:13:23 UTC 2017


On Tue, 2017-07-18 at 09:54 +0300, Alexander Bokovoy wrote:
> On Tue, 18 Jul 2017, Andrew Bartlett via samba-technical wrote:
> > On Tue, 2017-07-18 at 07:43 +1200, Gary Lockyer via samba-technical
> > wrote:
> > > 
> > > On 14/07/17 09:13, Andrew Bartlett via samba-technical wrote:
> > > > On Fri, 2017-07-14 at 09:07 +1200, Gary Lockyer wrote:
> > > > > 
> > > > > On 13/07/17 21:25, Andrew Bartlett via samba-technical wrote:
> > > > > > On Thu, 2017-07-13 at 07:21 +1200, Gary Lockyer via samba-technical
> > > > > > wrote:
> > > > > > > @@ -661,6 +661,14 @@ static const char* get_password_type(const struct auth_usersupplied_info *ui)
> > > > > > >  		   && ui->password.response.nt.length == 0
> > > > > > >  		   && ui->password.response.lanman.length == 0) {
> > > > > > >  		password_type = "No-Password";
> > > > > > > +	} else if (ui->netlogon_trust_account.negotiate_flags
> > > > > > > +		   & NETLOGON_NEG_SUPPORTS_AES) {
> > > > > > > +		password_type = "HMAC-SHA256";
> > > > > > > +	} else if (ui->netlogon_trust_account.negotiate_flags
> > > > > > > +		   & NETLOGON_NEG_STRONG_KEYS) {
> > > > > > > +		;
> > > > > > > +	} else if (strncmp("NETLOGON", ui->service_description, 8) == 0) {
> > > > > > > +		password_type = "DES";
> > > > > > >  	}
> > > > > > >  	return password_type;
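Review bot: the `NETLOGON_NEG_STRONG_KEYS` branch body is a bare `;`, so a client that negotiated strong keys but not AES leaves password_type at whatever it held before instead of being labelled; it should read `password_type = "HMAC-MD5";`. The two `netlogon_trust_account.negotiate_flags` tests also run before the `strncmp("NETLOGON", ui->service_description, 8)` check, so a non-NETLOGON request whose negotiate_flags happen to carry those bits would be reported as "HMAC-SHA256"; put the service check (an exact `strcmp` against "NETLOGON", plus a check of the auth description for "ServerAuthenticate") in front of all three branches, and add a test that exercises the DES and HMAC-MD5 paths, since the submission note says none was run.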
> > > > > > 
> > > > > > G'Day Gary,
> > > > > > 
> > > > > > I'm sorry, but this hunk looks wrong, and I don't think it is tested. 
> > > > > > You don't set password_type to "HMAC-MD5" for the STRONG_KEYS case, and
> > > > > > you don't guard the whole logic with strncmp("NETLOGON").  You should
> > > > > > check that, with just strcmp I think, and check against the
> > > > > > auth_description with "ServerAuthenticate".
> > > > > 
> > > > > Yeah sadly I did not test it, I really should know better. I've had a
> > > > > look at writing the tests.  Need to be able to clear the
> > > > > NETLOGON_NEG_SUPPORTS_AES and NETLOGON_NEG_STRONG_KEYS.  Is there a way
> > > > > to do this from Python, or should I write a cmocka test to exercise the code?
> > > > 
> > > > Manually send the GetChallenge and ServerAuthenticate3 and check for it
> > > > in the bad password case (with zero'ed authenticators), rather than the
> > > > good password case.  That should be mostly practical.
> > > > 
> > > > Andrew Bartlett
> > > > 
> > > 
> > > Updated patch set attached, with tests for the get_password_type code.
> > > 
> > > Successful Auth message:
> > > 
> > > { "timestamp": "2017-07-18T06:57:18.044871+1200",
> > >   "type": "Authentication",
> > >   "Authentication": {
> > >     "version": {"major": 1, "minor": 0},
> > >    "becameDomain": "ADDOMAIN",
> > >    "authDescription": "ServerAuthenticate",
> > >    "remoteAddress": "ipv4:127.0.0.11:23613",
> > >    "status": "NT_STATUS_OK",
> > >    "serviceDescription": "NETLOGON",
> > >    "localAddress": "ipv4:127.0.0.30:445",
> > >    "clientDomain": "ADDOMAIN",
> > >    "becameSid": "S-1-5-21-957060844-616297711-1930508676-1000",
> > >    "clientAccount": "ADDC$",
> > >    "workstation": null,
> > >    "becameAccount": "ADDC$",
> > >    "mappedAccount": "ADDC$",
> > >    "mappedDomain": null,
> > >    "netlogonComputer": "ADDC",
> > >    "netlogonTrustAccount": "ADDC$",
> > >    "netlogonNegotiateFlags": "0x610FFFFF",
> > >    "netlogonSecureChannelType": 6,
> > >    "netlogonTrustAccountSid":
> > >       "S-1-5-21-957060844-616297711-1930508676-1000",
> > >    "passwordType": "HMAC-SHA256"
> > >   }
> > > }
> > > 
> > > Unsuccessful auth message.
> > > 
> > > { "timestamp": "2017-07-18T06:58:03.113876+1200",
> > >   "type": "Authentication",
> > >   "Authentication": {
> > >     "version": {"major": 1, "minor": 0},
> > >     "becameDomain": "ADDOMAIN",
> > >     "authDescription": "ServerAuthenticate",
> > >     "remoteAddress": "unix:/root/ncalrpc_as_system",
> > >     "status": "NT_STATUS_OK",
> > >     "serviceDescription": "NETLOGON",
> > >     "localAddress":
> > >        "unix:/home/gary/projects/samba03/st/ad_dc/ncalrpc/DEFAULT",
> > >     "clientDomain": "ADDOMAIN",
> > >     "becameSid": "S-1-5-21-957060844-616297711-1930508676-1115",
> > >     "clientAccount": "SamLogonTest$",
> > >     "workstation": null,
> > >     "becameAccount": "SamLogonTest$",
> > >     "mappedAccount": "SamLogonTest$",
> > >     "mappedDomain": null,
> > >     "netlogonComputer": "ADDC",
> > >     "netlogonTrustAccount": "SamLogonTest$",
> > >     "netlogonNegotiateFlags": "0x610FFFFF",
> > >     "netlogonSecureChannelType": 2,
> > >     "netlogonTrustAccountSid":
> > >        "S-1-5-21-957060844-616297711-1930508676-1115",
> > >     "passwordType": "HMAC-SHA256"
> > >   }
> > > }
> > 
> > Almost there.   I'm running a private autobuild with these 3 patches on
> > top.
> > 
> > With these:
> > 
> > Reviewed-by: Andrew Bartlett <abartlet at samba.org>
> > 
> > Can I get a second team reviewer please?
> 
> RB+ by me except few comments below. You did not add your RB+ or
> signed-off-by on all patches, like the following one. It also has your
> copyright instead of Gary's.  If this is so, you'd need to add your
> signed-off-by too.

Thanks.  We will tidy it up next week. 

Andrew Bartlett
-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
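As an added example (not part of this thread and not Samba's own code), the following Python mirrors the classification the review asks for and applies it to audit records like the ones Gary posted: the negotiate-flag tests only run for a NETLOGON ServerAuthenticate record, AES gives HMAC-SHA256, strong keys give HMAC-MD5, and anything else is DES. The flag bit values are the ones defined in MS-NRPC; the sample lines are constructed (trimmed copies of the records above plus a made-up RC4-only account), and the field names are assumed to match the JSON shown.

```python
import json

# Netlogon negotiate flag bits as defined in MS-NRPC (NegotiateFlags)
NETLOGON_NEG_STRONG_KEYS = 0x00004000   # RC4 session key ("strong keys")
NETLOGON_NEG_SUPPORTS_AES = 0x01000000  # AES session key


def password_type_for_netlogon(service_description, auth_description, negotiate_flags):
    """Classify the credential proof of a NETLOGON ServerAuthenticate exchange.
    The service/auth guard runs first, then the strongest negotiated key type
    wins. Returns None for records that are not a NETLOGON ServerAuthenticate."""
    if service_description != "NETLOGON" or auth_description != "ServerAuthenticate":
        return None
    if negotiate_flags & NETLOGON_NEG_SUPPORTS_AES:
        return "HMAC-SHA256"
    if negotiate_flags & NETLOGON_NEG_STRONG_KEYS:
        return "HMAC-MD5"
    return "DES"


def audit_netlogon_record(line):
    """Parse one JSON audit line and report the recorded passwordType, the value
    the negotiate flags imply, whether the two disagree, and whether the secure
    channel is a legacy DES/RC4 one worth flagging."""
    rec = json.loads(line)["Authentication"]
    flags = int(rec["netlogonNegotiateFlags"], 16)
    expected = password_type_for_netlogon(
        rec["serviceDescription"], rec["authDescription"], flags)
    return {
        "account": rec["clientAccount"],
        "recorded": rec.get("passwordType"),
        "expected": expected,
        "mismatch": expected is not None and rec.get("passwordType") != expected,
        "weak": expected in ("DES", "HMAC-MD5"),
    }


# Constructed sample lines: the first is trimmed from the thread's successful
# message (0x610FFFFF negotiates AES); the second is an invented RC4-only host.
SAMPLE_LINES = [
    '{"type": "Authentication", "Authentication": {"serviceDescription": "NETLOGON", '
    '"authDescription": "ServerAuthenticate", "clientAccount": "ADDC$", '
    '"netlogonNegotiateFlags": "0x610FFFFF", "passwordType": "HMAC-SHA256"}}',
    '{"type": "Authentication", "Authentication": {"serviceDescription": "NETLOGON", '
    '"authDescription": "ServerAuthenticate", "clientAccount": "LEGACY$", '
    '"netlogonNegotiateFlags": "0x600FFFFF", "passwordType": "HMAC-MD5"}}',
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(audit_netlogon_record(line))
```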
