[PATCH] Updated Add detailed authentication logging for NTLM authentication.

Andrew Bartlett abartlet at samba.org
Thu Mar 16 08:25:05 UTC 2017


On Tue, 2017-03-14 at 06:10 +1300, Andrew Bartlett via samba-technical
wrote:
> On Mon, 2017-03-13 at 09:05 +0100, Stefan Metzmacher via
> samba-technical wrote:
> > Hi Gary,
> > 
> > > Updated to use jansson for the JSON generation, removing the glib
> > > dependencies. We're planning to get the tests written tomorrow,
> > > which will finish this piece of work off.
> > > 
> > > Samples of the new log lines below, line breaks and indent added
> > > for clarity.
> > > 
> > > Authorization
> > > 
> > > Human Readable
> > > 	Successful AuthZ: [DCE/RPC,ncacn_np]
> > > 	user [NT AUTHORITY]\[SYSTEM] [S-1-5-18]
> > > 	at [Mon, 13 Mar 2017 16:17:57 NZDT]
> > > 	Remote host [ipv6::::0] local host [ipv6::::0]
> > 
> > Can we get the hires=true timestamp here as well?
> > 
> > 
> > I think we've learned our lesson of having pytalloc_Object
> > as a public structure. Please don't make TeventContext_Object
> > public...
> > 
> > pytevent_Context_AsTeventContext() should be a function.
> > In addition we should have a pytevent_Context_Check() function,
> > which will also be used within pytevent_Context_AsTeventContext()
> > before casting/dereferencing the struct elements.
> 
> That means adding a whole pytevent-util like we have with pytalloc
> and pyldb.  I'm not sure it is worth it - the alternative is to just
> extend pymessaging to have a tevent_loop_once() wrapper waiting for
> one message.

Just to let you know, while it is still in our branch, I'll drop the
pytalloc changes tomorrow in favour of a loop_once() in pymessaging. 

We have made some massive progress towards merging this in the past few
days, and I've even got a prototype of Kerberos KDC logging included.  

We now have a working pymessaging layer (it didn't work before as a
server), and we use it to collect messages, formatted as JSON, about
every auth and authZ event.  

We use that to ensure we get the right messages, with the right
details, for a given action (e.g. bind to ncacn_np, AS-REQ).  These will
be Samba's most tested DEBUG() statements anywhere :-)

(We assert - by hand-waving - that if the correct message was sent over
the message bus that the DEBUG line probably worked out OK as well). 

Already this has found one case in the ntvfs file server where local
and remote addresses were swapped before we even started. 

If tomorrow goes well, we may have something to review over the
weekend!

BTW, while I'll document this JSON auth message target as a developer
feature for now, I'm sure someone will find some really neat way to use
it.  It may also be a good way to test other 'impossible to test' bits
of Samba.

Thanks,

Andrew Bartlett
-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
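
The test idea described in this message (check that each action yields an event with the right details, the kind of check that exposed the swapped addresses in ntvfs), as an added example that is not part of the original post or Samba's code. It parses the human-readable AuthZ sample quoted above, joined onto one line; `parse_authz`, `check_event` and the ipv4 addresses are hypothetical names and constructed values.

```python
import re

# Layout follows the human-readable Authorization sample quoted in the thread,
# joined onto one line; the real log layout may differ (assumption).
AUTHZ_RE = re.compile(
    r"(?P<result>\w+) AuthZ: \[(?P<service>[^,\]]+),(?P<transport>[^\]]+)\]\s+"
    r"user \[(?P<domain>[^\]]*)\]\\\[(?P<account>[^\]]*)\] \[(?P<sid>S-[\d-]+)\]\s+"
    r"at \[(?P<time>[^\]]+)\]\s+"
    r"Remote host \[(?P<remote>[^\]]*)\] local host \[(?P<local>[^\]]*)\]"
)

def parse_authz(line):
    """Return the bracketed fields of one AuthZ line as a dict, or None."""
    m = AUTHZ_RE.search(line)
    return m.groupdict() if m else None

def check_event(event, expected):
    """Compare a parsed event with the fields a test expects for an action.

    Returns a list of problems. Swapped remote/local addresses are reported
    as one distinct problem rather than two generic mismatches.
    """
    if event is None:
        return ["no AuthZ event found"]
    problems = []
    swapped = (expected.get("remote") != expected.get("local")
               and event["remote"] == expected.get("local")
               and event["local"] == expected.get("remote"))
    if swapped:
        problems.append("remote and local addresses are swapped")
    for key, want in expected.items():
        if swapped and key in ("remote", "local"):
            continue
        if event.get(key) != want:
            problems.append(f"{key}: expected {want!r}, got {event.get(key)!r}")
    return problems

LINE = ("Successful AuthZ: [DCE/RPC,ncacn_np] user [NT AUTHORITY]\\[SYSTEM] "
        "[S-1-5-18] at [Mon, 13 Mar 2017 16:17:57 NZDT] "
        "Remote host [{}] local host [{}]")
PAGE_SAMPLE = LINE.format("ipv6::::0", "ipv6::::0")       # values from the thread
CLIENT, SERVER = "ipv4:192.0.2.10:49152", "ipv4:192.0.2.1:445"  # constructed
CONSTRUCTED_OK = LINE.format(CLIENT, SERVER)
CONSTRUCTED_SWAPPED = LINE.format(SERVER, CLIENT)
EXPECTED = {"result": "Successful", "transport": "ncacn_np",
            "sid": "S-1-5-18", "remote": CLIENT, "local": SERVER}

if __name__ == "__main__":
    print(parse_authz(PAGE_SAMPLE))
    print(check_event(parse_authz(CONSTRUCTED_SWAPPED), EXPECTED))
```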