[PATCH] Updated Add detailed authentication logging for NTLM authentication.

Andrew Bartlett abartlet at samba.org
Mon Mar 20 07:38:25 UTC 2017


On Thu, 2017-03-16 at 21:25 +1300, Andrew Bartlett via samba-technical
wrote:
> On Tue, 2017-03-14 at 06:10 +1300, Andrew Bartlett via samba-
> technical
> wrote:
> > On Mon, 2017-03-13 at 09:05 +0100, Stefan Metzmacher via samba-
> > technical wrote:
> > > Hi Gary,
> > > 
> > > > Updated to use jansson for the JSON generation, removing the
> > > > glib
> > > > dependencies. We're planning to get the tests written tomorrow,
> > > > which
> > > > will finish this piece of work off.
> > > > 
> > > > Samples of the new log lines below, line breaks and indent
> > > > added
> > > > for
> > > > clarity.
> > > > 
> > > > Authorization
> > > > 
> > > > Human Readable
> > > > 	Successful AuthZ: [DCE/RPC,ncacn_np]
> > > > 	user [NT AUTHORITY]\[SYSTEM] [S-1-5-18]
> > > > 	at [Mon, 13 Mar 2017 16:17:57 NZDT]
> > > > 	Remote host [ipv6::::0] local host [ipv6::::0]
> > > 
> > > Can we get the hires=true timestamp here as well?
> > > 
> > > 
> > > I think we've learned our lesson of having pytalloc_Object
> > > as a public structure. Please don't make TeventContext_Object
> > > public...
> > > 
> > > pytevent_Context_AsTeventContext() should be a function.
> > > In addition we should have a pytevent_Context_Check() function,
> > > which will also be used within pytevent_Context_AsTeventContext()
> > > before casting/dereferencing the struct elements.
> > 
> > That means adding a whole pytevent-util like we have with pytalloc
> > and
> > pyldb.  I'm not sure it is worth it - the alternative is to just
> > extend
> > pymessaging to have a tevent_loop_once() wrapper waiting for one
> > message.  
> 
> Just to let you know, while it is still in our branch, I'll drop the
> pytalloc changes tomorrow in favour of a loop_once() in pymessaging. 
> 
> We have made some massive progress towards merging this in the past
> few
> days, and I've even got a prototype of Kerberos KDC logging
> included. 

I've added KDC logging now. 

> We now have a working pymessaging layer (it didn't work before as a
> server), and we use it to collect messages, formatted as JSON, about
> every auth and authZ event.  
> 
> We use that to ensure we get the right messages, with the right
> details, for a given action (eg bind to ncacn_np, AS-REQ).  These
> will
> be Samba's most tested DEBUG() statements anywhere :-)
> 
> (We assert - by hand-waving - that if the correct message was sent
> over
> the message bus that the DEBUG line probably worked out OK as well). 
> 
> Already this has found one case in the ntvfs file server where local
> and remote addresses were swapped before we even started. 
> 
> If tomorrow goes well, we may have something to review over the
> weekend!

Friday didn't work out (naturally), but the curious may wish to inspect

git://git.catalyst.net.nz/samba.git auth-logging

I've also used the testsuite to test the earlier revisions to ensure
operation as well as compilation while we introduce the new parameters.

Thanks,

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
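
As an added example (not part of this mail or of Samba's code): a small Python parser for the human-readable AuthZ sample quoted above, which also flags address fields that carry no usable peer information. The `family:address:port` reading of values such as `ipv6::::0`, the function names and the finding strings are assumptions of this example.

```python
import ipaddress
import re

# Constructed input: the human-readable AuthZ sample quoted in the thread,
# still wrapped and indented the way the mail shows it.
SAMPLE = (
    "Successful AuthZ: [DCE/RPC,ncacn_np]\n"
    "\tuser [NT AUTHORITY]\\[SYSTEM] [S-1-5-18]\n"
    "\tat [Mon, 13 Mar 2017 16:17:57 NZDT]\n"
    "\tRemote host [ipv6::::0] local host [ipv6::::0]\n"
)

AUTHZ_RE = re.compile(
    r"^(?P<outcome>\w+) AuthZ: \[(?P<service>[^,\]]*),(?P<transport>[^\]]*)\] "
    r"user \[(?P<domain>[^\]]*)\]\\\[(?P<account>[^\]]*)\] \[(?P<sid>[^\]]*)\] "
    r"at \[(?P<timestamp>[^\]]*)\] "
    r"Remote host \[(?P<remote>[^\]]*)\] local host \[(?P<local>[^\]]*)\]$"
)
SID_RE = re.compile(r"^S-1-\d+(-\d+)+$")


def parse_authz(text):
    """Return the bracketed fields of one AuthZ line as a dict, or None."""
    line = " ".join(text.split())  # undo the wrapping added for readability
    match = AUTHZ_RE.match(line)
    return match.groupdict() if match else None


def split_address(value):
    """Split 'family:address:port' (assumed layout) into its three parts."""
    family, rest = value.split(":", 1)
    address, _, port = rest.rpartition(":")
    return family, ipaddress.ip_address(address), int(port)


def review(event):
    """List the fields a log consumer should not trust as written."""
    findings = []
    if not SID_RE.match(event["sid"]):
        findings.append("sid: not a SID string")
    for side in ("remote", "local"):
        try:
            _, address, _ = split_address(event[side])
        except ValueError:
            findings.append(f"{side}: unparseable address")
            continue
        if address.is_unspecified:
            findings.append(f"{side}: unspecified address")
    return findings
```
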
