auth-logging finally merged!

Andrew Bartlett abartlet at samba.org
Wed Mar 29 06:38:14 UTC 2017


With this, the AD DC finally has a decent authentication and
authorization audit mechanism!

The file server also has better logging, but it isn't as comprehensive
and doesn't have tests other than via the commonality with the AD DC.

Andrew Bartlett

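Two details in the commit log quoted below are worth seeing in working code: the escaping added for the human-readable audit line (commit eacb5ae), which neutralises newline-insertion attacks from attacker-chosen usernames without hex-encoding every non-ASCII character, and the JSON Authentication/Authorisation events (commit 387eb18) that a detection pipeline can consume. The Python below is an added example written for this page, not Samba's code. The exact line layout, the JSON field names (type, Authentication, status, remoteAddress, serviceDescription, authDescription, clientAccount) and the "ipv4:addr:port" address form are assumptions modelled on the Samba output described in the log; all sample input is constructed.

```python
import json
from collections import Counter
from typing import Dict, Iterable, List


def escape_log_field(value: str) -> str:
    """Escape a field for a single-line audit record: bytes below 0x20 (and
    DEL) become \\xNN so a newline in a username cannot forge a second
    record, while non-ASCII passes through so "Jörg" stays readable.  Also
    escaping backslash is this example's choice, not a claim about Samba."""
    out: List[str] = []
    for ch in value:
        code = ord(ch)
        if ch == "\\":
            out.append("\\\\")
        elif code < 0x20 or code == 0x7F:
            out.append(f"\\x{code:02x}")
        else:
            out.append(ch)
    return "".join(out)


def auth_line(service: str, auth_desc: str, domain: str, account: str,
              remote: str, status: str) -> str:
    """One human-readable audit line; the layout is hypothetical, only the
    fields come from the commit messages quoted below."""
    return (f"Auth: [{service},{auth_desc}] "
            f"user [{escape_log_field(domain)}]\\[{escape_log_field(account)}] "
            f"from [{remote}] {status}")


# Constructed attacker input: a username that tries to smuggle a fake
# successful Administrator login into the log as a second line.
FORGED_ACCOUNT = "alice\nAuth: [LDAP,simple bind] user [EXAMPLE]\\[Administrator] NT_STATUS_OK"


def forged_attempt_line() -> str:
    """The audit line for a failed bind using FORGED_ACCOUNT as the account."""
    return auth_line("LDAP", "simple bind", "EXAMPLE", FORGED_ACCOUNT,
                     "ipv4:10.0.0.9:51000", "NT_STATUS_WRONG_PASSWORD")


def remote_host(addr: str) -> str:
    """'ipv4:10.0.0.9:51000' -> '10.0.0.9'.  The prefix:addr:port layout is
    an assumption about how Samba renders socket addresses."""
    if addr.startswith(("ipv4:", "ipv6:")):
        addr = addr.split(":", 1)[1]
    return addr.rsplit(":", 1)[0]


def failed_auth_by_remote(events: Iterable[str],
                          threshold: int = 2) -> Dict[str, int]:
    """Count failed Authentication events per client host; return hosts at
    or above threshold (the seed of a password-spray detector).  Authorization
    events are skipped: they record a session for an already-verified identity
    (e.g. a Kerberos ticket), not a password attempt."""
    counts: Counter = Counter()
    for raw in events:
        event = json.loads(raw)
        if event.get("type") != "Authentication":
            continue
        body = event["Authentication"]
        if body.get("status") == "NT_STATUS_OK":
            continue
        counts[remote_host(body.get("remoteAddress", "unknown"))] += 1
    return {host: n for host, n in counts.items() if n >= threshold}


def _event(kind: str, remote: str, account: str, service: str, desc: str,
           status: str = "") -> str:
    """Constructed JSON event; the field names are assumptions."""
    body = {"serviceDescription": service, "authDescription": desc,
            "remoteAddress": remote, "clientAccount": account}
    if status:
        body["status"] = status
    return json.dumps({"timestamp": "2017-03-29T06:30:01+0200",
                       "type": kind, kind: body})


# Constructed sample stream: three failures from 10.0.0.9; one failure, one
# success and the matching Authorization event from 10.0.0.20.
SAMPLE_EVENTS = [
    _event("Authentication", "ipv4:10.0.0.9:51000", "alice", "LDAP",
           "simple bind", "NT_STATUS_WRONG_PASSWORD"),
    _event("Authentication", "ipv4:10.0.0.9:51002", "bob", "LDAP",
           "simple bind", "NT_STATUS_WRONG_PASSWORD"),
    _event("Authentication", "ipv4:10.0.0.9:51004", "carol", "SMB2",
           "NTLMSSP", "NT_STATUS_NO_SUCH_USER"),
    _event("Authentication", "ipv4:10.0.0.20:49200", "dave", "SMB2",
           "NTLMSSP", "NT_STATUS_WRONG_PASSWORD"),
    _event("Authentication", "ipv4:10.0.0.20:49201", "dave", "SMB2",
           "NTLMSSP", "NT_STATUS_OK"),
    _event("Authorization", "ipv4:10.0.0.20:49201", "dave", "SMB2", "NTLMSSP"),
]


if __name__ == "__main__":
    print(forged_attempt_line())
    print(failed_auth_by_remote(SAMPLE_EVENTS))
```

Run directly, the forged username comes out as a single record with the newline rendered as \x0a, so a line-oriented collector cannot be tricked into seeing an Administrator success that never happened; the event tally flags only 10.0.0.9. On a real DC the audit stream is the auth_audit debug class added in commit 0db7719 and is selected like any other class in smb.conf (for example `log level = 1 auth_audit:3`), with the per-event levels the 9a96f90 commit message gives: 2 for bad passwords, 3 for successful password authentication, 4 for successful authorization, 5 for anonymous access.
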
On Wed, 2017-03-29 at 06:36 +0200, Andrew Bartlett wrote:
> The branch, master has been updated
>        via  12cd7ab WHATSNEW: Add entry for auth audit
>        via  49f3a92 whitespace: auth_log_pass_change.py python
> conventions
>        via  81f8749 ldap_server: Move a variable into a smaller scope
>        via  49eb475 whitespace: auth_log.c C code conventions
>        via  3e0a08a whitespace: auth_log.py python conventions
>        via  67cd3e6 auth log: Add tests for anonymous bind and
> SamLogon
>        via  493d886 python: Add bindings for NTLMSSP
>        via  43f52fc pycredentials: Add bindings for
> get_ntlm_response()
>        via  f160359 rpc_server: Re-order and rename remote and local
> address in np_open()
>        via  8aff845 ldap_server: Log failures to find a valid user in
> the simple bind
>        via  638b10a dsdb: Add authentication audit logging for LDAP
> password change
>        via  0088434 samr: Add logging of password change success and
> failure
>        via  a70e944 auth log tests: password change tests
>        via  f498ba7 heimdal: Pass extra information to
> hdb_auth_status() to log success and failures
>        via  7cbe1c8 s3-rpc_server: Provide hooks required for JSON
> message logging for the no-auth case
>        via  e9611b4 s3-rpc_server: Re-order and rename remote and
> local address in make_external_rpc_pipe{,_p}()
>        via  7505ae0 s3-rpc_server: pass remote and local address to
> rpc_pipe_open_external
>        via  4c9d69f s4-ntvfs: Correct mixup between local/remote
> addresses
>        via  3d99831 s3-rpc_server: Rename client -> remote_client and
> server -> local_server
>        via  7bb21df s3-rpc_server: Re-order local and remote address
> in make_server_pipes_struct()
>        via  689e251 s3-named_pipe_auth: Rename client ->
> remote_client and server -> local_server
>        via  3b72863 s4-named_pipe_auth: Rename client ->
> remote_client and server -> local_server
>        via  68200d0 named_pipe_auth: Rename client -> remote_client
> and server -> local_server
>        via  b661e81 selftest: Turn on auth event notification and so
> allow tests to pass
>        via  d004196 auth: Add hooks for notification of
> authentication events over the message bus
>        via  631f1bc auth_log: Improve comment
>        via  a70cde0 auth_log: Prepared to allow logging JSON events
> to a server over the message bus
>        via  c008687 s4-messaging: split up messaging into a smaller
> library for send only
>        via  387eb18 auth_log: Add JSON logging of Authorisation and
> Authentications
>        via  366f8cf auth: Log the transport connection for the
> authorization
>        via  f4a4522 ldap_server: Log access without a bind
>        via  9a96f90 auth_log: Split up auth/authz logging levels and
> handle anonymous better
>        via  2028b84 s3-rpc_server: Log authorization to DCE/RPC for
> anonymous and ncacn_np pass-through
>        via  f6dd784 s4-rpc_server: Log authorization to DCE/RPC for
> anonymous and ncacn_np pass-through
>        via  70a115b ldap_server: Log authorization for simple binds
>        via  9ab02f8 s4-auth: Log SMB authorization for bare NTLM
> (NTLMSSP/krb5 already done)
>        via  d017e2e s3-auth: Log SMB authorization for bare NTLM
> (NTLMSSP/krb5 already done)
>        via  0e50885 auth_log: Also log the final type of
> authentication (ntlmssp,krb5)
>        via  46a800f auth_log: Expand to include the type of password
> used (eg ntlmv2)
>        via  59ed188 dns: Provide local and remote socket address to
> GENSEC
>        via  a0ab86d auth: Add logging of service authorization
>        via  3bc5685 rpc: Always supply both the remote and local
> address to the auth subsystem
>        via  85536c1 auth: Always supply both the remote and local
> address to the auth subsystem
>        via  dc43000 s3-auth: Clarify the role and purpose of the
> auth_serversupplied_info->security_token
>        via  8154acf auth: Generate a human readable Authentication
> log message.
>        via  0db7719 debug: Add debug class for auth_audit
>        via  4a99143 s3-auth: Split out get_user_sid_info3_and_extra()
> from create_local_nt_token_from_info3()
>        via  eacb5ae lib/util: Add functions to escape log lines but
> not break all non-ascii
>        via  6adcaf1 s4-rpc_server: Correct comment about where the
> current iface can be found
>        via  d69187c winbindd: Clarify that we do not pre-hash the
> password for rpccli_netlogon_password_logon()
>        via  ea3f00f auth: Add "auth_description" to allow logs to
> distinguish simple bind (etc)
>        via  5f5756d ldap_server: Move code into
> authenticate_ldap_simple_bind()
>        via  7609c57 auth: Add a reminder about the strings currently
> used for auditing
>        via  9ffdb84 s4-ldap_server: Do not set conn->session_info to
> NULL, keep valid at all times
>        via  1cca9d6 s4-ldap_server: Set remote and local address
> values into GENSEC
>        via  28e0c8d s4-ldap_server: Split gensec setup into a helper
> function
>        via  c048918 auth: Fill in user_info->service_description from
> all callers
>        via  2235982 ntlm_auth: Set ntlm_auth as the
> service_description into gensec
>        via  d82ac32 s3-auth: Pass service_description into gensec via
> auth_generic_prepare()
>        via  af9d480 gensec: Pass service_description into
> auth_usersuppliedinfo during NTLMSSP
>        via  2d6066d gensec: Add
> gensec_{get,set}_target_service_description()
>        via  9e09e68 s4-netlogon: Remember many more details in the
> auth_usersupplied info for future logs
>        via  eaa59ed s4-smbd: Remember the original client and server
> IPs from the SMB connection
>        via  3ee82de auth_log: Add tests by listening for JSON
> messages over the message bus
>        via  41f1da3 TestBase: move insta_creds from
> password_lockout.py
>        via  76692fa python net: add username, oldpassword and domain
> to change_password
>        via  b57e3cf pysmb: Check for credentials using same method as
> pyrpc
>        via  6fcb61b pysmb: Extend py_smb_new to allow use_ntlmv2 and
> use_spnego to be set by callers
>       from  60e45a2 s3/smbd: make copy chunk asynchronous
> 
> https://git.samba.org/?p=samba.git;a=shortlog;h=master
> 
> 
> - Log -----------------------------------------------------------------
> commit 12cd7ab60a1d2cf891c061652fbcad6f8fed56d1
> Author: Andrew Bartlett <abartlet at samba.org>
> Date:   Mon Mar 27 13:17:35 2017 +1300
> 
>     WHATSNEW: Add entry for auth audit
>     
>     Signed-off-by: Andrew Bartlett <abartlet at samba.org>
>     
>     Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
>     Autobuild-Date(master): Wed Mar 29 06:35:12 CEST 2017 on sn-devel-144
> 
> commit 49f3a92cb3e23c2233c1a35b7adfc89e667b0420
> Author: Garming Sam <garming at catalyst.net.nz>
> Date:   Fri Mar 24 13:52:58 2017 +1300
> 
>     whitespace: auth_log_pass_change.py python conventions
>     
>     Signed-off-by: Garming Sam <garming at catalyst.net.nz>
> 
> commit 81f874974e794e0e1699fd128c04f2edf1bed098
> Author: Garming Sam <garming at catalyst.net.nz>
> Date:   Fri Mar 24 12:20:19 2017 +1300
> 
>     ldap_server: Move a variable into a smaller scope
>     
>     Signed-off-by: Garming Sam <garming at catalyst.net.nz>
> 
> commit 49eb47588f6c6b05c0beceb5a7412a21e564bd6b
> Author: Garming Sam <garming at catalyst.net.nz>
> Date:   Fri Mar 24 11:33:51 2017 +1300
> 
>     whitespace: auth_log.c C code conventions
>     
>     Signed-off-by: Garming Sam <garming at catalyst.net.nz>
> 
> commit 3e0a08a3d1038b518247d370914aca28f0c33d71
> Author: Garming Sam <garming at catalyst.net.nz>
> Date:   Fri Mar 24 10:51:05 2017 +1300
> 
>     whitespace: auth_log.py python conventions
>     
>     Signed-off-by: Garming Sam <garming at catalyst.net.nz>
> 
> commit 67cd3e6cbd37ff0c29a24bde22a61abe0bf6faa5
> Author: Gary Lockyer <gary at catalyst.net.nz>
> Date:   Fri Mar 24 11:02:36 2017 +1300
> 
>     auth log: Add tests for anonymous bind and SamLogon
>     
>     Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
> 
> commit 493d886163e3691bf328953c6ae10de2ba7ee482
> Author: Andrew Bartlett <abartlet at samba.org>
> Date:   Thu Mar 23 16:30:05 2017 +1300
> 
>     python: Add bindings for NTLMSSP
>     
>     This is helpful for building NTLMv2 packets in python for testing
> against the SamLogon server
>     
>     Signed-off-by: Andrew Bartlett <abartlet at samba.org>
> 
> commit 43f52fc425d8b59596a1f3917ac41a0631477393
> Author: Andrew Bartlett <abartlet at samba.org>
> Date:   Wed Mar 22 16:40:40 2017 +1300
> 
>     pycredentials: Add bindings for get_ntlm_response()
>     
>     This should make testing of SamLogon from python practical
>     
>     Signed-off-by: Andrew Bartlett <abartlet at samba.org>
> 
> commit f1603598d6cf956ae9923191371d598288e14cc9
> Author: Gary Lockyer <gary at catalyst.net.nz>
> Date:   Thu Mar 23 14:05:56 2017 +1300
> 
>     rpc_server: Re-order and rename remote and local address in
> np_open()
>     
>     We use this order and name consistently elsewhere.
>     
>     Signed-off-by: Andrew Bartlett <abartlet at samba.org>
> 
> commit 8aff845db8aa30cbd2f6a49f0195d35fc3f48209
> Author: Gary Lockyer <gary at catalyst.net.nz>
> Date:   Thu Mar 23 12:39:25 2017 +1300
> 
>     ldap_server: Log failures to find a valid user in the simple bind
>     
>     Signed-off-by: Andrew Bartlett <abartlet at samba.org>
> 
> commit 638b10adb057794209ddcd4984314aaaf563231c
> Author: Andrew Bartlett <abartlet at samba.org>
> Date:   Fri Mar 17 15:58:17 2017 +1300
> 
>     dsdb: Add authentication audit logging for LDAP password change
>     
>     This ensures this particular vector is not forgotten
>     
>     Signed-off-by: Andrew Bartlett <abartlet at samba.org>
> 
> commit 008843463fb2f45ecd287b3c95b9a19b9c767290
> Author: Andrew Bartlett <abartlet at samba.org>
> Date:   Fri Mar 17 13:26:13 2017 +1300
> 
>     samr: Add logging of password change success and failure
>     
>     Signed-off-by: Andrew Bartlett <abartlet at samba.org>
> 
> commit a70e944c80cbacf6d2c323bc661ce1500251d5f1
> Author: Gary Lockyer <gary at catalyst.net.nz>
> Date:   Tue Mar 21 09:59:45 2017 +1300
> 
>     auth log tests: password change tests
>     
>     Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
> 
> commit f498ba77df2313e78863e5f2706840c43e232a96
> Author: Andrew Bartlett <abartlet at samba.org>
> Date:   Tue Feb 21 14:07:54 2017 +1300
> 
>     heimdal: Pass extra information to hdb_auth_status() to log
> success and failures
>     
>     We now pass on the original client name and the client address to
> allow
>     consistent audit logging in Samba across multiple protocols.
>     
>     We use config->db[0] to find the first database to record
> incorrect
>     users.
>     
>     Signed-off-by: Andrew Bartlett <abartlet at samba.org>
> 
> commit 7cbe1c844ea359b6d5386b3986aa16152e975f3d
> Author: Andrew Bartlett <abartlet at samba.org>
> Date:   Tue Mar 14 11:01:54 2017 +1300
> 
>     s3-rpc_server: Provide hooks required for JSON message logging
> for the no-auth case
>     
>     This is triggered in the ncacn_np pass-through case in particular
>     
>     Signed-off-by: Andrew Bartlett <abartlet at samba.org>
> 
> commit e9611b4bd0ab11184ee11f7d134ffd01633093f7
> Author: Andrew Bartlett <abartlet at samba.org>
> Date:   Fri Mar 17 10:29:02 2017 +1300
> 
>     s3-rpc_server: Re-order and rename remote and local address in
> make_external_rpc_pipe{,_p}()
>     
>     We use this order and name consistently elsewhere.
>     
>     Signed-off-by: Andrew Bartlett <abartlet at samba.org>
> 
> commit 7505ae043d5d373d64ef52d385b5bf5310583459
> Author: Andrew Bartlett <abartlet at samba.org>
> Date:   Fri Mar 17 10:26:03 2017 +1300
> 
>     s3-rpc_server: pass remote and local address to
> rpc_pipe_open_external
>     
>     We want the real client address here for audit purposes, if
> possible.
>     
>     Signed-off-by: Andrew Bartlett <abartlet at samba.org>
> 
> commit 4c9d69f82aa8b2cdb04c5bfe5684dcd1d7ed4cfb
> Author: Gary Lockyer <gary at catalyst.net.nz>
> Date:   Fri Mar 10 12:43:42 2017 +1300
> 
>     s4-ntvfs: Correct mixup between local/remote addresses
>     
>     Signed-off-by: Andrew Bartlett <abartlet at samba.org>
>     Pair-Programmed-by: Gary Lockyer <gary at catalyst.net.nz>
>     Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
> 
> commit 3d99831ec9492d06f86eabae3439450b66007da8
> Author: Gary Lockyer <gary at catalyst.net.nz>
> Date:   Fri Mar 10 12:13:24 2017 +1300
> 
>     s3-rpc_server: Rename client -> remote_client and server ->
> local_server
>     
>     This changes struct dcerpc_ncacn_conn
>     
>     While these names may have been clear, much of Samba uses
>     remote_address and local_address, and this difference has hidden
> bugs.
>     
>     By using both names we avoid a little of this.
>     
>     Signed-off-by: Andrew Bartlett <abartlet at samba.org>
>     Pair-Programmed-by: Gary Lockyer <gary at catalyst.net.nz>
>     Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
> 
> commit 7bb21df258351ea29c82bc8a86e31b5c33b20755
> Author: Gary Lockyer <gary at catalyst.net.nz>
> Date:   Fri Mar 10 12:38:33 2017 +1300
> 
>     s3-rpc_server: Re-order local and remote address in
> make_server_pipes_struct()
>     
>     The rest of the code uses remote before local, and this
>     often causes bugs
>     
>     Signed-off-by: Andrew Bartlett <abartlet at samba.org>
>     Pair-Programmed-by: Gary Lockyer <gary at catalyst.net.nz>
>     Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
> 
> commit 689e251056699b20b0610c52ad4dd413f946fa63
> Author: Gary Lockyer <gary at catalyst.net.nz>
> Date:   Fri Mar 10 12:33:06 2017 +1300
> 
>     s3-named_pipe_auth: Rename client -> remote_client and server ->
> local_server
>     
>     This brings the callers of named_pipe_auth in line with that
> subsystem.
>     
>     Much of Samba uses remote_address and local_address, and this
> difference
>     has hidden bugs
>     
>     Signed-off-by: Andrew Bartlett <abartlet at samba.org>
>     Pair-Programmed-by: Gary Lockyer <gary at catalyst.net.nz>
>     Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
> 
> commit 3b72863e001c290b5833b327e5fb9003c6311fc6
> Author: Gary Lockyer <gary at catalyst.net.nz>
> Date:   Fri Mar 10 11:38:56 2017 +1300
> 
>     s4-named_pipe_auth: Rename client -> remote_client and server ->
> local_server
>     
>     This brings the callers of named_pipe_auth in line with that
> subsystem.
>     
>     While these names may be better, the rest of Samba consistently
> uses
>     remote_address and local_address, and this difference has hidden
> bugs
>     
>     Signed-off-by: Andrew Bartlett <abartlet at samba.org>
>     Pair-Programmed-by: Gary Lockyer <gary at catalyst.net.nz>
>     Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
> 
> commit 68200d0d88582d7122b1d441376956b2ebfa09d8
> Author: Gary Lockyer <gary at catalyst.net.nz>
> Date:   Fri Mar 10 11:37:56 2017 +1300
> 
>     named_pipe_auth: Rename client -> remote_client and server ->
> local_server
>     
>     While these names may have been clear, much of Samba uses
>     remote_address and local_address, and this difference has hidden
> bugs.
>     
>     Signed-off-by: Andrew Bartlett <abartlet at samba.org>
>     Pair-Programmed-by: Gary Lockyer <gary at catalyst.net.nz>
>     Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
> 
> commit b661e818b69e5314fa4184ef5dd5b10d5fa1653b
> Author: Andrew Bartlett <abartlet at samba.org>
> Date:   Fri Mar 24 15:19:32 2017 +1300
> 
>     selftest: Turn on auth event notification and so allow tests to
> pass
>     
>     Signed-off-by: Andrew Bartlett <abartlet at samba.org>
> 
> commit d0041960363c981224552d4ce7ac3092679ee2c6
> Author: Andrew Bartlett <abartlet at samba.org>
> Date:   Fri Mar 24 15:18:46 2017 +1300
> 
>     auth: Add hooks for notification of authentication events over
> the message bus
>     
>     This will allow tests to be written to confirm the correct events
> are triggered.
>     
>     We pass in a messaging context from the callers
>     
>     Signed-off-by: Andrew Bartlett <abartlet at samba.org>
> 
> commit 631f1bcce68062e1c8e653024999b79589a80eaf
> Author: Andrew Bartlett <abartlet at samba.org>
> Date:   Fri Mar 24 15:16:34 2017 +1300
> 
>     auth_log: Improve comment
>     
>     Signed-off-by: Andrew Bartlett <abartlet at samba.org>
> 
> commit a70cde046a925614978a75359425667fc6de5323
> Author: Andrew Bartlett <abartlet at samba.org>
> Date:   Tue Mar 7 16:50:38 2017 +1300
> 
>     auth_log: Prepared to allow logging JSON events to a server over
> the message bus
>     
>     Signed-off-by: Andrew Bartlett <abartlet at samba.org>
>     Pair-Programmed-by: Gary Lockyer <gary at catalyst.net.nz>
>     Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
> 
> commit c008687ffbf18a3327dd4ad41ca5a9e01c30f9d1
> Author: Andrew Bartlett <abartlet at samba.org>
> Date:   Fri Mar 24 15:11:35 2017 +1300
> 
>     s4-messaging: split up messaging into a smaller library for send
> only
>     
>     This will help avoid a dep loop when the low-level auth code
> relies on the message
>     code to deliver authentication messages
>     
>     Signed-off-by: Andrew Bartlett <abartlet at samba.org>
> 
> commit 387eb18a1ccdcea3040476efbc2769de40ccf86e
> Author: Gary Lockyer <gary at catalyst.net.nz>
> Date:   Mon Mar 6 16:16:51 2017 +1300
> 
>     auth_log: Add JSON logging of Authorisation and Authentications
>     
>     Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
>     Pair-Programmed: Andrew Bartlett <abartlet at samba.org>
> 
> commit 366f8cf0903e3583fda42696df62a5337f22131f
> Author: Andrew Bartlett <abartlet at samba.org>
> Date:   Mon Mar 6 14:10:17 2017 +1300
> 
>     auth: Log the transport connection for the authorization
>     
>     We also log if a simple bind was over TLS, as this particular
> case matters to a lot of folks
>     
>     Signed-off-by: Andrew Bartlett <abartlet at samba.org>
>     Signed-off-by: Andrew Bartlett <abartlet at samba.org>
> 
> commit f4a4522d1f8c19fdf142e12760160b15de1557ec
> Author: Andrew Bartlett <abartlet at samba.org>
> Date:   Fri Mar 3 12:53:06 2017 +1300
> 
>     ldap_server: Log access without a bind
>     
>     This can be over the privileged ldapi socket, or just as the
> implicit anonymous access
>     
>     However, do not log for setting up StartTLS, or a rootDSE search.
>     
>     Signed-off-by: Andrew Bartlett <abartlet at samba.org>
>     Pair-Programmed-by: Gary Lockyer <gary at catalyst.net.nz>
>     Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
> 
> commit 9a96f901f5e7369b33c839844d5a2286d4d44b6d
> Author: Andrew Bartlett <abartlet at samba.org>
> Date:   Fri Mar 3 12:40:04 2017 +1300
> 
>     auth_log: Split up auth/authz logging levels and handle anonymous
> better
>     
>     We typically do not want a lot of logging of anonymous access, as
> this is often
> simply a preparation for authenticated access, so we make that
> level 5.
>     
>     Bad passwords remain at level 2, successful password
> authentication is level 3
>     and successful authorization (eg kerberos login to SMB) is level
> 4.
>     
>     Signed-off-by: Andrew Bartlett <abartlet at samba.org>
>     Pair-Programmed-by: Gary Lockyer <gary at catalyst.net.nz>
>     Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
> 
> commit 2028b84c1647730a084e02a2ec04ac0d5efc628e
> Author: Andrew Bartlett <abartlet at samba.org>
> Date:   Fri Mar 3 12:03:04 2017 +1300
> 
>     s3-rpc_server: Log authorization to DCE/RPC for anonymous and
> ncacn_np pass-through
>     
>     Signed-off-by: Andrew Bartlett <abartlet at samba.org>
>     Pair-Programmed-by: Gary Lockyer <gary at catalyst.net.nz>
>     Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
> 
> commit f6dd7848143553b259d5cb7685c2d0cc687e0a0c
> Author: Andrew Bartlett <abartlet at samba.org>
> Date:   Fri Mar 3 11:49:43 2017 +1300
> 
>     s4-rpc_server: Log authorization to DCE/RPC for anonymous and
> ncacn_np pass-through
>     
>     Signed-off-by: Andrew Bartlett <abartlet at samba.org>
>     Pair-Programmed-by: Gary Lockyer <gary at catalyst.net.nz>
>     Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
> 
> commit 70a115b310a1d158c2596a5b0b810b83be460a6c
> Author: Andrew Bartlett <abartlet at samba.org>
> Date:   Wed Mar 1 16:49:01 2017 +1300
> 
>     ldap_server: Log authorization for simple binds
>     
>     Existing comment is no longer relevant.
>     
>     Signed-off-by: Andrew Bartlett <abartlet at samba.org>
>     Pair-Programmed-by: Gary Lockyer <gary at catalyst.net.nz>
>     Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
> 
> commit 9ab02f8088613dd0e0fba2e3d750187db9c30f5c
> Author: Andrew Bartlett <abartlet at samba.org>
> Date:   Wed Mar 1 16:28:06 2017 +1300
> 
>     s4-auth: Log SMB authorization for bare NTLM (NTLMSSP/krb5
> already done)
>     
>     gensec_session_info() is not called for bare NTLM, so we have to
> log manually
>     
>     Signed-off-by: Andrew Bartlett <abartlet at samba.org>
>     Pair-Programmed-by: Gary Lockyer <gary at catalyst.net.nz>
>     Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
> 
> commit d017e2eb2a69b0f759e9ab912a0a5e8aaef5701d
> Author: Andrew Bartlett <abartlet at samba.org>
> Date:   Wed Mar 1 16:27:51 2017 +1300
> 
>     s3-auth: Log SMB authorization for bare NTLM (NTLMSSP/krb5
> already done)
>     
>     gensec_session_info() is not called for bare NTLM, so we have to
> log manually
>     
>     Signed-off-by: Andrew Bartlett <abartlet at samba.org>
>     Pair-Programmed-by: Gary Lockyer <gary at catalyst.net.nz>
>     Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
> 
> commit 0e508853fcb6cc0e8ca2b6ff48d8b5468b339468
> Author: Andrew Bartlett <abartlet at samba.org>
> Date:   Wed Mar 1 16:00:03 2017 +1300
> 
>     auth_log: Also log the final type of authentication
> (ntlmssp,krb5)
>     
>     Administrators really care about how their users were
> authenticated, so make
>     this clear.
>     
>     Signed-off-by: Andrew Bartlett <abartlet at samba.org>
>     Pair-Programmed-by: Gary Lockyer <gary at catalyst.net.nz>
>     Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
> 
> commit 46a800fae3b054a2e9c2f26f35630cadf11cfe3e
> Author: Andrew Bartlett <abartlet at samba.org>
> Date:   Wed Mar 1 15:06:25 2017 +1300
> 
>     auth_log: Expand to include the type of password used (eg ntlmv2)
>     
>     Signed-off-by: Andrew Bartlett <abartlet at samba.org>
>     Pair-Programmed-by: Gary Lockyer <gary at catalyst.net.nz>
>     Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
> 
> commit 59ed188ede42a4bc6534f679fa89dd0fb7f8a3ae
> Author: Andrew Bartlett <abartlet at samba.org>
> Date:   Wed Mar 1 14:19:50 2017 +1300
> 
>     dns: Provide local and remote socket address to GENSEC
>     
>     This can be used for logging and for Kerberos channel bindings
>     
>     Signed-off-by: Andrew Bartlett <abartlet at samba.org>
>     Pair-Programmed-by: Gary Lockyer <gary at catalyst.net.nz>
>     Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
> 
> commit a0ab86dedca2471ca2e4bb222f272d4bd35c85df
> Author: Andrew Bartlett <abartlet at samba.org>
> Date:   Wed Mar 1 12:18:49 2017 +1300
> 
>     auth: Add logging of service authorization
>     
>     In ntlm_auth.c and authdata.c, the session info will be
> incomplete
>     
>     Signed-off-by: Andrew Bartlett <abartlet at samba.org>
>     Pair-Programmed-by: Gary Lockyer <gary at catalyst.net.nz>
>     Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
> 
> commit 3bc56854457191ab817bc9a4419b1dee74138b0f
> Author: Gary Lockyer <gary at catalyst.net.nz>
> Date:   Fri Feb 24 13:29:12 2017 +1300
> 
>     rpc: Always supply both the remote and local address to the auth
> subsystem
>     
>     This ensures that gensec, and then the NTLM auth subsystem under
> it, always gets the
>     remote and local address pointers for potential logging.
>     
>     The local address allows us to know which interface an
> authentication is on
>     
>     Signed-off-by: Andrew Bartlett <abartlet at samba.org>
>     Pair-Programmed-by: Gary Lockyer <gary at catalyst.net.nz>
>     Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
> 
> commit 85536c1ff3513840728ba281de2b6f003e49f227
> Author: Andrew Bartlett <abartlet at samba.org>
> Date:   Thu Feb 23 14:31:52 2017 +1300
> 
>     auth: Always supply both the remote and local address to the auth
> subsystem
>     
>     This ensures that gensec, and then the NTLM auth subsystem under
> it, always gets the
>     remote and local address pointers for potential logging.
>     
>     The local address allows us to know which interface an
> authentication is on
>     
>     Signed-off-by: Andrew Bartlett <abartlet at samba.org>
>     Pair-Programmed-by: Gary Lockyer <gary at catalyst.net.nz>
>     Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
> 
> commit dc43000c0e15638cb4bc56ef8bbf6a50e681bb5a
> Author: Andrew Bartlett <abartlet at samba.org>
> Date:   Wed Mar 1 11:23:28 2017 +1300
> 
>     s3-auth: Clarify the role and purpose of the
> auth_serversupplied_info->security_token
>     
>     Signed-off-by: Andrew Bartlett <abartlet at samba.org>
>     Pair-Programmed-by: Gary Lockyer <gary at catalyst.net.nz>
>     Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
> 
> commit 8154acfd0d0bc00115a1aa65963f4f8c00fe4312
> Author: Gary Lockyer <gary at catalyst.net.nz>
> Date:   Thu Feb 23 13:50:14 2017 +1300
> 
>     auth: Generate a human readable Authentication log message.
>     
>     Add a human readable authentication log line, to allow
>     verification that all required details are being passed.
>     
>     Signed-off-by: Andrew Bartlett <abartlet at samba.org>
>     Pair-Programmed-by: Gary Lockyer <gary at catalyst.net.nz>
>     Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
> 
> commit 0db7719071999f3dcf6f45b030f7c3c23f2a72f6
> Author: Andrew Bartlett <abartlet at samba.org>
> Date:   Mon Feb 20 11:39:17 2017 +1300
> 
>     debug: Add debug class for auth_audit
>     
>     This will be an audit stream of authentication and connection-level authorization
>     
>     Signed-off-by: Andrew Bartlett <abartlet at samba.org>
>     Pair-Programmed-by: Gary Lockyer <gary at catalyst.net.nz>
>     Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
> 
> commit 4a99143a2b2b45e4dfb17695dbfa946d327fea9b
> Author: Andrew Bartlett <abartlet at samba.org>
> Date:   Wed Mar 1 11:22:43 2017 +1300
> 
>     s3-auth: Split out get_user_sid_info3_and_extra() from
> create_local_nt_token_from_info3()
>     
>     This will allow us to get the SID in another location for logging
>     
>     Signed-off-by: Andrew Bartlett <abartlet at samba.org>
>     Pair-Programmed-by: Gary Lockyer <gary at catalyst.net.nz>
>     Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
> 
> commit eacb5aead71299b6bebbddbaf7c9a3d545f9151b
> Author: Gary Lockyer <gary at catalyst.net.nz>
> Date:   Wed Mar 1 11:10:29 2017 +1300
> 
>     lib/util: Add functions to escape log lines but not break all
> non-ascii
>     
>     We do not want to turn every non-ascii username into a pile of
> hex, so we instead focus
>     on avoiding newline insertion attacks and other low control chars
>     
>     Pair-programmed-by: Andrew Bartlett <abartlet at samba.org>
>     Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
>     Signed-off-by: Andrew Bartlett <abartlet at samba.org>
> 
> commit 6adcaf16482fbca1ca8eeb80a2a7029d415c423f
> Author: Andrew Bartlett <abartlet at samba.org>
> Date:   Tue Feb 21 16:22:07 2017 +1300
> 
>     s4-rpc_server: Correct comment about where the current iface can
> be found
>     
>     Signed-off-by: Andrew Bartlett <abartlet at samba.org>
>     Pair-Programmed-by: Gary Lockyer <gary at catalyst.net.nz>
>     Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
> 
> commit d69187c153cab17176a31b5f4462e111cce2a6a3
> Author: Andrew Bartlett <abartlet at samba.org>
> Date:   Tue Feb 21 12:14:12 2017 +1300
> 
>     winbindd: Clarify that we do not pre-hash the password for
> rpccli_netlogon_password_logon()
>     
>     rpccli_netlogon_password_logon() is called in
> winbind_samlogon_retry_loop() if interactive
>     is set, and does not use the hashed passwords.
>     
>     This is only needed for winbindd_dual_auth_passdb(), and by
> moving the call we both
>     avoid the extra work and allow it to also be removed in this code
> path
>     
>     Signed-off-by: Andrew Bartlett <abartlet at samba.org>
>     Pair-Programmed-by: Gary Lockyer <gary at catalyst.net.nz>
>     Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
> 
> commit ea3f00f2b57c1896bc98c5a8e4538f46193b6c53
> Author: Andrew Bartlett <abartlet at samba.org>
> Date:   Tue Feb 21 11:57:57 2017 +1300
> 
>     auth: Add "auth_description" to allow logs to distinguish simple
> bind (etc)
>     
>     This will allow the authentication log to indicate clearly how
> the password was
>     supplied to the server.
>     
>     Signed-off-by: Andrew Bartlett <abartlet at samba.org>
>     Pair-Programmed-by: Gary Lockyer <gary at catalyst.net.nz>
>     Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
> 
> commit 5f5756db714de0c1b00d648a48423fde19a564a1
> Author: Andrew Bartlett <abartlet at samba.org>
> Date:   Mon Feb 20 15:57:03 2017 +1300
> 
>     ldap_server: Move code into authenticate_ldap_simple_bind()
>     
>     This function is only called for simple binds, and by moving the
> mapping into
>     the function call we allow the unmapped values to be included in
> the
>     user_info and so logged.
>     
>     We also include the local address and the remote address of the
> client
>     for future logging
>     
>     Signed-off-by: Andrew Bartlett <abartlet at samba.org>
>     Pair-Programmed-by: Gary Lockyer <gary at catalyst.net.nz>
>     Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
> 
> commit 7609c57922f1d5041dd65660e157a1ba3bf1a417
> Author: Andrew Bartlett <abartlet at samba.org>
> Date:   Mon Feb 20 15:55:34 2017 +1300
> 
>     auth: Add a reminder about the strings currently used for
> auditing
>     
>     We will soon have a much better replacement, but a note here may
> help some in the transition
>     
>     Signed-off-by: Andrew Bartlett <abartlet at samba.org>
>     Pair-Programmed-by: Gary Lockyer <gary at catalyst.net.nz>
>     Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
> 
> commit 9ffdb84600bb5b97a31d2407c8901aa3c599d53f
> Author: Andrew Bartlett <abartlet at samba.org>
> Date:   Thu Mar 9 15:10:14 2017 +1300
> 
>     s4-ldap_server: Do not set conn->session_info to NULL, keep valid
> at all times
>     
>     We need this to be valid, right up until a new session_info is
> created and
>     it is replaced.
>     
>     We need this to have a valid value at all times, and we are still
> anonymous
>     until the new bind completes
>     
>     Signed-off-by: Andrew Bartlett <abartlet at samba.org>
>     Pair-Programmed-by: Gary Lockyer <gary at catalyst.net.nz>
>     Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
> 
> commit 1cca9d6dce94f35e8efc17426ea0bf5f77a3ec3d
> Author: Andrew Bartlett <abartlet at samba.org>
> Date:   Tue Feb 21 14:15:05 2017 +1300
> 
>     s4-ldap_server: Set remote and local address values into GENSEC
>     
>     This will allow channel bindings and logging of the address
> values used during
>     authentication
>     
>     Signed-off-by: Andrew Bartlett <abartlet at samba.org>
>     Pair-Programmed-by: Gary Lockyer <gary at catalyst.net.nz>
>     Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
> 
> commit 28e0c8d135acaaedaf74126a2c572a3744d84336
> Author: Andrew Bartlett <abartlet at samba.org>
> Date:   Mon Feb 20 15:54:47 2017 +1300
> 
>     s4-ldap_server: Split gensec setup into a helper function
>     
>     This makes the error handling simpler when we set more
>     details onto the gensec context.
>     
>     Signed-off-by: Andrew Bartlett <abartlet at samba.org>
>     Pair-Programmed-by: Gary Lockyer <gary at catalyst.net.nz>
>     Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
> 
> commit c04891895999e2743e5bdbbba4c60254fa0f5820
> Author: Andrew Bartlett <abartlet at samba.org>
> Date:   Mon Feb 20 14:52:07 2017 +1300
> 
>     auth: Fill in user_info->service_description from all callers
>     
>     This will allow the logging code to make clear which protocol an
> authentication was for.
>     
>     Signed-off-by: Andrew Bartlett <abartlet at samba.org>
>     Pair-Programmed-by: Gary Lockyer <gary at catalyst.net.nz>
>     Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
> 
> commit 223598209225162aef42ef20c8a95fecc47837c9
> Author: Andrew Bartlett <abartlet at samba.org>
> Date:   Mon Feb 20 14:18:57 2017 +1300
> 
>     ntlm_auth: Set ntlm_auth as the service_description into gensec
>     
>     This allows this use case to be clearly found when logged.
>     
>     Signed-off-by: Andrew Bartlett <abartlet at samba.org>
>     Pair-Programmed-by: Gary Lockyer <gary at catalyst.net.nz>
>     Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
> 
> commit d82ac32eb744a0e3883b1d09832131ff9bc9bcad
> Author: Andrew Bartlett <abartlet at samba.org>
> Date:   Mon Feb 20 14:17:34 2017 +1300
> 
>     s3-auth: Pass service_description into gensec via
> auth_generic_prepare()
>     
>     This allows the GENSEC service description to be set from the
> various callers
>     that go via this function.
>     
>     The RPC service description is the name of the interface from the
> IDL.
>     
>     Signed-off-by: Andrew Bartlett <abartlet at samba.org>
>     Pair-Programmed-by: Gary Lockyer <gary at catalyst.net.nz>
>     Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
> 
> commit af9d4807399ff73a5d4baab713ef3731de0f5d62
> Author: Andrew Bartlett <abartlet at samba.org>
> Date:   Mon Feb 20 14:15:46 2017 +1300
> 
>     gensec: Pass service_description into auth_usersuppliedinfo
> during NTLMSSP
>     
>     This allows the GENSEC service description to be read at
> authentication time
>     for logging, eg that the user authenticated to the SAMR server
>     
>     Signed-off-by: Andrew Bartlett <abartlet at samba.org>
>     Pair-Programmed-by: Gary Lockyer <gary at catalyst.net.nz>
>     Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
> 
> commit 2d6066dbbfe8f10b95675eedd0f47c492cf29029
> Author: Andrew Bartlett <abartlet at samba.org>
> Date:   Mon Feb 20 13:32:47 2017 +1300
> 
>     gensec: Add gensec_{get,set}_target_service_description()
>     
>     This allows a free text description of what the server-side
> service is for logging
>     purposes where the various services may be using the same
> Kerberos service or not
>     use Kerberos.
>     
>     Signed-off-by: Andrew Bartlett <abartlet at samba.org>
>     Pair-Programmed-by: Gary Lockyer <gary at catalyst.net.nz>
>     Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
> 
> commit 9e09e68d4777a722759262e877d443d6bb93b592
> Author: Andrew Bartlett <abartlet at samba.org>
> Date:   Mon Feb 20 12:04:52 2017 +1300
> 
>     s4-netlogon: Remember many more details in the auth_usersupplied
> info for future logs
>     
>     This will allow a very verbose JSON line to be logged that others
> can audit from in the future
>     
>     Signed-off-by: Andrew Bartlett <abartlet at samba.org>
>     Pair-Programmed-by: Gary Lockyer <gary at catalyst.net.nz>
>     Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
> 
> commit eaa59ed34528e77e21c4d03c39fe806d918a898f
> Author: Andrew Bartlett <abartlet at samba.org>
> Date:   Mon Feb 20 12:01:37 2017 +1300
> 
>     s4-smbd: Remember the original client and server IPs from the SMB
> connection
>     
>     We need to know in the RPC server the original address the client
> came from
>     so that we can log this with the authentication audit information
>     
>     Signed-off-by: Andrew Bartlett <abartlet at samba.org>
>     Pair-Programmed-by: Gary Lockyer <gary at catalyst.net.nz>
>     Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
> 
> commit 3ee82de26df77f97abe1ca70c69f2b7c47421207
> Author: Andrew Bartlett <abartlet at samba.org>
> Date:   Tue Mar 14 16:43:06 2017 +1300
> 
>     auth_log: Add tests by listening for JSON messages over the
> message bus
>     
>     Signed-off-by: Andrew Bartlett <abartlet at samba.org>
>     Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
>     Pair-programmed-by: Gary Lockyer <gary at catalyst.net.nz>
> 
> commit 41f1da3a1ae0335ad485118c14394b98b9890abe
> Author: Gary Lockyer <gary at catalyst.net.nz>
> Date:   Thu Mar 16 16:24:20 2017 +1300
> 
>     TestBase: move insta_creds from password_lockout.py
>     
>     Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
> 
> commit 76692faa9f991f7460a778fbaf7e5cd902a9608f
> Author: Gary Lockyer <gary at catalyst.net.nz>
> Date:   Tue Mar 21 09:58:18 2017 +1300
> 
>     python net: add username, oldpassword and domain to
> change_password
>     
>     Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
> 
> commit b57e3cf1dfab2734baf63d06546f28fdf96fab9d
> Author: Gary Lockyer <gary at catalyst.net.nz>
> Date:   Tue Mar 21 16:00:38 2017 +1300
> 
>     pysmb: Check for credentials using same method as pyrpc
>     
>     Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
> 
> commit 6fcb61b7919bef76b28377a20c061815b3b4e697
> Author: Andrew Bartlett <abartlet at samba.org>
> Date:   Wed Mar 22 11:07:49 2017 +1300
> 
>     pysmb: Extend py_smb_new to allow use_ntlmv2 and use_spnego to be
> set by callers
>     
>     Signed-off-by: Andrew Bartlett <abartlet at samba.org>
> 
> -----------------------------------------------------------------------
> 
> Summary of changes:
>  WHATSNEW.txt                                       |   20 +-
>  auth/auth_log.c                                    |  901
> ++++++++++++++
>  auth/common_auth.h                                 |   62 +
>  auth/credentials/pycredentials.c                   |   65 +
>  auth/gensec/gensec.c                               |   94 +-
>  auth/gensec/gensec.h                               |   23 +
>  auth/gensec/gensec_internal.h                      |    3 +
>  auth/gensec/spnego.c                               |   12 +
>  auth/ntlmssp/ntlmssp.c                             |    6 +
>  auth/ntlmssp/ntlmssp_server.c                      |   11 +
>  auth/wscript_build                                 |    9 +-
>  auth/wscript_configure                             |    7 +
>  docs-xml/smbdotconf/logging/loglevel.xml           |   23 +
>  .../smbdotconf/logon/autheventnotification.xml     |   26 +
>  lib/util/debug.c                                   |    2 +
>  lib/util/debug.h                                   |    3 +-
>  lib/util/tests/util_str_escape.c                   |   90 ++
>  lib/util/util_str_escape.c                         |  126 ++
>  lib/util/{unix_match.h => util_str_escape.h}       |   14 +-
>  lib/util/wscript_build                             |    5 +
>  libcli/named_pipe_auth/npa_tstream.c               |   96 +-
>  libcli/named_pipe_auth/npa_tstream.h               |   28 +-
>  librpc/idl/named_pipe_auth.idl                     |   12 +-
>  librpc/idl/ntlmssp.idl                             |   12 +-
>  librpc/wscript_build                               |    5 +
>  python/samba/tests/__init__.py                     |   31 +
>  python/samba/tests/auth_log.py                     | 1259
> ++++++++++++++++++++
>  python/samba/tests/auth_log_base.py                |  104 ++
>  python/samba/tests/auth_log_ncalrpc.py             |  104 ++
>  python/samba/tests/auth_log_pass_change.py         |  330 +++++
>  python/samba/tests/credentials.py                  |   21 +
>  selftest/knownfail                                 |    4 +
>  selftest/target/Samba4.pm                          |    3 +
>  source3/auth/auth.c                                |   23 +-
>  source3/auth/auth_generic.c                        |   64 +-
>  source3/auth/auth_ntlmssp.c                        |    2 +
>  source3/auth/auth_util.c                           |   33 +-
>  source3/auth/proto.h                               |   20 +-
>  source3/auth/token_util.c                          |   41 +-
>  source3/auth/user_info.c                           |   17 +
>  source3/include/auth.h                             |    9 +-
>  source3/libads/authdata.c                          |    3 +
>  source3/librpc/crypto/gse.c                        |   16 +
>  source3/librpc/rpc/dcerpc_ep.c                     |    1 +
>  source3/printing/nt_printing_migrate_internal.c    |    1 +
>  source3/printing/printspoolss.c                    |    2 +
>  source3/rpc_client/cli_winreg_int.c                |    1 +
>  source3/rpc_server/dcesrv_auth_generic.c           |   12 +-
>  source3/rpc_server/dcesrv_auth_generic.h           |    2 +
>  source3/rpc_server/netlogon/srv_netlog_nt.c        |    5 +
>  source3/rpc_server/rpc_ncacn_np.c                  |   88 +-
>  source3/rpc_server/rpc_ncacn_np.h                  |   12 +-
>  source3/rpc_server/rpc_server.c                    |  119 +-
>  source3/rpc_server/rpc_server.h                    |   10 +-
>  source3/rpc_server/spoolss/srv_spoolss_util.c      |    1 +
>  source3/rpc_server/srv_pipe.c                      |   36 +-
>  source3/rpc_server/srv_pipe_hnd.c                  |   10 +-
>  source3/rpc_server/srv_pipe_hnd.h                  |    4 +-
>  source3/rpc_server/wscript_build                   |    2 +-
>  source3/smbd/lanman.c                              |   20 +-
>  source3/smbd/negprot.c                             |    9 +
>  source3/smbd/pipes.c                               |    2 +-
>  source3/smbd/reply.c                               |    1 +
>  source3/smbd/seal.c                                |    6 +
>  source3/smbd/sesssetup.c                           |   24 +-
>  source3/smbd/smb2_sesssetup.c                      |    3 +
>  source3/torture/pdbtest.c                          |   16 +-
>  source3/utils/ntlm_auth.c                          |   14 +
>  source3/winbindd/winbindd_cm.c                     |    2 +
>  source3/winbindd/winbindd_pam.c                    |   87 +-
>  source4/auth/auth.h                                |   19 +-
>  source4/auth/gensec/gensec_gssapi.c                |   16 +
>  source4/auth/gensec/gensec_krb5.c                  |    9 +-
>  source4/auth/gensec/pygensec.c                     |   25 +-
>  source4/auth/kerberos/wscript_build                |    2 +-
>  source4/auth/ntlm/auth.c                           |   19 +-
>  source4/auth/ntlm/auth_simple.c                    |  112 +-
>  source4/dns_server/dns_query.c                     |   22 +
>  source4/dns_server/dns_server.c                    |   14 +-
>  source4/dns_server/dns_server.h                    |    2 +
>  source4/dsdb/samdb/ldb_modules/password_hash.c     |  134 ++-
>  source4/dsdb/tests/python/password_lockout.py      |   63 +-
>  source4/heimdal/kdc/kerberos5.c                    |   39 +-
>  source4/heimdal/lib/hdb/hdb.h                      |   11 +-
>  source4/kdc/db-glue.c                              |    1 +
>  source4/kdc/hdb-samba4.c                           |  124 +-
>  source4/kdc/kdc-heimdal.c                          |    1 +
>  source4/kdc/samba_kdc.h                            |    2 +
>  source4/kdc/wscript_build                          |   10 +-
>  source4/ldap_server/ldap_backend.c                 |   60 +
>  source4/ldap_server/ldap_bind.c                    |  116 +-
>  source4/ldap_server/ldap_server.h                  |    1 +
>  source4/ldap_server/wscript_build                  |    2 +-
>  source4/lib/messaging/messaging.c                  |   80 --
>  source4/lib/messaging/messaging_send.c             |  115 ++
>  source4/lib/messaging/wscript_build                |    6 +
>  source4/libcli/pysmb.c                             |   52 +-
>  source4/libnet/py_net.c                            |   26 +-
>  source4/librpc/wscript_build                       |    6 +
>  source4/ntvfs/ipc/vfs_ipc.c                        |   12 +-
>  source4/rpc_server/dcerpc_server.c                 |    9 +-
>  source4/rpc_server/dcesrv_auth.c                   |   46 +
>  source4/rpc_server/netlogon/dcerpc_netlogon.c      |   72 +-
>  source4/rpc_server/samr/samr_password.c            |  138 ++-
>  source4/selftest/tests.py                          |   16 +
>  source4/smb_server/smb/sesssetup.c                 |   93 +-
>  source4/smb_server/smb2/sesssetup.c                |   40 +
>  source4/smbd/service_named_pipe.c                  |   25 +-
>  source4/torture/local/local.c                      |    1 +
>  source4/torture/local/wscript_build                |    3 +-
>  wscript                                            |    1 +
>  111 files changed, 5181 insertions(+), 593 deletions(-)
>  create mode 100644 auth/auth_log.c
>  create mode 100644 auth/wscript_configure
>  create mode 100644 docs-
> xml/smbdotconf/logon/autheventnotification.xml
>  create mode 100644 lib/util/tests/util_str_escape.c
>  create mode 100644 lib/util/util_str_escape.c
>  copy lib/util/{unix_match.h => util_str_escape.h} (73%)
>  create mode 100644 python/samba/tests/auth_log.py
>  create mode 100644 python/samba/tests/auth_log_base.py
>  create mode 100644 python/samba/tests/auth_log_ncalrpc.py
>  create mode 100644 python/samba/tests/auth_log_pass_change.py
>  create mode 100644 source4/lib/messaging/messaging_send.c
> 
> 
> Changeset truncated at 500 lines:
> 
> diff --git a/WHATSNEW.txt b/WHATSNEW.txt
> index cda61ef..4216c4f 100644
> --- a/WHATSNEW.txt
> +++ b/WHATSNEW.txt
> @@ -22,13 +22,31 @@ obey client requests to synchronize unwritten
> data in operating
>  system buffers safely onto disk. This is a safer default setting
>  for modern SMB1/2/3 clients.
>  
> +Authentication and Authorization audit support
> +----------------------------------------------
> +
> +Detailed authentication and authorization audit information is now
> +logged to Samba's debug logs under the "auth_audit" debug class,
> +including in particular the client IP address triggering the audit
> +line.  Additionally, if Samba is compiled against the jansson JSON
> +library, a JSON representation is logged under the "auth_json_audit"
> +debug class.
> +
> +Audit support is comprehensive for all authentication and
> +authorisation of user accounts in the Samba Active Directory Domain
> +Controller, as well as the implicit authentication in password
> +changes.  In the file server and classic/NT4 domain controller, NTLM
> +authentication, SMB and RPC authorization is covered, however
> password
> +changes are not at this stage, and this support is not currently
> +backed by a testsuite.
> +
>  smb.conf changes
>  ================
>  
>    Parameter Name                Description             Default
>    --------------                -----------             -------
>    strict sync			Default changed		
> yes
> -
> +  auth event notification       New parameter           no
>  
>  KNOWN ISSUES
>  ============
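Review bot: the new WHATSNEW entry mixes spellings, "Authorization" in the heading and "authorisation" in the second paragraph ("+authorisation of user accounts in the Samba Active Directory Domain"), while the JSON type string introduced later in this patch is AUTHZ_JSON_TYPE "Authorization"; pick one spelling so that searches over the release notes and the log lines agree. The entry also names the "auth_audit" and "auth_json_audit" debug classes but not the levels at which entries are emitted; adding the values defined in auth/auth_log.c (AUTH_FAILURE_LEVEL 2, AUTH_SUCCESS_LEVEL 3, AUTHZ_SUCCESS_LEVEL 4, anonymous at 5) would tell an administrator what `log level` setting for the class is needed to see failures versus successes.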
> diff --git a/auth/auth_log.c b/auth/auth_log.c
> new file mode 100644
> index 0000000..9dbf8f2
> --- /dev/null
> +++ b/auth/auth_log.c
> @@ -0,0 +1,901 @@
> +/*
> +
> +   Authentication and authorization logging
> +
> +   Copyright (C) Andrew Bartlett <abartlet at samba.org> 2017
> +
> +   This program is free software; you can redistribute it and/or
> modify
> +   it under the terms of the GNU General Public License as published
> by
> +   the Free Software Foundation; either version 3 of the License, or
> +   (at your option) any later version.
> +
> +   This program is distributed in the hope that it will be useful,
> +   but WITHOUT ANY WARRANTY; without even the implied warranty of
> +   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
> +   GNU General Public License for more details.
> +
> +   You should have received a copy of the GNU General Public License
> +   along with this program.  If not, see <http://www.gnu.org/license
> s/>.
> +*/
> +
> +/*
> + * Debug log levels for authentication logging (these both map to
> + * LOG_NOTICE in syslog)
> + */
> +#define AUTH_FAILURE_LEVEL 2
> +#define AUTH_SUCCESS_LEVEL 3
> +#define AUTHZ_SUCCESS_LEVEL 4
> +
> +/* 5 is used for both authentication and authorization */
> +#define AUTH_ANONYMOUS_LEVEL 5
> +#define AUTHZ_ANONYMOUS_LEVEL 5
> +
> +#define AUTHZ_JSON_TYPE "Authorization"
> +#define AUTH_JSON_TYPE  "Authentication"
> +
> +/*
> + * JSON message version numbers
> + *
> + * If adding a field increment the minor version
> + * If removing or changing the format/meaning of a field
> + * increment the major version.
> + */
> +#define AUTH_MAJOR 1
> +#define AUTH_MINOR 0
> +#define AUTHZ_MAJOR 1
> +#define AUTHZ_MINOR 0
> +
> +#include "includes.h"
> +#include "../lib/tsocket/tsocket.h"
> +#include "common_auth.h"
> +#include "lib/util/util_str_escape.h"
> +#include "libcli/security/dom_sid.h"
> +#include "libcli/security/security_token.h"
> +#include "librpc/gen_ndr/server_id.h"
> +#include "source4/lib/messaging/messaging.h"
> +#include "source4/lib/messaging/irpc.h"
> +#include "lib/util/server_id_db.h"
> +#include "lib/param/param.h"
> +
> +/*
> + * Get a human readable timestamp.
> + *
> + * Returns the current time formatted as
> + *  "Tue, 14 Mar 2017 08:38:42.209028 NZDT"
> + *
> + * The returned string is allocated by talloc in the supplied
> context.
> + * It is the callers responsibility to free it.
> + *
> + */
> +static const char* get_timestamp(TALLOC_CTX *frame)
> +{
> +	char buffer[40];	/* formatted time less usec and
> timezone */
> +	char tz[10];		/* formatted time zone		
> 	 */
> +	struct tm* tm_info;	/* current local time		
> 	 */
> +	struct timeval tv;	/* current system time		
> 	 */
> +	int r;			/* response code from
> gettimeofday	 */
> +	const char * ts;	/* formatted time stamp		
> 	 */
> +
> +	r = gettimeofday(&tv, NULL);
> +	if (r) {
> +		DBG_ERR("Unable to get time of day: (%d) %s\n",
> +			errno,
> +			strerror(errno));
> +		return NULL;
> +	}
> +
> +	tm_info = localtime(&tv.tv_sec);
> +	if (tm_info == NULL) {
> +		DBG_ERR("Unable to determine local time\n");
> +		return NULL;
> +	}
> +
> +	strftime(buffer, sizeof(buffer)-1, "%a, %d %b %Y %H:%M:%S",
> tm_info);
> +	strftime(tz, sizeof(tz)-1, "%Z", tm_info);
> +	ts = talloc_asprintf(frame, "%s.%06ld %s", buffer,
> tv.tv_usec, tz);
> +	if (ts == NULL) {
> +		DBG_ERR("Out of memory formatting time stamp\n");
> +	}
> +	return ts;
> +}
> +
> +/*
> + * Determine the type of the password supplied for the
> + * authorisation attempt.
> + *
> + */
> +static const char* get_password_type(const struct
> auth_usersupplied_info *ui);
> +
> +#ifdef HAVE_JANSSON
> +
> +#include <jansson.h>
> +#include "system/time.h"
> +
> +/*
> + * Context required by the JSON generation
> + *  routines
> + *
> + */
> +struct json_context {
> +	json_t *root;
> +	bool error;
> +};
> +
> +static NTSTATUS get_auth_event_server(struct imessaging_context
> *msg_ctx,
> +				      struct server_id
> *auth_event_server)
> +{
> +	NTSTATUS status;
> +	TALLOC_CTX *frame = talloc_stackframe();
> +	unsigned num_servers, i;
> +	struct server_id *servers;
> +
> +	status = irpc_servers_byname(msg_ctx, frame,
> +				     AUTH_EVENT_NAME,
> +				     &num_servers, &servers);
> +
> +	if (!NT_STATUS_IS_OK(status)) {
> +		DBG_NOTICE("Failed to find 'auth_event' registered
> on the "
> +			   "message bus to send JSON authentication
> events to: %s\n",
> +			   nt_errstr(status));
> +		TALLOC_FREE(frame);
> +		return status;
> +	}
> +
> +	/*
> +	 * Select the first server that is listening, because
> +	 * we get connection refused as
> +	 * NT_STATUS_OBJECT_NAME_NOT_FOUND without waiting
> +	 */
> +	for (i = 0; i < num_servers; i++) {
> +		status = imessaging_send(msg_ctx, servers[i],
> MSG_PING,
> +					 &data_blob_null);
> +		if (NT_STATUS_IS_OK(status)) {
> +			*auth_event_server = servers[i];
> +			TALLOC_FREE(frame);
> +			return NT_STATUS_OK;
> +		}
> +	}
> +	DBG_NOTICE("Failed to find a running 'auth_event' server "
> +		   "registered on the message bus to send JSON "
> +		   "authentication events to\n");
> +	TALLOC_FREE(frame);
> +	return NT_STATUS_OBJECT_NAME_NOT_FOUND;
> +}
> +
> +static void auth_message_send(struct imessaging_context *msg_ctx,
> +			      const char *json)
> +{
> +	struct server_id auth_event_server;
> +	NTSTATUS status;
> +	DATA_BLOB json_blob = data_blob_string_const(json);
> +	if (msg_ctx == NULL) {
> +		return;
> +	}
> +
> +	/* Need to refetch the address each time as the destination
> server may
> +	 * have disconnected and reconnected in the interim, in
> which case
> +	 * messages may get lost, manifests in the auth_log tests
> +	 */
> +	status = get_auth_event_server(msg_ctx, &auth_event_server);
> +	if (!NT_STATUS_IS_OK(status)) {
> +		return;
> +	}
> +
> +	status = imessaging_send(msg_ctx, auth_event_server,
> MSG_AUTH_LOG,
> +				 &json_blob);
> +
> +	/* If the server crashed, try to find it again */
> +	if (NT_STATUS_EQUAL(status,
> NT_STATUS_OBJECT_NAME_NOT_FOUND)) {
> +		status = get_auth_event_server(msg_ctx,
> &auth_event_server);
> +		if (!NT_STATUS_IS_OK(status)) {
> +			return;
> +		}
> +		imessaging_send(msg_ctx, auth_event_server,
> MSG_AUTH_LOG,
> +				&json_blob);
> +
> +	}
> +}
> +
> +/*
> + * Write the json object to the debug logs.
> + *
> + */
> +static void log_json(struct imessaging_context *msg_ctx,
> +		     struct json_context *context,
> +		     const char *type, int debug_class, int
> debug_level)
> +{
> +	char* json = NULL;
> +
> +	if (context->error) {
> +		return;
> +	}
> +
> +	json = json_dumps(context->root, 0);
> +	if (json == NULL) {
> +		DBG_ERR("Unable to convert JSON object to
> string\n");
> +		context->error = true;
> +		return;
> +	}
> +
> +	DEBUGC(debug_class, debug_level, ("JSON %s: %s\n", type,
> json));
> +	auth_message_send(msg_ctx, json);
> +
> +	if (json) {
> +		free(json);
> +	}
> +
> +}
> +
> +/*
> + * Create a new json logging context.
> + *
> + * Free with a call to free_json_context
> + *
> + */
> +static struct json_context get_json_context(void) {
> +
> +	struct json_context context;
> +	context.error = false;
> +
> +	context.root = json_object();
> +	if (context.root == NULL) {
> +		context.error = true;
> +		DBG_ERR("Unable to create json_object\n");
> +	}
> +	return context;
> +}
> +
> +/*
> + * free a previously created json_context
> + *
> + */
> +static void free_json_context(struct json_context *context)
> +{
> +	if (context->root) {
> +		json_decref(context->root);
> +	}
> +}
> +
> +/*
> + * Output a JSON pair with name name and integer value value
> + *
> + */
> +static void add_int(struct json_context *context,
> +		    const char* name,
> +		    const int value)
> +{
> +	int rc = 0;
> +
> +	if (context->error) {
> +		return;
> +	}
> +
> +	rc = json_object_set_new(context->root, name,
> json_integer(value));
> +	if (rc) {
> +		DBG_ERR("Unable to set name [%s] value [%d]\n",
> name, value);
> +		context->error = true;
> +	}
> +
> +}
> +
> +/*
> + * Output a JSON pair with name name and string value value
> + *
> + */
> +static void add_string(struct json_context *context,
> +		       const char* name,
> +		       const char* value)
> +{
> +	int rc = 0;
> +
> +	if (context->error) {
> +		return;
> +	}
> +
> +	if (value) {
> +		rc = json_object_set_new(context->root, name,
> json_string(value));
> +	} else {
> +		rc = json_object_set_new(context->root, name,
> json_null());
> +	}
> +	if (rc) {
> +		DBG_ERR("Unable to set name [%s] value [%s]\n",
> name, value);
> +		context->error = true;
> +	}
> +}
> +
> +
> +/*
> + * Output a JSON pair with name name and object value
> + *
> + */
> +static void add_object(struct json_context *context,
> +		       const char* name,
> +		       struct json_context *value)
> +{
> +	int rc = 0;
> +
> +	if (value->error) {
> +		context->error = true;
> +	}
> +	if (context->error) {
> +		return;
> +	}
> +	rc = json_object_set_new(context->root, name, value->root);
> +	if (rc) {
> +		DBG_ERR("Unable to add object [%s]\n", name);
> +		context->error = true;
> +	}
> +}
> +
> +/*
> + * Output a version object
> + *
> + * "version":{"major":1,"minor":0}
> + *
> + */
> +static void add_version(struct json_context *context, int major, int
> minor)
> +{
> +	struct json_context version = get_json_context();
> +	add_int(&version, "major", major);
> +	add_int(&version, "minor", minor);
> +	add_object(context, "version", &version);
> +}
> +
> +/*
> + * Output the current date and time as a timestamp in ISO 8601
> format
> + *
> + * "timestamp":"2017-03-06T17:18:04.455081+1300"
> + *
> + */
> +static void add_timestamp(struct json_context *context)
> +{
> +	char buffer[40];	/* formatted time less usec and
> timezone */
> +	char timestamp[50];	/* the formatted ISO 8601 time
> stamp	 */
> +	char tz[10];		/* formatted time zone		
> 	 */
> +	struct tm* tm_info;	/* current local time		
> 	 */
> +	struct timeval tv;	/* current system time		
> 	 */
> +	int r;			/* response code from
> gettimeofday	 */
> +
> +	if (context->error) {
> +		return;
> +	}
> +
> +	r = gettimeofday(&tv, NULL);
> +	if (r) {
> +		DBG_ERR("Unable to get time of day: (%d) %s\n",
> +			errno,
> +			strerror(errno));
> +		context->error = true;
> +		return;
> +	}
> +
> +	tm_info = localtime(&tv.tv_sec);
> +	if (tm_info == NULL) {
> +		DBG_ERR("Unable to determine local time\n");
> +		context->error = true;
> +		return;
> +	}
> +
> +	strftime(buffer, sizeof(buffer)-1, "%Y-%m-%dT%T", tm_info);
> +	strftime(tz, sizeof(tz)-1, "%z", tm_info);
> +	snprintf(timestamp, sizeof(timestamp),"%s.%06ld%s",
> +		 buffer, tv.tv_usec, tz);
> +	add_string(context,"timestamp", timestamp);
> +}
> +
> +
> +/*
> + * Output an address pair, with name name.
> + *
> + * "localAddress":"ipv6::::0"
> + *
> + */
> +static void add_address(struct json_context *context,
> +			const char *name,
> +			const struct tsocket_address *address)
> +{
> +	char *s = NULL;
> +	TALLOC_CTX *frame = talloc_stackframe();
> +
> +	if (context->error) {
> +		return;
> +	}
> +
> +	s = tsocket_address_string(address, frame);
> +	add_string(context, name, s);
> +	talloc_free(frame);
> +
> +}
> +
> +/*
> + * Output a SID with name name
> + *
> + * "sid":"S-1-5-18"
> + *
> + */
> +static void add_sid(struct json_context *context,
> +		    const char *name,
> +		    const struct dom_sid *sid)
> +{
> +	char sid_buf[DOM_SID_STR_BUFLEN];
> +
> +	if (context->error) {
> +		return;
> +	}
> +
> +	dom_sid_string_buf(sid, sid_buf, sizeof(sid_buf));
> +	add_string(context, name, sid_buf);
> +}
> +
> +/*
> + * Write a machine parsable json formatted authentication log entry.
> + *
> + * IF removing or changing the format/meaning of a field please
> update the
> + *    major version number AUTH_MAJOR
> + *
> + * IF adding a new field please update the minor version number
> AUTH_MINOR
> + *
> + *  To process the resulting log lines from the commend line use jq
> to
> + *  parse the json.
> + *
> + *  grep "JSON Authentication" log file |
> + *  sed 's;^[^{]*;;' |
> + * jq -rc  '"\(.timestamp)\t\(.Authentication.status)\t
> + *           \(.Authentication.clientDomain)\t
> + *           \(.Authentication.clientAccount)
> + *           \t\(.Authentication.workstation)
> + *           \t\(.Authentication.remoteAddress)
> + *           \t\(.Authentication.localAddress)"'
> + */
> +static void log_authentication_event_json(
> +	                struct imessaging_context *msg_ctx,
> +			struct loadparm_context *lp_ctx,
> +			const struct auth_usersupplied_info *ui,
> +			NTSTATUS status,
> +			const char *domain_name,
> +			const char *account_name,
> +			const char *unix_username,
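Review bot: add_address() allocates `TALLOC_CTX *frame = talloc_stackframe();` before the `if (context->error) { return; }` check, so that early return leaks a stack frame each time it is taken; move the error check above the allocation or free the frame before returning. Two smaller points in the same hunk: get_timestamp() and add_timestamp() use localtime(), which returns a pointer to shared static storage, so localtime_r() into a local `struct tm` would be safer; and neither strftime() return value is checked, so a zero return would leave `buffer` or `tz` with unspecified contents that are then formatted into the timestamp string. `tv.tv_usec` is also printed with `%06ld` without a cast to long, which is not portable across suseconds_t definitions.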
> 
> 
-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba



