[Samba] nitwit's attempt to edit samba source
Viktor Trojanovic
viktor at troja.ch
Fri Nov 27 14:27:34 UTC 2015
On 26.11.2015 03:51, mourik jan heupink wrote:
> Hi,
>
> Since I really would like some more info (specifically: remote ip
> address) to be logged with failed password attempts, I have tried to
> edit the samba source code. :-)
>
> Anyway, I changed in source4/auth/ntlm/auth.c
>
>
>> if (tevent_req_is_nterror(req, &status)) {
>> DEBUG(2,("auth_check_password_recv: "
>> "%s authentication for user [%s\\%s] "
>> "FAILED with error %s\n",
>> (state->method ? state->method->ops->name : "NO_METHOD"),
>> state->user_info->mapped.domain_name,
>> state->user_info->mapped.account_name,
>> nt_errstr(status)));
>> tevent_req_received(req);
>> return status;
>> }
>
> to:
>
>> if (tevent_req_is_nterror(req, &status)) {
>> DEBUG(2,("auth_check_password_recv: "
>> "%s authentication for user [%s\\%s] on host %s "
>> "FAILED with error %s\n",
>> (state->method ? state->method->ops->name : "NO_METHOD"),
>> state->user_info->mapped.domain_name,
>> state->user_info->remote_host,
>> state->user_info->mapped.account_name,
>> nt_errstr(status)));
>> tevent_req_received(req);
>> return status;
>> }
>
> No idea if that could work or not.... Anyway: my code actually
> compiled, installed, and I provisioned a test domain/dc.
>
> I was amazed. :-)
>
> Anyway, trying a faulty password generates the following error now:
>
>> ntlm_password_check: Lanman passwords NOT PERMITTED for user
>> administrator
>> [2015/11/26 09:30:46.863556, 3]
>> ../libcli/auth/ntlm_check.c:587(ntlm_password_check)
>> ntlm_password_check: LM password, NT MD4 password in LM field and
>> LMv2 failed for user administrator
>> [2015/11/26 09:30:46.864067, 2]
>> ../source4/auth/ntlm/auth.c:430(auth_check_password_recv)
>> auth_check_password_recv: sam_ignoredomain authentication for
>> user [SAMDOM\�j�]�] on host administrator FAILED with error
>> NT_STATUS_WRONG_PASSWORD
>> [2015/11/26 09:30:46.864149, 2]
>> ../auth/gensec/spnego.c:693(gensec_spnego_server_negTokenTarg)
>> SPNEGO login failed: NT_STATUS_WRONG_PASSWORD
>
> I noticed that I mixed up the order of variables (on host
> "administrator" is obviously the username instead of the host) but
> that's easy to correct of course.
>
> My question is: state->user_info->remote_host seems to become "�j�]�".
> (I guess some binary value)
>
> So this is where my first 'programming attempt' ends. :-(
>
> Anyone with a tip on how to add a remote IP (coming from ip) to failed
> password attempt log lines?
>
> MJ
>
My C skills are very basic, and I never even looked at the Samba code
till just now. Unlike the other two methods/properties, remote_host
seems to return a structure of the type tsocket_address
(https://github.com/Memeo/samba-unovero/blob/master/lib/tsocket/tsocket_guide.txt)
and might need to be typecast/converted first. Skimming through some
of the source code, try to use the following line instead:
state->user_info->remote_host->addr. Really, I'm just guessing. Someone
else will hopefully give a more appropriate answer.

As a less elegant alternative, you might consider keeping logs of all
remote connection attempts to Samba via a firewall rule and then just
cross reference the logs (using timestamps).
Viktor