[Samba] nitwit's attempt to edit samba source

Viktor Trojanovic viktor at troja.ch
Fri Nov 27 14:27:34 UTC 2015



On 26.11.2015 03:51, mourik jan heupink wrote:
> Hi,
>
> Since I really would like some more info (specifically: remote ip 
> address) to be logged with failed password attempts, I have tried to 
> edit the samba source code. :-)
>
> Anyway, I changed in source4/auth/ntlm/auth.c
>
>
>>     if (tevent_req_is_nterror(req, &status)) {
>>         DEBUG(2,("auth_check_password_recv: "
>>              "%s authentication for user [%s\\%s] "
>>              "FAILED with error %s\n",
>>              (state->method ? state->method->ops->name : "NO_METHOD"),
>>              state->user_info->mapped.domain_name,
>>              state->user_info->mapped.account_name,
>>              nt_errstr(status)));
>>         tevent_req_received(req);
>>         return status;
>>     }
>
> to:
>
>>     if (tevent_req_is_nterror(req, &status)) {
>>         DEBUG(2,("auth_check_password_recv: "
>>              "%s authentication for user [%s\\%s] on host %s "
>>              "FAILED with error %s\n",
>>              (state->method ? state->method->ops->name : "NO_METHOD"),
>>              state->user_info->mapped.domain_name,
>>              state->user_info->remote_host,
>>              state->user_info->mapped.account_name,
>>              nt_errstr(status)));
>>         tevent_req_received(req);
>>         return status;
>>     }
>
> No idea if that could work or not.... Anyway: my code actually 
> compiled, installed, and I provisioned a test domain/dc.
>
> I was amazed. :-)
>
> Anyway, trying a faulty password generates the following error now:
>
>>   ntlm_password_check: Lanman passwords NOT PERMITTED for user administrator
>> [2015/11/26 09:30:46.863556,  3] ../libcli/auth/ntlm_check.c:587(ntlm_password_check)
>>   ntlm_password_check: LM password, NT MD4 password in LM field and LMv2 failed for user administrator
>> [2015/11/26 09:30:46.864067,  2] ../source4/auth/ntlm/auth.c:430(auth_check_password_recv)
>>   auth_check_password_recv: sam_ignoredomain authentication for user [SAMDOM\�j�]�] on host administrator FAILED with error NT_STATUS_WRONG_PASSWORD
>> [2015/11/26 09:30:46.864149,  2] ../auth/gensec/spnego.c:693(gensec_spnego_server_negTokenTarg)
>>   SPNEGO login failed: NT_STATUS_WRONG_PASSWORD
>
> I noticed that I mixed up the order of variables (on host 
> "administrator" is obviously the username instead of the host) but 
> that's easy to correct of course.
>
> My question is: state->user_info->remote_host seems to become "�j�]�". 
> (I guess some binary value)
>
> So this is where my first 'programming attempt' ends. :-(
>
> Anyone with a tip on how to add a remote-ip (coming from ip) to failed 
> password attempt log lines?
>
> MJ
>
My C skills are very basic, and I never even looked at the Samba code 
till just now. Unlike the other two methods/properties, remote_host 
seems to return a structure of the type tsocket_address 
(https://github.com/Memeo/samba-unovero/blob/master/lib/tsocket/tsocket_guide.txt) 
and might need to be typecast/converted first. Skimming through some 
of the source code, try to use the following line instead: 
state->user_info->remote_host->addr. Really, I'm just guessing. Someone 
else will hopefully give a more appropriate answer.

As a less elegant alternative, you might consider keeping logs of all 
remote connection attempts to Samba via a firewall rule and then just 
cross-reference the logs (using timestamps).

Viktor


