[PATCH] Fix for Bug 12865 Samba 4.7 auth audit does not track machine account ServerAuthenticate3
Andrew Bartlett
abartlet at samba.org
Thu Jul 13 21:13:50 UTC 2017
On Fri, 2017-07-14 at 09:07 +1200, Gary Lockyer wrote:
>
> On 13/07/17 21:25, Andrew Bartlett via samba-technical wrote:
> > On Thu, 2017-07-13 at 07:21 +1200, Gary Lockyer via samba-technical
> > wrote:
> > > @@ -661,6 +661,14 @@ static const char* get_password_type(const struct auth_usersupplied_info *ui)
> > > && ui->password.response.nt.length == 0
> > > && ui->password.response.lanman.length == 0) {
> > > password_type = "No-Password";
> > > + } else if (ui->netlogon_trust_account.negotiate_flags
> > > + & NETLOGON_NEG_SUPPORTS_AES) {
> > > + password_type = "HMAC-SHA256";
> > > + } else if (ui->netlogon_trust_account.negotiate_flags
> > > + & NETLOGON_NEG_STRONG_KEYS) {
> > > + ;
> > > + } else if (strncmp("NETLOGON", ui->service_description, 8) == 0) {
> > > + password_type = "DES";
> > > }
> > > return password_type;
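Review bot: the NETLOGON_NEG_STRONG_KEYS branch in get_password_type has an empty body (a lone `;`), so a STRONG_KEYS-only ServerAuthenticate leaves password_type at whatever it held before the chain while the AES and DES branches each set a label; it should set password_type = "HMAC-MD5". The two negotiate_flags checks are also evaluated for every caller, since only the final DES branch is guarded by strncmp("NETLOGON", ui->service_description, 8); the service_description check should wrap all three flag branches, and because strncmp with length 8 matches any string that merely starts with "NETLOGON", a strcmp (or a check of the auth_description against "ServerAuthenticate") would be more precise. A test that clears NETLOGON_NEG_SUPPORTS_AES and NETLOGON_NEG_STRONG_KEYS is needed so each branch is actually exercised.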
> >
> > G'Day Gary,
> >
> > I'm sorry, but this hunk looks wrong, and I don't think it is tested.
> > You don't set password_type to "HMAC-MD5" for the STRONG_KEYS case, and
> > you don't guard the whole logic with strncmp("NETLOGON"). You should
> > check that, with just strcmp I think, and check against the
> > auth_description with "ServerAuthenticate".
>
> Yeah sadly I did not test it, I really should know better. I've had a
> look at writing the tests. Need to be able to clear the
> NETLOGON_NEG_SUPPORTS_AES and NETLOGON_NEG_STRONG_KEYS. Is there a way
> to do this from Python or should I write a cmocka test to exercise the code?
Manually send the GetChallenge and ServerAuthenticate3 and check for it
in the bad password case (with zeroed authenticators), rather than the
good password case. That should be mostly practical.
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba