[PATCH] Fix for Bug 12865 Samba 4.7 auth audit does not track machine account ServerAuthenticate3

Andrew Bartlett abartlet at samba.org
Thu Jul 13 21:13:50 UTC 2017


On Fri, 2017-07-14 at 09:07 +1200, Gary Lockyer wrote:
> 
> On 13/07/17 21:25, Andrew Bartlett via samba-technical wrote:
> > On Thu, 2017-07-13 at 07:21 +1200, Gary Lockyer via samba-technical
> > wrote:
> > > @@ -661,6 +661,14 @@ static const char* get_password_type(const struct auth_usersupplied_info *ui)
> > >  		   && ui->password.response.nt.length == 0
> > >  		   && ui->password.response.lanman.length == 0) {
> > >  		password_type = "No-Password";
> > > +	} else if (ui->netlogon_trust_account.negotiate_flags
> > > +		   & NETLOGON_NEG_SUPPORTS_AES) {
> > > +		password_type = "HMAC-SHA256";
> > > +	} else if (ui->netlogon_trust_account.negotiate_flags
> > > +		   & NETLOGON_NEG_STRONG_KEYS) {
> > > +		;
> > > +	} else if (strncmp("NETLOGON", ui->service_description, 8) == 0) {
> > > +		password_type = "DES";
> > >  	}
> > >  	return password_type;
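Review bot: the `NETLOGON_NEG_STRONG_KEYS` branch is an empty statement (`;`), so `password_type` is never set for that case and keeps whatever value it had before; that branch should assign a value, e.g. `password_type = "HMAC-MD5";`. The two `netlogon_trust_account.negotiate_flags` tests also run before the `strncmp("NETLOGON", ui->service_description, 8)` check, so a request for any other service whose flags happen to carry those bits would be reported as "HMAC-SHA256"; nest all three branches under the service check, and prefer a full-string compare (`strcmp`, or a check of the `auth_description` for `ServerAuthenticate`) over an 8-character prefix match, with a test that exercises each branch.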
> > 
> > G'Day Gary,
> > 
> > I'm sorry, but this hunk looks wrong, and I don't think it is tested.
> > You don't set password_type to "HMAC-MD5" for the STRONG_KEYS case, and
> > you don't guard the whole logic with strncmp("NETLOGON").  You should
> > check that, with just strcmp I think, and check against the
> > auth_description with "ServerAuthenticate".
> 
> Yeah, sadly I did not test it; I really should know better. I've had a
> look at writing the tests.  I need to be able to clear the
> NETLOGON_NEG_SUPPORTS_AES and NETLOGON_NEG_STRONG_KEYS flags.  Is there a way
> to do this from Python, or should I write a cmocka test to exercise the code?

Manually send the GetChallenge and ServerAuthenticate3 and check for it
in the bad password case (with zeroed authenticators), rather than the
good password case.  That should be mostly practical.

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba