auth log: Add windows logon type codes
Add a new "logonType" element to the Authorisation JSON log messages.
This contains a Windows Logon Type; the supported logon types are:
	2	Interactive
	3	Network
	8	NetworkCleartext

Signed-off-by: Gary Lockyer <[email protected]>
Reviewed-by: Andrew Bartlett <[email protected]>
GaryWL authored and abartlet committed Dec 14, 2018
1 parent b7baf96 commit ac51f15
Showing 7 changed files with 182 additions and 36 deletions.
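--- a/auth/auth_log.c
+++ b/auth/auth_log.c
@@ -91,6 +91,31 @@ static void log_json(struct imessaging_context *msg_ctx,
 }
 }
 
+/*
+* Determine the Windows logon type for the current authorisation attempt.
+*
+* Currently Samba only supports
+*
+* 2 Interactive A user logged on to this computer.
+* 3 Network A user or computer logged on to this computer from
+* the network.
+* 8 NetworkCleartext A user logged on to this computer from the network.
+* The user's password was passed to the authentication
+* package in its unhashed form.
+*
+*/
+static enum event_logon_type get_logon_type(
+const struct auth_usersupplied_info *ui)
+{
+if ((ui->logon_parameters & MSV1_0_CLEARTEXT_PASSWORD_SUPPLIED)
+|| (ui->password_state == AUTH_PASSWORD_PLAIN)) {
+return EVT_LOGON_NETWORK_CLEAR_TEXT;
+} else if (ui->flags & USER_INFO_INTERACTIVE_LOGON) {
+return EVT_LOGON_INTERACTIVE;
+}
+return EVT_LOGON_NETWORK;
+}
+
 /*
 * Write a machine parsable json formatted authentication log entry.
 *
@@ -142,6 +167,10 @@ static void log_authentication_event_json(
 if (rc != 0) {
 goto failure;
 }
+rc = json_add_int(&authentication, "logonType", get_logon_type(ui));
+if (rc != 0) {
+goto failure;
+}
 rc = json_add_string(&authentication, "status", nt_errstr(status));
 if (rc != 0) {
 goto failure;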
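Review bot: get_logon_type tests the cleartext conditions before USER_INFO_INTERACTIVE_LOGON, so an interactive logon that also has AUTH_PASSWORD_PLAIN or MSV1_0_CLEARTEXT_PASSWORD_SUPPLIED set is logged as 8 (NetworkCleartext) and never as 2, and the header comment does not mention this precedence. Whether that combination can occur is not visible in this hunk, but log consumers that map logonType onto the Windows logon-type meanings would then read a console logon as a network one. If the ordering is intended, state it in the comment, for example `* Cleartext is checked first: an interactive logon with a plaintext password is reported as 8, not 2.`; if it is not, swap the two branches.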
119 changes: 99 additions & 20 deletions python/samba/tests/auth_log.py

Large diffs are not rendered by default.

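--- a/python/samba/tests/auth_log_ncalrpc.py
+++ b/python/samba/tests/auth_log_ncalrpc.py
@@ -23,7 +23,10 @@
 from samba.dcerpc.dcerpc import AS_SYSTEM_MAGIC_PATH_TOKEN
 from samba.dcerpc import samr
 import samba.tests.auth_log_base
-from samba.dcerpc.windows_event_ids import EVT_ID_SUCCESSFUL_LOGON
+from samba.dcerpc.windows_event_ids import (
+EVT_ID_SUCCESSFUL_LOGON,
+EVT_LOGON_NETWORK
+)
 
 
 class AuthLogTestsNcalrpc(samba.tests.auth_log_base.AuthLogTestBase):
@@ -78,6 +81,8 @@ def rpc_ncacn_np_ntlm_check(self, messages, authTypes, protection):
 msg["Authentication"]["authDescription"])
 self.assertEquals(EVT_ID_SUCCESSFUL_LOGON,
 msg["Authentication"]["eventId"])
+self.assertEquals(EVT_LOGON_NETWORK,
+msg["Authentication"]["logonType"])
 
 def test_ncalrpc_ntlm_dns_sign(self):
 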
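Review bot: The check added to rpc_ncacn_np_ntlm_check uses `self.assertEquals`, a deprecated alias of `assertEqual` that was removed from unittest in Python 3.12; the line added to netlogon_check in auth_log_netlogon.py does the same. It matches the neighbouring calls, but new lines are a cheap place to stop growing the cleanup, e.g. `self.assertEqual(EVT_LOGON_NETWORK, msg["Authentication"]["logonType"])`. Both functions start outside their hunks, so the existing calls are not shown in full here.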
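--- a/python/samba/tests/auth_log_netlogon.py
+++ b/python/samba/tests/auth_log_netlogon.py
@@ -36,7 +36,10 @@
 from samba.dsdb import UF_WORKSTATION_TRUST_ACCOUNT, UF_PASSWD_NOTREQD
 from samba.dcerpc.misc import SEC_CHAN_WKSTA
 from samba.compat import text_type
-from samba.dcerpc.windows_event_ids import EVT_ID_SUCCESSFUL_LOGON
+from samba.dcerpc.windows_event_ids import (
+EVT_ID_SUCCESSFUL_LOGON,
+EVT_LOGON_NETWORK
+)
 
 
 class AuthLogTestsNetLogon(samba.tests.auth_log_base.AuthLogTestBase):
@@ -129,6 +132,8 @@ def netlogon_check(self, messages):
 msg["Authentication"]["passwordType"])
 self.assertEquals(EVT_ID_SUCCESSFUL_LOGON,
 msg["Authentication"]["eventId"])
+self.assertEquals(EVT_LOGON_NETWORK,
+msg["Authentication"]["logonType"])
 
 def test_netlogon(self):
 self._test_netlogon("SEAL", self.netlogon_check)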
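--- a/python/samba/tests/auth_log_netlogon_bad_creds.py
+++ b/python/samba/tests/auth_log_netlogon_bad_creds.py
@@ -38,7 +38,10 @@
 from samba.dcerpc.misc import SEC_CHAN_WKSTA
 from samba.dcerpc.netlogon import NETLOGON_NEG_STRONG_KEYS
 from samba.compat import get_string
-from samba.dcerpc.windows_event_ids import EVT_ID_UNSUCCESSFUL_LOGON
+from samba.dcerpc.windows_event_ids import (
+EVT_ID_UNSUCCESSFUL_LOGON,
+EVT_LOGON_NETWORK
+)
 
 
 class AuthLogTestsNetLogonBadCreds(samba.tests.auth_log_base.AuthLogTestBase):
@@ -84,7 +87,8 @@ def isLastExpectedMessage(msg):
 msg["Authentication"]["authDescription"] ==
 "ServerAuthenticate" and
 msg["Authentication"]["status"] == status and
-msg["Authentication"]["eventId"] == event_id)
+msg["Authentication"]["eventId"] == event_id and
+msg["Authentication"]["logonType"] == EVT_LOGON_NETWORK)
 
 machine_creds = Credentials()
 machine_creds.guess(self.get_loadparm())
@@ -143,7 +147,9 @@ def isLastExpectedMessage(msg):
 msg["Authentication"]["authDescription"] ==
 "ServerAuthenticate" and
 msg["Authentication"]["passwordType"] == "DES" and
-msg["Authentication"]["eventId"] == EVT_ID_UNSUCCESSFUL_LOGON)
+msg["Authentication"]["eventId"] ==
+EVT_ID_UNSUCCESSFUL_LOGON and
+msg["Authentication"]["logonType"] == EVT_LOGON_NETWORK)
 
 c = netlogon.netlogon("ncalrpc:[schannel]", self.get_loadparm())
 creds = netlogon.netr_Credential()
@@ -169,7 +175,9 @@ def isLastExpectedMessage(msg):
 msg["Authentication"]["authDescription"] ==
 "ServerAuthenticate" and
 msg["Authentication"]["passwordType"] == "HMAC-MD5" and
-msg["Authentication"]["eventId"] == EVT_ID_UNSUCCESSFUL_LOGON)
+(msg["Authentication"]["eventId"] ==
+EVT_ID_UNSUCCESSFUL_LOGON) and
+msg["Authentication"]["logonType"] == EVT_LOGON_NETWORK)
 
 c = netlogon.netlogon("ncalrpc:[schannel]", self.get_loadparm())
 creds = netlogon.netr_Credential()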
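Review bot: Folding `msg["Authentication"]["logonType"] == EVT_LOGON_NETWORK` into each isLastExpectedMessage predicate means a wrong logon type simply makes the predicate not match, so a regression would presumably surface as a missing message rather than as a failure that names logonType; how the caller reacts to a predicate that never matches is outside these hunks. The predicate could keep to the fields that identify the message, with the logon type asserted on the matched message afterwards, e.g. `self.assertEqual(EVT_LOGON_NETWORK, msg["Authentication"]["logonType"])`. The same pattern is added in auth_log_pass_change.py and auth_log_samlogon.py. Separately, the second predicate leaves the wrapped eventId comparison unparenthesised while the third wraps it in parentheses; one form throughout would read more easily.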
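--- a/python/samba/tests/auth_log_pass_change.py
+++ b/python/samba/tests/auth_log_pass_change.py
@@ -32,7 +32,8 @@
 from samba.tests.password_test import PasswordCommon
 from samba.dcerpc.windows_event_ids import (
 EVT_ID_SUCCESSFUL_LOGON,
-EVT_ID_UNSUCCESSFUL_LOGON
+EVT_ID_UNSUCCESSFUL_LOGON,
+EVT_LOGON_NETWORK
 )
 
 USER_NAME = "authlogtestuser"
@@ -87,7 +88,9 @@ def isLastExpectedMessage(msg):
 (msg["Authentication"]["authDescription"] ==
 "samr_ChangePasswordUser3") and
 (msg["Authentication"]["eventId"] ==
-EVT_ID_SUCCESSFUL_LOGON))
+EVT_ID_SUCCESSFUL_LOGON) and
+(msg["Authentication"]["logonType"] ==
+EVT_LOGON_NETWORK))
 
 creds = self.insta_creds(template=self.get_credentials())
 
@@ -115,7 +118,9 @@ def isLastExpectedMessage(msg):
 (msg["Authentication"]["authDescription"] ==
 "samr_ChangePasswordUser3") and
 (msg["Authentication"]["eventId"] ==
-EVT_ID_UNSUCCESSFUL_LOGON))
+EVT_ID_UNSUCCESSFUL_LOGON) and
+(msg["Authentication"]["logonType"] ==
+EVT_LOGON_NETWORK))
 
 creds = self.insta_creds(template=self.get_credentials())
 
@@ -148,7 +153,9 @@ def isLastExpectedMessage(msg):
 (msg["Authentication"]["authDescription"] ==
 "samr_ChangePasswordUser3") and
 (msg["Authentication"]["eventId"] ==
-EVT_ID_UNSUCCESSFUL_LOGON))
+EVT_ID_UNSUCCESSFUL_LOGON) and
+(msg["Authentication"]["logonType"] ==
+EVT_LOGON_NETWORK))
 
 creds = self.insta_creds(template=self.get_credentials())
 
@@ -181,7 +188,9 @@ def isLastExpectedMessage(msg):
 (msg["Authentication"]["authDescription"] ==
 "samr_ChangePasswordUser3") and
 (msg["Authentication"]["eventId"] ==
-EVT_ID_UNSUCCESSFUL_LOGON))
+EVT_ID_UNSUCCESSFUL_LOGON) and
+(msg["Authentication"]["logonType"] ==
+EVT_LOGON_NETWORK))
 
 creds = self.insta_creds(template=self.get_credentials())
 
@@ -218,7 +227,9 @@ def isLastExpectedMessage(msg):
 (msg["Authentication"]["authDescription"] ==
 "OemChangePasswordUser2") and
 (msg["Authentication"]["eventId"] ==
-EVT_ID_UNSUCCESSFUL_LOGON))
+EVT_ID_UNSUCCESSFUL_LOGON) and
+(msg["Authentication"]["logonType"] ==
+EVT_LOGON_NETWORK))
 
 username = os.environ["USERNAME"]
 server = os.environ["SERVER"]
@@ -243,7 +254,9 @@ def isLastExpectedMessage(msg):
 (msg["Authentication"]["authDescription"] ==
 "LDAP Modify") and
 (msg["Authentication"]["eventId"] ==
-EVT_ID_SUCCESSFUL_LOGON))
+EVT_ID_SUCCESSFUL_LOGON) and
+(msg["Authentication"]["logonType"] ==
+EVT_LOGON_NETWORK))
 
 new_password = samba.generate_random_password(32, 32)
 self.ldb.modify_ldif(
@@ -300,7 +313,9 @@ def isLastExpectedMessage(msg):
 (msg["Authentication"]["authDescription"] ==
 "LDAP Modify") and
 (msg["Authentication"]["eventId"] ==
-EVT_ID_UNSUCCESSFUL_LOGON))
+EVT_ID_UNSUCCESSFUL_LOGON) and
+(msg["Authentication"]["logonType"] ==
+EVT_LOGON_NETWORK))
 
 new_password = samba.generate_random_password(32, 32)
 try: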
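--- a/python/samba/tests/auth_log_samlogon.py
+++ b/python/samba/tests/auth_log_samlogon.py
@@ -36,7 +36,10 @@
 from samba.dsdb import UF_WORKSTATION_TRUST_ACCOUNT, UF_PASSWD_NOTREQD
 from samba.dcerpc.misc import SEC_CHAN_WKSTA
 from samba.compat import text_type
-from samba.dcerpc.windows_event_ids import EVT_ID_SUCCESSFUL_LOGON
+from samba.dcerpc.windows_event_ids import (
+EVT_ID_SUCCESSFUL_LOGON,
+EVT_LOGON_NETWORK
+)
 
 
 class AuthLogTestsSamLogon(samba.tests.auth_log_base.AuthLogTestBase):
@@ -72,7 +75,9 @@ def isLastExpectedMessage(msg):
 msg["Authentication"]["serviceDescription"] == "SamLogon" and
 msg["Authentication"]["authDescription"] == "network" and
 msg["Authentication"]["passwordType"] == "NTLMv2" and
-msg["Authentication"]["eventId"] == EVT_ID_SUCCESSFUL_LOGON)
+(msg["Authentication"]["eventId"] ==
+EVT_ID_SUCCESSFUL_LOGON) and
+(msg["Authentication"]["logonType"] == EVT_LOGON_NETWORK))
 
 if binding:
 binding = "[schannel,%s]" % binding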
