
Use the LogonId in NETLOGON_LOGON_IDENTITY_INFO to link winbind authentication and SamLogon

This change:

Folds the two 32-bit values logon_id_high and logon_id_low into a single 64-bit logon_id in netr_identity_info. Samba currently sets this to 0xdeadbeef.

Populates this with a random value in winbind and passes it in the SamLogon calls.

Adds Authentication logging in winbind for PAM_AUTH and PAM_AUTH_CRAP authentication.

Logs the logonId in JSON Authentication messages.

Log message for a winbind PAM_AUTH request:

    {
      "timestamp": "2019-02-08T08:45:20.677535+1300",
      "type": "Authentication",
      "Authentication": {
        "version": { "major": 1, "minor": 2 },
        "eventId": 4624,
        "logonId": "7f0fb6cb17b1b2eb",
        "logonType": 8,
        "status": "NT_STATUS_OK",
        "localAddress": "unix:",
        "remoteAddress": "unix:",
        "serviceDescription": "winbind",
        "authDescription": "PAM_AUTH, ntlm_auth, 14269",
        "clientDomain": "SAMBADOMAIN",
        "clientAccount": "Administrator",
        "workstation": null,
        "becameAccount": "",
        "becameDomain": "",
        "becameSid": null,
        "mappedAccount": null,
        "mappedDomain": null,
        "netlogonComputer": null,
        "netlogonTrustAccount": null,
        "netlogonNegotiateFlags": "0x00000000",
        "netlogonSecureChannelType": 0,
        "netlogonTrustAccountSid": null,
        "passwordType": "Plaintext",
        "duration": 122573
      }
    }

Log message for the corresponding SamLogon:

    {
      "timestamp": "2019-02-08T08:45:20.560851+1300",
      "type": "Authentication",
      "Authentication": {
        "version": { "major": 1, "minor": 2 },
        "eventId": 4624,
        "logonId": "7f0fb6cb17b1b2eb",
        "logonType": 2,
        "status": "NT_STATUS_OK",
        "localAddress": "ipv4:127.0.0.21:1026",
        "remoteAddress": "ipv4:127.0.0.23:24297",
        "serviceDescription": "SamLogon",
        "authDescription": "interactive",
        "clientDomain": "SAMBADOMAIN",
        "clientAccount": "Administrator",
        "workstation": "\\S4MEMBER",
        "becameAccount": "Administrator",
        "becameDomain": "SAMBADOMAIN",
        "becameSid": "S-1-5-21-1560481212-3295640397-1679667293-500",
        "mappedAccount": "Administrator",
        "mappedDomain": "SAMBADOMAIN",
        "netlogonComputer": "S4MEMBER",
        "netlogonTrustAccount": "S4MEMBER$",
        "netlogonNegotiateFlags": "0x610FFFFF",
        "netlogonSecureChannelType": 2,
        "netlogonTrustAccountSid": "S-1-5-21-1560481212-3295640397-1679667293-1109",
        "passwordType": "Supplied-NT-Hash",
        "duration": 5528
      }
    }
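Added example, not part of the merge request or of Samba's code: a log-side join in Python that pairs winbind and SamLogon Authentication records on the shared logonId, and sets aside records that still carry the 0xdeadbeef value and so cannot be linked. It assumes one JSON object per log line; the function names and the sample records (cut down to the fields used) are constructed here.

```python
import json
from collections import defaultdict

PLACEHOLDER = 0xDEADBEEF  # fixed value the page says Samba set before this change

# Constructed sample: one JSON object per line (assumed layout), cut down to the
# fields used here. The first two mirror the page's pair; the rest are made up.
SAMPLE_LOG = "\n".join([
    '{"type": "Authentication", "Authentication": {"logonId": "7f0fb6cb17b1b2eb", '
    '"serviceDescription": "winbind", "clientAccount": "Administrator"}}',
    '{"type": "Authentication", "Authentication": {"logonId": "7f0fb6cb17b1b2eb", '
    '"serviceDescription": "SamLogon", "clientAccount": "Administrator"}}',
    '{"type": "Authentication", "Authentication": {"logonId": "1a2b3c4d5e6f7081", '
    '"serviceDescription": "winbind", "clientAccount": "alice"}}',
    '{"type": "Authentication", "Authentication": {"logonId": "00000000deadbeef", '
    '"serviceDescription": "SamLogon", "clientAccount": "bob"}}',
])

def auth_events(text):
    """Yield the Authentication object of each JSON Authentication record."""
    for line in text.splitlines():
        start = line.find("{")  # tolerate a log prefix or indent before the JSON
        try:
            rec = json.loads(line[start:]) if start >= 0 else None
        except ValueError:
            continue  # not JSON: ordinary debug output
        if isinstance(rec, dict) and rec.get("type") == "Authentication":
            yield rec.get("Authentication", {})

def correlate(text):
    """Return (linked, unlinked, unusable) keyed on the 64-bit logonId."""
    by_id, unusable = defaultdict(lambda: defaultdict(list)), []
    for ev in auth_events(text):
        try:
            lid = int(ev.get("logonId"), 16)
        except (TypeError, ValueError):
            lid = PLACEHOLDER  # missing or malformed id cannot link anything
        if lid == PLACEHOLDER:
            unusable.append(ev)
        else:
            by_id[lid][ev.get("serviceDescription")].append(ev)
    linked, unlinked = {}, []
    for lid, svc in by_id.items():
        if svc["winbind"] and svc["SamLogon"]:
            linked[f"{lid:016x}"] = (svc["winbind"][0], svc["SamLogon"][0])
        else:
            unlinked += [e for evs in svc.values() for e in evs]
    return linked, unlinked, unusable
```

`correlate(SAMPLE_LOG)` links the Administrator pair, leaves the constructed "alice" winbind record unlinked, and reports the constructed "bob" record as unusable because its id is the fixed value.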
