Hi,

Since I really would like some more info (specifically: remote IP address) to be logged with failed password attempts, I have tried to edit the Samba source code. :-)

Anyway, I changed in source4/auth/ntlm/auth.c

> if (tevent_req_is_nterror(req, &status)) {
>     DEBUG(2,("auth_check_password_recv: "
>              "%s authentication for user [%s\\%s] "
>              "FAILED with error %s\n",
>              (state->method ? state->method->ops->name : "NO_METHOD"),
>              state->user_info->mapped.domain_name,
>              state->user_info->mapped.account_name,
>              nt_errstr(status)));
>     tevent_req_received(req);
>     return status;
> }

to:

> if (tevent_req_is_nterror(req, &status)) {
>     DEBUG(2,("auth_check_password_recv: "
>              "%s authentication for user [%s\\%s] on host %s "
>              "FAILED with error %s\n",
>              (state->method ? state->method->ops->name : "NO_METHOD"),
>              state->user_info->mapped.domain_name,
>              state->user_info->remote_host,
>              state->user_info->mapped.account_name,
>              nt_errstr(status)));
>     tevent_req_received(req);
>     return status;
> }

No idea if that could work or not.... Anyway: my code actually compiled, installed, and I provisioned a test domain/dc. I was amazed. :-)

Anyway, trying a faulty password generates the following error now:

> ntlm_password_check: Lanman passwords NOT PERMITTED for user administrator
> [2015/11/26 09:30:46.863556, 3] ../libcli/auth/ntlm_check.c:587(ntlm_password_check)
> ntlm_password_check: LM password, NT MD4 password in LM field and LMv2 failed for user administrator
> [2015/11/26 09:30:46.864067, 2] ../source4/auth/ntlm/auth.c:430(auth_check_password_recv)
> auth_check_password_recv: sam_ignoredomain authentication for user [SAMDOM\j]] on host administrator FAILED with error NT_STATUS_WRONG_PASSWORD
> [2015/11/26 09:30:46.864149, 2] ../auth/gensec/spnego.c:693(gensec_spnego_server_negTokenTarg)
> SPNEGO login failed: NT_STATUS_WRONG_PASSWORD

I noticed that I mixed up the order of variables (on host "administrator" is obviously the username instead of the host) but that's easy to correct of course.

My question is: state->user_info->remote_host seems to become "j]". (I guess some binary value)

So this is where my first 'programming attempt' ends. :-(

Anyone with a tip on how to add a remote IP (the IP it is coming from) to failed password attempt log lines?

MJ
On 26.11.2015 03:51, mourik jan heupink wrote:

> My question is: state->user_info->remote_host seems to become "j]".
> (I guess some binary value)
>
> So this is where my first 'programming attempt' ends. :-(
>
> Anyone with a tip on how to add a remote IP (the IP it is coming from) to failed
> password attempt log lines?

My C skills are very basic, and I never even looked at the Samba code till just now.

Unlike the other two methods/properties, remote_host seems to return a structure of the type tsocket_address (https://github.com/Memeo/samba-unovero/blob/master/lib/tsocket/tsocket_guide.txt) and might need to be typecast/converted first.

Skimming through some of the source code, try to use the following line instead: state->user_info->remote_host->addr.

Really, I'm just guessing. Someone else will hopefully give a more appropriate answer.

As a less elegant alternative, you might consider keeping logs of all remote connection attempts to Samba via a firewall rule and then just cross-reference the logs (using timestamps).

Viktor
Hi Viktor!

Thanks for your try at this. I am already doing what you suggest: the iptables timestamps. But that is rather troublesome, and I would very much like Samba to log this vital info.

Anyway, I tried what you suggested, and now it stopped compiling. :-)

Does this error perhaps tell you something, or are you just as clueless as I am now:

> [1955/4033] Compiling source4/auth/ntlm/auth.c
> In file included from ../source4/include/includes.h:62:0,
>                  from ../source4/auth/ntlm/auth.c:21:
> ../source4/auth/ntlm/auth.c: In function 'auth_check_password_recv':
> ../source4/auth/ntlm/auth.c:429:34: error: dereferencing pointer to incomplete type
>               state->user_info->remote_host->addr,
>                                            ^
> ../source4/../lib/util/debug.h:185:20: note: in definition of macro 'DEBUG'
>        && (dbgtext body) )
>                     ^
> Waf: Leaving directory `/root/samba-4.3.1/bin'
> Build failed:  -> task failed (err #1):
>         {task: cc auth.c -> auth_6.o}
> Makefile:8: recipe for target 'all' failed
> make: *** [all] Error 1

Or anyone?
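The two failures in this thread have one root cause in C: `remote_host` is a pointer to `struct tsocket_address`, a type whose definition lives only inside lib/tsocket, so other files see it as an incomplete (opaque) type. Passing that pointer to a `%s` conversion hands DEBUG() a struct pointer where it expects a `char *`, which is why the first build printed stray bytes ("j]"); dereferencing `->addr` from auth.c fails because the members are not visible, which is the "incomplete type" error. The way to get text out of an opaque type is an accessor function; Samba's tsocket library exports `tsocket_address_string()` for exactly that purpose. The block below is an added, self-contained model of that pattern, not Samba's code: `demo_address`, `demo_address_string()`, `demo_user_info` and `format_failed_auth()` are constructed stand-ins for the Samba types and calls named in the thread, and the sample address and account are constructed values. It shows the accessor rendering the address to a string, the format arguments placed in the same order as the conversion specifiers, and a NULL remote host handled rather than dereferenced.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for Samba's opaque struct tsocket_address.
 * In Samba the members are only visible inside lib/tsocket; code in
 * auth.c touching them gets "dereferencing pointer to incomplete type".
 * Callers are meant to go through an accessor instead. */
struct demo_address {
    uint8_t ipv4[4];
    uint16_t port;
};

/* Accessor modelled on tsocket_address_string(): renders the address as
 * text so it can safely be handed to a %s conversion. A NULL address
 * (local or anonymous context) is reported rather than dereferenced. */
static int demo_address_string(const struct demo_address *addr,
                               char *out, size_t outlen)
{
    if (addr == NULL) {
        return snprintf(out, outlen, "%s", "unknown");
    }
    return snprintf(out, outlen, "ipv4:%u.%u.%u.%u:%u",
                    (unsigned)addr->ipv4[0], (unsigned)addr->ipv4[1],
                    (unsigned)addr->ipv4[2], (unsigned)addr->ipv4[3],
                    (unsigned)addr->port);
}

/* Minimal model of the user_info fields used in the thread. */
struct demo_user_info {
    const char *domain_name;
    const char *account_name;
    const struct demo_address *remote_host;
};

/* Builds the failed-authentication log line with the arguments in the
 * same order as the %s specifiers. The original patch passed remote_host
 * itself to %s (a struct pointer, not a char *) and also put it before
 * account_name, which is why the host and user fields came out swapped
 * and garbled. Returns the number of characters snprintf would write. */
static int format_failed_auth(const struct demo_user_info *ui,
                              const char *method, const char *nt_status,
                              char *out, size_t outlen)
{
    char host[64];

    demo_address_string(ui->remote_host, host, sizeof(host));
    return snprintf(out, outlen,
                    "auth_check_password_recv: %s authentication for user "
                    "[%s\\%s] from %s FAILED with error %s",
                    method ? method : "NO_METHOD",
                    ui->domain_name, ui->account_name, host, nt_status);
}

/* Constructed sample: one failed NTLM attempt from a test-network address. */
static const struct demo_address sample_addr = { {192, 0, 2, 10}, 49152 };
static const struct demo_user_info sample_ui = {
    "SAMDOM", "administrator", &sample_addr
};

/* Convenience wrappers that return the rendered strings. */
static const char *demo_render(const struct demo_address *addr)
{
    static char buf[64];
    demo_address_string(addr, buf, sizeof(buf));
    return buf;
}

static const char *demo_failed_auth_line(void)
{
    static char line[256];
    format_failed_auth(&sample_ui, "sam_ignoredomain",
                       "NT_STATUS_WRONG_PASSWORD", line, sizeof(line));
    return line;
}

int main(void)
{
    puts(demo_failed_auth_line());
    puts(demo_render(NULL));
    return 0;
}
```

For the real patch the same shape applies: call `tsocket_address_string(state->user_info->remote_host, state)` into a talloc'd string (guarding against a NULL `remote_host`), pass that string to the `%s`, and keep the argument list in specifier order. Samba releases from 4.7 onward also ship authentication audit logging (`log level = auth_audit:3` and the JSON variant) that records the remote address per attempt, which removes the need to patch DEBUG() calls at all.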