From d9a1d572c2bb8cb04bd7c823f191e09696283f33 Mon Sep 17 00:00:00 2001
From: Andrew Bartlett
Date: Mon, 26 Jun 2017 19:24:40 +1200
Subject: [PATCH] s4-netlogon: Provide logs for machine account success and failures

Signed-off-by: Andrew Bartlett
Reviewed-by: Stefan Metzmacher
---
 source4/rpc_server/netlogon/dcerpc_netlogon.c | 31 +++++++++++++++++--
 source4/rpc_server/wscript_build | 3 +-
 2 files changed, 31 insertions(+), 3 deletions(-)

diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c
index 3f70a3eccc4..df0b730757b 100644
--- a/source4/rpc_server/netlogon/dcerpc_netlogon.c
+++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c
@@ -43,6 +43,7 @@
 #include "librpc/gen_ndr/ndr_winbind_c.h"
 #include "lib/socket/netif.h"
 #include "rpc_server/common/sid_helper.h"
+#include "lib/util/util_str_escape.h"
 #define DCESRV_INTERFACE_NETLOGON_BIND(call, iface) \
 dcesrv_interface_netlogon_bind(call, iface)
@@ -467,8 +468,34 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3(struct dcesrv_call_state *dce_ca
 r->out.return_credentials,
 negotiate_flags);
 }
- if (creds == NULL) {
- return NT_STATUS_ACCESS_DENIED;
+
+ {
+ char* local = NULL;
+ char* remote = NULL;
+ TALLOC_CTX *frame = talloc_stackframe();
+
+ remote = tsocket_address_string(dce_call->conn->remote_address,
+ frame);
+ local = tsocket_address_string(dce_call->conn->local_address,
+ frame);
+ if (creds == NULL) {
+ DEBUG(2, ("Failed to authenticate NETLOGON "
+ "account[%s] workstation[%s] "
+ "remote[%s] local[%s]\n",
+ log_escape(frame, r->in.account_name),
+ log_escape(frame, r->in.computer_name),
+ remote, local));
+ TALLOC_FREE(frame);
+ return NT_STATUS_ACCESS_DENIED;
+ } else {
+ DEBUG(3, ("Successful authenticate of NETLOGON "
+ "account[%s] workstation[%s] "
+ "remote[%s] local[%s]\n",
+ log_escape(frame, r->in.account_name),
+ log_escape(frame, r->in.computer_name),
+ remote, local));
+ TALLOC_FREE(frame);
+ }
 }
 creds->sid = samdb_result_dom_sid(creds, msgs[0], "objectSid");
diff --git a/source4/rpc_server/wscript_build b/source4/rpc_server/wscript_build
index 966e07ee641..31a5696e270 100644
--- a/source4/rpc_server/wscript_build
+++ b/source4/rpc_server/wscript_build
@@ -105,7 +105,8 @@ bld.SAMBA_MODULE('dcerpc_netlogon',
 source='netlogon/dcerpc_netlogon.c',
 subsystem='dcerpc_server',
 init_function='dcerpc_server_netlogon_init',
- deps='DCERPC_COMMON RPC_NDR_IRPC COMMON_SCHANNEL ndr-standard auth4_sam samba-hostconfig DSDB_MODULE_HELPERS'
+ deps='''DCERPC_COMMON RPC_NDR_IRPC COMMON_SCHANNEL ndr-standard auth4_sam samba-hostconfig DSDB_MODULE_HELPERS
+ util_str_escape'''
 )
-- 
2.47.2
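Review bot: In the dcesrv_netr_ServerAuthenticate3 hunk of dcerpc_netlogon.c, the "Successful authenticate of NETLOGON" message is emitted before `creds->sid = samdb_result_dom_sid(creds, msgs[0], "objectSid");` and before whatever follows it outside this hunk. If any later step can still fail, the log will record a success for a call that returned an error; emitting the level-3 message at the point where the function is about to return NT_STATUS_OK would make the record dependable for auditing. The results of `tsocket_address_string()` and `log_escape()` are also passed to `%s` unchecked in both DEBUG calls, so an allocation failure on `frame` would hand a NULL pointer to the formatter; an argument such as `remote != NULL ? remote : "(unknown)"` (likewise for `local` and the two escaped names) keeps the line well defined. The function begins and ends outside the hunk, so earlier failure returns are not visible here and may still go unlogged.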