Mourik,

You are right. I am currently using 4.1.17 and have the same failed login messages as you describe. There is, however, a bit more information further down in the logfile:

[2015/10/07 16:51:24.076283, 2] authentication for user [HPRS/Administrator] FAILED with error NT_STATUS_WRONG_PASSWORD
auth_check_password_send: Checking password for unmapped user [HPRS]\[Administrator]@[ROVER]

This latter string (with no timestamp, making it hard to find/correlate) does give the hostname of the offending computer, but not the IP. Yes, the IP would be very useful. In this case ROVER is my personal laptop, but all it gives me is the hostname. The IP would indicate if the miscreant was connecting from inside the domain (probably OK), or outside the domain (probably very bad). An IP would also give us a clue as to which IP[range] to firewall if needed.

--Mark

-----Original Message-----
> To: samba at lists.samba.org
> From: mourik jan heupink <heupink at merit.unu.edu>
> Date: Mon, 28 Sep 2015 09:32:11 +0200
> Subject: Re: [Samba] Sernet 4.3.X package is no longer free :/
>
> Hi Birgit,
>
> Most (I guess all) of the things you're asking about will work fine,
> with 4.1.17 and more recent as well.
>
> One thing will NOT work fine, as we are currently experiencing ourselves:
>
> > * some basic monitoring for samba, e.g. failed AD logins attempts
>
> The only monitoring that currently seems to be possible (someone PLEASE
> correct us if we're wrong) is a log line like this:
>
> > auth_check_password_recv: sam_ignoredomain authentication for user [DOMAIN\username] FAILED with error NT_STATUS_WRONG_PASSWORD
>
> No context, nothing else... so NO IP address what machine the attempt
> came from, no info about used ports, nothing else. I would REALLY like
> to see SOME more info than just the above.
>
> MJ
mourik jan heupink
2015-Oct-08 12:35 UTC
[Samba] Sernet 4.3.X package is no longer free :/
Hi Mark, list,

On 10/08/2015 05:29 AM, Mark Foley wrote:
> Mourik,
>
> You are right. I am currently using 4.1.17 and have the same failed login
> messages as you describe. There is, however, a bit more information further down
> in the logfile:
>
> [2015/10/07 16:51:24.076283, 2] authentication for user [HPRS/Administrator] FAILED with error NT_STATUS_WRONG_PASSWORD
> auth_check_password_send: Checking password for unmapped user [HPRS]\[Administrator]@[ROVER]
>
> This latter string (with no timestamp, making it hard to find/correlate) does
> give the hostname of the offending computer, but not the IP. Yes, the IP would
> be very useful. In this case ROVER is my personal laptop, but all it gives me is
> the hostname. The IP would indicate if the miscreant was connecting from inside the
> domain (probably OK), or outside the domain (probably very bad). An IP would
> also give us a clue as to which IP[range] to firewall if needed.
>
> --Mark

Yes, agreed. However, for many of the failed logins I see [username]@[(null)]

I'm guessing that a (null) hostname basically means that it was an LDAP authentication attempt, and not a regular Windows PC logon. (interactive logon, as Microsoft seems to call it)

It would be nice if this kind of (in my opinion) vital info could be logged in a more useful way/format. Would not even be much work I guess, but unfortunately I have no programming skills at all. :-(

Mourik Jan
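
Added example, not part of any post in this thread and not Samba project code: a Python parser that gives the untimestamped "Checking password" line the timestamp of the preceding header and attaches its workstation field to the matching failed login. The line shapes are assumed from the excerpts quoted above; the sample log, the 5-second window and all function names are constructed for illustration.

```python
import re
from datetime import datetime

# Line shapes assumed from the excerpts quoted in the thread; adjust for your log.
TS = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d\.\d+),\s*\d+\]")
FAILED = re.compile(
    r"authentication for user \[([^\]/\\]+)[/\\]([^\]]+)\] FAILED with error (\w+)")
CHECK = re.compile(
    r"Checking password for unmapped user \[([^\]]*)\]\\\[([^\]]*)\]@\[([^\]]*)\]")

# Constructed sample: first two lines follow the thread's excerpt, the rest is made up.
SAMPLE_LOG = r"""
[2015/10/07 16:51:24.076283, 2] authentication for user [HPRS/Administrator] FAILED with error NT_STATUS_WRONG_PASSWORD
auth_check_password_send: Checking password for unmapped user [HPRS]\[Administrator]@[ROVER]
[2015/10/07 16:53:02.500000, 2] authentication for user [HPRS/svc] FAILED with error NT_STATUS_WRONG_PASSWORD
auth_check_password_send: Checking password for unmapped user [HPRS]\[svc]@[(null)]
[2015/10/07 17:10:00.000000, 2] auth_check_password_recv: sam_ignoredomain authentication for user [HPRS\jdoe] FAILED with error NT_STATUS_WRONG_PASSWORD
"""

def _near(a, b, window):
    return a is not None and b is not None and abs((a - b).total_seconds()) <= window

def correlate(text, window=5.0):
    """Return failed logins, each with the workstation logged nearby (None if absent)."""
    events, pending, last_ts = [], {}, None
    for line in text.splitlines():
        m = TS.match(line)
        if m:  # a line without its own timestamp inherits the previous one
            last_ts = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S.%f")
        f, c = FAILED.search(line), CHECK.search(line)
        if f:
            key = (f.group(1).lower(), f.group(2).lower())
            ev = {"ts": last_ts, "key": key, "status": f.group(3), "workstation": None}
            seen = pending.pop(key, None)  # "Checking" line logged before the failure
            if seen and _near(seen[0], last_ts, window):
                ev["workstation"] = seen[1]
            events.append(ev)
        if c:
            key = (c.group(1).lower(), c.group(2).lower())
            prior = [e for e in events if e["key"] == key
                     and e["workstation"] is None and _near(e["ts"], last_ts, window)]
            if prior:  # "Checking" line logged after the failure, as in the excerpt
                prior[-1]["workstation"] = c.group(3)
            else:
                pending[key] = (last_ts, c.group(3))
    return events

if __name__ == "__main__":
    for ev in correlate(SAMPLE_LOG):
        print(ev["ts"], "\\".join(ev["key"]), ev["status"], "from", ev["workstation"])
```

A workstation of "(null)" is reported exactly as logged, while None means no "Checking password" line was found within the window for that user.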
oeh univie edv lists
2015-Oct-08 19:08 UTC
[Samba] Sernet 4.3.X package is no longer free :/
hey Mark and Mourik,

I agree with you... to implement better logging would be great! (no programming skills here either)... I would also need to adapt my firewall properly and to know the IP would be a good thing...

I got 4.1.17 running now and logins work perfectly well till now. Had no time to check the logs yet. Shares, home shares, profiles are still to be implemented... kinda great work load at the moment...

kind regards,
birgit

mourik jan heupink <heupink at merit.unu.edu> writes:
>Hi Mark, list,
>
>On 10/08/2015 05:29 AM, Mark Foley wrote:
>> Mourik,
>>
>> You are right. I am currently using 4.1.17 and have the same failed login
>> messages as you describe. There is, however, a bit more information further down
>> in the logfile:
>>
>> [2015/10/07 16:51:24.076283, 2] authentication for user [HPRS/Administrator] FAILED with error NT_STATUS_WRONG_PASSWORD
>> auth_check_password_send: Checking password for unmapped user [HPRS]\[Administrator]@[ROVER]
>>
>> This latter string (with no timestamp, making it hard to find/correlate) does
>> give the hostname of the offending computer, but not the IP. Yes, the IP would
>> be very useful. In this case ROVER is my personal laptop, but all it gives me is
>> the hostname. The IP would indicate if the miscreant was connecting from inside the
>> domain (probably OK), or outside the domain (probably very bad). An IP would
>> also give us a clue as to which IP[range] to firewall if needed.
>>
>> --Mark
>
>Yes, agreed. However, for many of the failed logins I see
>[username]@[(null)]
>
>I'm guessing that a (null) hostname basically means that it was an LDAP
>authentication attempt, and not a regular Windows PC logon. (interactive
>logon, as Microsoft seems to call it)
>
>It would be nice if this kind of (in my opinion) vital info could be
>logged in a more useful way/format. Would not even be much work I guess,
>but unfortunately I have no programming skills at all. :-(
>
>Mourik Jan