Matthew Delfino
2017-Apr-20 16:49 UTC
[Samba] Log Level and Failed Authentication Attempts
Hello Samba Friends, For those of you who have had to sift through Samba logs for clues on how to determine what caused an account to lock after repeated failed logon attempts, what "log level" settings have you found to be most helpful? Thanks, Matthew ©2017 KNOCK, inc. All rights reserved. KNOCK is a registered trademark of KNOCK, inc. This message and any attachments contain information, which is confidential and/or privileged. If you are not the intended recipient, please refrain from any disclosure, copying, distribution or use of this information. Please be aware that such actions are prohibited. If you have received this transmission in error, kindly notify the sender by e-mail. Your cooperation is appreciated.
Matthew Delfino
2017-Apr-21 17:28 UTC
[Samba] Log Level and Failed Authentication Attempts
Hey Samba Friends, Maybe the below question is too general. How about this: I’ve set my "log level = auth:10" in the global parameters of my smb.conf file. I then purposely failed to log into an account on my Windows 10 machine until the account was locked. I’ve run the following command where x equals the syslog, the log.samba, log.smbd and log.winbindd, and username is the name of my test user account: tail -n 3000 x | grep -A 1 username Nothing appears. Is it possible to get samba to log those failed attempts? If so, how, and in which file should I expect to see it? Thanks, Matthew> On 2017.04.20, at 11:49 AM, Matthew Delfino via samba <samba at lists.samba.org> wrote: > > Hello Samba Friends, > > For those of you who have had to sift through Samba logs for clues on how to determine what caused an account to lock after repeated failed logon attempts, what "log level" settings have you found to be most helpful? > > Thanks, > Matthew©2017 KNOCK, inc. All rights reserved. KNOCK is a registered trademark of KNOCK, inc. This message and any attachments contain information, which is confidential and/or privileged. If you are not the intended recipient, please refrain from any disclosure, copying, distribution or use of this information. Please be aware that such actions are prohibited. If you have received this transmission in error, kindly notify the sender by e-mail. Your cooperation is appreciated.
On 4/21/2017 1:28 PM, Matthew Delfino via samba wrote:> Hey Samba Friends, > > Maybe the below question is too general. How about this: I’ve set my "log level = auth:10" in the global parameters of my smb.conf file. > > I then purposely failed to log into an account on my Windows 10 machine until the account was locked. > > I’ve run the following command where x equals the syslog, the log.samba, log.smbd and log.winbindd, and username is the name of my test user account: > > tail -n 3000 x | grep -A 1 username > > Nothing appears. > > Is it possible to get samba to log those failed attempts? If so, how, and in which file should I expect to see it? > > Thanks, > Matthew > >> On 2017.04.20, at 11:49 AM, Matthew Delfino via samba <samba at lists.samba.org> wrote: >> >> Hello Samba Friends, >> >> For those of you who have had to sift through Samba logs for clues on how to determine what caused an account to lock after repeated failed logon attempts, what "log level" settings have you found to be most helpful? >> >> Thanks, >> Matthew > > ©2017 KNOCK, inc. All rights reserved. KNOCK is a registered trademark of KNOCK, inc. This message and any attachments contain information, which is confidential and/or privileged. If you are not the intended recipient, please refrain from any disclosure, copying, distribution or use of this information. Please be aware that such actions are prohibited. If you have received this transmission in error, kindly notify the sender by e-mail. Your cooperation is appreciated. > >Take a look at these two threads. https://lists.samba.org/archive/samba/2017-February/206405.html https://lists.samba.org/archive/samba/2016-June/200710.html -- -- James