Hi,

I am trying to capture from the logs the moment that samba locks an account. (because of too many failed logon attempts)

This is samba 4.7.2, with:

> log level = 1 auth_audit:3

What we see in the logs is like this:

> Auth: [LDAP,simple bind/TLS] user [(null)]\[cn=username,cn=users,dc=samba,dc=company,dc=com] at [Sat, 02 Dec 2017 15:13:45.102695 CET] with [Plaintext] status [NT_STATUS_WRONG_PASSWORD] workstation [(null)] remote host [ipv4:192.168.2.8:40436] mapped to [WRKGRP]\[username]. local host [ipv4:192.168.2.16:389]
> Auth: [LDAP,simple bind/TLS] user [(null)]\[cn=username,cn=users,dc=samba,dc=company,dc=com] at [Sat, 02 Dec 2017 15:13:47.203867 CET] with [Plaintext] status [NT_STATUS_WRONG_PASSWORD] workstation [(null)] remote host [ipv4:192.168.2.8:40437] mapped to [WRKGRP]\[username]. local host [ipv4:192.168.2.16:389]
> Auth: [LDAP,simple bind/TLS] user [(null)]\[cn=username,cn=users,dc=samba,dc=company,dc=com] at [Sat, 02 Dec 2017 15:13:48.538162 CET] with [Plaintext] status [NT_STATUS_WRONG_PASSWORD] workstation [(null)] remote host [ipv4:192.168.2.8:40438] mapped to [WRKGRP]\[username]. local host [ipv4:192.168.2.16:389]
> Auth: [LDAP,simple bind/TLS] user [(null)]\[cn=username,cn=users,dc=samba,dc=company,dc=com] at [Sat, 02 Dec 2017 15:13:52.457240 CET] with [Plaintext] status [NT_STATUS_ACCOUNT_LOCKED_OUT] workstation [(null)] remote host [ipv4:192.168.2.8:40439] mapped to [WRKGRP]\[username]. local host [ipv4:192.168.2.16:389]

So, nothing is logged *when* the actual lock happens.

We are using swatch to monitor the logs, and we would like to send an email notification when an account becomes NT_STATUS_ACCOUNT_LOCKED_OUT

Does anyone know what log level for what 'component' is required, to get a samba to log the actual LOCK when it takes place?

MJ

Andrew Bartlett
2017-Dec-02 18:20 UTC
[Samba] logline of account becoming NT_STATUS_ACCOUNT_LOCKED_OUT

On Sat, 2017-12-02 at 15:27 +0100, mj via samba wrote:
> Hi,
>
> I am trying to capture from the logs the moment that samba locks an
> account. (because of too many failed logon attempts)
>
> This is samba 4.7.2, with:
> > log level = 1 auth_audit:3

> We are using swatch to monitor the logs, and we would like to send an
> email notification when an account becomes NT_STATUS_ACCOUNT_LOCKED_OUT
>
> Does anyone know what log level for what 'component' is required, to get
> a samba to log the actual LOCK when it takes place?

I'm sorry, but while we do log it, the news isn't good.

DEBUG(5, ("Locked out user %s after %d wrong passwords\n",
          ldb_dn_get_linearized(user_msg->dn), badPwdCount));

That will show up with level 5 globally.

Patches (with tests) to have it moved to the auth_audit infrastructure would be most welcome :-)

Andrew Bartlett

-- 
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba

Hi Andrew,

On 12/02/2017 07:20 PM, Andrew Bartlett via samba wrote:
> I'm sorry, but while we do log it, the news isn't good.
>
> DEBUG(5, ("Locked out user %s after %d wrong passwords\n",
> ldb_dn_get_linearized(user_msg->dn), badPwdCount));
>
> That will show up with level 5 globally.

Ok, patches are difficult now, as we've sponsored quite a lot this year.

But would it also be an idea to move this to a (much) lower log level? Perhaps even at 1 or 2? Locking accounts is such a *major* event, and log level 5 is SO high...

Thanks for your reply, Andrew!

MJ
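
Added example, not part of the thread and not Samba code: a Python sketch of log-side lockout detection that works only from the auth_audit lines available at `log level = 1 auth_audit:3`. It alerts once per account on the first NT_STATUS_ACCOUNT_LOCKED_OUT and stays quiet on repeats; the function and field names, the re-arm rule and the sample input are assumptions of this sketch.

```python
import re

# Fields of the auth_audit line format shown in the first message of the thread.
AUTH_RE = re.compile(
    r"Auth: \[[^\]]*\] user \[[^\]]*\]\\\[[^\]]*\] at \[(?P<when>[^\]]*)\] "
    r"with \[[^\]]*\] status \[(?P<status>NT_STATUS_\w+)\] workstation \[[^\]]*\] "
    r"remote host \[(?P<remote>[^\]]*)\] mapped to \[(?P<dom>[^\]]*)\]\\\[(?P<acct>[^\]]*)\]"
)

def lockout_alerts(lines):
    """Return one alert per account each time it starts being rejected as locked out."""
    failures = {}   # account -> wrong passwords logged since the last success
    locked = set()  # accounts already alerted on, so repeats stay quiet
    alerts = []
    for line in lines:
        m = AUTH_RE.search(line)
        if not m:
            continue
        account = m["dom"] + "\\" + m["acct"]
        if m["status"] == "NT_STATUS_ACCOUNT_LOCKED_OUT":
            if account not in locked:
                locked.add(account)
                alerts.append({"account": account, "when": m["when"],
                               "remote": m["remote"], "failures": failures.get(account, 0)})
            continue
        locked.discard(account)  # assumption: any other status re-arms the alert
        if m["status"] == "NT_STATUS_WRONG_PASSWORD":
            failures[account] = failures.get(account, 0) + 1
        elif m["status"] == "NT_STATUS_OK":
            failures.pop(account, None)
    return alerts

# Constructed input in the thread's line format: its four events plus one repeat rejection.
def sample(status, clock, port, acct="username"):
    return ("Auth: [LDAP,simple bind/TLS] user [(null)]\\[cn=%s,cn=users,dc=samba,"
            "dc=company,dc=com] at [Sat, 02 Dec 2017 %s CET] with [Plaintext] "
            "status [%s] workstation [(null)] remote host [ipv4:192.168.2.8:%d] "
            "mapped to [WRKGRP]\\[%s]. local host [ipv4:192.168.2.16:389]"
            % (acct, clock, status, port, acct))

SAMPLE = [
    sample("NT_STATUS_WRONG_PASSWORD", "15:13:45.102695", 40436),
    sample("NT_STATUS_WRONG_PASSWORD", "15:13:47.203867", 40437),
    sample("NT_STATUS_WRONG_PASSWORD", "15:13:48.538162", 40438),
    sample("NT_STATUS_ACCOUNT_LOCKED_OUT", "15:13:52.457240", 40439),
    sample("NT_STATUS_ACCOUNT_LOCKED_OUT", "15:13:55.000000", 40440),
]

if __name__ == "__main__":
    print(lockout_alerts(SAMPLE))
```

Because it keys on the status of a rejected attempt, the alert fires on the first logon attempt after the lock, not at the moment of the lock itself; only the level 5 DEBUG message quoted in the reply marks that moment.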