Joseph Bell
2022-Feb-24 22:26 UTC
[Samba] DSDB Audit of User Creation/Deletion on Samba DC
I run Samba 4.13 on an Ubuntu 20.04 LTS server as an Active Directory Domain Controller, and one of my compliance responsibilities is to log and audit user creation, deletion, and modification (group member changes). I thought I could accomplish this with:

    log level = 1 dsdb_json_audit:5 dsdb_password_json_audit:5 dsdb_group_json_audit:5 dsdb_transaction_json_audit:5

in smb.conf, and indeed, I do receive a lot of dsdbChange and groupChange notifications in log.samba. Further testing of this though leads me to believe that I either have something missing or user creation is not logged as a dsdb change.

My question is whether or not that is true, in which case how do I log user creation, and if it isn't true, what am I missing in my configuration?

Thanks for any insights.

Joe
Andrew Bartlett
2022-Feb-24 22:30 UTC
[Samba] DSDB Audit of User Creation/Deletion on Samba DC
On Thu, 2022-02-24 at 22:26 +0000, Joseph Bell via samba wrote:
> I run Samba 4.13 on an Ubuntu 20.04 LTS server as an Active Directory
> Domain Controller, and one of my compliance responsibilities is to
> log and audit user creation, deletion, and modification (group member
> changes). I thought I could accomplish this with:
>
> log level = 1 dsdb_json_audit:5 dsdb_password_json_audit:5
> dsdb_group_json_audit:5 dsdb_transaction_json_audit:5
>
> in smb.conf, and indeed, I do receive a lot of dsdbChange and
> groupChange notifications in log.samba. Further testing of this
> though leads me to believe that I either have something missing or
> user creation is not logged as a dsdb change.
>
> My question is whether or not that is true, in which case how do I
> log user creation, and if it isn't true, what am I missing in my
> configuration?

How do you create the users?

If you use command-line tools locally, then local access as root won't be logged to log.samba, it will be logged to the terminal (this wasn't made a priority to address as the root user could just turn off the logs anyway).

Perhaps your sudo logging might capture these, or use root less and do remote operations to add users.

Andrew Bartlett

--
Andrew Bartlett (he/him)        https://samba.org/~abartlet/
Samba Team Member (since 2001)  https://samba.org
Samba Team Lead, Catalyst IT    https://catalyst.net.nz/services/samba

Samba Development and Support, Catalyst IT - Expert Open Source Solutions
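
Added example (not part of either message and not Samba project code): a filter that pulls user creation, object deletion and group membership events out of the dsdbChange and groupChange records discussed above. It assumes each record is written to log.samba as "JSON <type>: {...}" on one line with the fields named in the code; the function names and all sample values are constructed for illustration.

```python
import json

def _values(change, attr):
    """Values an operation wrote to `attr` (empty list if not present)."""
    actions = change.get("attributes", {}).get(attr, {}).get("actions", [])
    return [v.get("value") for a in actions for v in a.get("values", [])]

def account_events(lines):
    """Return (timestamp, event, target, actor SID, status) per audit record."""
    events = []
    for line in lines:
        start = line.find("{")
        if start < 0:
            continue  # debug header line, no JSON payload
        try:
            rec = json.loads(line[start:])
        except ValueError:
            continue  # ordinary log text that happens to contain a brace
        kind = rec.get("type")
        body = rec.get(kind) or {}
        op = body.get("operation")
        if kind == "dsdbChange" and op == "Add":
            if "user" not in _values(body, "objectClass"):
                continue  # some other object class was created
            event, target = "user-add", body.get("dn")
        elif kind == "dsdbChange" and op == "Delete":
            event, target = "delete", body.get("dn")
        elif kind == "groupChange":
            event = "group-" + str(body.get("action")).lower()
            target = "%s -> %s" % (body.get("user"), body.get("group"))
        else:
            continue  # Modify and other record types are not reported here
        events.append((rec.get("timestamp"), event, target,
                       body.get("userSid"), body.get("status")))
    return events

def _line(ts, kind, **body):
    """Build one constructed log line in the assumed 'JSON <type>: {...}' form."""
    body.update(status="Success", userSid="S-1-5-21-1111-2222-3333-500")
    return "  JSON %s: %s" % (kind, json.dumps({"timestamp": ts, "type": kind, kind: body}))

USER = "CN=jdoe,CN=Users,DC=example,DC=com"  # constructed sample values
OC = {"objectClass": {"actions": [{"action": "add", "values": [{"value": "user"}]}]}}
SAMPLE_LOG = [
    "[2022/02/24 22:10:01.000000,  5] audit_logging.c(audit_log_json)",
    _line("2022-02-24T22:10:01", "dsdbChange", operation="Add", dn=USER, attributes=OC),
    _line("2022-02-24T22:10:05", "dsdbChange", operation="Modify", dn=USER),
    _line("2022-02-24T22:11:00", "groupChange", action="Added", user=USER,
          group="CN=Domain Admins,CN=Users,DC=example,DC=com"),
    _line("2022-02-24T22:30:00", "dsdbChange", operation="Delete", dn=USER),
]
```

As the reply above says, changes made with local command-line tools as root are not written to log.samba, so they will not appear in this output either.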