Kees van Vloten
2024-Nov-25 10:44 UTC
[Samba] samba log level: ldap log file remains empty
Op 25-11-2024 om 11:35 schreef Rowland Penny via samba:> On Mon, 25 Nov 2024 09:48:19 +0000 > "Hoefle, Marco \(Avnet Silica\) via samba" <samba at lists.samba.org> > wrote: > >> Hello, >> I have different services using ldap for user/passwd queries. I am >> using the LDAP server integrated in the samba domain controller. For >> debugging and login attempts I wanted to have all requests in a >> separate log file. I am using the 2:4.19.5+dfsg-4ubuntu9 (standard >> ubuntu 24.04 package) samba package. >> >> >> This is the relevant samba dc config: >> >> server role = active directory domain controller >> server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, >> drepl, winbindd, ntp_signd, kcc, dnsupdate workgroup = TRAUTES >> idmap_ldb:use rfc2307 = yes >> allow dns updates = nonsecure and secure >> log level = 2 >> auth_json_audit:3@/var/log/samba/domain_join.log >> ldap:10@/var/log/samba/ldap.log auth:5 passdb:5 rpc_srv:5 rpc_parse:5 >> dnsupdate:10@/var/log/samba/dnsupdate.log log file >> /var/log/samba/log.%m >> >> The domain join log file ( /var/log/samba/domain_join.log) is created >> and works (I see each domain join approach). The LDAP queries are not >> in the file. /var/log/samba/ldap.log is created but remains empty >> even after a successful LDAP query. >> >> Generally, I cannot see any ldap requests in the other log files >> either. > Sorry, but this is because there is no 'ldap' debug class. If you read > 'man smb.conf' under 'log level', you will find a full list of > available debug classes. There is 'ldb' if you can use the ldb-tools > instead (note: this may work with ldapsearch etc, but I haven't tried > it.).In 4.21 there is "ldapsrv" to log ldap queries. - Kees.> > Rowland >
On Mon, 25 Nov 2024 11:44:28 +0100 Kees van Vloten via samba <samba at lists.samba.org> wrote:> > Op 25-11-2024 om 11:35 schreef Rowland Penny via samba: > > On Mon, 25 Nov 2024 09:48:19 +0000 > > "Hoefle, Marco \(Avnet Silica\) via samba" <samba at lists.samba.org> > > wrote: > > > >> Hello, > >> I have different services using ldap for user/passwd queries. I am > >> using the LDAP server integrated in the samba domain controller. > >> For debugging and login attempts I wanted to have all requests in a > >> separate log file. I am using the 2:4.19.5+dfsg-4ubuntu9 (standard > >> ubuntu 24.04 package) samba package. > >> > >> > >> This is the relevant samba dc config: > >> > >> server role = active directory domain controller > >> server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, > >> drepl, winbindd, ntp_signd, kcc, dnsupdate workgroup = TRAUTES > >> idmap_ldb:use rfc2307 = yes > >> allow dns updates = nonsecure and secure > >> log level = 2 > >> auth_json_audit:3@/var/log/samba/domain_join.log > >> ldap:10@/var/log/samba/ldap.log auth:5 passdb:5 rpc_srv:5 > >> rpc_parse:5 dnsupdate:10@/var/log/samba/dnsupdate.log log file > >> /var/log/samba/log.%m > >> > >> The domain join log file ( /var/log/samba/domain_join.log) is > >> created and works (I see each domain join approach). The LDAP > >> queries are not in the file. /var/log/samba/ldap.log is created > >> but remains empty even after a successful LDAP query. > >> > >> Generally, I cannot see any ldap requests in the other log files > >> either. > > Sorry, but this is because there is no 'ldap' debug class. If you > > read 'man smb.conf' under 'log level', you will find a full list of > > available debug classes. There is 'ldb' if you can use the ldb-tools > > instead (note: this may work with ldapsearch etc, but I haven't > > tried it.). > > In 4.21 there is "ldapsrv" to log ldap queries. >Well, yes there is, but the OP may not be able to update or is not allowed to use external repos, but if they can, I would always recommend using the latest Samba version possible. However, the OP seems to be using Samba AD for authentication via ldap, they may be able to use kerberos instead, but this would entail joining the domain. Rowland