I used to also get related log messages of the form:
auth_check_password_send: Checking password for unmapped user [HPRS]\[mark]@[ROVER]
auth_check_password_send: mapped user is: [HPRS]\[mark]@[ROVER]
but now all I get is the auth_check_password_recv in the log. Perhaps the change is due to an upgrade to Samba, or perhaps a change I made to my smb.conf log options? (see log config in my original email below mj's).
Anyway, samba does (or did) have access to the hostname of the offending computer. The one shown above, ROVER, is actually my home laptop's host name, said computer being miles away from the Samba server and in no way part of the AD/DC domain. If it can know the hostname, it surely must have knowledge of the computer's IP?
Perhaps this all can be submitted somewhere as an upgrade request? I think for the sake of Internet security in this day-and-age of cyber criminals it would be useful to know the IP of attackers so appropriate countermeasures could be taken.
Rowland, I will investigate pam_tally[2] to see what it does. I've not heard of it before.
I suppose I could also run tcpdump continuously against the specific port(s) where such logins can occur, but that is a bit of work, esp. since the timestamp of the samba log message is detached to a separate message preceding the one listing the failed user.
--Mark
> > To: samba at lists.samba.org
> > From: mj <lists at merit.unu.edu>
> > Date: Sat, 25 Jun 2016 22:48:13 +0200
> > Subject: Re: [Samba] Need IP on failed logins in logfile
> >
> >
> > On 06/25/2016 06:32 PM, Mark Foley wrote:
> > > I think I've read something on this before, but I can't seem to find it.
> > As far as we know, this is impossible. :-(
> >
> > It's a feature we would also VERY much like to see, for exactly the same
> > reason.
> >
> > MJ
>
> From: Mark Foley <mfoley at ohprs.org>
> Date: Sat, 25 Jun 2016 12:32:54 -0400
> To: samba at lists.samba.org
> Subject: [Samba] Need IP on failed logins in logfile
>
> I am running Samba Version 4.1.23 as an AD/DC on Linux Slackware64 14.1. I am logging samba
> messages to /var/log/samba/log.samba with logging set to the following in smb.conf:
>
> log level = 2 passdb:5 auth:10 winbind:2 lanman:10
>
> I have a script that scans this logfile for messages like the following:
>
> auth_check_password_recv: sam_ignoredomain authentication for user [HPRS\thisuser] FAILED with error NT_STATUS_NO_SUCH_USER
> auth_check_password_recv: sam_ignoredomain authentication for user [HPRS\thatuser] FAILED with error NT_STATUS_WRONG_PASSWORD
>
> Usually, these are not a big deal as they are the results of a local domain user mistyping
> either their login ID or password. However, occasionally the attempts are clearly outsiders
> trying to break in.
>
> Is there some way to get the logger to show the IP of the failure? Currently it shows only the
> domain and user.
>
> I think I've read something on this before, but I can't seem to find it.
>
> Thanks, Mark
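
Added example, not part of the original thread and not code from any poster or from the Samba project: a Python version of the log scan discussed above, which carries the timestamp from the detached header line onto each failed-authentication message and attaches the workstation name when an earlier "unmapped user" line was logged for the same account. The function name failed_logins and the sample log are constructed, and the "<file>:<line>" text in the sample headers is a placeholder.

```python
import re

# Samba debug header line, e.g. "[2016/06/25 12:31:07.104512,  2] file:line(function)"
HEADER = re.compile(r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})(?:\.\d+)?,\s*\d+\]")
# Failure line, as quoted in the thread
FAILED = re.compile(
    r"auth_check_password_recv: \S+ authentication for user "
    r"\[(?P<user>[^\]]+)\] FAILED with error (?P<status>NT_STATUS_\w+)")
# Earlier line that names the client workstation: [DOMAIN]\[user]@[WORKSTATION]
UNMAPPED = re.compile(
    r"Checking password for unmapped user \[([^\]]*)\]\\\[([^\]]*)\]@\[([^\]]*)\]")

def failed_logins(lines):
    """Return one record per failed authentication (hypothetical helper)."""
    stamp = None        # timestamp from the most recent header line
    workstation = {}    # "DOMAIN\user" -> workstation name last logged for it
    records = []
    for line in lines:
        m = HEADER.match(line)
        if m:
            stamp = m.group(1)
            continue
        m = UNMAPPED.search(line)
        if m:
            # The workstation name is sent by the client, so treat it as a hint.
            workstation[f"{m.group(1)}\\{m.group(2)}"] = m.group(3)
            continue
        m = FAILED.search(line)
        if m:
            records.append({"time": stamp, "user": m["user"], "status": m["status"],
                            "workstation": workstation.get(m["user"])})
    return records

# Constructed sample; "<file>:<line>" stands in for the real source location.
SAMPLE = r"""
[2016/06/25 12:31:07.104512,  5] <file>:<line>(auth_check_password_send)
  auth_check_password_send: Checking password for unmapped user [HPRS]\[mark]@[ROVER]
[2016/06/25 12:31:07.215903,  2] <file>:<line>(auth_check_password_recv)
  auth_check_password_recv: sam_ignoredomain authentication for user [HPRS\mark] FAILED with error NT_STATUS_WRONG_PASSWORD
[2016/06/25 12:40:12.000311,  2] <file>:<line>(auth_check_password_recv)
  auth_check_password_recv: sam_ignoredomain authentication for user [HPRS\thatuser] FAILED with error NT_STATUS_NO_SUCH_USER
""".strip().splitlines()

if __name__ == "__main__":
    for rec in failed_logins(SAMPLE):
        print(rec["time"], rec["user"], rec["status"], rec["workstation"] or "-")
```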