Hi all,

I am running a Samba 4.2.14 Active Directory server on Debian and it is working fine. I have Windows workstations, Linux servers and some web services authenticate against the Samba AD. The only thing that I am missing is a proper logging for the authentication events on this system.
Especially in case of web services, which are using LDAP authentication against Samba, from the logs I can only see that there is a request for a certain user to authenticate and then the result which might be OK or WRONG.... but no info about the machine or IP initiating the request.

Below is an example:

*[2017/02/07 10:06:44.584159, 5] ../source4/auth/ntlm/auth.c:438(auth_check_password_recv)*
* auth_check_password_recv: sam_ignoredomain authentication for user [DOMAIN\user] succeeded*

Raising the logging level does not seem to help getting any more details.

In addition, I would like to have audit logs for important events, like for example when administrators or users themselves change passwords. These do not seem to leave any trace at all in the system.
Am I missing something in my config (smb.conf ..) or is this the expected behavior of the system?
Is there a way to get more detailed authentication logs?

Thanks,
Elton

On Tue, 2017-02-07 at 10:15 +0100, Elton Agolli via samba wrote:
> Hi all,
>
> I am running a Samba 4.2.14 Active Directory server on Debian and it is working fine. I have Windows workstations, Linux servers and some web services authenticate against the Samba AD. The only thing that I am missing is a proper logging for the authentication events on this system.
> Especially in case of web services, which are using LDAP authentication against Samba, from the logs I can only see that there is a request for a certain user to authenticate and then the result which might be OK or WRONG.... but no info about the machine or IP initiating the request.
>
> Below is an example:
>
> *[2017/02/07 10:06:44.584159, 5] ../source4/auth/ntlm/auth.c:438(auth_check_password_recv)*
> * auth_check_password_recv: sam_ignoredomain authentication for user [DOMAIN\user] succeeded*
>
> Raising the logging level does not seem to help getting any more details.
>
> In addition, I would like to have audit logs for important events, like for example when administrators or users themselves change passwords. These do not seem to leave any trace at all in the system.
> Am I missing something in my config (smb.conf ..) or is this the expected behavior of the system?
> Is there a way to get more detailed authentication logs?

Sadly not at this stage. You can get more detail as you turn up the debug level, but not a clear picture of all the details you need.

I hope to address this soon - I've had requests for this from a couple of clients recently so hopefully Samba 4.7 will finally have decent logging here.

I hope this helps a little,

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba

----- Original Message -----
> From: "samba" <samba at lists.samba.org>
> To: "samba" <samba at lists.samba.org>
> Sent: Tuesday, February 7, 2017 3:15:06 AM
> Subject: [Samba] Samba authentication logs

> Hi all,
>
> I am running a Samba 4.2.14 Active Directory server on Debian and it is working fine. I have Windows workstations, Linux servers and some web services authenticate against the Samba AD. The only thing that I am missing is a proper logging for the authentication events on this system.
> Especially in case of web services, which are using LDAP authentication against Samba, from the logs I can only see that there is a request for a certain user to authenticate and then the result which might be OK or WRONG.... but no info about the machine or IP initiating the request.
>
> Below is an example:
>
> *[2017/02/07 10:06:44.584159, 5] ../source4/auth/ntlm/auth.c:438(auth_check_password_recv)*
> * auth_check_password_recv: sam_ignoredomain authentication for user [DOMAIN\user] succeeded*
>
> Raising the logging level does not seem to help getting any more details.
>
> In addition, I would like to have audit logs for important events, like for example when administrators or users themselves change passwords. These do not seem to leave any trace at all in the system.
> Am I missing something in my config (smb.conf ..) or is this the expected behavior of the system?
> Is there a way to get more detailed authentication logs?
>

Elton,

See my recent post to the mailing list for at least a partial answer:

https://lists.samba.org/archive/samba/2017-February/206307.html

In short, this type of logging has not been implemented yet. I would also find it very useful.

Andrew