On 4/21/2017 1:28 PM, Matthew Delfino via samba wrote:
> Hey Samba Friends,
>
> Maybe the below question is too general. How about this: I’ve set my "log level = auth:10" in the global parameters of my smb.conf file.
>
> I then purposely failed to log into an account on my Windows 10 machine until the account was locked.
>
> I’ve run the following command where x equals the syslog, the log.samba, log.smbd and log.winbindd, and username is the name of my test user account:
>
> tail -n 3000 x | grep -A 1 username
>
> Nothing appears.
>
> Is it possible to get samba to log those failed attempts? If so, how, and in which file should I expect to see it?
>
> Thanks,
> Matthew
>
>> On 2017.04.20, at 11:49 AM, Matthew Delfino via samba <samba at lists.samba.org> wrote:
>>
>> Hello Samba Friends,
>>
>> For those of you who have had to sift through Samba logs for clues on how to determine what caused an account to lock after repeated failed logon attempts, what "log level" settings have you found to be most helpful?
>>
>> Thanks,
>> Matthew
>
> ©2017 KNOCK, inc. All rights reserved. KNOCK is a registered trademark of KNOCK, inc. This message and any attachments contain information, which is confidential and/or privileged. If you are not the intended recipient, please refrain from any disclosure, copying, distribution or use of this information. Please be aware that such actions are prohibited. If you have received this transmission in error, kindly notify the sender by e-mail. Your cooperation is appreciated.

Take a look at these two threads.

https://lists.samba.org/archive/samba/2017-February/206405.html

https://lists.samba.org/archive/samba/2016-June/200710.html

--
--
James
Matthew Delfino
2017-Apr-24 14:35 UTC
[Samba] Log Level and Failed Authentication Attempts
Hello James,

Thank you for pointing me in the right direction. It sounds like Andrew Bartlett is committed to bringing this capability to a future version of Samba. Hopefully, he’ll find the process of adding this feature to be easier than he anticipates, and it’s available to all of us who need to perform forensics on failed logins.

Have a great week,
Matthew
On 4/24/2017 10:35 AM, Matthew Delfino wrote:
> Hello James,
>
> Thank you for pointing me in the right direction. It sounds like Andrew Bartlett is committed to bringing this capability to a future version of Samba. Hopefully, he’ll find the process of adding this feature to be easier than he anticipates, and it’s available to all of us who need to perform forensics on failed logins.
>
> Have a great week,
> Matthew

What I did until then was to send all workstation/server logs to a central syslog server to capture these events.

--
--
James
Andrew Bartlett
2017-Apr-24 19:23 UTC
[Samba] Log Level and Failed Authentication Attempts
On Mon, 2017-04-24 at 09:35 -0500, Matthew Delfino via samba wrote:
> Hello James,
>
> Thank you for pointing me in the right direction. It sounds like
> Andrew Bartlett is committed to bringing this capability to a future
> version of Samba. Hopefully, he’ll find the process of adding this
> feature to be easier than he anticipates, and it’s available to all
> of us who need to perform forensics on failed logins.

The patches for this did land, and will be part of Samba 4.7.

Thanks,

Andrew Bartlett

--
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
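
Added example (not part of the thread and not Samba project code): with the authentication audit logging that landed for Samba 4.7, failed logons can be parsed out of the log rather than grepped for by username. The script assumes JSON audit lines enabled with something like `log level = 1 auth_json_audit:3` in smb.conf and the field names `status`, `clientAccount`, `workstation` and `remoteAddress`; the sample log is constructed, so check both assumptions against your own log.samba.

```python
import json
from collections import defaultdict

# Constructed sample in an assumed log.samba layout: a debug header line,
# then one indented JSON object per authentication event.
SAMPLE_LOG = """\
[2017/09/25 10:01:02.100000,  2] constructed_header.c:1(example)
  {"timestamp": "2017-09-25T10:01:02+0000", "type": "Authentication", "Authentication": {"status": "NT_STATUS_WRONG_PASSWORD", "clientAccount": "testuser", "workstation": "WIN10-A", "remoteAddress": "ipv4:192.0.2.10:49712"}}
  {"timestamp": "2017-09-25T10:01:09+0000", "type": "Authentication", "Authentication": {"status": "NT_STATUS_WRONG_PASSWORD", "clientAccount": "TestUser", "workstation": "WIN10-A", "remoteAddress": "ipv4:192.0.2.10:49713"}}
  {"timestamp": "2017-09-25T10:01:15+0000", "type": "Authentication", "Authentication": {"status": "NT_STATUS_OK", "clientAccount": "alice", "workstation": "WIN10-B", "remoteAddress": "ipv4:192.0.2.11:50100"}}
  {"timestamp": "2017-09-25T10:01:20+0000", "type": "Authentication", "Authentication": {"status": "NT_STATUS_WRONG_PASSWORD", "clientAccount": "testuser", "workstation": "PRINTSRV", "remoteAddress": "ipv4:192.0.2.20:40022"}}
  {"timestamp": "2017-09-25T10:01:31+0000", "type": "Authentication", "Authentication": {"status": "NT_STATUS_ACCOUNT_LOCKED_OUT", "clientAccount": "testuser", "workstation": "WIN10-A", "remoteAddress": "ipv4:192.0.2.10:49720"}}
  {"timestamp": "2017-09-25T10:01:40+0000", "type": "Authentication", "Authenti
"""

def auth_events(text):
    """Yield (timestamp, event) for each JSON "Authentication" record."""
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("{"):
            continue  # debug header or ordinary log message
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue  # truncated or interleaved line
        if record.get("type") == "Authentication":
            yield record.get("timestamp"), record.get("Authentication", {})

def lockout_report(text):
    """Per account: failure count, (workstation, address) sources, lockout time."""
    report = defaultdict(lambda: {"failures": 0, "sources": set(), "locked_at": None})
    for ts, ev in auth_events(text):
        status = ev.get("status")
        if status == "NT_STATUS_OK":
            continue
        # Windows account names are case-insensitive, so fold case before grouping.
        entry = report[(ev.get("clientAccount") or "").lower()]
        entry["failures"] += 1
        addr = (ev.get("remoteAddress") or "").rsplit(":", 1)[0]  # drop source port
        entry["sources"].add((ev.get("workstation"), addr))
        if status == "NT_STATUS_ACCOUNT_LOCKED_OUT" and entry["locked_at"] is None:
            entry["locked_at"] = ts
    return dict(report)

if __name__ == "__main__":
    for account, info in lockout_report(SAMPLE_LOG).items():
        print(account, info["failures"], sorted(info["sources"]), info["locked_at"])
```

The `sources` set is what answers the original question of what caused the lockout: it lists every workstation and address that submitted a failed logon for the account.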