On Fri, 2018-03-23 at 14:21 -0400, lingpanda101 via samba
wrote:> On 3/23/2018 12:49 PM, Vinicius Bones Silva via samba wrote:
> > Hi,
> >
> > I'm trying to track random account lockouts on the domain. Is
there
> > any recommendations for log level or log handling that let me see what
> > machines/servers are locking the account?
> >
> > I'm using samba 4.5.5. as a DC (3 DCs).
> >
> > My current logging settings are:
> >
> > logging = syslog
> > log level = 1 auth:5 passdb:5 winbind:5
> >
> > Att,
> > Vinicius
> >
> >
> >
> >
>
> Hello,
>
> You should see in your samba log file an entry similar to this on
> wrong password attempts.
>
> Auth: [Kerberos KDC,ENC-TS Pre-authentication] user
> [(null)]\[username at DOMAIN] at [Fri, 23 Mar 2018 14:06:07.272789 EDT]
> with [aes256-cts-hmac-sha1-96] status [NT_STATUS_WRONG_PASSWORD]
> workstation [(null)] remote host [ipv4:172.16.26.11:53449] mapped to
> [DOMAIN]\[username]. local host [NULL]
>
> You can see it provides the remote host IP user was on. It looks as if
> you are not using the correct parameter in your smb.conf. It should be
>
> log level = 1 auth_audit:3 passdb:5 winbind:5
>
> See the Wiki for details
> https://wiki.samba.org/index.php/Setting_up_Audit_Logging
Thanks James.
Vinicius,
You need to upgrade to Samba 4.7 to get this feature.
With Samba 4.8 the 'auth' debug level also works for the AD DC part, so
you can more easily find the message when the final lockout occurs.
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba