Bill Baird
2018-Sep-14 17:19 UTC
[Samba] kpasswd_samdb_set_password: domain\user (S-...) is changing password of user@domain
Is there a way to translate the userSid into a human readable format, so I don't have to look it up each time?

For now, my workaround for now is to set my log level to 5, but then turn lots of stuff down to 1 manually. Like this:

log level = 5 tdb:1 printdrivers:1 lanman:1 smb:1 rpc_parse:1 rpc_srv:1 rpc_cli:1 passdb:1 sam:1 auth:1 winbind:1 vfs:1 idmap:1 quota:1 acls:1 locking:1 msdfs:1 dmapi:1 registry:1 scavenger:1 dns:1 ldb:1 tevent:1 auth_audit:5 auth_json_audit:5 kerberos:1 drs_repl:1 smb2:1 smb2_credits:1 dsdb_audit:5 dsdb_json_audit:5 dsdb_password_audit:5 dsdb_password_json_audit:5 dsdb_transaction_audit:5 dsdb_transaction_json_audit:5 dsdb_group_audit:5 dsdb_group_json_audit:5

On Fri, Sep 14, 2018 at 1:17 PM Andrew Bartlett <abartlet at samba.org> wrote:

> On Fri, 2018-09-14 at 13:00 -0400, Bill Baird via samba wrote:
> > I have dsdb_password_audit:5 & dsdb_password_json_audit:5 enabled, but I
> > don't get the message I included.
>
> Correct, that message is generated by a different system.
>
> > I instead get an audit log that a password was changed...but not by
> > who.
>
> The userSid element should be the who.
>
> > Was hoping to get more info in a single log entry, so I can track who on my
> > staff is doing password resets and setup email alerts via my logging
> > system.
>
> Certainly, that is what this was built for.
>
> Andrew Bartlett
Andrew Bartlett
2018-Sep-14 17:27 UTC
[Samba] kpasswd_samdb_set_password: domain\user (S-...) is changing password of user@domain
On Fri, 2018-09-14 at 13:19 -0400, Bill Baird wrote:

> Is there a way to translate the userSid into a human readable format,
> so I don't have to look it up each time?

Not in that log, while we understand the desire here these logs could be stored for quite some time and the meaning of the username could have changed in the meantime.

SIDs and GUIDs are good long-term stable and predictably formatted identifiers.

It shouldn't be hard to convert using wbinfo for example, these are intended for machine parsing and machines are good at doing that kind of thing.

> For now, my workaround for now is to set my log level to 5, but then
> turn lots of stuff down to 1 manually. Like this:
>
> log level = 5 tdb:1 printdrivers:1 lanman:1 smb:1 rpc_parse:1
> rpc_srv:1 rpc_cli:1 passdb:1 sam:1 auth:1 winbind:1 vfs:1 idmap:1
> quota:1 acls:1 locking:1 msdfs:1 dmapi:1 registry:1 scavenger:1
> dns:1 ldb:1 tevent:1 auth_audit:5 auth_json_audit:5 kerberos:1
> drs_repl:1 smb2:1 smb2_credits:1 dsdb_audit:5 dsdb_json_audit:5
> dsdb_password_audit:5 dsdb_password_json_audit:5
> dsdb_transaction_audit:5 dsdb_transaction_json_audit:5
> dsdb_group_audit:5 dsdb_group_json_audit:5

The message you were looking at won't show all password resets, only some that are via kerberos. That is why we added the new logs.

Andrew Bartlett

--
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
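The conversion suggested in the message above, as an added example that is not part of the thread or of Samba: it resolves each userSid with wbinfo at alert time and keeps the SID beside the name, so the stored log stays unambiguous. The "JSON passwordChange: " prefix and the userSid, dn, action and status field names are assumptions about the dsdb_password_json_audit output; the sample lines, SIDs and names are constructed.

```python
import json
import re
import subprocess

MARKER = "JSON passwordChange: "        # assumed prefix before the JSON payload
SID_RE = re.compile(r"S-1-\d+(-\d+)+")  # log content is untrusted: validate first

def wbinfo_resolver(sid):
    """Ask winbind for the current name; wbinfo prints 'DOMAIN\\name <type>'."""
    try:
        out = subprocess.run(["wbinfo", "--sid-to-name=" + sid], check=True,
                             capture_output=True, text=True, timeout=5)
    except (OSError, subprocess.SubprocessError):
        return None                       # wbinfo missing, lookup failed or hung
    return out.stdout.strip().rsplit(" ", 1)[0] or None

def password_events(lines, resolve=wbinfo_resolver):
    """Return one dict per password event, keeping the SID next to the name."""
    cache, events = {}, []
    for line in lines:
        _, found, payload = line.partition(MARKER)
        try:
            body = json.loads(payload)["passwordChange"] if found else None
        except (ValueError, KeyError, TypeError):
            body = None
        if not isinstance(body, dict):
            continue                      # other log classes, truncated JSON
        sid = str(body.get("userSid", ""))
        if sid not in cache:              # one winbind lookup per distinct SID
            cache[sid] = resolve(sid) if SID_RE.fullmatch(sid) else None
        events.append({"sid": sid, "name": cache[sid], "action": body.get("action"),
                       "target_dn": body.get("dn"), "status": body.get("status")})
    return events

def _line(sid, action, dn):               # builds a constructed sample line
    return "  " + MARKER + json.dumps({"type": "passwordChange", "passwordChange": {
        "status": "Success", "userSid": sid, "dn": dn, "action": action}})

SAMPLE = [                                # constructed input, not real log output
    _line("S-1-5-21-1111-2222-3333-1105", "Reset", "CN=bob,CN=Users,DC=example,DC=com"),
    "[2018/09/14 13:00:02, 5] unrelated debug line",
    _line("S-1-5-21-1111-2222-3333-1105", "Reset", "CN=carol,CN=Users,DC=example,DC=com"),
    "  " + MARKER + '{"type": "passwordChange", "passwordCh',   # truncated entry
    _line("--help", "Change", "CN=dave,CN=Users,DC=example,DC=com"),  # malformed SID
]
NAMES = {"S-1-5-21-1111-2222-3333-1105": "EXAMPLE\\alice"}  # stands in for winbind

if __name__ == "__main__":
    print(*password_events(SAMPLE, resolve=NAMES.get), sep="\n")
```

On a domain member or DC, call password_events(open(logfile)) with the default resolver; a SID that no longer resolves comes back with name None rather than being dropped.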
Bill Baird
2018-Sep-14 17:29 UTC
[Samba] kpasswd_samdb_set_password: domain\user (S-...) is changing password of user@domain
Hmph, okay. I appreciate the explanation, thanks for your time!

On Fri, Sep 14, 2018 at 1:27 PM Andrew Bartlett <abartlet at samba.org> wrote:

> On Fri, 2018-09-14 at 13:19 -0400, Bill Baird wrote:
> > Is there a way to translate the userSid into a human readable format,
> > so I don't have to look it up each time?
>
> Not in that log, while we understand the desire here these logs could
> be stored for quite some time and the meaning of the username could
> have changed in the meantime.
>
> SIDs and GUIDs are good long-term stable and predictably formatted
> identifiers.
>
> It shouldn't be hard to convert using wbinfo for example, these are
> intended for machine parsing and machines are good at doing that kind
> of thing.
>
> > For now, my workaround for now is to set my log level to 5, but then
> > turn lots of stuff down to 1 manually. Like this:
> >
> > log level = 5 tdb:1 printdrivers:1 lanman:1 smb:1 rpc_parse:1
> > rpc_srv:1 rpc_cli:1 passdb:1 sam:1 auth:1 winbind:1 vfs:1 idmap:1
> > quota:1 acls:1 locking:1 msdfs:1 dmapi:1 registry:1 scavenger:1
> > dns:1 ldb:1 tevent:1 auth_audit:5 auth_json_audit:5 kerberos:1
> > drs_repl:1 smb2:1 smb2_credits:1 dsdb_audit:5 dsdb_json_audit:5
> > dsdb_password_audit:5 dsdb_password_json_audit:5
> > dsdb_transaction_audit:5 dsdb_transaction_json_audit:5
> > dsdb_group_audit:5 dsdb_group_json_audit:5
>
> The message you were looking at won't show all password resets, only
> some that are via kerberos. That is why we added the new logs.
>
> Andrew Bartlett