On Mon, Nov 18, 2019 at 10:36:44PM +0100, Denis Cardon via samba
wrote:> Hi everyone,
>
> I am looking at a way to easily trace ldap queries in order to single out
computers that have buggy software that download the whole AD (like a getent
passwd with winbind enum users = yes for example). Increasing the debug level to
5 gives me the result I am looking for, however it is very very talkative and it
fills up the log partition way too fast. I wanted to try to single out one debug
class using "debug class = yes" in smb.conf, however it does not
give any:
>
> [2019/11/18 22:02:54.687235, 5]
../../source4/ldap_server/ldap_backend.c:783(ldapsrv_SearchRequest)
> ldb_request SUB dn=cn=users,dc=testing,dc=lan
filter=(|(objectClass=*)(distinguishedName=*))
>
> When looking at other items in the log, I do have a debug class
>
> [2019/11/18 22:02:54.682490, 3, class=ldb]
../../lib/ldb-samba/ldb_wrap.c:332(ldb_wrap_connect)
> ldb_wrap open of privilege.ldb
>
> Is it that debug class is not implemented for those queries? Is there a
way to audit the ldap queries without filling up the log partition?
Looks like we don't have a separate debug class
for LDAP queries/processing.
Can you try the following patch - it should add
a new "ldap" debug class to the ldap server code
that should allow you to raise the debug levels
there separately.
Cheers,
Jeremy.
diff --git a/lib/util/debug.c b/lib/util/debug.c
index 6f081d45110..be113371e8e 100644
--- a/lib/util/debug.c
+++ b/lib/util/debug.c
@@ -153,6 +153,7 @@ static const char *default_classname_table[] = {
[DBGC_DSDB_TXN_AUDIT_JSON] = "dsdb_transaction_json_audit",
[DBGC_DSDB_GROUP_AUDIT] = "dsdb_group_audit",
[DBGC_DSDB_GROUP_AUDIT_JSON] = "dsdb_group_json_audit",
+ [DBGC_LDAP] = "ldap",
};
/*
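Review bot: The class name `"ldap"` is broader than the code the patch actually reclassifies: only source4/ldap_server/*.c is switched to the new class, while the client-side LDAP library keeps its previous class, so an administrator raising `ldap` in `log level` may expect client traffic to be covered as well. A server-specific name matching the code's own prefix, e.g. `[DBGC_LDAP] = "ldapsrv",` (with the macro in the debug.h hunk renamed to match), would make the scope explicit. Whatever name is chosen here is the string administrators type in smb.conf, so it should agree with the debug.h macro and with any class list in the smb.conf documentation.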
diff --git a/lib/util/debug.h b/lib/util/debug.h
index 67dbf3357e3..c6022e19202 100644
--- a/lib/util/debug.h
+++ b/lib/util/debug.h
@@ -97,6 +97,7 @@ bool dbgsetclass(int level, int cls);
#define DBGC_DSDB_TXN_AUDIT_JSON 35
#define DBGC_DSDB_GROUP_AUDIT 36
#define DBGC_DSDB_GROUP_AUDIT_JSON 37
+#define DBGC_LDAP 38
/* So you can define DBGC_CLASS before including debug.h */
#ifndef DBGC_CLASS
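Review bot: `#define DBGC_LDAP 38` extends the fixed class numbering; if debug.h or debug.c keeps a constant tracking the highest fixed class index or the fixed class count (none is visible in this hunk), it has to be bumped in the same commit so the new entry is within the registered range. The designated initializer added to default_classname_table in debug.c sizes the array from its largest index, so the table itself needs nothing further. The `#ifndef DBGC_CLASS` block that follows continues outside the hunk.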
diff --git a/source4/ldap_server/ldap_backend.c
b/source4/ldap_server/ldap_backend.c
index bf724335a25..0e22850e0f9 100644
--- a/source4/ldap_server/ldap_backend.c
+++ b/source4/ldap_server/ldap_backend.c
@@ -34,6 +34,9 @@
#include "lib/tsocket/tsocket.h"
#include "libcli/ldap/ldap_proto.h"
+#undef DBGC_CLASS
+#define DBGC_CLASS DBGC_LDAP
+
static int map_ldb_error(TALLOC_CTX *mem_ctx, int ldb_err,
const char *add_err_string, const char **errstring)
{
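Review bot: The `#undef DBGC_CLASS` / `#define DBGC_CLASS DBGC_LDAP` pair is placed after the file's last #include, and that placement is what makes it work: the class override only affects DEBUG() expansions that follow it, and debug.h's default (the `#ifndef DBGC_CLASS` guard shown in the debug.h hunk) must already have been pulled in by those includes. The same two lines are added identically to ldap_bind.c, ldap_extended.c and ldap_server.c; any debug call in those files that names its class explicitly would be unaffected, though none is visible in these hunks. For the reporter's use case this is the file holding the ldapsrv_SearchRequest level-5 line quoted in the mail, so that line becomes selectable via the new class while the `ldb_wrap` line stays under class `ldb`; if the smb.conf(5) `log level` documentation lists the known classes, the new one should be added there as well. map_ldb_error's body continues outside the hunk.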
diff --git a/source4/ldap_server/ldap_bind.c b/source4/ldap_server/ldap_bind.c
index 5cddecd79be..32a6ecf443a 100644
--- a/source4/ldap_server/ldap_bind.c
+++ b/source4/ldap_server/ldap_bind.c
@@ -30,6 +30,9 @@
#include "param/param.h"
#include "../lib/util/tevent_ntstatus.h"
+#undef DBGC_CLASS
+#define DBGC_CLASS DBGC_LDAP
+
static char *ldapsrv_bind_error_msg(TALLOC_CTX *mem_ctx,
HRESULT hresult,
uint32_t DSID,
diff --git a/source4/ldap_server/ldap_extended.c
b/source4/ldap_server/ldap_extended.c
index 2d4a5345460..fcd1dc21599 100644
--- a/source4/ldap_server/ldap_extended.c
+++ b/source4/ldap_server/ldap_extended.c
@@ -24,6 +24,9 @@
#include "smbd/service_stream.h"
#include "../lib/util/tevent_ntstatus.h"
+#undef DBGC_CLASS
+#define DBGC_CLASS DBGC_LDAP
+
struct ldapsrv_starttls_postprocess_context {
struct ldapsrv_connection *conn;
};
diff --git a/source4/ldap_server/ldap_server.c
b/source4/ldap_server/ldap_server.c
index 709b7bcacfa..a59bc90b901 100644
--- a/source4/ldap_server/ldap_server.c
+++ b/source4/ldap_server/ldap_server.c
@@ -48,6 +48,9 @@
#include "../libcli/util/tstream.h"
#include "libds/common/roles.h"
+#undef DBGC_CLASS
+#define DBGC_CLASS DBGC_LDAP
+
static void ldapsrv_terminate_connection_done(struct tevent_req *subreq);
/*