Arianna Brandstetter
2020-Apr-07 18:48 UTC
[Samba] Best way to verify LDAP connections to Samba in AD mode
I am running Samba in AD mode with 3 Samba DCs. I am trying to verify that I really am seeing all incoming connections in the log files to help trouble shooting. We work with Sernet who are AWESOME people, especially Bjorn, but I was wondering if there were any other ideas.

Right now we have "log level = 1 auth_audit:3 auth_json_audit:3" set in our smb.conf. Are there any other ways that I should be checking if someone attempts to bind via LDAP and whether that attempt fails or succeeds?

Arianna Brandstetter (She/Her/Hers)
VMWare/Linux/SAN Administrator
Nebraska Wesleyan University
5000 St. Paul Avenue
Lincoln, NE 68504
PGP Key: C525667AA7C9ACBCD8BCC72072DB36F69811F7FF

Andrew Bartlett
2020-Apr-07 20:11 UTC
[Samba] Best way to verify LDAP connections to Samba in AD mode
On Tue, 2020-04-07 at 18:48 +0000, Arianna Brandstetter via samba wrote:
> I am running Samba in AD mode with 3 Samba DCs. I am trying to
> verify that I really am seeing all incoming connections in the log
> files to help trouble shooting. We work with Sernet who are AWESOME
> people, especially Bjorn, but I was wondering if there were any other
> ideas. Right now we have "log level = 1 auth_audit:3
> auth_json_audit:3" set in our smb.conf. Are there any other ways
> that I should be checking if someone attempts to bind via LDAP and
> whether that attempt fails or succeeds?

G'Day Arianna,

The auth_audit and auth_json_audit logging classes are intended (and tested) to be comprehensive for the AD DC side of things.

Turn up the log level to get successful binds via Kerberised LDAP (where the authentication was done and logged on the KDC).

Normally you don't need both auth_audit and auth_audit_json (but we had a bug in the earliest versions of this feature).

    #define AUTH_FAILURE_LEVEL 2
    #define AUTH_SUCCESS_LEVEL 3
    #define AUTHZ_SUCCESS_LEVEL 4
    /* 5 is used for both authentication and authorization */
    #define AUTH_ANONYMOUS_LEVEL 5
    #define AUTHZ_ANONYMOUS_LEVEL 5

I'm glad to hear the feature is so valuable. We think having such a clear authentication and authorization logging framework is a really neat Samba-only feature.

While we think we have this one pretty comprehensive, if there are other aspects of Samba that you would like to contribute similar tooling for, where it would make your life as a Systems Administrator easier or allow Samba to integrate into other systems, do let us know!

Andrew Bartlett

--
Andrew Bartlett https://samba.org/~abartlet/
Authentication Developer, Samba Team https://samba.org
Samba Developer, Catalyst IT https://catalyst.net.nz/services/samba
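
An added example, not part of the thread and not Samba's own code: it maps a configured auth_json_audit level onto the thresholds quoted above and tallies LDAP bind outcomes from JSON audit lines. The field names (type, status, serviceDescription, remoteAddress) are assumed to match Samba's JSON audit records, one record per line, and the sample records are constructed.

```python
import json
from collections import Counter

# Thresholds from the #define lines quoted in the reply above.
LEVELS = {
    "auth_failure": 2,    # AUTH_FAILURE_LEVEL
    "auth_success": 3,    # AUTH_SUCCESS_LEVEL
    "authz_success": 4,   # AUTHZ_SUCCESS_LEVEL
    "anonymous": 5,       # AUTH_ANONYMOUS_LEVEL / AUTHZ_ANONYMOUS_LEVEL
}

def visible_events(level):
    """Event classes emitted when auth_json_audit:<level> is configured."""
    return {name for name, needed in LEVELS.items() if level >= needed}

def summarize_ldap(lines):
    """Count LDAP events as (type, outcome, remoteAddress) from JSON log lines."""
    counts = Counter()
    for line in lines:
        start = line.find("{")          # skip indentation or a debug prefix
        if start < 0:
            continue
        try:
            rec = json.loads(line[start:])
        except ValueError:
            continue                    # not a JSON audit record
        kind = rec.get("type")
        body = rec.get(kind) if kind in ("Authentication", "Authorization") else None
        if not isinstance(body, dict) or body.get("serviceDescription") != "LDAP":
            continue
        ok = body.get("status") == "NT_STATUS_OK"
        # Authorization records mark an established session and carry no status.
        outcome = "session" if kind == "Authorization" else ("ok" if ok else "failed")
        counts[(kind, outcome, body.get("remoteAddress"))] += 1
    return counts

def _rec(kind, **body):                 # builds one constructed sample record
    return "  " + json.dumps({"type": kind, kind: body})

SAMPLE = [  # constructed lines, not real log output
    _rec("Authentication", status="NT_STATUS_WRONG_PASSWORD", serviceDescription="LDAP",
         authDescription="simple bind", remoteAddress="ipv4:192.0.2.10:50000"),
    _rec("Authentication", status="NT_STATUS_OK", serviceDescription="LDAP",
         authDescription="simple bind", remoteAddress="ipv4:192.0.2.10:50001"),
    _rec("Authorization", serviceDescription="LDAP", authType="krb5",
         remoteAddress="ipv4:192.0.2.20:50002"),
    _rec("Authentication", status="NT_STATUS_OK", serviceDescription="SMB2"),
]
if __name__ == "__main__":
    print(sorted(visible_events(3)), dict(summarize_ldap(SAMPLE)))
```

With the level 3 from the original question, visible_events(3) contains no authorization class, which is why the reply suggests raising the level to see Kerberised LDAP binds.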