Greetings. Samba documentation states: Password changes and Password resets are logged under dsdb_password_audit and a JSON representation is logged under the dsdb_password_json_audit. I have enabled log level = 0 dsdb_password_json_audit:4@/var/log/samba/password.log and then tried a password change using samba-tool user setpassword <user> but no log entry was added. I wonder if samba-tool generated password changes aren't logged because it wasn't generated by one of the AD RPC calls. I am trying to detect if some rogue sysadmin is changing passwords. Thanks in advance.
On Thu, 2020-08-20 at 18:24 -0400, Robert Marcano via samba wrote:> Greetings. > > Samba documentation states: > > Password changes and Password resets are logged under > dsdb_password_audit and a JSON representation is logged under the > dsdb_password_json_audit. > > I have enabled > > log level = 0 > dsdb_password_json_audit:4@/var/log/samba/password.log > > and then tried a password change using > > samba-tool user setpassword <user> > > but no log entry was added. I wonder if samba-tool generated > password > changes aren't logged because it wasn't generated by one of the AD > RPC > calls. > > I am trying to detect if some rogue sysadmin is changing passwords. > Thanks in advance.Thanks for the question. As samba-tool user setpassword operates locally on the sam.ldb, the logging is done in the tool - typically to stderr. We realise this isn't ideal. The cop-out is that someone with local root access can just edit the database at even lower levels anyway. Remote password changes should be logged, say if you use -H to specify the ldap server and the administrator password. I hope this helps, Andrew Bartlett -- Andrew Bartlett https://samba.org/~abartlet/ Authentication Developer, Samba Team https://samba.org Samba Developer, Catalyst IT https://catalyst.net.nz/services/samba
On 8/20/20 6:53 PM, Andrew Bartlett wrote:> On Thu, 2020-08-20 at 18:24 -0400, Robert Marcano via samba wrote: >> Greetings. >> >> Samba documentation states: >> >> Password changes and Password resets are logged under >> dsdb_password_audit and a JSON representation is logged under the >> dsdb_password_json_audit. >> >> I have enabled >> >> log level = 0 >> dsdb_password_json_audit:4@/var/log/samba/password.log >> >> and then tried a password change using >> >> samba-tool user setpassword <user> >> >> but no log entry was added. I wonder if samba-tool generated >> password >> changes aren't logged because it wasn't generated by one of the AD >> RPC >> calls. >> >> I am trying to detect if some rogue sysadmin is changing passwords. >> Thanks in advance. > > Thanks for the question. As samba-tool user setpassword operates > locally on the sam.ldb, the logging is done in the tool - typically to > stderr. > > We realise this isn't ideal. The cop-out is that someone with local > root access can just edit the database at even lower levels anyway. > > Remote password changes should be logged, say if you use -H to specify > the ldap server and the administrator password. > > I hope this helps,Thanks for the reply. I manage a few customers domains where sadly these kind of access is shared by all IT department, usually small businesses. Sometimes they give full sudo access not knowing that running 'sudo bash' will erase any trace of the commands they ran. I will have to update them to a modern distribution supporting session recording in case they didn't learn this time. Thanks again for the information.
Possibly Parallel Threads
- dsdb_password_json_audit and samba-tool
- kpasswd_samdb_set_password: domain\user (S-...) is changing password of user@domain
- kpasswd_samdb_set_password: domain\user (S-...) is changing password of user@domain
- samba-tool domain provision stuck when using python3
- kpasswd_samdb_set_password: domain\user (S-...) is changing password of user@domain