samba - Sep 2020 - force samba 4.12.5 to log failed and succeeding authentication

Hi all,

i'm strugling since a few hours to find what i can do to have some debug 
information in samba on succesfull or unsccessful login attempt.
I'm running the standard bulleye samba deb package.
Systemd is installed and see some thing , but whatever i put in smb.conf

It seems like i can't have access to those information.

i have allready try :

-log level = 1 auth:5 winbind:5
-log level = 5
-log level = 10

neither the ip or the name of successful or unsuccessful login attempt 
appear in any place.
nor in journalctl -u samba-ad-dc nor in any file in /var/log/samba/

can any one help me on this one ?

best regards

https://wiki.samba.org/index.php/Setting_up_Audit_Logging

See eg (for password changes)
dsdb_password_json_audit:4@/var/log/samba/password.log

Sadly not yet fully documented in:
https://wiki.samba.org/index.php/Configuring_Logging_on_a_Samba_Server#Setting_Individual_Log_Levels_for_Debug_Classes

(but feel free to fix that).  I think it is in the man smb.conf 

Andrew Bartlett

On Wed, 2020-09-16 at 16:50 +0200, karel de macil via samba
wrote:
> Hi all,
> 
> i'm strugling since a few hours to find what i can do to have some
> debug 
> information in samba on succesfull or unsccessful login attempt.
> I'm running the standard bulleye samba deb package.
> Systemd is installed and see some thing , but whatever i put in
> smb.conf
> 
> It seems like i can't have access to those information.
> 
> i have allready try :
> 
> -log level = 1 auth:5 winbind:5
> -log level = 5
> -log level = 10
> 
> neither the ip or the name of successful or unsuccessful login
> attempt 
> appear in any place.
> nor in journalctl -u samba-ad-dc nor in any file in /var/log/samba/
> 
> can any one help me on this one ?
> 
> best regards
> 
-- 
Andrew Bartlett                       https://samba.org/~abartlet/
Authentication Developer, Samba Team  https://samba.org
Samba Developer, Catalyst IT          
https://catalyst.net.nz/services/samba

Le 16/09/2020 20:04, Andrew Bartlett via samba a ?crit?:
> https://wiki.samba.org/index.php/Setting_up_Audit_Logging
> 
> See eg (for password changes)
> dsdb_password_json_audit:4@/var/log/samba/password.log
> 
> Sadly not yet fully documented in:
>
https://wiki.samba.org/index.php/Configuring_Logging_on_a_Samba_Server#Setting_Individual_Log_Levels_for_Debug_Classes
> 
> (but feel free to fix that).  I think it is in the man smb.conf
> 
> Andrew Bartlett
I have just try to add
log level = 1 auth_audit:7@/var/log/samba/log.auth_audit

to my smb.conf but no luck on this either , this indeed create a 
/var/log/samba/log.auth_audit who stay definetly empty...
even after auth attempt. And still after a failed or successfull attempt 
there is no trace in the log of the ip of the pc
where the failed/successfull attempt occur, the name of the computer, or 
the name of the account used, just nothing.

I have read and try you comment as well as this page :

https://wiki.samba.org/index.php/Setting_up_Audit_Logging

but despite all my effort there is no message like :

[2017/07/04 21:07:41.410381,  4, pid=21757] 
../auth/auth_log.c:848(log_successful_authz_event_human_readable)
   Successful AuthZ: [SMB2,krb5] user [SAMDOM]\[Administrator] 
[S-1-5-21-469703510-2364959079-1506205053-500] at [Di, 04 Jul 2017 
21:07:41.410364 CEST] Remote host [ipv4:10.99.0.81:58828] local host 
[ipv4:10.99.0.1:445]

who appear in my log.

Thing that can play a role in y situation (or not)

i have 2 DC in different version, the one who is FMSO for all role is 
4.12.5 the other is much older. but i can't see any log in any of em.
i have pass GPO to enable log of authentication attemps on client side 
via :
Policies -> Windows Settings -> Security Settings -> Local Policies
->
Audit Policy
> On Wed, 2020-09-16 at 16:50 +0200, karel de macil via samba wrote:
>> Hi all,
>> 
>> i'm strugling since a few hours to find what i can do to have some
>> debug
>> information in samba on succesfull or unsccessful login attempt.
>> I'm running the standard bulleye samba deb package.
>> Systemd is installed and see some thing , but whatever i put in
>> smb.conf
>> 
>> It seems like i can't have access to those information.
>> 
>> i have allready try :
>> 
>> -log level = 1 auth:5 winbind:5
>> -log level = 5
>> -log level = 10
>> 
>> neither the ip or the name of successful or unsuccessful login
>> attempt
>> appear in any place.
>> nor in journalctl -u samba-ad-dc nor in any file in /var/log/samba/
>> 
>> can any one help me on this one ?
>> 
>> best regards
>> 
> --
> Andrew Bartlett                       https://samba.org/~abartlet/
> Authentication Developer, Samba Team  https://samba.org
> Samba Developer, Catalyst IT
> https://catalyst.net.nz/services/samba