karel.de.macil at free.fr
2020-Sep-16 14:50 UTC
[Samba] force samba 4.12.5 to log failed and succeeding authentication
Hi all, i'm strugling since a few hours to find what i can do to have some debug information in samba on succesfull or unsccessful login attempt. I'm running the standard bulleye samba deb package. Systemd is installed and see some thing , but whatever i put in smb.conf It seems like i can't have access to those information. i have allready try : -log level = 1 auth:5 winbind:5 -log level = 5 -log level = 10 neither the ip or the name of successful or unsuccessful login attempt appear in any place. nor in journalctl -u samba-ad-dc nor in any file in /var/log/samba/ can any one help me on this one ? best regards
Andrew Bartlett
2020-Sep-16 18:04 UTC
[Samba] force samba 4.12.5 to log failed and succeeding authentication
https://wiki.samba.org/index.php/Setting_up_Audit_Logging See eg (for password changes) dsdb_password_json_audit:4@/var/log/samba/password.log Sadly not yet fully documented in: https://wiki.samba.org/index.php/Configuring_Logging_on_a_Samba_Server#Setting_Individual_Log_Levels_for_Debug_Classes (but feel free to fix that). I think it is in the man smb.conf Andrew Bartlett On Wed, 2020-09-16 at 16:50 +0200, karel de macil via samba wrote:> Hi all, > > i'm strugling since a few hours to find what i can do to have some > debug > information in samba on succesfull or unsccessful login attempt. > I'm running the standard bulleye samba deb package. > Systemd is installed and see some thing , but whatever i put in > smb.conf > > It seems like i can't have access to those information. > > i have allready try : > > -log level = 1 auth:5 winbind:5 > -log level = 5 > -log level = 10 > > neither the ip or the name of successful or unsuccessful login > attempt > appear in any place. > nor in journalctl -u samba-ad-dc nor in any file in /var/log/samba/ > > can any one help me on this one ? > > best regards >-- Andrew Bartlett https://samba.org/~abartlet/ Authentication Developer, Samba Team https://samba.org Samba Developer, Catalyst IT https://catalyst.net.nz/services/samba
karel.de.macil at free.fr
2020-Sep-17 10:16 UTC
[Samba] force samba 4.12.5 to log failed and succeeding authentication
Le 16/09/2020 20:04, Andrew Bartlett via samba a ?crit?:> https://wiki.samba.org/index.php/Setting_up_Audit_Logging > > See eg (for password changes) > dsdb_password_json_audit:4@/var/log/samba/password.log > > Sadly not yet fully documented in: > https://wiki.samba.org/index.php/Configuring_Logging_on_a_Samba_Server#Setting_Individual_Log_Levels_for_Debug_Classes > > (but feel free to fix that). I think it is in the man smb.conf > > Andrew BartlettI have just try to add log level = 1 auth_audit:7@/var/log/samba/log.auth_audit to my smb.conf but no luck on this either , this indeed create a /var/log/samba/log.auth_audit who stay definetly empty... even after auth attempt. And still after a failed or successfull attempt there is no trace in the log of the ip of the pc where the failed/successfull attempt occur, the name of the computer, or the name of the account used, just nothing. I have read and try you comment as well as this page : https://wiki.samba.org/index.php/Setting_up_Audit_Logging but despite all my effort there is no message like : [2017/07/04 21:07:41.410381, 4, pid=21757] ../auth/auth_log.c:848(log_successful_authz_event_human_readable) Successful AuthZ: [SMB2,krb5] user [SAMDOM]\[Administrator] [S-1-5-21-469703510-2364959079-1506205053-500] at [Di, 04 Jul 2017 21:07:41.410364 CEST] Remote host [ipv4:10.99.0.81:58828] local host [ipv4:10.99.0.1:445] who appear in my log. Thing that can play a role in y situation (or not) i have 2 DC in different version, the one who is FMSO for all role is 4.12.5 the other is much older. but i can't see any log in any of em. i have pass GPO to enable log of authentication attemps on client side via : Policies -> Windows Settings -> Security Settings -> Local Policies -> Audit Policy> On Wed, 2020-09-16 at 16:50 +0200, karel de macil via samba wrote: >> Hi all, >> >> i'm strugling since a few hours to find what i can do to have some >> debug >> information in samba on succesfull or unsccessful login attempt. >> I'm running the standard bulleye samba deb package. >> Systemd is installed and see some thing , but whatever i put in >> smb.conf >> >> It seems like i can't have access to those information. >> >> i have allready try : >> >> -log level = 1 auth:5 winbind:5 >> -log level = 5 >> -log level = 10 >> >> neither the ip or the name of successful or unsuccessful login >> attempt >> appear in any place. >> nor in journalctl -u samba-ad-dc nor in any file in /var/log/samba/ >> >> can any one help me on this one ? >> >> best regards >> > -- > Andrew Bartlett https://samba.org/~abartlet/ > Authentication Developer, Samba Team https://samba.org > Samba Developer, Catalyst IT > https://catalyst.net.nz/services/samba