ralph strebbing
2022-Feb-14 17:58 UTC
[Samba] Compatibility With PaloAlto User Identification
Hey All,

I've got a PaloAlto 460 that we're working on integrating, and one of the things we're trying to get set up is the User-ID. Normally they have you install an agent on the windows Domain Controller to listen to the event-viewer and relay login and logout events back to the firewall to correlate Users to IPs.

There was an article posted (https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClRhCAK) that detailed setting Samba up to forward logs via syslogd, and then set up a listener on the firewall along with a profile to regex parse the info it needs. This works great for logins.

The issue I was running into was a combination of a cache issue and that the article is only addressing half the problem. User ID is being sent, and cached for the specified time (in my case, 30 minutes). However, there doesn't seem to be any normalized renewal of this being sent from Samba, as there are times when the PC we're testing on just drops to an unauthenticated role, meaning the 30 minutes elapsed without any new logs refreshing the cache having been received. One solution we tried was turning the timeout off, but this led to multiple users being identified on the same machine, even if the other had logged out, and even persisting through reboots. So that can't work (as it's configured now at least).

Now that the background has been explained (same thing I have in the ticket to Palo-Alto), I wanted to know if there may be a better approach to this issue from the samba side of things. Right now the article's solution is a bit crude, and as noted in my last mail thread, I have too verbose of logging being spilled out into the syslog of the domain controller. I know that Event Viewer functionality is a thing now, so would that work better? Or if someone else has set this up with a Palo in their environment and has a nicer solution, I'd appreciate that specific insight.

Thanks in advance!
Ralph
Andrew Bartlett
2022-Feb-15 06:37 UTC
[Samba] Compatibility With PaloAlto User Identification
On Mon, 2022-02-14 at 12:58 -0500, ralph strebbing via samba wrote:
> Hey All,
>
> I've got a PaloAlto 460 that we're working on integrating, and one of
> the things we're trying to get set up is the User-ID. Normally they
> have you install an agent on the windows Domain Controller to listen
> to the event-viewer and relay login and logout events back to the
> firewall to correlate Users to IPs.
>
> There was an article posted
> (
> https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClRhCAK
> )
> that detailed setting Samba up to forward logs via syslogd, and then
> set up a listener on the firewall along with a profile to regex parse
> the info it needs.
> Now that the background has been explained (same thing I have in the
> ticket to Palo-Alto), I wanted to know if there may be a better
> approach to this issue from the samba side of things. Right now the
> article's solution is a bit crude, and as noted in my last mail
> thread, I have too verbose of logging being spilled out into the
> syslog of the domain controller. I know that Event Viewer
> functionality is a thing now, so would that work better? Or if
> someone
> else has set this up with a Palo in their environment and has a nicer
> solution, I'd appreciate that specific insight.

We don't have event viewer support for this kind of thing (or anything really), but we have really awesome JSON based audit logging. I suggest parsing the audit logs with a JSON parser and having the PaloAlto accept the output of that.

https://wiki.samba.org/index.php/Setting_up_Audit_Logging

If you get that working, I would love to see a wiki page describing the arrangement so we can help others with similar devices.

The approach above only detects file access, eg for the logon script, but the AD audit logging can catch all activity. However a good Kerberos client won't be hitting the DC all day - it will get a TGT and a ticket to the services it needs and keep it for 10 hours. So the caching issue can't be addressed, sadly.

I hope this helps,

Andrew Bartlett

--
Andrew Bartlett (he/him) https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead, Catalyst IT https://catalyst.net.nz/services/samba
Samba Development and Support, Catalyst IT - Expert Open Source Solutions
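A worked version of the "parse the JSON audit log, feed the result to the firewall" arrangement Andrew suggests, added here as an example and not code from Samba, Palo Alto, or anyone in the thread. It assumes the record layout described on the Samba audit-logging wiki page (fields `type`, `Authentication`, `status`, `remoteAddress`, `mappedAccount`, `mappedDomain`, `timestamp`) and the PAN-OS User-ID XML API `<uid-message>` shape as I know it; both should be checked against real log output and the firewall's documentation before use. The log lines are constructed for the example.

```python
"""Samba JSON auth audit records -> user-to-IP map -> PAN-OS User-ID update.

Added example for this thread (not Samba, Palo Alto, or list-member code).
Assumptions: JSON field names as on the Samba audit-logging wiki page;
<uid-message> layout as in the User-ID XML API.  Verify both locally.
"""
import json
import xml.etree.ElementTree as ET
from datetime import datetime
from typing import Dict, Iterable, Optional, Tuple

# Constructed sample lines: syslog prefix, Samba's "JSON Authentication:"
# label, then the record.  Hosts, accounts and addresses are invented.
SAMPLE_LINES = [
    # successful Kerberos logon for alice from 192.0.2.50
    'Feb 14 12:58:01 dc1 samba[1234]: JSON Authentication: {"timestamp": '
    '"2022-02-14T12:58:01.000000-0500", "type": "Authentication", "Authentication": '
    '{"status": "NT_STATUS_OK", "remoteAddress": "ipv4:192.0.2.50:49152", '
    '"serviceDescription": "Kerberos KDC", "mappedAccount": "alice", "mappedDomain": "EXAMPLE"}}',
    # failed logon for bob: must not produce a mapping
    'Feb 14 12:59:10 dc1 samba[1234]: JSON Authentication: {"timestamp": '
    '"2022-02-14T12:59:10.000000-0500", "type": "Authentication", "Authentication": '
    '{"status": "NT_STATUS_WRONG_PASSWORD", "remoteAddress": "ipv4:192.0.2.51:49153", '
    '"mappedAccount": "bob", "mappedDomain": "EXAMPLE"}}',
    # unrelated log noise, and a line with braces that is not JSON
    'Feb 14 13:00:00 dc1 smbd[1250]: connect to service netlogon initially as user alice',
    'Feb 14 13:00:05 dc1 samba[1234]: printer {unavailable}',
    # machine account on the same host: skipped so it never overwrites a user
    'Feb 14 13:01:00 dc1 samba[1234]: JSON Authentication: {"timestamp": '
    '"2022-02-14T13:01:00.000000-0500", "type": "Authentication", "Authentication": '
    '{"status": "NT_STATUS_OK", "remoteAddress": "ipv4:192.0.2.50:49160", '
    '"mappedAccount": "WS01$", "mappedDomain": "EXAMPLE"}}',
    # carol logs on at the same host later: replaces alice for 192.0.2.50
    'Feb 14 13:05:00 dc1 samba[1234]: JSON Authentication: {"timestamp": '
    '"2022-02-14T13:05:00.000000-0500", "type": "Authentication", "Authentication": '
    '{"status": "NT_STATUS_OK", "remoteAddress": "ipv4:192.0.2.50:49170", '
    '"mappedAccount": "carol", "mappedDomain": "EXAMPLE"}}',
]


def parse_audit_line(line: str) -> Optional[dict]:
    """Return the Authentication record embedded in a log line, else None."""
    start = line.find("{")
    if start < 0:
        return None
    try:
        rec = json.loads(line[start:])
    except json.JSONDecodeError:
        return None  # braces but not a JSON record
    if isinstance(rec, dict) and rec.get("type") == "Authentication":
        return rec
    return None


def extract_ip(remote: str) -> Optional[str]:
    """'ipv4:192.0.2.50:49152' / 'ipv6:2001:db8::1:49152' -> bare address."""
    family, _, rest = remote.partition(":")
    if family not in ("ipv4", "ipv6") or not rest:
        return None
    addr, sep, _port = rest.rpartition(":")
    return addr if sep else rest


def build_mapping(lines: Iterable[str]) -> Dict[str, Tuple[str, datetime]]:
    """Map client IP -> (DOMAIN\\user, time of newest successful logon).

    One entry per IP, so a fresh logon from a host replaces the earlier
    user (the multi-user-per-machine problem in the question).  Failed
    authentications and machine accounts (trailing '$') are ignored.
    """
    mapping: Dict[str, Tuple[str, datetime]] = {}
    for line in lines:
        rec = parse_audit_line(line)
        if rec is None:
            continue
        auth = rec.get("Authentication", {})
        account = auth.get("mappedAccount") or ""
        if auth.get("status") != "NT_STATUS_OK" or not account or account.endswith("$"):
            continue
        ip = extract_ip(auth.get("remoteAddress", ""))
        try:
            ts = datetime.strptime(rec["timestamp"], "%Y-%m-%dT%H:%M:%S.%f%z")
        except (KeyError, ValueError):
            continue  # no usable time: cannot order it against other logons
        if ip is None:
            continue
        domain = auth.get("mappedDomain")
        user = f"{domain}\\{account}" if domain else account
        prev = mapping.get(ip)
        if prev is None or ts >= prev[1]:
            mapping[ip] = (user, ts)
    return mapping


def to_uid_message(mapping: Dict[str, Tuple[str, datetime]], timeout_minutes: int = 30) -> str:
    """Render the map as a User-ID XML API 'update' message (assumed layout)."""
    root = ET.Element("uid-message")
    ET.SubElement(root, "version").text = "1.0"
    ET.SubElement(root, "type").text = "update"
    login = ET.SubElement(ET.SubElement(root, "payload"), "login")
    for ip, (user, _ts) in sorted(mapping.items()):
        ET.SubElement(login, "entry", name=user, ip=ip, timeout=str(timeout_minutes))
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print(to_uid_message(build_mapping(SAMPLE_LINES)))
```

Re-sending the rendered update on a schedule (from a cron job or a log tailer that remembers the current map) is what keeps the firewall's 30-minute cache alive between logons; syslog forwarding alone only fires when the DC sees an authentication, which, as Andrew notes, a Kerberos client with a 10-hour ticket may not do for hours.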