Andrew Bartlett
2022-Feb-15 06:37 UTC
[Samba] Compatibility With PaloAlto User Identification
On Mon, 2022-02-14 at 12:58 -0500, ralph strebbing via samba wrote:
> Hey All,
>
> I've got a PaloAlto 460 that we're working on integrating, and one of
> the things we're trying to get set up is the User-ID. Normally they
> have you install an agent on the Windows Domain Controller to listen
> to the event-viewer and relay login and logout events back to the
> firewall to correlate Users to IPs.
>
> There was an article posted
> (
> https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClRhCAK
> )
> that detailed setting Samba up to forward logs via syslogd, and then
> set up a listener on the firewall along with a profile to regex parse
> the info it needs.

> Now that the background has been explained (same thing I have in the
> ticket to Palo-Alto), I wanted to know if there may be a better
> approach to this issue from the samba side of things. Right now the
> article's solution is a bit crude, and as noted in my last mail
> thread, I have too verbose of logging being spilled out into the
> syslog of the domain controller. I know that Event Viewer
> functionality is a thing now, so would that work better? Or if
> someone
> else has set this up with a Palo in their environment and has a nicer
> solution, I'd appreciate that specific insight.

We don't have event viewer support for this kind of thing (or anything really), but we have really awesome JSON based audit logging.

I suggest parsing the audit logs with a JSON parser and having the PaloAlto accept the output of that.

https://wiki.samba.org/index.php/Setting_up_Audit_Logging

If you get that working, I would love to see a wiki page describing the arrangement so we can help others with similar devices.

The approach above only detects file access, e.g. for the logon script, but the AD audit logging can catch all activity. However a good Kerberos client won't be hitting the DC all day - it will get a TGT and a ticket to the services it needs and keep it for 10 hours.

So the caching issue can't be addressed, sadly.

I hope this helps,

Andrew Bartlett

--
Andrew Bartlett (he/him) https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead, Catalyst IT https://catalyst.net.nz/services/samba
Samba Development and Support, Catalyst IT - Expert Open Source Solutions
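One way to do the JSON parsing suggested in the message above, as an added example that is not part of the original thread or of Samba: it turns successful Authentication audit records into one user-to-IP line per login. The sample log is constructed and trimmed to the fields used; the function names and the output line format are assumptions, and the firewall's syslog parse profile would have to be written to match that format.

```python
import ipaddress
import json

# Constructed sample (not from the thread): Samba JSON audit lines, trimmed to the
# fields used here, plus one non-JSON debug header line that must be skipped.
SAMPLE_LOG = '''[constructed debug header line, not JSON]
  {"type": "Authentication", "Authentication": {"status": "NT_STATUS_OK", "remoteAddress": "ipv4:192.0.2.10:50412", "becameDomain": "EXAMPLE", "becameAccount": "alice"}}
  {"type": "Authentication", "Authentication": {"status": "NT_STATUS_WRONG_PASSWORD", "remoteAddress": "ipv4:192.0.2.11:50413", "becameDomain": null, "becameAccount": null}}
  {"type": "Authentication", "Authentication": {"status": "NT_STATUS_OK", "remoteAddress": "ipv4:192.0.2.12:50414", "becameDomain": "EXAMPLE", "becameAccount": "WS01$"}}
  {"type": "Authorization", "Authorization": {"remoteAddress": "ipv4:192.0.2.10:50415", "account": "alice"}}
  {"type": "Authentication", "Authentication": {"status": "NT_STATUS_OK", "remoteAddress": "ipv6:2001:db8::5:50416", "becameDomain": "EXAMPLE", "becameAccount": "carol"}}
'''

def remote_ip(addr):
    """'ipv4:192.0.2.10:50412' or 'ipv6:2001:db8::5:50416' -> bare IP, else None."""
    family, _, rest = (addr or "").partition(":")
    host, _, port = rest.rpartition(":")
    if family not in ("ipv4", "ipv6") or not port.isdigit():
        return None
    try:
        return str(ipaddress.ip_address(host))
    except ValueError:
        return None

def user_ip_mappings(lines):
    """Yield (DOMAIN\\user, ip) for each successful user Authentication record."""
    for line in lines:
        line = line.strip()
        if not line.startswith("{"):
            continue                      # debug header or other non-JSON text
        try:
            rec = json.loads(line)
        except ValueError:
            continue                      # truncated or corrupt record
        auth = rec.get("Authentication") if rec.get("type") == "Authentication" else None
        if not auth or auth.get("status") != "NT_STATUS_OK":
            continue
        ip = remote_ip(auth.get("remoteAddress"))
        user, domain = auth.get("becameAccount"), auth.get("becameDomain")
        # Drop machine accounts and any name that could break the one-line format.
        if not (ip and user and domain) or user.endswith("$") or any(c.isspace() for c in user + domain):
            continue
        yield f"{domain}\\{user}", ip

def syslog_lines(lines):
    """Assumed output format; not a PAN-OS-defined one."""
    return [f"samba-userid login user={u} ip={ip}" for u, ip in user_ip_mappings(lines)]

if __name__ == "__main__":
    print("\n".join(syslog_lines(SAMPLE_LOG.splitlines())))
```

A mapping produced this way is only refreshed when the client next authenticates to the DC, which is the ticket-caching limitation described in the message.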
ralph strebbing
2022-Feb-15 20:12 UTC
[Samba] Compatibility With PaloAlto User Identification
On Tue, Feb 15, 2022 at 1:37 AM Andrew Bartlett <abartlet at samba.org> wrote:
> If you get that working, I would love to see a wiki page describing the
> arrangement so we can help others with similar devices.

A way that I'm going to try getting this working is to use the Kerberos approach by getting Kerberos v5 SSO set up. The thing I'm hung up on right now is getting the keytab generated properly.

https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/authentication/configure-kerberos-single-sign-on.html

The above link describes the commands to run on a Windows DC. How should those translate for Samba?

Ralph