Andrew Bartlett
2022-Feb-24 23:06 UTC
[Samba] DSDB Audit of User Creation/Deletion on Samba DC
That really should be logged then.

No idea right now on what is going on, you will have to dig further.

Andrew,

On Thu, 2022-02-24 at 22:36 +0000, Joseph Bell wrote:
> Thanks Andrew. I actually use the AD DS RSAT tools on a Windows
> server that point to my Samba Domain Controller. It has worked
> beautifully thus far.
>
> From: Andrew Bartlett <abartlet at samba.org>
> Date: Thursday, February 24, 2022 at 4:30 PM
> To: Joseph Bell <joe at iachieved.it>, samba at lists.samba.org <samba at lists.samba.org>
> Subject: Re: [Samba] DSDB Audit of User Creation/Deletion on Samba DC
>
> On Thu, 2022-02-24 at 22:26 +0000, Joseph Bell via samba wrote:
> > I run Samba 4.13 on an Ubuntu 20.04 LTS server as an Active Directory
> > Domain Controller, and one of my compliance responsibilities is to
> > log and audit user creation, deletion, and modification (group member
> > changes). I thought I could accomplish this with:
> >
> > log level = 1 dsdb_json_audit:5 dsdb_password_json_audit:5
> > dsdb_group_json_audit:5 dsdb_transaction_json_audit:5
> >
> > in smb.conf, and indeed, I do receive a lot of dsdbChange and
> > groupChange notifications in log.samba. Further testing of this
> > though leads me to believe that I either have something missing or
> > user creation is not logged as a dsdb change.
> >
> > My question is whether or not that is true, in which case how do I
> > log user creation, and if it isn't true, what am I missing in my
> > configuration?
>
> How do you create the users? If you use command-line tools locally,
> then local access as root won't be logged to log.samba, it will be
> logged to the terminal (this wasn't made a priority to address as the
> root user could just turn off the logs anyway).
>
> Perhaps your sudo logging might capture these, or use root less and do
> remote operations to add users.
>
> Andrew Bartlett
>
--
Andrew Bartlett (he/him)        https://samba.org/~abartlet/
Samba Team Member (since 2001)  https://samba.org
Samba Team Lead, Catalyst IT    https://catalyst.net.nz/services/samba

Samba Development and Support, Catalyst IT - Expert Open Source Solutions
Patrick Goetz
2022-Feb-25 14:30 UTC
[Samba] DSDB Audit of User Creation/Deletion on Samba DC
On 2/24/22 17:06, Andrew Bartlett via samba wrote:
> That really should be logged then.
>
> No idea right now on what is going on, you will have to dig further.
>

Because I want a lot of stuff to happen automatically (e.g. add new user to default groups, create a UNIX home directory, turn off password expiration, etc.) I wrote a script to create new user accounts, which then presumably isn't logged? That would seem like the normal use case. I tried creating new users using RSAT and found the experience underwhelming.

> Andrew,
>
> On Thu, 2022-02-24 at 22:36 +0000, Joseph Bell wrote:
>> Thanks Andrew. I actually use the AD DS RSAT tools on a Windows
>> server that point to my Samba Domain Controller. It has worked
>> beautifully thus far.
>>
>> From: Andrew Bartlett <abartlet at samba.org>
>> Date: Thursday, February 24, 2022 at 4:30 PM
>> To: Joseph Bell <joe at iachieved.it>, samba at lists.samba.org <samba at lists.samba.org>
>> Subject: Re: [Samba] DSDB Audit of User Creation/Deletion on Samba DC
>>
>> On Thu, 2022-02-24 at 22:26 +0000, Joseph Bell via samba wrote:
>>> I run Samba 4.13 on an Ubuntu 20.04 LTS server as an Active Directory
>>> Domain Controller, and one of my compliance responsibilities is to
>>> log and audit user creation, deletion, and modification (group member
>>> changes). I thought I could accomplish this with:
>>>
>>> log level = 1 dsdb_json_audit:5 dsdb_password_json_audit:5
>>> dsdb_group_json_audit:5 dsdb_transaction_json_audit:5
>>>
>>> in smb.conf, and indeed, I do receive a lot of dsdbChange and
>>> groupChange notifications in log.samba. Further testing of this
>>> though leads me to believe that I either have something missing or
>>> user creation is not logged as a dsdb change.
>>>
>>> My question is whether or not that is true, in which case how do I
>>> log user creation, and if it isn't true, what am I missing in my
>>> configuration?
>>
>> How do you create the users? If you use command-line tools locally,
>> then local access as root won't be logged to log.samba, it will be
>> logged to the terminal (this wasn't made a priority to address as the
>> root user could just turn off the logs anyway).
>>
>> Perhaps your sudo logging might capture these, or use root less and do
>> remote operations to add users.
>>
>> Andrew Bartlett
>>
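An added example, not part of the thread and not Samba project code: a Python filter that pulls user creations, deletions and group membership changes out of the JSON audit lines that the `log level` setting quoted above writes to log.samba. The `JSON [type]: {...}` line framing, the field names and the sample records are assumptions constructed for illustration; check them against your own log before relying on the output.

```python
import json
import re

# Constructed sample of log.samba content. Field names are assumed to follow
# Samba's JSON audit records; all values are made up for this example.
SAMPLE_LOG = r'''
  an unrelated debug line that must be ignored
  JSON [dsdbChange]: {"timestamp": "2022-02-24T22:10:01+0000", "type": "dsdbChange", "dsdbChange": {"status": "Success", "operation": "Add", "remoteAddress": "ipv4:192.0.2.10:51234", "userSid": "S-1-5-21-1-2-3-500", "dn": "CN=Test User,CN=Users,DC=example,DC=test", "attributes": {"objectClass": {"actions": [{"action": "add", "values": [{"value": "user"}]}]}}}}
  JSON [dsdbChange]: {"timestamp": "2022-02-24T22:10:05+0000", "type": "dsdbChange", "dsdbChange": {"status": "Success", "operation": "Modify", "remoteAddress": "ipv4:192.0.2.10:51234", "userSid": "S-1-5-21-1-2-3-500", "dn": "CN=Test User,CN=Users,DC=example,DC=test", "attributes": {"description": {"actions": [{"action": "replace", "values": [{"value": "x"}]}]}}}}
  JSON [groupChange]: {"timestamp": "2022-02-24T22:10:09+0000", "type": "groupChange", "groupChange": {"status": "Success", "action": "Added", "remoteAddress": "ipv4:192.0.2.10:51234", "userSid": "S-1-5-21-1-2-3-500", "group": "CN=Staff,CN=Users,DC=example,DC=test", "user": "CN=Test User,CN=Users,DC=example,DC=test"}}
  JSON [dsdbChange]: {"timestamp": "2022-02-24T22:11:00+0000", "type": }
  JSON [dsdbChange]: {"timestamp": "2022-02-24T22:12:00+0000", "type": "dsdbChange", "dsdbChange": {"status": "Success", "operation": "Delete", "remoteAddress": "ipv4:192.0.2.10:51300", "userSid": "S-1-5-21-1-2-3-500", "dn": "CN=Old User,CN=Users,DC=example,DC=test"}}
'''

JSON_LINE = re.compile(r'JSON \[(dsdbChange|groupChange)\]: (\{.*\})\s*$')

def object_classes(change):
    """objectClass values set by a dsdbChange record (empty set if none)."""
    actions = change.get("attributes", {}).get("objectClass", {}).get("actions", [])
    return {v.get("value", "").lower() for a in actions for v in a.get("values", [])}

def account_events(log_text):
    """Return (timestamp, event, target, actor SID, remote address) tuples."""
    events = []
    for line in log_text.splitlines():
        m = JSON_LINE.search(line)
        if not m:
            continue
        try:
            rec = json.loads(m.group(2))
        except json.JSONDecodeError:
            continue  # truncated or interleaved record: skip it, keep going
        body = rec.get(m.group(1), {})
        if body.get("status") != "Success":
            continue
        ts, who = rec.get("timestamp"), (body.get("userSid"), body.get("remoteAddress"))
        if m.group(1) == "groupChange":
            target = f'{body.get("user")} -> {body.get("group")}'
            events.append((ts, "group-" + body.get("action", "?").lower(), target, *who))
        elif body.get("operation") == "Add" and "user" in object_classes(body):
            events.append((ts, "user-create", body.get("dn"), *who))
        elif body.get("operation") == "Delete":
            # Assumed: a delete record carries only the DN, so every delete is kept.
            events.append((ts, "delete", body.get("dn"), *who))
    return events

if __name__ == "__main__":
    for event in account_events(SAMPLE_LOG):
        print(*event, sep=" | ")
```

As noted in the thread, changes made locally as root are not written to log.samba, so this filter only sees operations that reach the DC remotely.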