Patrick Goetz
2022-Feb-25 14:30 UTC
[Samba] DSDB Audit of User Creation/Deletion on Samba DC
On 2/24/22 17:06, Andrew Bartlett via samba wrote:
> That really should be logged then.
>
> No idea right now on what is going on, you will have to dig further.
>

Because I want a lot of stuff to happen automatically (e.g. add new user to default groups, create a UNIX home directory, turn off password expiration, etc.) I wrote a script to create new user accounts, which then presumably isn't logged? That would seem like the normal use case. I tried creating new users using RSAT and found the experience underwhelming.

> Andrew,
>
> On Thu, 2022-02-24 at 22:36 +0000, Joseph Bell wrote:
>> Thanks Andrew. I actually use the AD DS RSAT tools on a Windows server that point to my Samba Domain Controller. It has worked beautifully thus far.
>>
>> From: Andrew Bartlett <abartlet at samba.org>
>> Date: Thursday, February 24, 2022 at 4:30 PM
>> To: Joseph Bell <joe at iachieved.it>, samba at lists.samba.org <samba at lists.samba.org>
>> Subject: Re: [Samba] DSDB Audit of User Creation/Deletion on Samba DC
>>
>> On Thu, 2022-02-24 at 22:26 +0000, Joseph Bell via samba wrote:
>>> I run Samba 4.13 on an Ubuntu 20.04 LTS server as an Active Directory Domain Controller, and one of my compliance responsibilities is to log and audit user creation, deletion, and modification (group member changes). I thought I could accomplish this with:
>>>
>>> log level = 1 dsdb_json_audit:5 dsdb_password_json_audit:5 dsdb_group_json_audit:5 dsdb_transaction_json_audit:5
>>>
>>> in smb.conf, and indeed, I do receive a lot of dsdbChange and groupChange notifications in log.samba. Further testing of this though leads me to believe that I either have something missing or user creation is not logged as a dsdb change.
>>>
>>> My question is whether or not that is true, in which case how do I log user creation, and if it isn't true, what am I missing in my configuration?
>>
>> How do you create the users? If you use command-line tools locally, then local access as root won't be logged to log.samba, it will be logged to the terminal (this wasn't made a priority to address as the root user could just turn off the logs anyway).
>>
>> Perhaps your sudo logging might capture these, or use root less and do remote operations to add users.
>>
>> Andrew Bartlett
Joseph Bell
2022-Feb-25 15:50 UTC
[Samba] DSDB Audit of User Creation/Deletion on Samba DC
Thanks Patrick and Andrew. So I have a testbed I use separate from my corporate environment, and in the testbed the DSDB logs came across for both user creation (via RSAT) and deletion (likewise):

{"timestamp": "2022-02-25T15:36:34.076478+0000", "type": "groupChange", "groupChange": {"version": {"major": 1, "minor": 1}, "eventId": 4728, "statusCode": 0, "status": "Success", "action": "Added", "remoteAddress": "ipv4:10.12.0.117:64802", "userSid": "S-1-5-21-3939649434-3429806823-329711302-500", "group": "CN=Test User,OU=Domain Users,DC=sd,DC=iachieved,DC=it", "transactionId": "c8c603f6-eabb-4468-ad84-e97614fea98a", "sessionId": "86953890-6df0-4fa7-bbaf-d2b120b19163", "user": "CN=Test User,OU=Domain Users,DC=sd,DC=iachieved,DC=it"}}

{"timestamp": "2022-02-25T15:37:12.358476+0000", "type": "dsdbChange", "dsdbChange": {"version": {"major": 1, "minor": 0}, "statusCode": 0, "status": "Success", "operation": "Delete", "remoteAddress": "ipv4:10.12.0.117:64810", "performedAsSystem": false, "userSid": "S-1-5-21-3939649434-3429806823-329711302-500", "dn": "CN=Test User,OU=Domain Users,DC=sd,DC=iachieved,DC=it", "transactionId": "8b03a388-d9a3-4a57-aad8-b62d4c67b31c", "sessionId": "2db06449-f87a-4e41-970c-f00078b33e3d"}}

I reran the test on the corporate DC and the logs did not appear. Both systems are based on Ubuntu 20.04 and use the stock Ubuntu samba packages. The only difference that is glaring is that the corporate DC is an ARM64 server in AWS, whereas the testbed is x86 on Proxmox. I'll continue to troubleshoot. Thanks in advance if there are any insights.

Joe

From: samba <samba-bounces at lists.samba.org> on behalf of Patrick Goetz via samba <samba at lists.samba.org>
Date: Friday, February 25, 2022 at 8:33 AM
To: samba at lists.samba.org <samba at lists.samba.org>
Subject: Re: [Samba] DSDB Audit of User Creation/Deletion on Samba DC

On 2/24/22 17:06, Andrew Bartlett via samba wrote:
> That really should be logged then.
>
> No idea right now on what is going on, you will have to dig further.
>

Because I want a lot of stuff to happen automatically (e.g. add new user to default groups, create a UNIX home directory, turn off password expiration, etc.) I wrote a script to create new user accounts, which then presumably isn't logged? That would seem like the normal use case. I tried creating new users using RSAT and found the experience underwhelming.

> Andrew,
>
> On Thu, 2022-02-24 at 22:36 +0000, Joseph Bell wrote:
>> Thanks Andrew. I actually use the AD DS RSAT tools on a Windows server that point to my Samba Domain Controller. It has worked beautifully thus far.
>>
>> From: Andrew Bartlett <abartlet at samba.org>
>> Date: Thursday, February 24, 2022 at 4:30 PM
>> To: Joseph Bell <joe at iachieved.it>, samba at lists.samba.org <samba at lists.samba.org>
>> Subject: Re: [Samba] DSDB Audit of User Creation/Deletion on Samba DC
>>
>> On Thu, 2022-02-24 at 22:26 +0000, Joseph Bell via samba wrote:
>>> I run Samba 4.13 on an Ubuntu 20.04 LTS server as an Active Directory Domain Controller, and one of my compliance responsibilities is to log and audit user creation, deletion, and modification (group member changes). I thought I could accomplish this with:
>>>
>>> log level = 1 dsdb_json_audit:5 dsdb_password_json_audit:5 dsdb_group_json_audit:5 dsdb_transaction_json_audit:5
>>>
>>> in smb.conf, and indeed, I do receive a lot of dsdbChange and groupChange notifications in log.samba. Further testing of this though leads me to believe that I either have something missing or user creation is not logged as a dsdb change.
>>>
>>> My question is whether or not that is true, in which case how do I log user creation, and if it isn't true, what am I missing in my configuration?
>>
>> How do you create the users? If you use command-line tools locally, then local access as root won't be logged to log.samba, it will be logged to the terminal (this wasn't made a priority to address as the root user could just turn off the logs anyway).
>>
>> Perhaps your sudo logging might capture these, or use root less and do remote operations to add users.
>>
>> Andrew Bartlett
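As an added example (not code from the thread or from Samba), a small Python filter that reads log.samba lines of the shape Joe pasted, keeps only successful dsdbChange Add/Delete and groupChange Added/Removed records, and reports timestamp, subject, acting SID and remote address for a compliance review. The sample lines are constructed with placeholder SIDs, DNs and ids; the "Add" operation and "Removed" action values are assumed by analogy to the "Delete" and "Added" records shown above.

```python
import json

# Constructed sample log.samba lines modelled on the records quoted in the
# thread; SIDs, DNs and transaction/session ids are placeholders.  Line 3 is
# a non-JSON debug line and line 4 a Modify, both of which must be skipped.
SAMPLE_LOG = """\
{"timestamp": "2022-02-25T15:36:34.076478+0000", "type": "groupChange", "groupChange": {"version": {"major": 1, "minor": 1}, "eventId": 4728, "statusCode": 0, "status": "Success", "action": "Added", "remoteAddress": "ipv4:10.12.0.117:64802", "userSid": "S-1-5-21-1-2-3-500", "group": "CN=Staff,OU=Groups,DC=example,DC=test", "transactionId": "tx-1", "sessionId": "sess-1", "user": "CN=Test User,OU=Staff,DC=example,DC=test"}}
{"timestamp": "2022-02-25T15:37:12.358476+0000", "type": "dsdbChange", "dsdbChange": {"version": {"major": 1, "minor": 0}, "statusCode": 0, "status": "Success", "operation": "Delete", "remoteAddress": "ipv4:10.12.0.117:64810", "performedAsSystem": false, "userSid": "S-1-5-21-1-2-3-500", "dn": "CN=Test User,OU=Staff,DC=example,DC=test", "transactionId": "tx-2", "sessionId": "sess-2"}}
[2022/02/25 15:37:13.000000,  1] constructed debug line with a stray brace {not json
{"timestamp": "2022-02-25T15:38:01.000000+0000", "type": "dsdbChange", "dsdbChange": {"version": {"major": 1, "minor": 0}, "statusCode": 0, "status": "Success", "operation": "Modify", "remoteAddress": "ipv4:10.12.0.117:64811", "performedAsSystem": false, "userSid": "S-1-5-21-1-2-3-500", "dn": "CN=Test User,OU=Staff,DC=example,DC=test", "transactionId": "tx-3", "sessionId": "sess-3"}}
"""


def parse_audit_line(line):
    """Return the JSON audit object on a log line, or None for anything else."""
    start = line.find("{")
    if start < 0:
        return None
    try:
        rec = json.loads(line[start:])
    except ValueError:  # debug noise that merely contains a brace
        return None
    # Every audit record names its type and carries a sub-object of that name.
    if not isinstance(rec, dict) or rec.get("type") not in rec:
        return None
    return rec


def account_event(rec):
    """Map a record to (kind, subject, actor_sid, remote), or None if not an account event."""
    kind = rec["type"]
    body = rec[kind]
    if body.get("status") != "Success":  # failed attempts carry a non-zero statusCode
        return None
    if kind == "dsdbChange" and body.get("operation") in ("Add", "Delete"):
        return (body["operation"].lower(), body["dn"],
                body.get("userSid"), body.get("remoteAddress"))
    if kind == "groupChange" and body.get("action") in ("Added", "Removed"):
        return ("member_" + body["action"].lower(),
                body["user"] + " -> " + body["group"],
                body.get("userSid"), body.get("remoteAddress"))
    return None


def account_events(lines):
    """Walk log lines and return [(timestamp, kind, subject, actor_sid, remote), ...]."""
    events = []
    for line in lines:
        rec = parse_audit_line(line)
        if rec is not None and account_event(rec) is not None:
            events.append((rec["timestamp"],) + account_event(rec))
    return events


if __name__ == "__main__":
    for ev in account_events(SAMPLE_LOG.splitlines()):
        print(" | ".join(str(f) for f in ev))
```

Run it against a real log.samba with `account_events(open("log.samba").readlines())`; records written by local command-line tools will simply be absent, as Andrew explains above.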
Andrew Bartlett
2022-Feb-25 19:50 UTC
[Samba] DSDB Audit of User Creation/Deletion on Samba DC
On Fri, 2022-02-25 at 08:30 -0600, Patrick Goetz via samba wrote:
>
> On 2/24/22 17:06, Andrew Bartlett via samba wrote:
> > That really should be logged then.
> >
> > No idea right now on what is going on, you will have to dig further.
> >
>
> Because I want a lot of stuff to happen automatically (e.g. add new user to default groups, create a UNIX home directory, turn off password expiration, etc.) I wrote a script to create new user accounts, which then presumably isn't logged?

Correct. You could force those over LDAP via -H to get them logged, but you will need credentials.

> That would seem like the normal use case. I tried creating new users using RSAT and found the experience underwhelming.

We know it is a weak point, but we don't have a good answer for this part. The audit code does run, but it is mixed into the debug stream and put on stderr, and often overridden by the debug level of the command line tools.

Sorry,

Andrew Bartlett

-- 
Andrew Bartlett (he/him) https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Developer, Catalyst IT https://catalyst.net.nz/services/samba