Hi all,
running a Samba AD with
dsdb_json_audit:5
in smb.conf perfectly for months; yesterday a messed up / suspicious
entry containing "CN=[...]\0ADEL:[someId]" as CN showed up in the logs.
I could not find any information on what this means or what could have
triggered it; maybe it means something like "newline" + "DEL". No other
Delete entry has this appendix in a string. The domain name also
includes "CN=Deleted Objects", so maybe this was the final delete from
some kind of trash folder?
There are 5 entries that show this "\0ADEL" appendix after a valid CN;
all report deletion of a test object for "Hildegard Test" within only a
few milliseconds, and all have result==Success, which makes me wonder,
because this object should exist only once and should never be deleted,
and especially it cannot be deleted five times.
The given userSid S-1-5-18 belongs to "NT Authority\SYSTEM 5" according
to wbinfo, and I don't understand remoteAddress==null either. The
sessionId seems to be an internal server id, because for the given
sessionId there are numerous login+logout messages over a very long time
and for several users.
How to find out
- what (user/machine/process/...) triggered the deletion of those objects,
- why the message in the log is formatted like "[Name]\0ADEL[id]"?
Thanks in advance,
Tim
Server: Debian 12 bookworm
Samba version: 4.17.12-Debian
Some of the suspicious JSON log entries in dsdb_json_audit.log:
{"timestamp": "2024-09-17T09:26:55.672484+0200",
 "type": "dsdbChange",
 "dsdbChange": {"version": {"major": 1, "minor": 0},
                "statusCode": 0, "status": "Success",
                "operation": "Delete",
                "remoteAddress": null, "performedAsSystem": false,
                "userSid": "S-1-5-18",
                "dn": "CN=Hildegard Test\\0ADEL:6f6ada50-75c5-4b58-b2c2-9c536c3bd2dd,CN=Deleted Objects,DC=hs[...]",
                "transactionId": "aaba9cf0-ad49-4090-848e-387421a7ece2",
                "sessionId": "56478359-facb-4e2d-aaff-b651a73eb325"}}
{"timestamp": "2024-09-17T09:26:55.698738+0200",
 "type": "dsdbChange",
 "dsdbChange": {"version": {"major": 1, "minor": 0},
                "statusCode": 0, "status": "Success",
                "operation": "Delete",
                "remoteAddress": null, "performedAsSystem": false,
                "userSid": "S-1-5-18",
                "dn": "cn=Hildegard Test\\0ADEL:adc46a65-499d-437c-80aa-7dc258a5545d,CN=Deleted Objects,DC=hs[...]",
                "transactionId": "ef24dde8-eb30-4c6a-a90b-82aa4a1c4b1b",
                "sessionId": "56478359-facb-4e2d-aaff-b651a73eb325"}}
{"timestamp": "2024-09-17T09:26:55.713554+0200",
 "type": "dsdbChange",
 "dsdbChange": {"version": {"major": 1, "minor": 0},
                "statusCode": 0, "status": "Success",
                "operation": "Delete",
                "remoteAddress": null, "performedAsSystem": false,
                "userSid": "S-1-5-18",
                "dn": "cn=Hildegard Test\\0ADEL:448acc07-8e15-44fa-9db3-30d93885ceb9,CN=Deleted Objects,DC=hs[...]",
                "transactionId": "053607b2-cb55-4340-a7f6-c6fe504fe512",
                "sessionId": "56478359-facb-4e2d-aaff-b651a73eb325"}}
Rowland Penny
2024-Sep-18 10:37 UTC
[Samba] suspicious dsdb audit log entry containing 0ADEL
On Wed, 18 Sep 2024 11:53:45 +0200 Tim Taylor via samba <samba at lists.samba.org> wrote:
> Hi all,
>
> running an Samba-AD with
> dsdb_json_audit:5
> in smb.conf perfectly for months, yesterday in the logs a messed up /
> suspicious entry containing "CN=[...]\0ADEL:[someId]" as CN showed
> up.

I am surprised you couldn't find anything about that, because it is well known: that record is a tombstone record, a record that has been deleted. There is nothing to worry about; it will eventually disappear in about six months, unless you use samba-tool to remove them.

Rowland
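The following is an added example, not code from Samba, Tim or Rowland. It shows how to recognise the tombstone DNs from Tim's entries and Rowland's explanation when triaging a dsdb_json_audit log: AD renames a deleted object to "<original RDN>\0ADEL:<objectGUID>" and moves it under CN=Deleted Objects, where "\0A" is the DN hex escape for a newline (0x0A). The script parses one JSON object per line (the shape quoted in the thread), extracts the original name and objectGUID from each tombstone delete, and reports per name how many tombstones went, whether the GUIDs were distinct objects (they differ in all three quoted entries), whether the deletes fell in one burst, and whether every event ran as S-1-5-18 with no remoteAddress, i.e. from a local process rather than an LDAP client. The sample lines are constructed, modelled on the quoted entries with a placeholder domain and an invented fourth, ordinary delete for contrast; the address format on that line and the one-second burst window are assumptions.

```python
"""Scan Samba dsdb_json_audit output for deletions of tombstone objects.

Added example, not Samba's code. Assumes one JSON object per line, of the
shape shown in the thread ("type": "dsdbChange" with a nested "dsdbChange").
"""
import json
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines modelled on the quoted entries. The domain is a
# placeholder, the fourth line (a live-object delete over LDAP by a normal
# user, with an assumed remoteAddress format) is invented for contrast.
SAMPLE_LOG = r'''
{"timestamp": "2024-09-17T09:26:55.672484+0200", "type": "dsdbChange", "dsdbChange": {"version": {"major": 1, "minor": 0}, "statusCode": 0, "status": "Success", "operation": "Delete", "remoteAddress": null, "performedAsSystem": false, "userSid": "S-1-5-18", "dn": "CN=Hildegard Test\\0ADEL:6f6ada50-75c5-4b58-b2c2-9c536c3bd2dd,CN=Deleted Objects,DC=example,DC=test", "transactionId": "aaba9cf0-ad49-4090-848e-387421a7ece2", "sessionId": "56478359-facb-4e2d-aaff-b651a73eb325"}}
{"timestamp": "2024-09-17T09:26:55.698738+0200", "type": "dsdbChange", "dsdbChange": {"version": {"major": 1, "minor": 0}, "statusCode": 0, "status": "Success", "operation": "Delete", "remoteAddress": null, "performedAsSystem": false, "userSid": "S-1-5-18", "dn": "cn=Hildegard Test\\0ADEL:adc46a65-499d-437c-80aa-7dc258a5545d,CN=Deleted Objects,DC=example,DC=test", "transactionId": "ef24dde8-eb30-4c6a-a90b-82aa4a1c4b1b", "sessionId": "56478359-facb-4e2d-aaff-b651a73eb325"}}
{"timestamp": "2024-09-17T09:26:55.713554+0200", "type": "dsdbChange", "dsdbChange": {"version": {"major": 1, "minor": 0}, "statusCode": 0, "status": "Success", "operation": "Delete", "remoteAddress": null, "performedAsSystem": false, "userSid": "S-1-5-18", "dn": "cn=Hildegard Test\\0ADEL:448acc07-8e15-44fa-9db3-30d93885ceb9,CN=Deleted Objects,DC=example,DC=test", "transactionId": "053607b2-cb55-4340-a7f6-c6fe504fe512", "sessionId": "56478359-facb-4e2d-aaff-b651a73eb325"}}
{"timestamp": "2024-09-17T10:02:11.000000+0200", "type": "dsdbChange", "dsdbChange": {"version": {"major": 1, "minor": 0}, "statusCode": 0, "status": "Success", "operation": "Delete", "remoteAddress": "ipv4:192.0.2.10:51234", "performedAsSystem": false, "userSid": "S-1-5-21-1111-2222-3333-1105", "dn": "CN=Hildegard Test,OU=Users,DC=example,DC=test", "transactionId": "11111111-2222-3333-4444-555555555555", "sessionId": "66666666-7777-8888-9999-aaaaaaaaaaaa"}}
'''

# AD names a deleted object "<original RDN>\0ADEL:<objectGUID>" and moves it
# under CN=Deleted Objects. "\0A" is the DN hex escape for a newline (0x0A),
# so the RDN is literally: original name, newline, "DEL:", objectGUID.
TOMBSTONE_RE = re.compile(
    r"^cn=(?P<name>.+?)\\0ADEL:(?P<guid>[0-9a-f-]{36}),cn=deleted objects,",
    re.IGNORECASE,
)
SYSTEM_SID = "S-1-5-18"  # NT AUTHORITY\SYSTEM, as in the quoted entries


def parse_audit_log(text):
    """Return dsdbChange records with the outer timestamp parsed and folded in."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        entry = json.loads(line)
        if entry.get("type") != "dsdbChange":
            continue  # dsdbTransaction and other audit types are not handled
        rec = dict(entry["dsdbChange"])
        rec["timestamp"] = datetime.strptime(entry["timestamp"],
                                             "%Y-%m-%dT%H:%M:%S.%f%z")
        records.append(rec)
    return records


def tombstone_parts(dn):
    """Return (original CN, objectGUID) for a tombstone DN, else None."""
    m = TOMBSTONE_RE.match(dn)
    if not m:
        return None
    return m.group("name"), m.group("guid").lower()


def tombstone_deletes(records):
    """Successful Delete operations whose target is already a tombstone,
    keyed by the original CN (case-folded)."""
    groups = defaultdict(list)
    for rec in records:
        if rec.get("operation") != "Delete" or rec.get("status") != "Success":
            continue
        parts = tombstone_parts(rec.get("dn", ""))
        if parts is None:
            continue
        name, guid = parts
        groups[name.lower()].append({
            "guid": guid,
            "when": rec["timestamp"],
            "userSid": rec.get("userSid"),
            "remoteAddress": rec.get("remoteAddress"),
            "sessionId": rec.get("sessionId"),
            "transactionId": rec.get("transactionId"),
        })
    return dict(groups)


def burst_report(groups, window_seconds=1.0):
    """Per original CN: how many tombstones were removed, how many distinct
    objects that was, whether it happened within one burst, and whether every
    event ran as SYSTEM with no remoteAddress (a local process, not an LDAP
    client). The window length is an assumption for this example."""
    report = {}
    for name, events in groups.items():
        times = sorted(e["when"] for e in events)
        span = (times[-1] - times[0]).total_seconds()
        report[name] = {
            "count": len(events),
            "distinct_guids": len({e["guid"] for e in events}),
            "burst": len(events) > 1 and span <= window_seconds,
            "local_system_only": all(
                e["remoteAddress"] is None and e["userSid"] == SYSTEM_SID
                for e in events
            ),
            "sessions": sorted({e["sessionId"] for e in events}),
        }
    return report


if __name__ == "__main__":
    groups = tombstone_deletes(parse_audit_log(SAMPLE_LOG))
    for name, info in burst_report(groups).items():
        print(name, info)
```

Run against a real dsdb_json_audit file by replacing SAMPLE_LOG with the file contents; a name with several distinct GUIDs means several objects of that name were created and deleted, not one object deleted repeatedly, and the sessionId and transactionId values in each event are the keys to correlate with the surrounding dsdbTransaction and authentication entries from the same session.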