samba - Nov 2024 - samba log level: ldap log file remains empty

Op 25-11-2024 om 11:57 schreef Rowland Penny via samba:
> On Mon, 25 Nov 2024 11:44:28 +0100
> Kees van Vloten via samba <samba at lists.samba.org> wrote:
>
>> Op 25-11-2024 om 11:35 schreef Rowland Penny via samba:
>>> On Mon, 25 Nov 2024 09:48:19 +0000
>>> "Hoefle, Marco \(Avnet Silica\) via samba" <samba at
lists.samba.org>
>>> wrote:
>>>
>>>> Hello,
>>>> I have different services using ldap for user/passwd queries. I
am
>>>> using the LDAP server integrated in the samba domain
controller.
>>>> For debugging and login attempts I wanted to have all requests
in a
>>>> separate log file. I am using the 2:4.19.5+dfsg-4ubuntu9
(standard
>>>> ubuntu 24.04 package) samba package.
>>>>
>>>>
>>>> This is the relevant samba dc config:
>>>>
>>>> 	server role = active directory domain controller
>>>> 	server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc,
>>>> drepl, winbindd, ntp_signd, kcc, dnsupdate workgroup = TRAUTES
>>>> 	idmap_ldb:use rfc2307 = yes
>>>> 	allow dns updates = nonsecure and secure
>>>> 	log level = 2
>>>> auth_json_audit:3@/var/log/samba/domain_join.log
>>>> ldap:10@/var/log/samba/ldap.log auth:5 passdb:5 rpc_srv:5
>>>> rpc_parse:5 dnsupdate:10@/var/log/samba/dnsupdate.log log file
>>>> /var/log/samba/log.%m
>>>>
>>>> The domain join log file ( /var/log/samba/domain_join.log) is
>>>> created and works (I see each domain join approach). The LDAP
>>>> queries are not in the file. /var/log/samba/ldap.log is created
>>>> but remains empty even after a successful LDAP query.
>>>>
>>>> Generally, I cannot see any ldap requests in the other log
files
>>>> either.
>>> Sorry, but this is because there is no 'ldap' debug class.
If you
>>> read 'man smb.conf' under 'log level', you will
find a full list of
>>> available debug classes. There is 'ldb' if you can use the
ldb-tools
>>> instead (note: this may work with ldapsearch etc, but I haven't
>>> tried it.).
>> In 4.21 there is "ldapsrv" to log ldap queries.
>>
> Well, yes there is, but the OP may not be able to update or is not
> allowed to use external repos, but if they can, I would always
> recommend using the latest Samba version possible.
Indeed upgrading is the easiest way to solve it. I still have an 
"ldapsrv" patch that works for 4.17 (I can make it available if
needed),
however it stopped working in 4.18 and someone updated the patch for 
4.21, where it got merged. That does not help much for 4.19.5
:-(
>
> However, the OP seems to be using Samba AD for authentication via ldap,
> they may be able to use kerberos instead, but this would entail joining
> the domain.
There are many more services and applications (e.g. web-applications) 
that support authentication through LDAP than there are that support 
Kerberos. That's why I (have to) use LDAP authentication (and 
authorization) in many places.

Even a webserver like Apache can do Kerberos for authentication only, if 
you want authorization in Apache you still need LDAP as it does not 
support looking at the groups in the PAC. Another solution is to use an 
intermediate like Keycloak to provide authn+authz through OIDC.

- Kees.
>
> Rowland
>
>
>

>>Op 25-11-2024 om 11:57 schreef Rowland Penny via samba:
>>> On Mon, 25 Nov 2024 11:44:28 +0100
>>> Kees van Vloten via samba <samba at lists.samba.org> wrote:
>>>
>>>> Op 25-11-2024 om 11:35 schreef Rowland Penny via samba:
>>>>> On Mon, 25 Nov 2024 09:48:19 +0000
>>>>> "Hoefle, Marco \(Avnet Silica\) via samba"
<samba at lists.samba.org>
>>>>> wrote:
>>>>>
>>>>>> Hello,
>>>>>> I have different services using ldap for user/passwd
queries. I am
>>>>>> using the LDAP server integrated in the samba domain
controller.
>>>>>> For debugging and login attempts I wanted to have all
requests in a
>>>>>> separate log file. I am using the
2:4.19.5+dfsg-4ubuntu9 (standard
>>>>>> ubuntu 24.04 package) samba package.
>>>>>>
>>>>>>
>>>>>> This is the relevant samba dc config:
>>>>>>
>>>>>>     server role = active directory domain controller
>>>>>>     server services = s3fs, rpc, nbt, wrepl, ldap,
cldap, kdc,
>>>>>> drepl, winbindd, ntp_signd, kcc, dnsupdate workgroup =
TRAUTES
>>>>>>     idmap_ldb:use rfc2307 = yes
>>>>>>     allow dns updates = nonsecure and secure
>>>>>>     log level = 2
>>>>>> auth_json_audit:3@/var/log/samba/domain_join.log
>>>>>> ldap:10@/var/log/samba/ldap.log auth:5 passdb:5
rpc_srv:5
>>>>>> rpc_parse:5 dnsupdate:10@/var/log/samba/dnsupdate.log
log file >>>>>> /var/log/samba/log.%m
>>>>>>
>>>>>> The domain join log file (
/var/log/samba/domain_join.log) is
>>>>>> created and works (I see each domain join approach).
The LDAP
>>>>>> queries are not in the file. /var/log/samba/ldap.log is
created
>>>>>> but remains empty even after a successful LDAP query.
>>>>>>
>>>>>> Generally, I cannot see any ldap requests in the other
log files
>>>>>> either.
>>>>> Sorry, but this is because there is no 'ldap' debug
class. If you
>>>>> read 'man smb.conf' under 'log level', you
will find a full list of
>>>>> available debug classes. There is 'ldb' if you can
use the ldb-tools
>>>>> instead (note: this may work with ldapsearch etc, but I
haven't
>>>>> tried it.).
>>>> In 4.21 there is "ldapsrv" to log ldap queries.
>>>>
>>> Well, yes there is, but the OP may not be able to update or is not
>>> allowed to use external repos, but if they can, I would always
>>> recommend using the latest Samba version possible.
>>Indeed upgrading is the easiest way to solve it. I still have an
>>"ldapsrv" patch that works for 4.17 (I can make it available
if needed),
>>however it stopped working in 4.18 and someone updated the patch for
>>4.21, where it got merged. That does not help much for 4.19.5 :-(
>>>
>>> However, the OP seems to be using Samba AD for authentication via
ldap,
>>> they may be able to use kerberos instead, but this would entail
joining
>>> the domain.
>>There are many more services and applications (e.g. web-applications)
>>that support authentication through LDAP than there are that support
>>Kerberos. That's why I (have to) use LDAP authentication (and
>>authorization) in many places.
>>Even a webserver like Apache can do Kerberos for authentication only, if
>>you want authorization in Apache you still need LDAP as it does not
>>support looking at the groups in the PAC. Another solution is to use an
>>intermediate like Keycloak to provide authn+authz through OIDC.
>>- Kees.
Thanks Kees,
I tried to upgrade by using debian testing (in a docker container) but I get
other issues then. I saw that ldapsrv is supported in the debian testing samba
version.
With the current settings I can see the ldap requests in the main log:

samba      | {"timestamp":
"2024-11-25T16:06:44.021365+0100", "type":
"Authentication", "Authentication": {"version":
{"major": 1, "minor": 3}, "eventId": 4624,
"logonId": "0", "logonType": 8,
"status": "NT_STATUS_OK", "localAddress":
"ipv4:10.3.0.5:389", "remoteAddress":
"ipv4:10.3.0.6:35370", "serviceDescription":
"LDAP", "authDescription": "simple bind",
"clientDomain": "xxx", "clientAccount":
"CN=binddn,CN=Users,DC=xxx,DC=xxx", "workstation":
"DC", "becameAccount": "binddn",
"becameDomain": "xxx", "becameSid":
"S-1-5-21-3518546476-3047455531-1007412457-1104",
"mappedAccount": "binddn", "mappedDomain":
"xxx", "netlogonComputer": null,
"netlogonTrustAccount": null, "netlogonNegotiateFlags":
"0x00000000", "netlogonSecureChannelType": 0,
"netlogonTrustAccountSid": null, "passwordType":
"Plaintext", "clientPolicyAccessCheck": null,
"serverPolicyAccessCheck": null, "duration": 1995}}
samba      | Calling samba_kcc script

/Marco




--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

We continuously commit to comply with the applicable data protection laws and
ensure fair and transparent processing of your personal data.
Please read our privacy statement including an information notice and data
protection policy for detailed information on our website.