Hoefle, Marco (Avnet Silica)
2024-Dec-04  15:04 UTC
[Samba] samba log level: ldap log file remains empty
>>>>> On Mon, 25 Nov 2024 11:44:28 +0100
>>>>> Kees van Vloten via samba <samba at lists.samba.org> wrote:
>>>>>
>>>>>> On 25-11-2024 at 11:35, Rowland Penny via samba wrote:
>>>>>>> On Mon, 25 Nov 2024 09:48:19 +0000
>>>>>>> "Hoefle, Marco \(Avnet Silica\) via samba" <samba at lists.samba.org>
>>>>>>> wrote:
>>>>>>>
>>>>>>>> Hello,
>>>>>>>> I have different services using ldap for user/passwd queries. I am
>>>>>>>> using the LDAP server integrated in the samba domain controller.
>>>>>>>> For debugging and login attempts I wanted to have all requests in a
>>>>>>>> separate log file. I am using the 2:4.19.5+dfsg-4ubuntu9 (standard
>>>>>>>> ubuntu 24.04 package) samba package.
>>>>>>>>
>>>>>>>>
>>>>>>>> This is the relevant samba dc config:
>>>>>>>>
>>>>>>>>     server role = active directory domain controller
>>>>>>>>     server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc,
>>>>>>>> drepl, winbindd, ntp_signd, kcc, dnsupdate
>>>>>>>>     workgroup = TRAUTES
>>>>>>>>     idmap_ldb:use rfc2307 = yes
>>>>>>>>     allow dns updates = nonsecure and secure
>>>>>>>>     log level = 2
>>>>>>>> auth_json_audit:3@/var/log/samba/domain_join.log
>>>>>>>> ldap:10@/var/log/samba/ldap.log auth:5 passdb:5 rpc_srv:5
>>>>>>>> rpc_parse:5 dnsupdate:10@/var/log/samba/dnsupdate.log
>>>>>>>>     log file /var/log/samba/log.%m
>>>>>>>>
>>>>>>>> The domain join log file ( /var/log/samba/domain_join.log) is
>>>>>>>> created and works (I see each domain join approach). The LDAP
>>>>>>>> queries are not in the file. /var/log/samba/ldap.log is created
>>>>>>>> but remains empty even after a successful LDAP query.
>>>>>>>>
>>>>>>>> Generally, I cannot see any ldap requests in the other log files
>>>>>>>> either.
>>>>>>> Sorry, but this is because there is no 'ldap' debug class. If you
>>>>>>> read 'man smb.conf' under 'log level', you will find a full list of
>>>>>>> available debug classes. There is 'ldb' if you can use the ldb-tools
>>>>>>> instead (note: this may work with ldapsearch etc, but I haven't
>>>>>>> tried it.).
>>>>>> In 4.21 there is "ldapsrv" to log ldap queries.
>>>>>>
>>>>> Well, yes there is, but the OP may not be able to update or is not
>>>>> allowed to use external repos, but if they can, I would always
>>>>> recommend using the latest Samba version possible.
>>>>Indeed upgrading is the easiest way to solve it. I still have an
>>>>"ldapsrv" patch that works for 4.17 (I can make it available if needed),
>>>>however it stopped working in 4.18 and someone updated the patch for
>>>>4.21, where it got merged. That does not help much for 4.19.5 :-(
>>>>>
>>>>> However, the OP seems to be using Samba AD for authentication via ldap,
>>>>> they may be able to use kerberos instead, but this would entail joining
>>>>> the domain.
>>>>There are many more services and applications (e.g. web-applications)
>>>>that support authentication through LDAP than there are that support
>>>>Kerberos. That's why I (have to) use LDAP authentication (and
>>>>authorization) in many places.
>>>>Even a webserver like Apache can do Kerberos for authentication only, if
>>>>you want authorization in Apache you still need LDAP as it does not
>>>>support looking at the groups in the PAC. Another solution is to use an
>>>>intermediate like Keycloak to provide authn+authz through OIDC.
>>>>- Kees.
>>Thanks Kees,
>>I tried to upgrade by using debian testing (in a docker container) but I get other issues then. I saw that ldapsrv is supported in the debian testing samba version.
>>With the current settings I can see the ldap requests in the main log:
>>samba      | {"timestamp": "2024-11-25T16:06:44.021365+0100", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 3}, "eventId": 4624, "logonId": "0",
>>"logonType": 8, "status": "NT_STATUS_OK", "localAddress": "ipv4:10.3.0.5:389", "remoteAddress": "ipv4:10.3.0.6:35370", "serviceDescription": "LDAP", "authDescription": "simple bind",
>>"clientDomain": "xxx", "clientAccount": "CN=binddn,CN=Users,DC=xxx,DC=xxx", "workstation": "DC", "becameAccount": "binddn", "becameDomain": "xxx", "becameSid":
>>"S-1-5-21-3518546476-3047455531-1007412457-1104", "mappedAccount": "binddn", "mappedDomain": "xxx", "netlogonComputer": null, "netlogonTrustAccount": null,
>>"netlogonNegotiateFlags": "0x00000000", "netlogonSecureChannelType": 0, "netlogonTrustAccountSid": null, "passwordType": "Plaintext", "clientPolicyAccessCheck": null,
>>"serverPolicyAccessCheck": null, "duration": 1995}}
>>samba      | Calling samba_kcc script
>>/Marco
>>Samba 4.21.1 is available in Debian backports, no need to use testing. The Debian maintainer also has a private repo with recent versions at
>>http://www.corpit.ru/mjt/packages/samba/
>>Docker and Samba are no friends, or better xattrs (used by Samba for ntacls) need privileged filesystem access.
>>- Kees.

Thanks Kees,

I have now installed the debian backports:
root@dc:/# dpkg -l | grep samba-ad
ii  samba-ad-dc                 2:4.21.2+dfsg-3                 amd64        Samba control files to run AD Domain Controller

and added this
log level = 2 auth_json_audit:3@/var/log/samba/domain_join.log auth:2@/var/log/samba/auth.log ldapsrv:10@/var/log/samba/ldap.log passdb:2 rpc_srv:2 rpc_parse:2

the file /var/log/samba/ldap.log remains empty even if a successful ldap request has occurred.

I wanted to clean the logging. I noticed that I get every 15 minutes this:

samba | Calling samba_kcc script
samba | Calling samba_kcc script
samba | Calling samba_kcc script
samba | Auth: [Kerberos KDC,ENC-TS Pre-authentication] user [(null)]\[SAMBA-SRV$@XXX.XFAE] at [Wed, 04 Dec 2024 15:58:47.044307 CET] with [aes256-cts-hmac-sha1-96] status [NT_STATUS_PROTOCOL_UNREACHABLE] workstation [(null)] remote host [ipv4:10.3.0.6:53159] mapped to [XXXX]\[SAMBA-SRV$]. local host [NULL]

Do you know where this time comes from? There is on samba file server joined to the AD.

/Marco

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

We continuously commit to comply with the applicable data protection laws and ensure fair and transparent processing of your personal data.
Please read our privacy statement including an information notice and data protection policy for detailed information on our website.
Kees van Vloten
2024-Dec-04  16:38 UTC
[Samba] samba log level: ldap log file remains empty
On 04-12-2024 at 16:04, Hoefle, Marco (Avnet Silica) wrote:
>>>>>> On Mon, 25 Nov 2024 11:44:28 +0100
>>>>>> Kees van Vloten via samba <samba at lists.samba.org> wrote:
>>>>>>
>>>>>>> On 25-11-2024 at 11:35, Rowland Penny via samba wrote:
>>>>>>>> On Mon, 25 Nov 2024 09:48:19 +0000
>>>>>>>> "Hoefle, Marco \(Avnet Silica\) via samba" <samba at lists.samba.org>
>>>>>>>> wrote:
>>>>>>>>
>>>>>>>>> Hello,
>>>>>>>>> I have different services using ldap for user/passwd queries. I am
>>>>>>>>> using the LDAP server integrated in the samba domain controller.
>>>>>>>>> For debugging and login attempts I wanted to have all requests in a
>>>>>>>>> separate log file. I am using the 2:4.19.5+dfsg-4ubuntu9 (standard
>>>>>>>>> ubuntu 24.04 package) samba package.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> This is the relevant samba dc config:
>>>>>>>>>
>>>>>>>>>     server role = active directory domain controller
>>>>>>>>>     server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc,
>>>>>>>>> drepl, winbindd, ntp_signd, kcc, dnsupdate
>>>>>>>>>     workgroup = TRAUTES
>>>>>>>>>     idmap_ldb:use rfc2307 = yes
>>>>>>>>>     allow dns updates = nonsecure and secure
>>>>>>>>>     log level = 2
>>>>>>>>> auth_json_audit:3@/var/log/samba/domain_join.log
>>>>>>>>> ldap:10@/var/log/samba/ldap.log auth:5 passdb:5 rpc_srv:5
>>>>>>>>> rpc_parse:5 dnsupdate:10@/var/log/samba/dnsupdate.log
>>>>>>>>>     log file /var/log/samba/log.%m
>>>>>>>>>
>>>>>>>>> The domain join log file ( /var/log/samba/domain_join.log) is
>>>>>>>>> created and works (I see each domain join approach). The LDAP
>>>>>>>>> queries are not in the file. /var/log/samba/ldap.log is created
>>>>>>>>> but remains empty even after a successful LDAP query.
>>>>>>>>>
>>>>>>>>> Generally, I cannot see any ldap requests in the other log files
>>>>>>>>> either.
>>>>>>>> Sorry, but this is because there is no 'ldap' debug class. If you
>>>>>>>> read 'man smb.conf' under 'log level', you will find a full list of
>>>>>>>> available debug classes. There is 'ldb' if you can use the ldb-tools
>>>>>>>> instead (note: this may work with ldapsearch etc, but I haven't
>>>>>>>> tried it.).
>>>>>>> In 4.21 there is "ldapsrv" to log ldap queries.
>>>>>>>
>>>>>> Well, yes there is, but the OP may not be able to update or is not
>>>>>> allowed to use external repos, but if they can, I would always
>>>>>> recommend using the latest Samba version possible.
>>>>> Indeed upgrading is the easiest way to solve it. I still have an
>>>>> "ldapsrv" patch that works for 4.17 (I can make it available if needed),
>>>>> however it stopped working in 4.18 and someone updated the patch for
>>>>> 4.21, where it got merged. That does not help much for 4.19.5 :-(
>>>>>> However, the OP seems to be using Samba AD for authentication via ldap,
>>>>>> they may be able to use kerberos instead, but this would entail joining
>>>>>> the domain.
>>>>> There are many more services and applications (e.g. web-applications)
>>>>> that support authentication through LDAP than there are that support
>>>>> Kerberos. That's why I (have to) use LDAP authentication (and
>>>>> authorization) in many places.
>>>>> Even a webserver like Apache can do Kerberos for authentication only, if
>>>>> you want authorization in Apache you still need LDAP as it does not
>>>>> support looking at the groups in the PAC. Another solution is to use an
>>>>> intermediate like Keycloak to provide authn+authz through OIDC.
>>>>> - Kees.
>>> Thanks Kees,
>>> I tried to upgrade by using debian testing (in a docker container) but I get other issues then. I saw that ldapsrv is supported in the debian testing samba version.
>>> With the current settings I can see the ldap requests in the main log:
>>> samba      | {"timestamp": "2024-11-25T16:06:44.021365+0100", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 3}, "eventId": 4624, "logonId": "0",
>>> "logonType": 8, "status": "NT_STATUS_OK", "localAddress": "ipv4:10.3.0.5:389", "remoteAddress": "ipv4:10.3.0.6:35370", "serviceDescription": "LDAP", "authDescription": "simple bind",
>>> "clientDomain": "xxx", "clientAccount": "CN=binddn,CN=Users,DC=xxx,DC=xxx", "workstation": "DC", "becameAccount": "binddn", "becameDomain": "xxx", "becameSid":
>>> "S-1-5-21-3518546476-3047455531-1007412457-1104", "mappedAccount": "binddn", "mappedDomain": "xxx", "netlogonComputer": null, "netlogonTrustAccount": null,
>>> "netlogonNegotiateFlags": "0x00000000", "netlogonSecureChannelType": 0, "netlogonTrustAccountSid": null, "passwordType": "Plaintext", "clientPolicyAccessCheck": null,
>>> "serverPolicyAccessCheck": null, "duration": 1995}}
>>> samba      | Calling samba_kcc script
>>> /Marco
>>> Samba 4.21.1 is available in Debian backports, no need to use testing. The Debian maintainer also has a private repo with recent versions at
>>> http://www.corpit.ru/mjt/packages/samba/
>>> Docker and Samba are no friends, or better xattrs (used by Samba for ntacls) need privileged filesystem access.
>>> - Kees.
>
> Thanks Kees,
>
> I have now installed the debian backports:
> root@dc:/# dpkg -l | grep samba-ad
> ii  samba-ad-dc                 2:4.21.2+dfsg-3                 amd64        Samba control files to run AD Domain Controller
>
> and added this
> log level = 2 auth_json_audit:3@/var/log/samba/domain_join.log auth:2@/var/log/samba/auth.log ldapsrv:10@/var/log/samba/ldap.log passdb:2 rpc_srv:2 rpc_parse:2
>
> the file /var/log/samba/ldap.log remains empty even if a successful ldap request has occurred.
>
> I wanted to clean the logging. I noticed that I get every 15 minutes this:
>
> samba | Calling samba_kcc script
> samba | Calling samba_kcc script
> samba | Calling samba_kcc script
> samba | Auth: [Kerberos KDC,ENC-TS Pre-authentication] user [(null)]\[SAMBA-SRV$@XXX.XFAE] at [Wed, 04 Dec 2024 15:58:47.044307 CET] with [aes256-cts-hmac-sha1-96] status [NT_STATUS_PROTOCOL_UNREACHABLE] workstation [(null)] remote host [ipv4:10.3.0.6:53159] mapped to [XXXX]\[SAMBA-SRV$]. local host [NULL]
>
>
> Do you know where this time comes from? There is on samba file server joined to the AD.

If you mean to say: "This is on samba file server joined to the AD.", then that might be the reason. LDAP queries are made to DC servers, not to file servers.

- Kees.

>
> /Marco
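
Added example (not part of the thread and not Samba project code): the JSON "Authentication" events quoted above already record LDAP binds, so they can be filtered out of the main log without a dedicated LDAP debug class. The sample lines are constructed in the shape of the quoted event, the function names are hypothetical, and treating a "Plaintext" password on local port 389 as a bind without TLS is an assumption to verify against your own DC.

```python
import json
from collections import Counter

# Constructed sample lines (field names from the quoted event, values are placeholders).
SAMPLE = [
    'samba      | Calling samba_kcc script',
    'samba      | {"timestamp": "2024-11-25T16:06:44+0100", "type": "Authentication", "Authentication": '
    '{"status": "NT_STATUS_OK", "localAddress": "ipv4:10.3.0.5:389", "remoteAddress": "ipv4:10.3.0.6:35370", '
    '"serviceDescription": "LDAP", "clientAccount": "CN=binddn,CN=Users,DC=xxx,DC=xxx", "passwordType": "Plaintext"}}',
    'samba      | {"type": "Authentication", "Authentication": {"status": "NT_STATUS_WRONG_PASSWORD", '
    '"localAddress": "ipv4:10.3.0.5:636", "remoteAddress": "ipv4:10.3.0.7:40122", "serviceDescription": "LDAP", "passwordType": "Plaintext"}}',
    'samba      | {"type": "Authentication", "Authentication": {"status": "NT_STATUS_OK", "serviceDescription": "SMB2"}}',
    'samba      | {"timestamp": "2024-11-25T16:07:',  # truncated line, must be skipped
]


def auth_events(lines):
    """Yield (timestamp, Authentication dict) for each JSON audit line."""
    for line in lines:
        start = line.find("{")  # skip a "samba | " style prefix
        if start < 0:
            continue
        try:
            rec = json.loads(line[start:])
        except json.JSONDecodeError:
            continue  # truncated or non-JSON debug output
        if isinstance(rec, dict) and rec.get("type") == "Authentication":
            yield rec.get("timestamp"), rec.get("Authentication") or {}


def ldap_binds(lines):
    """Return one row per LDAP authentication event."""
    rows = []
    for ts, a in auth_events(lines):
        if a.get("serviceDescription") != "LDAP":
            continue
        port = (a.get("localAddress") or "").rsplit(":", 1)[-1]
        rows.append({
            "time": ts, "account": a.get("clientAccount"), "status": a.get("status"),
            "client": (a.get("remoteAddress") or "").rsplit(":", 1)[0],
            # Assumption: Plaintext password on port 389 means no TLS; verify on your DC.
            "review_cleartext": a.get("passwordType") == "Plaintext" and port == "389",
        })
    return rows


def failures_by_client(rows):
    """Count LDAP binds whose status is not NT_STATUS_OK, per client address."""
    return Counter(r["client"] for r in rows if r["status"] != "NT_STATUS_OK")
```

Feeding it the lines of the main log (or of a file targeted by auth_json_audit) gives a per-bind view of which account bound from which client, and which clients are failing.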