Anantha Raghava
2025-Jul-31 18:16 UTC
[Samba] Get User add, modify, delete, group membership changes to log
Hi,

I am trying to get the user add, modify, delete or group add, modify or delete or group member add, modify or change etc., logs to log.samba. I do get dsdb change logs, but they seem to be unclear, not human readable. I am able to get these operations on the terminal as shown below but these are not getting printed in log.samba or dc2.log, the actual log file.

*_Sample Terminal output:_*

root at dc2:/home/ubuntu# samba-tool user add gxxxld Rxxx at 1xxx
DSDB Change [Add] at [Thu, 31 Jul 2025 22:33:20.271575 IST] status [Success] remote host [Unknown] SID [S-1-5-18] DN [CN=gxxxld,CN=Users,DC=ixxxxxe,DC=demo] attributes [objectClass [user] sAMAccountName [gxxxld] userPrincipalName [gxxxld at ixxxxxe.demo]]
{"timestamp": "2025-07-31T22:33:20.271824+0530", "type": "dsdbChange", "dsdbChange": {"version": {"major": 1, "minor": 0}, "statusCode": 0, "status": "Success", "operation": "Add", "remoteAddress": null, "performedAsSystem": false, "userSid": "S-1-5-18", "dn": "CN=gxxxld,CN=Users,DC=ixxxxxe,DC=demo", "transactionId": "5adc6f76-a79c-496a-812c-6000924ca590", "sessionId": "9e685acd-2d1a-46a5-8298-2928ad8cbdd8", "attributes": {"objectClass": {"actions": [{"action": "add", "values": [{"value": "user"}]}]}, "sAMAccountName": {"actions": [{"action": "add", "values": [{"value": "gxxxld"}]}]}, "userPrincipalName": {"actions": [{"action": "add", "values": [{"value": "gxxxld at ixxxxxe.demo"}]}]}}}}
DSDB Change [Modify] at [Thu, 31 Jul 2025 22:33:20.335082 IST] status [Success] remote host [Unknown] SID [S-1-5-18] DN [CN=gxxxld,CN=Users,DC=ixxxxxe,DC=demo] attributes [replace: unicodePwd [REDACTED SECRET ATTRIBUTE]]
{"timestamp": "2025-07-31T22:33:20.335244+0530", "type": "dsdbChange", "dsdbChange": {"version": {"major": 1, "minor": 0}, "statusCode": 0, "status": "Success", "operation": "Modify", "remoteAddress": null, "performedAsSystem": false, "userSid": "S-1-5-18", "dn": "CN=gxxxld,CN=Users,DC=ixxxxxe,DC=demo", "transactionId": "5adc6f76-a79c-496a-812c-6000924ca590", "sessionId": "9e685acd-2d1a-46a5-8298-2928ad8cbdd8", "attributes": {"unicodePwd": {"actions": [{"action": "replace", "redacted": true}]}}}}
DSDB Change [Modify] at [Thu, 31 Jul 2025 22:33:20.336539 IST] status [Success] remote host [Unknown] SID [S-1-5-18] DN [CN=gxxxld,CN=Users,DC=ixxxxxe,DC=demo] attributes [delete: userAccountControl [546] add: userAccountControl [512]]
{"timestamp": "2025-07-31T22:33:20.336648+0530", "type": "dsdbChange", "dsdbChange": {"version": {"major": 1, "minor": 0}, "statusCode": 0, "status": "Success", "operation": "Modify", "remoteAddress": null, "performedAsSystem": false, "userSid": "S-1-5-18", "dn": "CN=gxxxld,CN=Users,DC=ixxxxxe,DC=demo", "transactionId": "5adc6f76-a79c-496a-812c-6000924ca590", "sessionId": "9e685acd-2d1a-46a5-8298-2928ad8cbdd8", "attributes": {"userAccountControl": {"actions": [{"action": "delete", "values": [{"value": "546"}]}, {"action": "add", "values": [{"value": "512"}]}]}}}}
descriptor_prepare_commit: changes: num_registrations=0
descriptor_prepare_commit: changes: num_registered=0
descriptor_prepare_commit: changes: num_toplevel=0
descriptor_prepare_commit: changes: num_processed=0
descriptor_prepare_commit: objects: num_processed=0
descriptor_prepare_commit: objects: num_skipped=0
User 'gxxxld' added successfully

*_My smb.conf is as follows:_*

# Global parameters
[global]
        ad dc functional level = 2016
        dns forwarder = 1.x.x.1
        dns forwarder = 8.x.x.8
        netbios name = DC2
        realm = IxxxxxE.DEMO
        server role = active directory domain controller
        workgroup = IxxxxxE
        idmap_ldb:use rfc2307 = yes
        ldap server require strong auth = yes
        tls enabled  = yes
        tls keyfile  = tls/dc2.ixxxxxe.demo.key.pem
        tls certfile = tls/dc2.ixxxxxe.demo.cert.pem
        tls cafile   = tls/ca.cert.pem
        log level = 3 dns:3 auth_json_audit:5 dsdb_json_audit:5 dsdb_audit:5
        log file = /usr/local/samba/var/dc2.log
        max log size = 1000000

[sysvol]
        path = /usr/local/samba/var/locks/sysvol
        read only = No

[netlogon]
        path = /usr/local/samba/var/locks/sysvol/ixxxxxe.demo/scripts
        read only = No

--
Thanks & regards,
Raghav
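The dsdbChange JSON records quoted in the message above can be rendered as one readable line each and grouped by transactionId. The following is an added example, not part of the original post and not Samba code: SAMPLE is constructed by trimming the post's three records to the fields used, the function names are hypothetical, and the userAccountControl bit names are the standard Active Directory flags.

```python
import json
from collections import defaultdict

# Standard Active Directory userAccountControl bits (subset).
UAC_FLAGS = {0x2: "ACCOUNTDISABLE", 0x20: "PASSWD_NOTREQD", 0x200: "NORMAL_ACCOUNT"}
# Constructed sample: fields shared by the three records in the post, trimmed.
_HEAD = '"type": "dsdbChange", "dsdbChange": {"status": "Success", "userSid": "S-1-5-18", "dn": "CN=gxxxld,CN=Users,DC=ixxxxxe,DC=demo", "transactionId": "5adc6f76-a79c-496a-812c-6000924ca590", '
SAMPLE = [
    "DSDB Change [Add] at [Thu, 31 Jul 2025 22:33:20.271575 IST] status [Success]",
    '{"timestamp": "2025-07-31T22:33:20.271824+0530", ' + _HEAD + '"operation": "Add", "attributes": {"sAMAccountName": {"actions": [{"action": "add", "values": [{"value": "gxxxld"}]}]}}}}',
    '{"timestamp": "2025-07-31T22:33:20.335244+0530", ' + _HEAD + '"operation": "Modify", "attributes": {"unicodePwd": {"actions": [{"action": "replace", "redacted": true}]}}}}',
    '{"timestamp": "2025-07-31T22:33:20.336648+0530", ' + _HEAD + '"operation": "Modify", "attributes": {"userAccountControl": {"actions": [{"action": "delete", "values": [{"value": "546"}]}, {"action": "add", "values": [{"value": "512"}]}]}}}}',
    "descriptor_prepare_commit: changes: num_registrations=0",
]

def uac_names(value):
    """Decode a userAccountControl integer into sorted flag names."""
    return sorted(name for bit, name in UAC_FLAGS.items() if int(value) & bit)

def describe(rec):
    """Render one parsed dsdbChange record as a single readable line."""
    c = rec["dsdbChange"]
    parts = []
    for attr, body in c.get("attributes", {}).items():
        for act in body.get("actions", []):
            if act.get("redacted"):          # secret attributes carry no values
                vals = ["<redacted>"]
            else:
                vals = [v.get("value", "") for v in act.get("values", [])]
                if attr == "userAccountControl":
                    vals = ["|".join(uac_names(v)) for v in vals]
            parts.append(f"{act['action']} {attr}={','.join(vals)}")
    return (f"{rec['timestamp']} {c['operation']} {c['dn']} "
            f"by {c['userSid']} [{c['status']}]: " + "; ".join(parts))

def summarize(lines):
    """Group readable change lines by transactionId, skipping non-JSON lines."""
    by_txn = defaultdict(list)
    for line in lines:
        start = line.find('{"timestamp"')    # tolerate a debug-header prefix
        if start < 0:
            continue
        try:
            rec = json.loads(line[start:])
        except ValueError:
            continue
        if rec.get("type") == "dsdbChange":
            by_txn[rec["dsdbChange"]["transactionId"]].append(describe(rec))
    return dict(by_txn)
```

Here the 546 to 512 change decodes as clearing ACCOUNTDISABLE and PASSWD_NOTREQD, which is the account being enabled after its password is set.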
Rowland Penny
2025-Jul-31 18:45 UTC
[Samba] Get User add, modify, delete, group membership changes to log
On Thu, 31 Jul 2025 23:46:40 +0530
Anantha Raghava via samba <samba at lists.samba.org> wrote:

> Hi,
>
> I am trying to get the user add, modify, delete or group add, modify
> or delete or group member add, modify or change etc., logs to
> log.samba. I do get dsdb change logs, but they seem to be unclear,
> not human readable. I am able to get these operations on the terminal
> as shown below but these are not getting printed in log.samba or
> dc2.log, the actual log file.

I had something like this very recently and this is what Douglas Bagnall had to say on the subject:

|----------------------------------------------------------|
I guess normally FSMO role changes are done by system processes and these messages are collected up in the logs, but if you are changing it directly in the samba-tool process using a direct filename connection the messages spill out on stderr.

This is a problem for people trying to follow the DSDB audit log trail in the logs, since it won't be there.
|----------------------------------------------------------|

I pointed out that this didn't use to happen and he tried to blind me with science, so I put it down to it just being me, but now you have hit the same problem, so can you please open a bug report on this. It may get fixed, but will probably take some time.

Rowland
Anantha Raghava
2025-Aug-01 02:54 UTC
[Samba] Get User add, modify, delete, group membership changes to log
Thanks Rowland.

I even attempted to get these routed to journal. It does not appear even there except in stderr or stdout. It appears properly when samba is run in front end, but does not appear when samba is running in detached mode.

I will open a bug report for this.

Thanks n Regards,
Anantha Raghava H A