[Samba] Need IP on failed logins in logfile

Mark Foley mfoley at ohprs.org
Sun Jun 26 05:16:07 UTC 2016


I used to also get related log messages of the form:

auth_check_password_send: Checking password for unmapped user [HPRS]\[mark]@[ROVER]
  auth_check_password_send: mapped user is: [HPRS]\[mark]@[ROVER]

but now all I get is the auth_check_password_recv in the log.  Perhaps the change is due to an
upgrade to Samba, or perhaps a change I made to my smb.conf log options? (see log config in
my original email below mj's). 

Anyway, samba does (or did) have access to the hostname of the offending computer. The one
shown above, ROVER, is actually my home laptop's host name, said computer being miles away from
the Samba server and in no way part of the AD/DC domain. If it can know the hostname, it surely
must have knowledge of the computer's IP?

Perhaps this all can be submitted somewhere as an upgrade request? I think for the sake of
Internet security in this day-and-age of cyber criminals it would be useful to know the IP of
attackers so appropriate countermeasures could be taken. 

Rowland, I will investigate pam_tally[2] to see what it does. I've not heard of it before. 

I suppose I could also run tcpdump continuously against the specific port(s) where such logins
can occur, but that is a bit of work, esp. since the timestamp of the samba log message is
detached to a separate message preceding the one listing the failed user.

--Mark

> > To: samba at lists.samba.org
> > From: mj <lists at merit.unu.edu>
> > Date: Sat, 25 Jun 2016 22:48:13 +0200
> > Subject: Re: [Samba] Need IP on failed logins in logfile
> >
> >
> > On 06/25/2016 06:32 PM, Mark Foley wrote:
> > > I think I've read something on this before, but I can't seem to find it.
> > As far as we know, this is impossible. :-(
> >
> > It is a feature we would also VERY much like to see, for exactly the same
> > reason.
> >
> > MJ
> >
> 
> From: Mark Foley <mfoley at ohprs.org>
> Date: Sat, 25 Jun 2016 12:32:54 -0400
> To: samba at lists.samba.org
> Subject: [Samba] Need IP on failed logins in logfile
> 
> I am running Samba Version 4.1.23 as an AD/DC on Linux Slackware64 14.1. I am logging samba
> messages to /var/log/samba/log.samba with logging set to the following in smb.conf:
> 
> log level = 2 passdb:5 auth:10 winbind:2 lanman:10
> 
> I have a script that scans this logfile for messages like the following:
> 
> auth_check_password_recv: sam_ignoredomain authentication for user [HPRS\thisuser] FAILED with error NT_STATUS_NO_SUCH_USER
> auth_check_password_recv: sam_ignoredomain authentication for user [HPRS\thatuser] FAILED with error NT_STATUS_WRONG_PASSWORD
> 
> Usually, these are not a big deal as they are the results of a local domain user mistyping
> either their login ID or password. However, occasionally the attempts are clearly outsiders
> trying to break in.
> 
> Is there some way to get the logger to show the IP of the failure? Currently it shows only the
> domain and user.
> 
> I think I've read something on this before, but I can't seem to find it.
> 
> Thanks, Mark
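
Added example, not part of the original message or of Samba: a log scan that re-attaches the detached timestamp line to the failure message and, when the auth_check_password_send line is present, pairs the failure with the workstation name from it. It assumes each message is preceded by a "[date time, level] ..." header line; the function names, the sample log and the source-file placeholder in it are constructed for illustration.

```python
import re
from datetime import datetime

# Header line assumed to precede each message: "[2016/06/25 12:31:07.101010,  2] file:line(func)"
HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d)(?:\.\d+)?,\s*\d+\]")
# The two message forms quoted in the thread.
SEND = re.compile(r"Checking password for unmapped user \[(.*?)\]\\\[(.*?)\]@\[(.*?)\]")
FAIL = re.compile(r"authentication for user \[(.*?)\] FAILED with error (NT_STATUS_\w+)")

def failed_logins(lines):
    """Return one dict per failed login: time, user, status, workstation."""
    events, stamp, workstation = [], None, {}
    for line in lines:
        m = HEADER.match(line)
        if m:  # remember the timestamp for the message line(s) that follow
            stamp = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S")
            continue
        m = SEND.search(line)
        if m:  # workstation name is supplied by the client, so treat it as a hint only
            workstation[f"{m.group(1)}\\{m.group(2)}".lower()] = m.group(3)
            continue
        m = FAIL.search(line)
        if m:
            user, status = m.groups()
            events.append({"time": stamp, "user": user, "status": status,
                           # None when no send line was logged for this user
                           "workstation": workstation.pop(user.lower(), None)})
    return events

# Constructed sample log; "source_file.c:0" is a placeholder, not a real Samba path.
SAMPLE = r"""
[2016/06/25 12:31:07.101010,  3] source_file.c:0(auth_check_password_send)
  auth_check_password_send: Checking password for unmapped user [HPRS]\[mark]@[ROVER]
  auth_check_password_send: mapped user is: [HPRS]\[mark]@[ROVER]
[2016/06/25 12:31:07.202020,  2] source_file.c:0(auth_check_password_recv)
  auth_check_password_recv: sam_ignoredomain authentication for user [HPRS\mark] FAILED with error NT_STATUS_WRONG_PASSWORD
[2016/06/25 12:40:55.303030,  2] source_file.c:0(auth_check_password_recv)
  auth_check_password_recv: sam_ignoredomain authentication for user [HPRS\thisuser] FAILED with error NT_STATUS_NO_SUCH_USER
"""

if __name__ == "__main__":
    for e in failed_logins(SAMPLE.splitlines()):
        print(e["time"], e["user"], e["status"], e["workstation"] or "-")
```

The timestamps recovered this way are what a packet capture or firewall log would have to be matched against to find the source IP, since the log lines themselves do not carry it.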


