[Samba] force samba 4.12.5 to log failed and succeeding authentication

karel.de.macil at free.fr karel.de.macil at free.fr
Thu Sep 17 10:16:11 UTC 2020


On 16/09/2020 20:04, Andrew Bartlett via samba wrote:
> https://wiki.samba.org/index.php/Setting_up_Audit_Logging
> 
> See eg (for password changes)
> dsdb_password_json_audit:4@/var/log/samba/password.log
> 
> Sadly not yet fully documented in:
> https://wiki.samba.org/index.php/Configuring_Logging_on_a_Samba_Server#Setting_Individual_Log_Levels_for_Debug_Classes
> 
> (but feel free to fix that).  I think it is in the man smb.conf
> 
> Andrew Bartlett

I have just tried to add
log level = 1 auth_audit:7@/var/log/samba/log.auth_audit

to my smb.conf, but no luck on this either. This does create a
/var/log/samba/log.auth_audit, which stays definitely empty,
even after an auth attempt. And still, after a failed or successful attempt,
there is no trace in the log of the IP of the PC
where the failed/successful attempt occurred, the name of the computer, or
the name of the account used, just nothing.

I have read and tried your comment as well as this page:

https://wiki.samba.org/index.php/Setting_up_Audit_Logging

but despite all my efforts there is no message like:

[2017/07/04 21:07:41.410381,  4, pid=21757] 
../auth/auth_log.c:848(log_successful_authz_event_human_readable)
   Successful AuthZ: [SMB2,krb5] user [SAMDOM]\[Administrator] 
[S-1-5-21-469703510-2364959079-1506205053-500] at [Di, 04 Jul 2017 
21:07:41.410364 CEST] Remote host [ipv4:10.99.0.81:58828] local host 
[ipv4:10.99.0.1:445]

appearing in my log.

Things that can play a role in my situation (or not):

I have 2 DCs in different versions; the one that is FSMO for all roles is
4.12.5, the other is much older. But I can't see any log in any of them.
I have passed a GPO to enable logging of authentication attempts on the
client side via:
Policies -> Windows Settings -> Security Settings -> Local Policies ->
Audit Policy

> On Wed, 2020-09-16 at 16:50 +0200, karel de macil via samba wrote:
>> Hi all,
>> 
>> I have been struggling for a few hours to find what I can do to have some
>> debug information in Samba on successful or unsuccessful login attempts.
>> I'm running the standard bullseye samba deb package.
>> Systemd is installed and sees some things, but whatever I put in
>> smb.conf
>> 
>> It seems like I can't have access to that information.
>> 
>> I have already tried:
>> 
>> -log level = 1 auth:5 winbind:5
>> -log level = 5
>> -log level = 10
>> 
>> Neither the IP nor the name of a successful or unsuccessful login
>> attempt appears anywhere,
>> neither in journalctl -u samba-ad-dc nor in any file in /var/log/samba/
>> 
>> Can anyone help me with this one?
>> 
>> best regards
>> 
> --
> Andrew Bartlett                       https://samba.org/~abartlet/
> Authentication Developer, Samba Team  https://samba.org
> Samba Developer, Catalyst IT
> https://catalyst.net.nz/services/samba
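
An added example, not part of the original message and not Samba's own code: a parser for the human-readable `Successful AuthZ` entry quoted in the message, extracting the account, SID and remote address the poster is looking for. The regular expression, the function names and the `ipv4:address:port` split are assumptions inferred only from that single quoted entry.

```python
import re

# Sample: the log entry quoted in the message, with e-mail line wrapping undone.
SAMPLE = (
    "[2017/07/04 21:07:41.410381,  4, pid=21757] "
    "../auth/auth_log.c:848(log_successful_authz_event_human_readable)\n"
    "  Successful AuthZ: [SMB2,krb5] user [SAMDOM]\\[Administrator] "
    "[S-1-5-21-469703510-2364959079-1506205053-500] at "
    "[Di, 04 Jul 2017 21:07:41.410364 CEST] Remote host "
    "[ipv4:10.99.0.81:58828] local host [ipv4:10.99.0.1:445]\n"
)

# Assumption: field layout inferred from the one entry above, nothing else.
AUTHZ_RE = re.compile(
    r"Successful AuthZ: \[(?P<service>[^,\]]*),(?P<auth_type>[^\]]*)\]\s+"
    r"user \[(?P<domain>[^\]]*)\]\\\[(?P<account>[^\]]*)\]\s+"
    r"\[(?P<sid>S-[0-9-]+)\]\s+at \[(?P<when>[^\]]*)\]\s+"
    r"Remote host \[(?P<remote>[^\]]*)\]\s+local host \[(?P<local>[^\]]*)\]"
)


def split_endpoint(endpoint):
    """Split 'ipv4:10.99.0.81:58828' into (family, address, port)."""
    family, _, rest = endpoint.partition(":")
    address, _, port = rest.rpartition(":")
    return family, address, int(port) if port.isdigit() else None


def parse_authz(text):
    """Return one dict per 'Successful AuthZ' entry found in text."""
    flat = " ".join(text.split())  # tolerate wrapped or indented entries
    records = []
    for match in AUTHZ_RE.finditer(flat):
        rec = match.groupdict()
        _, rec["remote_addr"], rec["remote_port"] = split_endpoint(rec.pop("remote"))
        _, rec["local_addr"], rec["local_port"] = split_endpoint(rec.pop("local"))
        records.append(rec)
    return records


if __name__ == "__main__":
    for r in parse_authz(SAMPLE):
        print(f'{r["when"]}: {r["domain"]}\\{r["account"]} '
              f'via {r["service"]}/{r["auth_type"]} '
              f'from {r["remote_addr"]}:{r["remote_port"]}')
```
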


