[Samba] Compatibility With PaloAlto User Identification

Andrew Bartlett abartlet at samba.org
Tue Feb 15 06:37:44 UTC 2022


On Mon, 2022-02-14 at 12:58 -0500, ralph strebbing via samba wrote:
> Hey All,
> 
> I've got a PaloAlto 460 that we're working on integrating, and one of
> the things we're trying to get set up is the User-ID. Normally they
> have you install an agent on the windows Domain Controller to listen
> to the event-viewer and relay login and logout events back to the
> firewall to correlate Users to IPs.
> 
> There was an article posted
> (https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClRhCAK)
> that detailed setting Samba up to forward logs via syslogd, and then
> set up a listener on the firewall along with a profile to regex parse
> the info it needs.


> Now that the background has been explained (same thing I have in the
> ticket to Palo-Alto), I wanted to know if there may be a better
> approach to this issue from the samba side of things. Right now the
> article's solution is a bit crude, and as noted in my last mail
> thread, I have too verbose of logging being spilled out into the
> syslog of the domain controller. I know that Event Viewer
> functionality is a thing now, so would that work better? Or if
> someone
> else has set this up with a Palo in their environment and has a nicer
> solution, I'd appreciate that specific insight.

We don't have event viewer support for this kind of thing (or anything
really), but we have really awesome JSON based audit logging.  I
suggest parsing the audit logs with a JSON parser and having the
PaloAlto accept the output of that.

https://wiki.samba.org/index.php/Setting_up_Audit_Logging

If you get that working, I would love to see a wiki page describing the
arrangement so we can help others with similar devices.

The approach above only detects file access, e.g. for the logon script,
but the AD audit logging can catch all activity.  However, a good
Kerberos client won't be hitting the DC all day - it will get a TGT and
a ticket to the services it needs and keep it for 10 hours.

So the caching issue can't be addressed, sadly. 

I hope this helps,

Andrew Bartlett
-- 
Andrew Bartlett (he/him)       https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead, Catalyst IT   https://catalyst.net.nz/services/samba

Samba Development and Support, Catalyst IT - Expert Open Source
Solutions
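The following is an added example of the approach Andrew suggests (parse Samba's JSON audit log and hand the firewall a fixed-shape line), not code from this thread, from Samba or from Palo Alto Networks. It assumes the "JSON Authentication: {...}" line prefix and the field names (status, mappedAccount, mappedDomain, remoteAddress, serviceDescription) as documented on the Samba audit-logging wiki page; verify them against your own log.samba output before relying on it. The sample log lines are constructed, not captured from a real DC.

```python
import json
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Samba writes each audit record as "JSON <type>: {...}" (assumption: format as
# described on the Samba wiki; the text before "JSON" is the normal log header).
JSON_RECORD = re.compile(
    r"JSON (?P<kind>Authentication|Authorization): (?P<body>\{.*\})\s*$")

# Samba encodes endpoints as "<family>:<address>:<port>", e.g. "ipv4:10.0.0.5:51234".
ADDRESS = re.compile(r"^(?P<family>ipv4|ipv6):(?P<addr>.+):(?P<port>\d+)$")


@dataclass(frozen=True)
class UserIpMapping:
    domain: str
    account: str
    ip: str
    service: str
    timestamp: str

    def as_syslog(self) -> str:
        """One fixed-shape line for the firewall's regex profile to match."""
        user = f"{self.domain}\\{self.account}"
        return (f"samba-userid ts={self.timestamp} user={user} "
                f"ip={self.ip} service=\"{self.service}\"")


def parse_address(value: Optional[str]) -> Optional[str]:
    """Strip the family prefix and port so only the client address remains."""
    if not value:
        return None
    m = ADDRESS.match(value)
    return m.group("addr") if m else None


def extract_mapping(line: str, include_machine_accounts: bool = False
                    ) -> Optional[UserIpMapping]:
    """Return a user-to-IP mapping for a successful Authentication record, else None."""
    m = JSON_RECORD.search(line)
    if not m or m.group("kind") != "Authentication":
        return None  # Authorization records and non-JSON noise carry no logon
    try:
        record = json.loads(m.group("body"))
    except json.JSONDecodeError:
        return None
    auth = record.get("Authentication") or {}
    if auth.get("status") != "NT_STATUS_OK":
        return None  # a failed logon must never create a user-to-IP binding
    account = auth.get("mappedAccount") or auth.get("clientAccount")
    domain = auth.get("mappedDomain") or auth.get("clientDomain") or ""
    if not account:
        return None
    if account.endswith("$") and not include_machine_accounts:
        return None  # computer accounts identify the host, not a person
    ip = parse_address(auth.get("remoteAddress"))
    if not ip:
        return None
    return UserIpMapping(domain, account, ip,
                         auth.get("serviceDescription") or "",
                         record.get("timestamp") or "")


def mappings_from_log(lines: Iterable[str]) -> List[UserIpMapping]:
    return [mp for mp in (extract_mapping(line) for line in lines) if mp]


# Constructed sample lines (not real DC output): success, failure, machine
# account, an Authorization record, and an unrelated log line.
SAMPLE_LINES = [
    '[2022/02/14 12:58:01.000000, 5] JSON Authentication: {"timestamp": "2022-02-14T12:58:01.000000-0500", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 2}, "eventId": 4624, "status": "NT_STATUS_OK", "localAddress": "ipv4:10.0.0.1:88", "remoteAddress": "ipv4:10.0.0.5:51234", "serviceDescription": "Kerberos KDC", "authDescription": "ENC-TS Pre-authentication", "clientDomain": "EXAMPLE", "clientAccount": "alice", "mappedAccount": "alice", "mappedDomain": "EXAMPLE"}}',
    '[2022/02/14 12:58:02.000000, 5] JSON Authentication: {"timestamp": "2022-02-14T12:58:02.000000-0500", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 2}, "eventId": 4625, "status": "NT_STATUS_WRONG_PASSWORD", "remoteAddress": "ipv4:10.0.0.6:51235", "serviceDescription": "Kerberos KDC", "clientDomain": "EXAMPLE", "clientAccount": "bob", "mappedAccount": null, "mappedDomain": null}}',
    '[2022/02/14 12:58:03.000000, 5] JSON Authentication: {"timestamp": "2022-02-14T12:58:03.000000-0500", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 2}, "eventId": 4624, "status": "NT_STATUS_OK", "remoteAddress": "ipv4:10.0.0.7:51236", "serviceDescription": "Kerberos KDC", "clientDomain": "EXAMPLE", "clientAccount": "WS01$", "mappedAccount": "WS01$", "mappedDomain": "EXAMPLE"}}',
    '[2022/02/14 12:58:04.000000, 5] JSON Authorization: {"timestamp": "2022-02-14T12:58:04.000000-0500", "type": "Authorization", "Authorization": {"version": {"major": 1, "minor": 1}, "account": "alice", "remoteAddress": "ipv4:10.0.0.5:51237", "serviceDescription": "LDAP"}}',
    '[2022/02/14 12:58:05.000000, 3] Some other unrelated Samba log line',
]

if __name__ == "__main__":
    for mapping in mappings_from_log(SAMPLE_LINES):
        print(mapping.as_syslog())
```

Only a successful, non-machine Authentication record produces a line, so a password-guessing burst against an account never rebinds that user's IP on the firewall. As Andrew notes above, these records are only emitted when a client actually authenticates to the DC, so a workstation holding a ten-hour TGT produces no fresh evidence in between; the firewall-side mapping timeout should be chosen with that in mind rather than treating silence as logout.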
