Auditing NT Logins
Richard Sharpe
sharpe at ns.aus.com
Sat Mar 11 09:09:02 GMT 2000
At 06:51 PM 3/11/00 +1100, Peter Samuelson wrote:
>
>[Jonathan W Miner]
>> I'm using samba-2.0.6 on a Solaris 2.5.1 server. Is there any way to
>> log NT logins in the same manner that UNIX logins are logged?
>
>2.0.7, when it is released, will have support for the `utmpx' variant
>of utmp/wtmp. Assuming Solaris uses `utmpx', which I don't remember (I
>haven't used Solaris since 1994), this sounds like what you want. If
>you want to try it out and see, 2.0.7pre1 is out already.
>
>I don't know about logging unsuccessful logins to syslog -- whether
>this would even be a good idea. Windows machines often try two
>different sets of credentials in what is eventually a successful login,
>so you could get a *lot* of false positives. I don't know the details
>of this -- which clients do this or why.

Hmmm, I have seen a lot of traces of Windows machines trying to log in, and
I have seen the following:

1. When browsing, NT will often log in with a null account and password, or
   an invalid set of credentials, but Samba maps bad credentials on the
   IPC$ share to guest.

2. Some early Win95 versions would convert the user's password to upper case
   before submitting it. However, this can be handled by
   'password level = 4' or some other value.

3. Windows clients that insist on sending encrypted passwords.

I would be really interested in Windows clients that try with multiple sets
of credentials other than the above examples. Got a book to finish, you
see :-)

>Peter
>
Regards
-------
Richard Sharpe, sharpe at ns.aus.com, Master Linux Administrator :-),
Samba (Team member, www.samba.org), Ethereal (Team member, www.zing.org)
Co-author, SAMS Teach Yourself Samba in 24 Hours
Author: First Australian 5-day, intensive, hands-on Linux SysAdmin course
Author: First Australian 2-day, intensive, hands-on Samba course
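
Added example, not part of the original message and not Samba code: one way to keep failed-login auditing usable given the client behaviour described in the thread, by dropping null-credential IPC$ attempts and failures that the same client and user follow with a success within a few seconds. The event tuples, the `audit_failures` name and the 5-second window are assumptions made for illustration; this is not Samba's log format.

```python
from collections import defaultdict

# Constructed sample events, not real log data:
# (epoch seconds, client, user, share, outcome)
EVENTS = [
    (100, "WS1", "", "IPC$", "fail"),        # null session while browsing
    (101, "WS1", "jminer", "home", "fail"),  # first credential set rejected
    (102, "WS1", "jminer", "home", "ok"),    # immediate retry succeeds
    (200, "WS2", "admin", "home", "fail"),   # repeated failures, no success
    (203, "WS2", "admin", "home", "fail"),
    (260, "WS2", "admin", "home", "fail"),
    (300, "WS3", "pat", "home", "fail"),     # success comes too late to be
    (330, "WS3", "pat", "home", "ok"),       # an automatic client retry
]

RETRY_WINDOW = 5  # seconds; assumed value, keep it short


def audit_failures(events, window=RETRY_WINDOW):
    """Return the failed logins worth writing to the audit log."""
    events = sorted(events)

    # Index successful logins by (client, user). Matching on the user as
    # well as the client means a success for one account never hides
    # failures against a different account from the same machine.
    successes = defaultdict(list)
    for ts, client, user, _share, outcome in events:
        if outcome == "ok":
            successes[(client, user)].append(ts)

    reportable = []
    for ts, client, user, share, outcome in events:
        if outcome != "fail":
            continue
        # Case 1 from the message: null credentials on IPC$ while browsing.
        if user == "" and share == "IPC$":
            continue
        # A failure followed almost immediately by a success for the same
        # client and user is treated as one login, not as an attack.
        if any(0 <= ok - ts <= window for ok in successes.get((client, user), [])):
            continue
        reportable.append((ts, client, user, share))
    return reportable


if __name__ == "__main__":
    for entry in audit_failures(EVENTS):
        print("failed login:", entry)
```

The window trades noise for coverage: any failure suppressed by it is also invisible to a reviewer, so it should be no longer than the client retry delay actually observed.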