samba not logging windows user names

Ronald Derksen Ronald_Derksen at nl.compuware.com
Wed Nov 24 09:02:23 GMT 1999


Steve Litt wrote:
> 
> Thread continues at bottom...
> 
> At 08:17 PM 11/23/1999 +1100, Ronald Derksen wrote:
> >Steve Litt wrote:
> >>
> >> At 07:26 PM 11/22/1999 +1100, Ronald Derksen wrote:
> >> >Hi,
> >> [clip]
> >> >I also tried logging to a file which contains '%U' but this give me very
> >> >often the 'guest' name in the logfile while guest access is denied.
> >> [clip]
> >> >Ronald Derksen
> >>
> >> Ronald -- the listing of "guest" as %U is not at all my experience. My
> >> experience is %U is the username on the windows box or the -U arg of
> >> smbclient, irrespective of any guesting issues. Either I've spaced out or
> >> you've discovered a very interesting anomaly. Can you reproduce this
> >> behavior with a tiny smb.conf?
> >
> >Yes
> >
> >root at lycosa # cat ../lib/smb.conf
> >[GLOBAL]
> >        netbios name    = cwnl-lycosa
> >        workgroup = CWNL-LAB
> >        guest account = pcguest
> >        log file = /usr/local/samba/log/log.%U
> >        debug level = 1
> >        encrypt passwords = yes
> >        password server = cweu-users-pdc
> >        security = server
> >        username map = /usr/local/samba/lib/username.map
> >        lock directory = /usr/local/samba/locks
> >        dead time = 1
> >
> >[temp]
> >        path = /tmp
> >        guest ok = no
> >        valid users = ronaldd
> >        force user = test1
> >root at lycosa # ls -l /usr/local/samba/log
> >total 8
> >-rw-r--r--   1 root     system         0 Mar 14 22:21 log.
> >-rw-r--r--   1 root     system         0 Mar 14 22:21 log.cwnl-ronaldd
> >-rw-r--r--   1 root     system       116 Mar 14 22:21 log.pcguest
> >root at lycosa # cat /usr/local/samba/log/log.pcguest
> >2000/03/14 22:21:43 cwnl-c1683 (172.16.27.85) connect to service temp as
> >user test1 (uid=3310,gid=1430) (pid 28476)
> >root at lycosa #
> >
> >The "connect to service" line only appears in the logfile "log.pcguest".
> >This happens when connect via "START -> RUN -> open: \\cwnl-lycosa" and
> >select share temp ( and browse network neighborhood ). This is the
> >behaviour of most of our users because there are too many shares that
> >are not always needed. When I do a "map network drive" the "connect to
> >service" line only appears in the logfile "log.cwnl-ronaldd".
> >
> >Some interesting note I just found out: The "closed connection to
> >service" line comes in the file "log.cwnl-ronaldd" when browsing.
> 
> Ronald -- the plot thickens.
> 
> My results were:
> 
> [root at mainserv samba]# ls log
> log.  log.ronaldd  log.test1
> [root at mainserv samba]# ls -ldF log/*
> -rw-r--r--   1 root     root          282 Nov 23 05:51 log/log.
> -rw-r--r--   1 root     root          379 Nov 23 05:51 log/log.ronaldd
> -rw-r--r--   1 root     root          198 Nov 23 05:51 log/log.test1
> [root at mainserv samba]#
> 
> I created your smb.conf, and your users. I ran the tests from smbclient, as
> I didn't want to take 5 minutes to reboot my machine. Also, not having your
> authentication server, and not having a PDC handy, I needed to comment out
> your password server=. Probably more significantly, I didn't have your
> username map= file, so I commented that out.

I also removed password server= and changed security to user and added
ronaldd to smbpasswd. Result is the same. "connect to service" appears in
log.pcguest. I tried smbclient //cwnl-lycosa -U cwnl-ronaldd. And the
"connect to service" appears in the log file log.cwnl-ronaldd. I can only
reproduce it with my NT 4.0SP5 workstation ( not tried other MS-clients).

Reading the man page again I saw:
 %U = session user name (the user name that the client wanted, not
necessarily the same as the one they got).

It looks like NT first tries to connect as a guest, logging starts in
file log.pcguest which contains the "connect to service" message. And
when the share disconnects it logs in file log.cwnl-ronaldd. When I
raise the debug level to 10 log messages are spread over 3 files: log. ,
log.pcguest , log.cwnl-ronaldd. This happens when opening \\cwnl-lycosa
via Start -> RUN and select share temp. When accessing via a mapped
drive no log is written to log.pcguest.

If %U is not necessarily the windows username then it is not possible to
audit which user connects to which share because with the forced user
option this information is lost.
> 
> We can exploit the differences now. First step, send me your username map

root at lycosa # cat ../lib/username.map 
ronaldd = cwnl-ronaldd

> file (or a subset sufficient to this anomaly). One thing. Are you
> absolutely, positively certain you didn't accidentally access [temp] as
> user pcguest?

I am logged in to our domain as cwnl-ronaldd and I am not supplying any
usernames/passwords. The share is restricted to one person, valid user =
ronaldd and guest ok = no. I can see the contents of the share. I assume
that it is only possible to connect as a non guest user.
> 
> Steve Litt

Ronald Derksen
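
An added example, not part of the original thread: a small Python parser for the "connect to service" line quoted above. It tags each connect with the %U value taken from the log file name and flags entries filed under the guest account or an empty name. The second sample log line, the function names and the "candidates" heuristic are assumptions made for illustration.

```python
import re
from collections import defaultdict

# "connect to service" line as quoted in the post; \s+ tolerates mail wrapping.
CONNECT_RE = re.compile(
    r"(?P<when>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d)\s+(?P<machine>\S+)\s+"
    r"\((?P<ip>[\d.]+)\)\s+connect to service\s+(?P<share>\S+)\s+as\s+user\s+"
    r"(?P<unix_user>\S+)\s+\(uid=(?P<uid>\d+),gid=(?P<gid>\d+)\)\s+\(pid (?P<pid>\d+)\)"
)

def parse_connects(logs):
    """logs maps a file name such as 'log.pcguest' to that file's text."""
    records = []
    for name, text in logs.items():
        # With "log file = .../log.%U" the suffix is what %U expanded to.
        session_user = name.split(".", 1)[1] if "." in name else ""
        for m in CONNECT_RE.finditer(text):
            rec = m.groupdict()
            rec["session_user"] = session_user
            records.append(rec)
    return records

def audit(logs, guest_account):
    """Flag connects whose %U file name does not identify a real user."""
    records = parse_connects(logs)
    seen = defaultdict(set)  # client machine -> non-guest session names
    for r in records:
        if r["session_user"] not in ("", guest_account):
            seen[r["machine"]].add(r["session_user"])
    for r in records:
        r["ambiguous"] = r["session_user"] in ("", guest_account)
        # Heuristic only: names the same client used in other log files.
        r["candidates"] = sorted(seen[r["machine"]]) if r["ambiguous"] else []
    return records

# Constructed sample: the first entry is the (wrapped) line from the post,
# the second is a made-up mapped-drive connect from the same client.
SAMPLE_LOGS = {
    "log.pcguest": "2000/03/14 22:21:43 cwnl-c1683 (172.16.27.85) connect to service temp as\n"
                   "user test1 (uid=3310,gid=1430) (pid 28476)\n",
    "log.cwnl-ronaldd": "2000/03/14 22:25:10 cwnl-c1683 (172.16.27.85) connect to service temp as "
                        "user test1 (uid=3310,gid=1430) (pid 28490)\n",
    "log.": "",
}

if __name__ == "__main__":
    for r in audit(SAMPLE_LOGS, guest_account="pcguest"):
        print(r["when"], r["machine"], r["share"], "unix=" + r["unix_user"],
              "%U=" + r["session_user"], r["ambiguous"], r["candidates"])
```

Because of force user, the user named in the log line is test1 in both entries, so only the file name carries the session name, and for the browse connect that name is the guest account.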

