samba not logging windows user names
Ronald_Derksen at nl.compuware.com
Wed Nov 24 09:02:23 GMT 1999
Steve Litt wrote:
> Thread continues at bottom...
> At 08:17 PM 11/23/1999 +1100, Ronald Derksen wrote:
> >Steve Litt wrote:
> >> At 07:26 PM 11/22/1999 +1100, Ronald Derksen wrote:
> >> >Hi,
> >> [clip]
> >> >I also tried logging to a file which contains '%U' but this gives me very
> >> >often the 'guest' name in the logfile while guest access is denied.
> >> [clip]
> >> >Ronald Derksen
> >> Ronald -- the listing of "guest" as %U is not at all my experience. My
> >> experience is %U is the username on the windows box or the -U arg of
> >> smbclient, irrespective of any guesting issues. Either I've spaced out or
> >> you've discovered a very interesting anomaly. Can you reproduce this
> >> behavior with a tiny smb.conf?
> >root at lycosa # cat ../lib/smb.conf
> > netbios name = cwnl-lycosa
> > workgroup = CWNL-LAB
> > guest account = pcguest
> > log file = /usr/local/samba/log/log.%U
> > debug level = 1
> > encrypt passwords = yes
> > password server = cweu-users-pdc
> > security = server
> > username map = /usr/local/samba/lib/username.map
> > lock directory = /usr/local/samba/locks
> > dead time = 1
> > path = /tmp
> > guest ok = no
> > valid users = ronaldd
> > force user = test1
> >root at lycosa # ls -l /usr/local/samba/log
> >total 8
> >-rw-r--r-- 1 root system 0 Mar 14 22:21 log.
> >-rw-r--r-- 1 root system 0 Mar 14 22:21 log.cwnl-ronaldd
> >-rw-r--r-- 1 root system 116 Mar 14 22:21 log.pcguest
> >root at lycosa # cat /usr/local/samba/log/log.pcguest
> >2000/03/14 22:21:43 cwnl-c1683 (172.16.27.85) connect to service temp as
> >user test1 (uid=3310,gid=1430) (pid 28476)
> >root at lycosa #
> >The "connect to service" line only appears in the logfile "log.pcguest".
> >This happens when I connect via "START -> RUN -> open: \\cwnl-lycosa" and
> >select share temp ( and browse network neighborhood ). This is the
> >behaviour of most of our users because there are too many shares that
> >are not always needed. When I do a "map network drive" the "connect to
> >service" line only appears in the logfile "log.cwnl-ronaldd".
> >Some interesting note I just found out: The "closed connection to
> >service" line comes in the file "log.cwnl-ronaldd" when browsing.
> Ronald -- the plot thickens.
> My results were:
> [root at mainserv samba]# ls log
> log. log.ronaldd log.test1
> [root at mainserv samba]# ls -ldF log/*
> -rw-r--r-- 1 root root 282 Nov 23 05:51 log/log.
> -rw-r--r-- 1 root root 379 Nov 23 05:51 log/log.ronaldd
> -rw-r--r-- 1 root root 198 Nov 23 05:51 log/log.test1
> [root at mainserv samba]#
> I created your smb.conf, and your users. I ran the tests from smbclient, as
> I didn't want to take 5 minutes to reboot my machine. Also, not having your
> authentication server, and not having a PDC handy, I needed to comment out
> your password server=. Probably more significantly, I didn't have your
> username map= file, so I commented that out.
I also removed password server= and changed security to user and added
ronaldd to smbpasswd. Result is the same. "connect to service" appears in
log.pcguest. I tried smbclient //cwnl-lycosa -U cwnl-ronaldd. And the
"connect to service" appears in the log file log.cwnl-ronaldd. I can only
reproduce it with my NT 4.0SP5 workstation ( not tried other MS-clients).
Reading the man page again I saw:
%U = session user name (the user name that the client wanted, not
necessarily the same as the one they got).
It looks like NT first tries to connect as a guest, logging starts in
file log.pcguest which contains the "connect to service" message. And
when the share disconnects it logs in file log.cwnl-ronaldd. When I
raise the debug level to 10 log messages are spread over 3 files: log. ,
log.pcguest , log.cwnl-ronaldd. This happens when opening \\cwnl-lycosa
via Start -> RUN and select share temp. When accessing via a mapped
drive no log is written to log.pcguest.
If %U is not necessarily the windows username then it is not possible to
audit which user connects to which share because with the forced user
option this information is lost.
> We can exploit the differences now. First step, send me your username map
root at lycosa # cat ../lib/username.map
ronaldd = cwnl-ronaldd
> file (or a subset sufficient to this anomaly). One thing. Are you
> absolutely, positively certain you didn't accidentally access [temp] as
> user pcguest?
I am logged in to our domain as cwnl-ronaldd and I am not supplying any
usernames/passwords. The share is restricted to one person, valid user =
ronaldd and guest ok = no. I can see the contents of the share. I assume
that it is only possible to connect as a non guest user.
> Steve Litt
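
An added example, not part of the original message and not Samba code: one way to recover which Windows user opened a share when the "connect to service" line lands in the guest log, by pairing it with the "closed connection to service" line written under the real session name. The close-line format and its timestamp are assumptions (the message quotes only the connect line), and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample of per-%U log files. The connect line is the one quoted in
# the message; the close line's timestamp and exact format are assumptions.
SAMPLE_LOGS = {
    "log.pcguest":
        "2000/03/14 22:21:43 cwnl-c1683 (172.16.27.85) connect to service temp as\n"
        "user test1 (uid=3310,gid=1430) (pid 28476)\n",
    "log.cwnl-ronaldd":
        "2000/03/14 22:25:10 cwnl-c1683 (172.16.27.85) closed connection to service temp\n",
}

EVENT = re.compile(
    r"(?P<ts>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d) (?P<machine>\S+) \((?P<ip>[\d.]+)\) "
    r"(?P<action>connect to|closed connection to) service (?P<service>\S+)"
    r"(?: as user (?P<unix_user>\S+))?")

def parse_events(logs):
    """Yield one dict per connect/close line, tagged with the %U from the file name."""
    for name, text in logs.items():
        log_user = name.partition("log.")[2]      # "" for the bare "log." file
        flat = " ".join(text.split())             # undo line wrapping
        for m in EVENT.finditer(flat):
            yield dict(m.groupdict(), log_user=log_user)

def attribute_sessions(logs):
    """Pair each connect with the next close from the same client and share."""
    events = sorted(parse_events(logs), key=lambda e: e["ts"])
    closes = defaultdict(list)
    for e in events:
        if e["action"].startswith("closed"):
            closes[(e["machine"], e["ip"], e["service"])].append(e)
    sessions = []
    for e in events:
        if e["action"] != "connect to":
            continue
        pending = closes[(e["machine"], e["ip"], e["service"])]
        close = next((c for c in pending if c["ts"] >= e["ts"]), None)
        if close:
            pending.remove(close)                 # one close per connect
        sessions.append({
            "client": e["machine"], "service": e["service"],
            "unix_user": e["unix_user"],          # what "force user" left in the line
            "connect_log_user": e["log_user"],    # %U when the connect was logged
            "close_log_user": close["log_user"] if close else None,
            "mismatch": bool(close) and close["log_user"] != e["log_user"],
        })
    return sessions

if __name__ == "__main__":
    for s in attribute_sessions(SAMPLE_LOGS):
        print(s)
```

Pairing on client name, IP address and share is a heuristic: two overlapping sessions from the same workstation to the same share cannot be told apart this way.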