samba not logging windows user names

Steve Litt slitt at troubleshooters.com
Wed Nov 24 14:01:20 GMT 1999


At 10:00 AM 11/24/1999 +0100, you wrote:
>Steve Litt wrote:
>> 
>> Thread continues at bottom...
>> 
>> At 08:17 PM 11/23/1999 +1100, Ronald Derksen wrote:
>> >Steve Litt wrote:
>> >>
>> >> At 07:26 PM 11/22/1999 +1100, Ronald Derksen wrote:
>> >> >Hi,
>> >> [clip]
>> >> >I also tried logging to a file which contains '%U' but this gives me very
>> >> >often the 'guest' name in the logfile while guest access is denied.
>> >> [clip]
>> >> >Ronald Derksen
>> >>
>> >> Ronald -- the listing of "guest" as %U is not at all my experience. My
>> >> experience is %U is the username on the windows box or the -U arg of
>> >> smbclient, irrespective of any guesting issues. Either I've spaced out or
>> >> you've discovered a very interesting anomaly. Can you reproduce this
>> >> behavior with a tiny smb.conf?
>> >
>> >Yes
>> >
>> >root at lycosa # cat ../lib/smb.conf
>> >[GLOBAL]
>> >        netbios name    = cwnl-lycosa
>> >        workgroup = CWNL-LAB
>> >        guest account = pcguest
>> >        log file = /usr/local/samba/log/log.%U
>> >        debug level = 1
>> >        encrypt passwords = yes
>> >        password server = cweu-users-pdc
>> >        security = server
>> >        username map = /usr/local/samba/lib/username.map
>> >        lock directory = /usr/local/samba/locks
>> >       dead time = 1
>> >
>> >[temp]
>> >        path = /tmp
>> >        guest ok = no
>> >        valid users = ronaldd
>> >        force user = test1
>> >root at lycosa # ls -l /usr/local/samba/log
>> >total 8
>> >-rw-r--r--   1 root     system         0 Mar 14 22:21 log.
>> >-rw-r--r--   1 root     system         0 Mar 14 22:21 log.cwnl-ronaldd
>> >-rw-r--r--   1 root     system       116 Mar 14 22:21 log.pcguest
>> >root at lycosa # cat /usr/local/samba/log/log.pcguest
>> >2000/03/14 22:21:43 cwnl-c1683 (172.16.27.85) connect to service temp as
>> >user test1 (uid=3310,gid=1430) (pid 28476)
>> >root at lycosa #
>> >
>> >The "connect to service" line only appears in the logfile "log.pcguest".
>> >This happens when I connect via "START -> RUN -> open: \\cwnl-lycosa" and
>> >select share temp ( and browse network neighborhood ). This is the
>> >behaviour of most of our users because there are too many shares that
>> >are not always needed. When I do a "map network drive" the "connect to
>> >service" line only appears in the logfile "log.cwnl-ronaldd".
>> >
>> >Some interesting note I just found out: The "closed connection to
>> >service" line comes in the file "log.cwnl-ronaldd" when browsing.
>> 
>> Ronald -- the plot thickens.
>> 
>> My results were:
>> 
>> [root at mainserv samba]# ls log
>> log.  log.ronaldd  log.test1
>> [root at mainserv samba]# ls -ldF log/*
>> -rw-r--r--   1 root     root          282 Nov 23 05:51 log/log.
>> -rw-r--r--   1 root     root          379 Nov 23 05:51 log/log.ronaldd
>> -rw-r--r--   1 root     root          198 Nov 23 05:51 log/log.test1
>> [root at mainserv samba]#
>> 
>> I created your smb.conf, and your users. I ran the tests from smbclient, as
>> I didn't want to take 5 minutes to reboot my machine. Also, not having your
>> authentication server, and not having a PDC handy, I needed to comment out
>> your password server=. Probably more significantly, I didn't have your
>> username map= file, so I commented that out.
>
>I also removed password server= and changed security to user and added
>ronaldd to smbpasswd. Result is the same. "connect to service" appears in
>log.pcguest. I tried smbclient //cwnl-lycosa -U cwnl-ronaldd. And the
>"connect to service" appears in the log file log.cwnl-ronaldd. I can only
>reproduce it with my NT 4.0SP5 workstation ( not tried other MS-clients).
>
>Reading the man page again I saw:
> %U = session user name (the user name that the client wanted, not
>necessarily the same as the one they got). 
>
>It looks like NT first tries to connect as a guest, logging starts in
>file log.pcguest which contains the "connect to service" message. And
>when the share disconnects it logs in file log.cwnl-ronaldd. When I
>raise the debug level to 10 log messages are spread over 3 files: log. ,
>log.pcguest , log.cwnl-ronaldd. This happens when opening \\cwnl-lycosa
>via Start -> RUN and select share temp. When accessing via a mapped
>drive no log is written to log.pcguest
>
>If %U is not necessarily the windows username then it is not possible to
>audit which user connects to which share because with the forced user
>option this information is lost.
>> 
>> We can exploit the differences now. First step, send me your username map
>
>root at lycosa # cat ../lib/username.map 
>ronaldd = cwnl-ronaldd
>
>> file (or a subset sufficient to this anomaly). One thing. Are you
>> absolutely, positively certain you didn't accidentally access [temp] as
>> user pcguest?
>I am logged in to our domain as cwnl-ronaldd and I am not supplying any
>usernames/passwords. The share is restricted to one person, valid user =
>ronaldd and guest ok = no. I can see the contents of the share. I assume
>that it is only possible to connect as a non guest user.
>> 
>> Steve Litt
>
>Ronald Derksen
>

Ronald -- I'll try your username map later, but Jerry Carter suggested
maybe it's your PDC that's granting guest access. What happens if you
temporarily authenticate on the Samba server itself?

Steve
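
The audit gap discussed in this thread, as an added example that is not part of the original messages: with `log file = .../log.%U`, the file suffix is the only record of the session user, so this script parses the "connect to service" line format quoted above across the per-%U files and flags connects filed under the guest account or an empty name. The function names `audit_connects` and `needs_followup` are hypothetical, and the second sample line is constructed.

```python
import re
from pathlib import PurePosixPath

# Level-1 "connect to service" line, in the format quoted in the thread.
CONNECT_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) (?P<machine>\S+) "
    r"\((?P<ip>[\d.]+)\) connect to service (?P<share>\S+) as user "
    r"(?P<unix_user>\S+) \(uid=(?P<uid>\d+),gid=(?P<gid>\d+)\) \(pid (?P<pid>\d+)\)$"
)

# Sample input: the log.pcguest line is the one from the thread (unwrapped);
# the log.cwnl-ronaldd line is constructed in the same format.
SAMPLE_LOGS = {
    "/usr/local/samba/log/log.": "",
    "/usr/local/samba/log/log.pcguest":
        "2000/03/14 22:21:43 cwnl-c1683 (172.16.27.85) connect to service temp "
        "as user test1 (uid=3310,gid=1430) (pid 28476)\n",
    "/usr/local/samba/log/log.cwnl-ronaldd":
        "2000/03/14 22:40:02 cwnl-c1683 (172.16.27.85) connect to service temp "
        "as user test1 (uid=3310,gid=1430) (pid 28511)\n",
}

def audit_connects(logs, guest_account):
    """logs maps path -> text for files written via 'log file = .../log.%U'.
    Returns one dict per connect line, with %U recovered from the file suffix."""
    records = []
    for path, text in sorted(logs.items()):
        name = PurePosixPath(path).name
        session_user = name.split(".", 1)[1] if "." in name else ""
        for line in text.splitlines():
            m = CONNECT_RE.match(line.strip())
            if not m:
                continue
            rec = m.groupdict()
            rec["session_user"] = session_user
            # %U is the name the client asked for; guest or empty says nothing
            # about who actually authenticated to the share.
            rec["identity_unreliable"] = session_user in ("", guest_account)
            # With 'force user' (or a username map) the logged Unix user differs.
            rec["unix_user_differs"] = rec["unix_user"] != session_user
            records.append(rec)
    return records

def needs_followup(records):
    """Connects whose only usable attribution is client machine name and IP."""
    return [(r["ts"], r["machine"], r["ip"], r["share"])
            for r in records if r["identity_unreliable"]]

if __name__ == "__main__":
    for row in needs_followup(audit_connects(SAMPLE_LOGS, "pcguest")):
        print(row)
```
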
