samba not logging windows user names

Ronald Derksen Ronald_Derksen at nl.compuware.com
Thu Nov 25 07:31:01 GMT 1999


Steve Litt wrote:
> 
> At 10:00 AM 11/24/1999 +0100, you wrote:
> >Steve Litt wrote:
> >>
> >> Thread continues at bottom...
> >>
> >> At 08:17 PM 11/23/1999 +1100, Ronald Derksen wrote:
> >> >Steve Litt wrote:
> >> >>
> >> >> At 07:26 PM 11/22/1999 +1100, Ronald Derksen wrote:
> >> >> >Hi,
> >> >> [clip]
> >> >> >I also tried logging to a file which contains '%U' but this gives me very
> >> >> >often the 'guest' name in the logfile while guest access is denied.
> >> >> [clip]
> >> >> >Ronald Derksen
> >> >>
> >> >> Ronald -- the listing of "guest" as %U is not at all my experience. My
> >> >> experience is %U is the username on the windows box or the -U arg of
> >> >> smbclient, irrespective of any guesting issues. Either I've spaced out or
> >> >> you've discovered a very interesting anomaly. Can you reproduce this
> >> >> behavior with a tiny smb.conf?
> >> >
> >> >Yes
> >> >
> >> >root at lycosa # cat ../lib/smb.conf
> >> >[GLOBAL]
> >> >        netbios name    = cwnl-lycosa
> >> >        workgroup = CWNL-LAB
> >> >        guest account = pcguest
> >> >        log file = /usr/local/samba/log/log.%U
> >> >        debug level = 1
> >> >        encrypt passwords = yes
> >> >        password server = cweu-users-pdc
> >> >        security = server
> >> >        username map = /usr/local/samba/lib/username.map
> >> >        lock directory = /usr/local/samba/locks
> >> >       dead time = 1
> >> >
> >> >[temp]
> >> >        path = /tmp
> >> >        guest ok = no
> >> >        valid users = ronaldd
> >> >        force user = test1
> >> >root at lycosa # ls -l /usr/local/samba/log
> >> >total 8
> >> >-rw-r--r--   1 root     system         0 Mar 14 22:21 log.
> >> >-rw-r--r--   1 root     system         0 Mar 14 22:21 log.cwnl-ronaldd
> >> >-rw-r--r--   1 root     system       116 Mar 14 22:21 log.pcguest
> >> >root at lycosa # cat /usr/local/samba/log/log.pcguest
> >> >2000/03/14 22:21:43 cwnl-c1683 (172.16.27.85) connect to service temp as
> >> >user test1 (uid=3310,gid=1430) (pid 28476)
> >> >root at lycosa #
> >> >
> >> >The "connect to service" line only appears in the logfile "log.pcguest".
> >> >This happens when connect via "START -> RUN -> open: \\cwnl-lycosa" and
> >> >select share temp ( and browse network neighborhood ). This is the
> >> >behaviour of most of our users because there are too many shares that
> >> >are not always needed. When I do a "map network drive" the "connect to
> >> >service" line only appears in the logfile "log.cwnl-ronaldd".
> >> >
> >> >Some interesting note I just found out: The "closed connection to
> >> >service" line comes in the file "log.cwnl-ronaldd" when browsing.
> >>
> >> Ronald -- the plot thickens.
> >>
> >> My results were:
> >>
> >> [root at mainserv samba]# ls log
> >> log.  log.ronaldd  log.test1
> >> [root at mainserv samba]# ls -ldF log/*
> >> -rw-r--r--   1 root     root          282 Nov 23 05:51 log/log.
> >> -rw-r--r--   1 root     root          379 Nov 23 05:51 log/log.ronaldd
> >> -rw-r--r--   1 root     root          198 Nov 23 05:51 log/log.test1
> >> [root at mainserv samba]#
> >>
> >> I created your smb.conf, and your users. I ran the tests from smbclient, as
> >> I didn't want to take 5 minutes to reboot my machine. Also, not having your
> >> authentication server, and not having a PDC handy, I needed to comment out
> >> your password server=. Probably more significantly, I didn't have your
> >> username map= file, so I commented that out.
> >
> >I also removed password server= and changed security to user and added
> >ronaldd to smbpasswd. Result is the same. "connect to service" appears in
> >log.pcguest. I tried smbclient //cwnl-lycosa -U cwnl-ronaldd. And the
> >"connect to service" appears in the log file log.cwnl-ronaldd. I can only
> >reproduce it with my NT 4.0SP5 workstation (not tried other MS-clients).
> >
> >Reading the man page again I saw:
> > %U = session user name (the user name that the client wanted, not
> >necessarily the same as the one they got).
> >
> >It looks like NT first tries to connect as a guest, logging starts in
> >file log.pcguest which contains the "connect to service" message. And
> >when the share disconnects it logs in file log.cwnl-ronaldd. When I
> >raise the debug level to 10 log messages are spread over 3 files: log. ,
> >log.pcguest , log.cwnl-ronaldd. This happens when opening \\cwnl-lycosa
> >via Start -> RUN and select share temp. When accessing via a mapped
> >drive no log is written to log.pcguest
> >
> >If %U is not necessarily the windows username then it is not possible to
> >audit which user connects to which share because with the forced user
> >option this information is lost.
> >>
> >> We can exploit the differences now. First step, send me your username map
> >
> >root at lycosa # cat ../lib/username.map
> >ronaldd = cwnl-ronaldd
> >
> >> file (or a subset sufficient to this anomaly). One thing. Are you
> >> absolutely, positively certain you didn't accidentally access [temp] as
> >> user pcguest?
> >I am logged in to our domain as cwnl-ronaldd and I am not supplying any
> >usernames/passwords. The share is restricted to one person, valid user =
> >ronaldd and guest ok = no. I can see the contents of the share. I assume
> >that it is only possible to connect as a non guest user.
> >>
> >> Steve Litt
> >
> >Ronald Derksen
> >
> 
> Ronald -- I'll try your username map later, but Jerry Carter suggested
> maybe it's your PDC that's granting guest access. What happens if you
> temporarily authenticate on the Samba server itself?
That is what I did yesterday, I removed PDC authentication and added me
in smbpasswd. The result is the same.

I also looked in the samba source and found the place where the "connect
to service" message is written and added a dbgtext line which prints the
variable 'sesssetup_user'. Now I see the username cwnl-ronaldd in the
logfile and not guest.

Ronald
> 
> Steve

-- 
-----------------------------------------------------------------------
Ronald Derksen                   Tel:   +31-20-3116153
Unix Systems Administrator       Fax:   +31 20 3116200
Compuware Europe B.V.            Email: Ronald_Derksen at nl.compuware.com
Amsterdam
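
Added example, not part of the original message or of the Samba source: a log audit that reproduces the situation in this thread, where `log file = log.%U` files the "connect to service" line under the guest name while `force user` hides the real user. The "closed connection" line layout, its timestamp, and the pairing heuristic (same client, same share, closed at or after the connect) are assumptions made for illustration.

```python
import re

# Line layout taken from the log excerpt in the thread; the "closed connection"
# layout is an assumption (the thread only names that message).
HEAD = r"^(?P<ts>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d) (?P<host>\S+) \((?P<ip>[\d.]+)\) "
CONNECT = re.compile(HEAD + r"connect to service (?P<share>\S+) as user "
                     r"(?P<unix_user>\S+) \(uid=\d+,gid=\d+\) \(pid (?P<pid>\d+)\)$")
CLOSED = re.compile(HEAD + r"closed connection to service (?P<share>\S+)$")

# Constructed sample: file name -> contents, as produced by "log file = log.%U".
SAMPLE_LOGS = {
    "log.": "",
    "log.pcguest": "2000/03/14 22:21:43 cwnl-c1683 (172.16.27.85) connect to "
                   "service temp as user test1 (uid=3310,gid=1430) (pid 28476)\n",
    "log.cwnl-ronaldd": "2000/03/14 22:23:10 cwnl-c1683 (172.16.27.85) closed "
                        "connection to service temp\n",
}

def parse(logs, pattern):
    """Yield (session_name, fields) for every line matching pattern."""
    for fname, text in logs.items():
        session = fname.split(".", 1)[1]   # the %U value Samba put in the file name
        for line in text.splitlines():
            m = pattern.match(line)
            if m:
                yield session, m.groupdict()

def audit(logs, guest_account):
    """Pair connects filed under the guest name with the session that closed them."""
    closes = list(parse(logs, CLOSED))
    report = []
    for session, c in parse(logs, CONNECT):
        probable = session
        if session == guest_account:
            # Same client, same share, closed at or after the connect time.
            key = (c["host"], c["ip"], c["share"])
            hits = sorted((k["ts"], s) for s, k in closes
                          if (k["host"], k["ip"], k["share"]) == key
                          and k["ts"] >= c["ts"] and s != guest_account)
            probable = hits[0][1] if hits else None
        report.append({"ts": c["ts"], "client": c["host"], "share": c["share"],
                       "logged_as": session, "unix_user": c["unix_user"],
                       "probable_user": probable})
    return report

if __name__ == "__main__":
    for row in audit(SAMPLE_LOGS, guest_account="pcguest"):
        print(row)
```

A `probable_user` of `None` marks a connect that cannot be attributed from the logs alone, which is the audit gap the message describes.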

