[Samba] Lagging failed login attempts

Paul Gienger pgienger at ae-solutions.com
Fri Nov 19 15:51:47 GMT 2004

Adam Tauno Williams wrote:

>>>Are failed client logins on the XP clients logged anywhere ?
>>>How about non-domain member clients accessing shares ?
>>It completely depends on your logging settings.  Perhaps show your 
>>smb.conf global section so we can tell.
>>In my setup, and from the looks of things around here, a lot of other 
>>peoples, is that there is a main log.smbd file and then also a log for 
>>each machine.  Check in those if you are so configured.  I'm sure we'll 
>>have better info for you once we see your globals.
>None of which are terribly useful or consice for loggin access attempts.
Then you aren't trying hard enough.  I 'was' getting stuff like this in 
my logs all over the place

check_ntlm_password:  Authentication for user [training] -> [training] 
check_ntlm_password:  Authentication for user [cmcleod] -> [cmcleod] 

If that isn't a failed login then I don't know what is.  Depending on 
your setup you'll see this in a machine specific file or the unified log 
file.  Trolling through isn't that bad, if you do a grep for NT and then 
another grep for FAILED you'll get the machine it was coming from (in 
the file: section of grep) and probably the username (as above) and the 
reason it was failed (also above).  If you're not seeing that, turn up 
your log level until you do.  I don't think I've ever operated higher 
than 2 in production.

I also see lots of valid connection results, so if you want 'successful' 
connections, it's in there too.

Paul Gienger                    Office: 701-281-1884
Applied Engineering Inc.
Systems Architect               Fax:    701-281-1322
URL: www.ae-solutions.com       mailto: pgienger at ae-solutions.com

More information about the samba mailing list