[Samba] Re: Sarbanes-Oxley headaches

Robert Kelly robert.kelly at ebimed.com
Fri May 13 18:51:51 GMT 2005

Tony Earnshaw wrote:
> tor, 12.05.2005 kl. 18.54 skrev Robert Kelly:
>>With the new scrutinization by auditors on account policies and
>>auditing, how can Samba be SOX compliant?
>>Using 3.0.14a-sernet on Suse 9.1 - ldapsam
>>Specifically, a couple of things seem to be lacking:
>>1) Logon/Logoff times are not being recorded
>>	The last logon times recorded in my ldap entries are pre-nt4 migration.
> Bad luck?

By bad luck, do you mean your sambaLogonTime and sambaLogoffTime
attributes are getting updated?

>>2) Do the Audit Policy values in user manager have any effect?
>>	Are they implemented?
>>	Can they be syslogged?
> No to both, please read the official Samba HOWTOs. Experiment. Like we
> all have to.

Thanks, I didn't see any mention of audit policy only account and user

>>3) How can I get a hook into logons?
>>	Without turning up the debug values, how can I tell if an account has
>>had repeated login failures?
> Try 'man pdbedit' and search for "-P". 
> I have never understood why people complain about any item of software's
> supposed limitations until they have read and thoroughly understand all
> aspects of all the documentation. Perhaps they aspire toward posthumous
> beatification, attaining al martyrs' brigade status or whatever.

Again, I'm aware of the account policies, how to view and set them. I'm
asking about the auditing policies e.g. logon/logoff success or failure.

> *Wake up* and at least make *some effort* to read the docs and follow
> the threads and experiment for yourself as 1001 others on this list,
> including the undersigned choose to do. Hanging yourself out is not to
> your own advantage.
> --Tonni

Thanks for your input Tonni. I've been using samba as our production
fileservers for years and migrated our NT4 domain to Samba/ldapsam last
August. It's been running great, but with the SOX audits, I don't have
answers for them about the audit functions. Of course I have gone
through the documentation and googled. I'm posting to this forum because
the information I needed wasn't found there. The documentation is
excellent and without it I wouldn't have even thought about migrating
domain control to samba. What I don't want is the auditors to make a
recommendation to migrate from samba to Active Directory just because of
the missing audit functions.

