[Samba] tracking user activity - Active Directory

Bob Miller bob at computerisms.ca
Thu Mar 7 16:10:53 MST 2013

Thanks Gregory,

I appreciate your answer, but this isn't quite what I am looking for.

I am using samba4 compiled from source, and I am using daemontools to
run it, so all the logs are being captured on stdout and dumped into a
file, but I understand your point about where the logs are and how to
search them.

What I am looking for might be better described like so:

grep "Mar 5" sambalogfile | grep <string showing a workstation was
logged into>

Note that I am not looking to see if a specific user logged in during a
specific time, but for all users that performed a login in during a
specific time.

Also, because I have multiple services authenticating against this
active directory, how do I tell the difference between a user logging
into a workstation and a user logging into webmail (and being
authenticated by Active Directory) from outside the organization?

Bob Miller      
867-334-7117 / 867-633-3760

On Thu, 2013-03-07 at 14:38 -0600, Gregory Carter wrote:
> Yes.
> Under /var/log/samba in a typical distro you will find the log files for 
> each IP address/workstation connected to the samba server.
> You could then use egrep to go through the files and look for various 
> logins.
> A typical example would be:
> egrep -in "gcarter|Mar 5" log*
> The above example looks through all of the log files beginning with 
> "log" and looks for the samba user name and date associated with the name.
> If you are not capturing that sort of detail, depending on how you have 
> your smbd process configured, you might be out of luck.
> You can use the same technique on any log file including Email if you 
> are running a email/smtp/pop server of course for searching information.
> -gc
> On 03/07/2013 02:17 PM, Bob Miller wrote:
> > Hello,
> >
> > Some mischief happened and I have been asked if I can find out who was
> > logged into their computers within a specific off-hours time frame.  My
> > logs for that time frame happened to be running at debug level 3, so I
> > have been looking through them and trying to figure out how to recognize
> > a workstation login.  I find lines beginning with
> > auth_check_password_send that seem like reasonably good candidates, but
> > I have a number of other services such as email authenticating against
> > the AD, and it seems that is just as likely to describe a mail log in as
> > it is a workstation login.  Is there a way, or some documentation that
> > will explain how, to parse the log files and determine which
> > workstations were actively in use and by which account?  Or are there
> > any tools that will parse the log files and provide me such information?
> >

More information about the samba mailing list