[Samba] Sernet 4.3.X package is no longer free :/

Mark Foley mfoley at ohprs.org
Thu Oct 8 03:29:48 UTC 2015


Maurik,

You are right. I am currently using 4.1.17 and have the same failed login
messages as you describe. There is, however, a bit more information further down
in the logfile:

[2015/10/07 16:51:24.076283, 2] authentication for user [HPRS/Administrator] FAILED with error NT_STATUS_WRONG_PASSWORD
  auth_check_password_send: Checking password for unmapped user [HPRS]\[Administrator]@[ROVER]

This latter string (with no timestamp, making it hard to find/correlate) does
give the hostname of the offending computer, but not the IP.  Yes, the IP would
be very useful. In this case ROVER is my personal laptop, but all it gives me is
the hostname. The IP would indicate if the miscreant was connecting from inside the
domain (probably OK), or outside the domain (probably very bad). An IP would
also give us a clue as to which IP[range] to firewall if needed.

--Mark

-----Original Message-----
> To: samba at lists.samba.org
> From: mourik jan heupink <heupink at merit.unu.edu>
> Date: Mon, 28 Sep 2015 09:32:11 +0200
> Subject: Re: [Samba] Sernet 4.3.X package is no longer free :/
>
> Hi Birgit,
>
> Most (I guess all) of the things you're asking about will work fine, 
> with 4.1.17 and more recent as well.
>
> One thing will NOT work fine, as we are currently experiencing ourselves:
>
> > * some basic monitoring for samba, e.g. failed AD logins attempts
>
> The only monitoring that currently seems to be possible (someone PLEASE 
> correct us if we're wrong) is a log line like this:
>
> >  auth_check_password_recv: sam_ignoredomain authentication for user [DOMAIN\username] FAILED with error NT_STATUS_WRONG_PASSWORD
>
> No context, nothing else... so NO IP address what machine the attempt 
> came from, no info about used ports, nothing else. I would REALLY like 
> to see SOME more info than just the above.
>
> MJ
>
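
Added example (not part of either message above, and not Samba code): one way to attach the untimestamped "Checking password" line, which carries the workstation name, to the timestamped FAILED line for the same user. It assumes log lines shaped like the two excerpts quoted in this thread; the function name, the nearest-line pairing rule, and the "alice" and "WS-EXAMPLE" sample values are constructed for illustration.

```python
import re
from datetime import datetime

# Timestamped header as quoted in the thread: "[2015/10/07 16:51:24.076283, 2] ..."
HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d\.\d+),\s*\d+\]")
# Matches both quoted forms: [HPRS/Administrator] and [DOMAIN\username]
FAILED = re.compile(
    r"authentication for user \[([^\]/\\]+)[/\\]([^\]]+)\] FAILED with error (\S+)")
# Untimestamped line: [DOMAIN]\[user]@[WORKSTATION]
CHECK = re.compile(
    r"Checking password for unmapped user \[([^\]]*)\]\\\[([^\]]*)\]@\[([^\]]*)\]")

def correlate(lines):
    """Return one record per failed login, with the time of the enclosing
    timestamped header and the workstation from the nearest 'Checking
    password' line for the same user (None if no such line exists)."""
    last_ts, failures, checks = None, [], []
    for idx, line in enumerate(lines):
        m = HEADER.match(line)
        if m:  # remember the most recent timestamp for lines that lack one
            last_ts = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S.%f")
        m = FAILED.search(line)
        if m:
            failures.append({"line": idx, "time": last_ts,
                             "user": (m.group(1).upper(), m.group(2).lower()),
                             "error": m.group(3), "workstation": None})
        m = CHECK.search(line)
        if m:
            checks.append((idx, (m.group(1).upper(), m.group(2).lower()), m.group(3)))
    for f in failures:
        # Assumption: the closest line naming the same user belongs to this attempt.
        near = [(abs(i - f["line"]), ws) for i, user, ws in checks if user == f["user"]]
        if near:
            f["workstation"] = min(near)[1]
    return failures

# Constructed sample: the first two lines are the excerpt from the message above,
# the remaining lines are made up in the same shape.
SAMPLE = [
    "[2015/10/07 16:51:24.076283, 2] authentication for user [HPRS/Administrator] FAILED with error NT_STATUS_WRONG_PASSWORD",
    "  auth_check_password_send: Checking password for unmapped user [HPRS]\\[Administrator]@[ROVER]",
    "[2015/10/07 16:52:01.000001, 2] auth_check_password_recv: sam_ignoredomain authentication for user [HPRS\\alice] FAILED with error NT_STATUS_WRONG_PASSWORD",
    "[2015/10/07 16:53:10.500000, 2] authentication for user [HPRS/Administrator] FAILED with error NT_STATUS_WRONG_PASSWORD",
    "  auth_check_password_send: Checking password for unmapped user [HPRS]\\[Administrator]@[WS-EXAMPLE]",
]

if __name__ == "__main__":
    for rec in correlate(SAMPLE):
        print(rec["time"], "\\".join(rec["user"]), rec["error"], rec["workstation"])
```

The output is still limited to what these log lines contain: a workstation name reported by the client, not a source IP address.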


