[Samba] bad password lockout on 4.2.4

[James]

On 9/24/2015 9:51 AM, mourik jan heupink wrote:
> Hi James,
>
>> Another option is to have these events forwarded to a Syslog. I have
>> enabled a few workstations through GPO to process 'Audit account logon
>> events'. When a user enters a bad password or username. The event is
>> triggered and sent to the syslog.
>>
>> I did the above because of the exact issue you are facing. I was unable
>> to easily find these events by grepping the samba log files.
> ok that sounds interesting, and I'll take a good look at it.
>
> But if I understand it correctly, that would give me an overview of
> windows domain workstation logons, and it would not include any failed
> ldap authentication events to our AD, and such, right?
>
> Asking because I can trigger the same errors though an web ldap logon,
> so therefore I think it could be caused by *any* of our ldap enabled
> services. (these all talk to the same three dc's)
>
You would need to configure event forwarding on all your servers.

For instance, I have a web server that uses Samba AD to authenticate
users. If Apache sees a failed logon. It creates a event in it's syslog.
This then gets forwarded to my central syslog server.

-- 
-James