[Samba] Authentication Auditing

Arthur Ramsey arthur_ramsey at mediture.com
Wed Jul 13 04:07:04 UTC 2016


Hello,

I'm looking for a way to log the following attributes for all 
authentication activity (LDAP bind, Kerberos, SMB / CIFS, etc.).

I would like to see:

  * Principal name (user name)
  * Source IP
  * Timestamp (including at least seconds if not milliseconds)
  * Authentication result (success / failure)
  * Reason for failure: bad password, account lockout, account expired,
    password expired, etc.

I believe vfs_full_audit can take care of CIFS activity (without failure
reason?).  The Samba logs at level >= 3 show Kerberos authentication
result, principal name, timestamp and reason for failure, but not source
IP.  I cannot find any way to monitor LDAP bind, which is the most
important in my case.  Though I doubt I'm alone: LDAP authentication
seems to be the most popular choice for integrating with Active
Directory, but esp. with a Samba domain controller.

I cannot connect with Event Viewer as the documentation suggests I can.  I
get an error, "The procedure number is out of range(1745)".  No
corresponding errors were observed on the server side.

I searched man pages, wiki and mailing lists, but didn't find any solution.

Certainly a lack of auditing ability is a significant barrier to 
enterprise adoption of Samba based domain controllers?

Thanks,

Arthur




