[Samba] Need IP on failed logins in logfile
Mark Foley
mfoley at ohprs.org
Sat Jun 25 16:32:54 UTC 2016
I am running Samba Version 4.1.23 as an AD/DC on Linux Slackware64 14.1. I am logging samba
messages to /var/log/samba/log.samba with logging set to the following in smb.conf:
log level = 2 passdb:5 auth:10 winbind:2 lanman:10
I have a script that scans this logfile for message like the following:
auth_check_password_recv: sam_ignoredomain authentication for user [HPRS\thisuser] FAILED with error NT_STATUS_NO_SUCH_USER
auth_check_password_recv: sam_ignoredomain authentication for user [HPRS\thatuser] FAILED with error NT_STATUS_WRONG_PASSWORD
Usually, these are not a big deal as they are the results of a local domain user mistyping
either their login ID or password. However, occasionally the attempts are clearly outsiders
trying to break in.
Is there some way to get the logger to show the IP of the failure? Currently it shows only the
domain and user.
I think I've read something on this before, but I can't seem to find it.
Thanks, Mark
More information about the samba
mailing list