[Samba] Need IP on failed logins in logfile

Rowland penny rpenny at samba.org
Sun Jun 26 08:24:16 UTC 2016


On 26/06/16 06:16, Mark Foley wrote:
> I used to also get related log messages of the form:
>
> auth_check_password_send: Checking password for unmapped user [HPRS]\[mark]@[ROVER]
>    auth_check_password_send: mapped user is: [HPRS]\[mark]@[ROVER]
>
> but now all I get is the auth_check_password_recv in the log.  Perhaps the change is due to an
> upgrade to Samba, or perhaps a change I made to my smb.conf log options? (see log config in
> my original email below mj's).
>
> Anyway, samba does (or did) have access to the hostname of the offending computer. The one
> shown above, ROVER, is actually my home laptop's host name, said computer being miles away from
> the Samba server and in no way part of the AD/DC domain. If it can know the hostname, it surely
> must have knowledge of the computer's IP?
>
> Perhaps this all can be submitted somewhere as an upgrade request? I think for the sake of
> Internet security in this day-and-age of cyber criminals it would be useful to know the IP of
> attackers so appropriate countermeasures could be taken.
>
> Rowland, I will investigate pam_tally[2] to see what it does. I've not heard of it before.
>
> I suppose I could also run tcpdump continuously against the specific port(s) where such logins
> can occur, but that is a bit of work, esp. since the timestamp of the samba log message is
> detached to a separate message preceding the one listing the failed user.
>
> --Mark
>
>>> To: samba at lists.samba.org
>>> From: mj <lists at merit.unu.edu>
>>> Date: Sat, 25 Jun 2016 22:48:13 +0200
>>> Subject: Re: [Samba] Need IP on failed logins in logfile
>>>
>>>
>>> On 06/25/2016 06:32 PM, Mark Foley wrote:
>>>> I think I've read something on this before, but I can't seem to find it.
>>> As far as we know, this is impossible. :-(
>>>
>>> It a feature we would also VERY much like to see, for exactly the same
>>> reason.
>>>
>>> MJ
>>>
>>> -- 
>>> To unsubscribe from this list go to the following URL and read the
>>> instructions:  https://lists.samba.org/mailman/options/samba
>> From: Mark Foley <mfoley at ohprs.org>
>> Date: Sat, 25 Jun 2016 12:32:54 -0400
>> To: samba at lists.samba.org
>> Subject: [Samba] Need IP on failed logins in logfile
>>
>> I am running Samba Version 4.1.23 as an AD/DC on Linux Slackware64 14.1. I am logging samba
>> messages to /var/log/samba/log.samba with logging set to the following in smb.conf:
>>
>> log level = 2 passdb:5 auth:10 winbind:2 lanman:10
>>
>> I have a script that scans this logfile for message like the following:
>>
>> auth_check_password_recv: sam_ignoredomain authentication for user [HPRS\thisuser] FAILED with error NT_STATUS_NO_SUCH_USER
>> auth_check_password_recv: sam_ignoredomain authentication for user [HPRS\thatuser] FAILED with error NT_STATUS_WRONG_PASSWORD
>>
>> Usually, these are not a big deal as they are the results of a local domain user mistyping
>> either their login ID or password. However, occasionally the attempts are clearly outsiders
>> trying to break in.
>>
>> Is there some way to get the logger to show the IP of the failure? Currently it shows only the
>> domain and user.
>>
>> I think I've read something on this before, but I can't seem to find it.
>>
>> Thanks, Mark

After a bit of thought, I remembered that you can set up logging for 
each machine, so I added 'log file = /usr/local/samba/var/log.%m' to my 
DC's smb.conf and restarted samba.

I then tried to connect to the share with smbclient as a non-existent user:

rowland at devstation:~$ smbclient \\\\dc1\\data -U derf%gggfdwsscvo

When I examined the resulting logfile on the DC:

root at dc1:~# nano /usr/local/samba/var/log.192.168.0.180

I found this:

[2016/06/26 09:11:28.226254,  2] ../source4/auth/ntlm/auth.c:430(auth_check_password_recv)
   auth_check_password_recv: sam_ignoredomain authentication for user [SAMDOM\derf] FAILED with error NT_STATUS_NO_SUCH_USER
[2016/06/26 09:11:28.226339,  2] ../auth/gensec/spnego.c:716(gensec_spnego_server_negTokenTarg)
   SPNEGO login failed: NT_STATUS_NO_SUCH_USER
[2016/06/26 09:16:55.243885,  2] ../source3/smbd/service.c:1140(close_cnum)
   192.168.0.180 (ipv4:192.168.0.180:59351) closed connection to service data

So, if you are looking for an ipaddress of a failed login attempt, it 
seems you can get it.

Rowland
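As an added example (not code from this thread or from the Samba project), here is the kind of log scanner Mark describes, written against the per-client log layout Rowland shows above. It reassembles each two-line log entry so the timestamp stays attached to the FAILED line, takes the client identity from the log.%m file name (Samba fills %m with the client's NetBIOS name when one was sent and otherwise with its IP address, which is why Rowland's file is named log.192.168.0.180), prefers an ipv4:/ipv6: address from a close_cnum line when the log contains one, and counts failures per client so the result can be handed to a firewall rule. The sample log text is constructed from the message formats quoted in the thread; the address 203.0.113.7 and the administrator password guesses in it are made up.

```python
#!/usr/bin/env python3
# Added example (not code from the thread): pull the client identity out of
# Samba's per-client logs ('log file = .../log.%m') and count failed logins.
# Sample log text is constructed from the formats quoted in the thread; the
# address 203.0.113.7 is made up.
import re
import sys
from collections import Counter
from typing import Dict, Iterable, List, NamedTuple, Tuple

# Entry header "[YYYY/MM/DD hh:mm:ss.uuuuuu,  level] file.c:NNN(function)"; the
# message follows on indented line(s), so a plain grep for FAILED loses the time.
HEADER_RE = re.compile(r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}(?:\.\d+)?),\s*(?P<level>\d+)\]")
# The failure line Mark's script scans for.
FAIL_RE = re.compile(r"auth_check_password_recv: .*?authentication for user \[(?P<user>[^\]]+)\]"
                     r" FAILED with error (?P<status>NT_STATUS_\w+)")
# smbd connection lines (close_cnum etc.) carry "(ipv4:ADDR:PORT)" or "(ipv6:ADDR:PORT)".
ADDR_RE = re.compile(r"\(ipv[46]:(?P<addr>.+):(?P<port>\d+)\)")

class Failure(NamedTuple):
    timestamp: str
    user: str
    status: str
    client: str

def parse_entries(lines: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (timestamp, message) pairs, gluing each header to its continuation lines."""
    entries: List[Tuple[str, str]] = []
    ts, body = None, []
    for raw in lines:
        line = raw.rstrip("\n")
        m = HEADER_RE.match(line)
        if m:
            if ts is not None:
                entries.append((ts, " ".join(body)))
            ts, body = m.group("ts"), [line[m.end():].strip()]  # keep file:line(function)
        elif ts is not None:
            body.append(line.strip())
    if ts is not None:
        entries.append((ts, " ".join(body)))
    return entries

def client_from_filename(name: str) -> str:
    """With log.%m the file name is the client's NetBIOS name or, failing that, its IP."""
    base = name.rsplit("/", 1)[-1]
    return base[len("log."):] if base.startswith("log.") else base

def failures_from_log(name: str, lines: Iterable[str]) -> List[Failure]:
    """Failed logins in one per-client log. The client comes from the file name,
    or from the first ipv4:/ipv6: address in the log when there is one."""
    entries = parse_entries(lines)
    client = client_from_filename(name)
    for _, msg in entries:
        a = ADDR_RE.search(msg)
        if a:
            client = a.group("addr")
            break
    found = []
    for ts, msg in entries:
        f = FAIL_RE.search(msg)
        if f:
            found.append(Failure(ts, f.group("user"), f.group("status"), client))
    return found

def offenders(logs: Dict[str, str], threshold: int = 3) -> Dict[str, int]:
    """Clients with at least `threshold` failures: the input for a block rule."""
    counts: Counter = Counter()
    for name, text in logs.items():
        counts.update(f.client for f in failures_from_log(name, text.splitlines()))
    return {c: n for c, n in counts.items() if n >= threshold}

# Constructed sample: Rowland's smbclient test, plus a made-up remote client
# guessing the administrator password three times.
SAMPLE_LOGS = {
    "log.192.168.0.180": (
        "[2016/06/26 09:11:28.226254,  2] ../source4/auth/ntlm/auth.c:430(auth_check_password_recv)\n"
        "  auth_check_password_recv: sam_ignoredomain authentication for user [SAMDOM\\derf] FAILED with error NT_STATUS_NO_SUCH_USER\n"
        "[2016/06/26 09:11:28.226339,  2] ../auth/gensec/spnego.c:716(gensec_spnego_server_negTokenTarg)\n"
        "  SPNEGO login failed: NT_STATUS_NO_SUCH_USER\n"
        "[2016/06/26 09:16:55.243885,  2] ../source3/smbd/service.c:1140(close_cnum)\n"
        "  192.168.0.180 (ipv4:192.168.0.180:59351) closed connection to service data\n"
    ),
    "log.203.0.113.7": "".join(
        f"[2016/06/26 03:1{i}:00.000000,  2] ../source4/auth/ntlm/auth.c:430(auth_check_password_recv)\n"
        "  auth_check_password_recv: sam_ignoredomain authentication for user [HPRS\\administrator] FAILED with error NT_STATUS_WRONG_PASSWORD\n"
        for i in range(3)
    ),
}

if __name__ == "__main__":
    # Real use: python3 samba_failed_logins.py /usr/local/samba/var/log.*
    logs = {p: open(p, errors="replace").read() for p in sys.argv[1:]} or SAMPLE_LOGS
    for client, n in sorted(offenders(logs).items(), key=lambda kv: -kv[1]):
        print(f"{client}\t{n} failed logins")
```

Run it over the per-client files (/usr/local/samba/var/log.* with Rowland's setting) and it prints the clients that crossed the threshold; with no arguments it runs over the constructed sample, where only 203.0.113.7 reaches three failures. When the file name is a NetBIOS name rather than an address, the address is only recovered if the same log contains a connection line with ipv4:/ipv6: in it, so keep the log level high enough for close_cnum (level 2, as in Rowland's output) to be written.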
