[Samba] Need IP on failed logins in logfile
rpenny at samba.org
Sun Jun 26 20:18:53 UTC 2016
On 26/06/16 20:22, Mark Foley wrote:
> On Sun, 26 Jun 2016 09:24:16 Rowland penny <rpenny at samba.org> wrote:
>> So, if you are looking for an ipaddress of a failed login attempt, it
>> seems you can get it.
> That looked interesting. I tried creating the logfile /var/log/samba/.log.samba.%m and restarting
> samba. What it did was immediately create separate log files for each currently attached
> workstation: log.samba.192.168.0.50, log.samba.192.168.0.51, etc. I then tried connecting
> remotely with a bad password as I had done before. It created a file log.samba.%m (no IP) with
> the entry
> [2016/06/26 14:56:28.119286, 2] ../source4/auth/ntlm/auth.c:420(auth_check_password_recv)
> auth_check_password_recv: sam_ignoredomain authentication for user [HPRS\mark] FAILED with error NT_STATUS_WRONG_PASSWORD
> In the log files with IPs, e.g. log.samba.192.168.0.50, I do see IP addresses on messages with
> "closed connection" text, but the failed login logfile does not have this message, no closed
> connection. Probably because a connection was never established.
> You also have "SPNEGO login failed" whereas I have nothing like that. In my case, I'm trying to
> use Remote Desktop Connection to log into a Windows 7 workstation, so perhaps the mechanism is
> In any case -- not working for me :(
Well, it looks like I have found something that works easily on a DC,
but with extreme difficulty on a domain member. :-)
I tested against a DC and it worked, but when I tested the other way,
from the DC, nothing :-(
So I started to raise the log level, and I ended up at 10 before I got this:
root@devstation:/home/rowland# cat /usr/local/samba/var/log.192.168.0.5 | grep 'receive_smb_raw_talloc failed'
receive_smb_raw_talloc failed for client ipv4:192.168.0.5:57599 read error = NT_STATUS_END_OF_FILE.
To be honest, I started at 0 and went up the log levels one at a time
until 4, at which point I just jumped to 10.
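
An added example, not code from this thread or from Samba: a Python sketch that pulls the two message types quoted above out of log text and attaches a client address, taken either from a per-client log file name or from the `client ipv4:` field. The function names are hypothetical, and it assumes IPv4 addresses and the line layouts shown in the thread.

```python
import re
from ipaddress import ip_address

# Debug header, e.g. "[2016/06/26 14:56:28.119286, 2] ../source4/...(function)"
HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d\.\d+),\s*(\d+)\]")
AUTH_FAIL = re.compile(r"authentication for user \[([^\]]+)\] FAILED with error (NT_STATUS_\w+)")
RAW_FAIL = re.compile(r"receive_smb_raw_talloc failed for client ipv4:([\d.]+):(\d+)")

def ip_from_logname(path):
    """Return the address a per-client log name ends in, or None (e.g. a literal %m)."""
    candidate = ".".join(path.split("/")[-1].split(".")[-4:])
    try:
        return str(ip_address(candidate))
    except ValueError:
        return None

def extract_events(path, text):
    """Return dicts for failed-auth lines and client read errors found in one log."""
    file_ip, stamp, events = ip_from_logname(path), None, []
    for line in text.splitlines():
        header = HEADER.match(line)
        if header:                      # the message text follows on the next line
            stamp = header.group(1)
            continue
        auth = AUTH_FAIL.search(line)
        if auth:                        # no address in the line: fall back to the file name
            events.append({"kind": "auth_failed", "time": stamp, "user": auth.group(1),
                           "status": auth.group(2), "ip": file_ip, "port": None})
        raw = RAW_FAIL.search(line)
        if raw:                         # the line itself names the client endpoint
            events.append({"kind": "read_error", "time": stamp, "user": None,
                           "status": None, "ip": raw.group(1), "port": int(raw.group(2))})
    return events

# Log text quoted in the thread; the file names below are the ones it mentions.
AUTH_LOG = r"""[2016/06/26 14:56:28.119286, 2] ../source4/auth/ntlm/auth.c:420(auth_check_password_recv)
  auth_check_password_recv: sam_ignoredomain authentication for user [HPRS\mark] FAILED with error NT_STATUS_WRONG_PASSWORD
"""
RAW_LOG = "receive_smb_raw_talloc failed for client ipv4:192.168.0.5:57599 read error = NT_STATUS_END_OF_FILE.\n"

if __name__ == "__main__":
    for name, text in (("log.samba.%m", AUTH_LOG),
                       ("log.samba.192.168.0.50", AUTH_LOG),  # constructed: same entry in a per-client file
                       ("log.192.168.0.5", RAW_LOG)):
        for event in extract_events(name, text):
            print(name, event)
```

A failed-auth entry that lands in a file named with a literal `%m`, as in the quoted report, comes back with `ip` set to `None`, so it is flagged as unattributed instead of being dropped.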