[Samba] logline of account becoming NT_STATUS_ACCOUNT_LOCKED_OUT

mj lists at merit.unu.edu
Sat Dec 2 14:27:11 UTC 2017


Hi,

I am trying to capture from the logs the moment that samba locks an 
account (because of too many failed logon attempts).

This is samba 4.7.2, with:
> 	log level = 1 auth_audit:3

What we see in the logs is like this:
>   Auth: [LDAP,simple bind/TLS] user [(null)]\[cn=username,cn=users,dc=samba,dc=company,dc=com] at [Sat, 02 Dec 2017 15:13:45.102695 CET] with [Plaintext] status [NT_STATUS_WRONG_PASSWORD] workstation [(null)] remote host [ipv4:192.168.2.8:40436] mapped to [WRKGRP]\[username]. local host [ipv4:192.168.2.16:389] 
>   Auth: [LDAP,simple bind/TLS] user [(null)]\[cn=username,cn=users,dc=samba,dc=company,dc=com] at [Sat, 02 Dec 2017 15:13:47.203867 CET] with [Plaintext] status [NT_STATUS_WRONG_PASSWORD] workstation [(null)] remote host [ipv4:192.168.2.8:40437] mapped to [WRKGRP]\[username]. local host [ipv4:192.168.2.16:389] 
>   Auth: [LDAP,simple bind/TLS] user [(null)]\[cn=username,cn=users,dc=samba,dc=company,dc=com] at [Sat, 02 Dec 2017 15:13:48.538162 CET] with [Plaintext] status [NT_STATUS_WRONG_PASSWORD] workstation [(null)] remote host [ipv4:192.168.2.8:40438] mapped to [WRKGRP]\[username]. local host [ipv4:192.168.2.16:389] 
>   Auth: [LDAP,simple bind/TLS] user [(null)]\[cn=username,cn=users,dc=samba,dc=company,dc=com] at [Sat, 02 Dec 2017 15:13:52.457240 CET] with [Plaintext] status [NT_STATUS_ACCOUNT_LOCKED_OUT] workstation [(null)] remote host [ipv4:192.168.2.8:40439] mapped to [WRKGRP]\[username]. local host [ipv4:192.168.2.16:389] 

So, nothing is logged *when* the actual lock happens.

We are using swatch to monitor the logs, and we would like to send an 
email notification when an account becomes NT_STATUS_ACCOUNT_LOCKED_OUT.

Does anyone know what log level for what 'component' is required, to get 
samba to log the actual LOCK when it takes place?

MJ
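
An added example, not part of the original post and not Samba code: with only the auth_audit lines shown above, a log watcher can report the first attempt per account that is rejected with NT_STATUS_ACCOUNT_LOCKED_OUT, which is the earliest evidence of the lock in this log rather than the lock event itself. The function name, the state handling and the sample lines are assumptions constructed from the log format quoted in the post.

```python
import re

# Field layout follows the auth_audit lines quoted in the post; "mapped to" is treated as optional.
AUTH_RE = re.compile(
    r"Auth: \[[^\]]*\] user \[[^\]]*\]\\\[(?P<user>[^\]]*)\] at \[(?P<when>[^\]]*)\] "
    r"with \[[^\]]*\] status \[(?P<status>[^\]]*)\].*?remote host \[(?P<remote>[^\]]*)\]"
    r"(?: mapped to \[[^\]]*\]\\\[(?P<account>[^\]]*)\])?"
)
LOCKED = "NT_STATUS_ACCOUNT_LOCKED_OUT"
WRONG = "NT_STATUS_WRONG_PASSWORD"

def lockout_transitions(lines):
    """Return one alert per account each time it is first seen locked out."""
    state, alerts = {}, []  # account -> {"locked", "failures", "hosts"}
    for line in lines:
        m = AUTH_RE.search(line)
        if not m:
            continue
        account = (m["account"] or m["user"]).lower()
        s = state.setdefault(account, {"locked": False, "failures": 0, "hosts": set()})
        host = m["remote"].rsplit(":", 1)[0]  # drop the ephemeral source port
        if m["status"] == LOCKED:
            if not s["locked"]:  # alert only on the transition, not on every retry
                alerts.append({"account": account, "first_seen_locked": m["when"],
                               "prior_failures": s["failures"],
                               "hosts": sorted(s["hosts"] | {host})})
            s["locked"] = True
        elif m["status"] == WRONG:
            if s["locked"]:  # wrong-password again means the lockout has ended
                s.update(locked=False, failures=0, hosts=set())
            s["failures"] += 1
            s["hosts"].add(host)
        else:  # any other status (e.g. NT_STATUS_OK) resets the failure streak
            s.update(locked=False, failures=0, hosts=set())
    return alerts

def _sample(ts, status, port, user="username"):
    # Constructed sample line, modelled on the lines quoted in the post.
    return (f"  Auth: [LDAP,simple bind/TLS] user [(null)]\\[cn={user},cn=users,dc=samba,dc=company,dc=com] "
            f"at [Sat, 02 Dec 2017 {ts} CET] with [Plaintext] status [{status}] workstation [(null)] "
            f"remote host [ipv4:192.168.2.8:{port}] mapped to [WRKGRP]\\[{user}]. local host [ipv4:192.168.2.16:389]")

SAMPLE = [_sample("15:13:45.102695", WRONG, 40436), _sample("15:13:47.203867", WRONG, 40437),
          _sample("15:13:48.538162", WRONG, 40438), _sample("15:13:52.457240", LOCKED, 40439),
          _sample("15:13:55.000000", LOCKED, 40440),          # retry while locked: no second alert
          _sample("15:14:01.000000", "NT_STATUS_OK", 40441, user="other")]

if __name__ == "__main__":
    for alert in lockout_transitions(SAMPLE):
        print(alert)
```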


