[Samba] logline of account becoming NT_STATUS_ACCOUNT_LOCKED_OUT
mj
lists at merit.unu.edu
Sat Dec 2 14:27:11 UTC 2017
Hi,
I am trying to capture from the logs the moment that samba locks an
account (because of too many failed logon attempts).
This is samba 4.7.2, with:
> log level = 1 auth_audit:3
What we see in the logs is like this:
> Auth: [LDAP,simple bind/TLS] user [(null)]\[cn=username,cn=users,dc=samba,dc=company,dc=com] at [Sat, 02 Dec 2017 15:13:45.102695 CET] with [Plaintext] status [NT_STATUS_WRONG_PASSWORD] workstation [(null)] remote host [ipv4:192.168.2.8:40436] mapped to [WRKGRP]\[username]. local host [ipv4:192.168.2.16:389]
> Auth: [LDAP,simple bind/TLS] user [(null)]\[cn=username,cn=users,dc=samba,dc=company,dc=com] at [Sat, 02 Dec 2017 15:13:47.203867 CET] with [Plaintext] status [NT_STATUS_WRONG_PASSWORD] workstation [(null)] remote host [ipv4:192.168.2.8:40437] mapped to [WRKGRP]\[username]. local host [ipv4:192.168.2.16:389]
> Auth: [LDAP,simple bind/TLS] user [(null)]\[cn=username,cn=users,dc=samba,dc=company,dc=com] at [Sat, 02 Dec 2017 15:13:48.538162 CET] with [Plaintext] status [NT_STATUS_WRONG_PASSWORD] workstation [(null)] remote host [ipv4:192.168.2.8:40438] mapped to [WRKGRP]\[username]. local host [ipv4:192.168.2.16:389]
> Auth: [LDAP,simple bind/TLS] user [(null)]\[cn=username,cn=users,dc=samba,dc=company,dc=com] at [Sat, 02 Dec 2017 15:13:52.457240 CET] with [Plaintext] status [NT_STATUS_ACCOUNT_LOCKED_OUT] workstation [(null)] remote host [ipv4:192.168.2.8:40439] mapped to [WRKGRP]\[username]. local host [ipv4:192.168.2.16:389]
So, nothing is logged *when* the actual lock happens.
We are using swatch to monitor the logs, and we would like to send an
email notification when an account becomes NT_STATUS_ACCOUNT_LOCKED_OUT.
Does anyone know what log level for what 'component' is required, to get
samba to log the actual LOCK when it takes place?
MJ
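
An added example, not part of the original post and not Samba's own code: since the quoted auth_audit lines only show the status of each attempt, this sketch reports the first line on which an account's status changes to NT_STATUS_ACCOUNT_LOCKED_OUT, once per lockout. The sample lines, the `alice` account, the `EXAMPLE` domain and the fallback to the bind DN when no "mapped to" field is present are assumptions made for the example.

```python
import re

# Matches the auth_audit "Auth:" line layout quoted in the post.
AUTH_RE = re.compile(
    r"Auth: \[[^\]]*\] user \[[^\]]*\]\\\[(?P<user>[^\]]*)\] at \[(?P<when>[^\]]*)\]"
    r" with \[[^\]]*\] status \[(?P<status>[^\]]*)\].*?remote host \[(?P<remote>[^\]]*)\]"
    r"(?: mapped to \[(?P<mdom>[^\]]*)\]\\\[(?P<macct>[^\]]*)\])?"
)
LOCKED = "NT_STATUS_ACCOUNT_LOCKED_OUT"

def lockout_transitions(lines):
    """Return one event each time an account's status first becomes LOCKED."""
    last, fails, events = {}, {}, []
    for line in lines:
        m = AUTH_RE.search(line)
        if not m:
            continue  # not an Auth: line
        # Prefer the mapped DOMAIN\account; fall back to the bind DN (assumption).
        acct = (m["mdom"] + "\\" + m["macct"]) if m["macct"] else m["user"]
        status = m["status"]
        if status == LOCKED and last.get(acct) != LOCKED:
            events.append({"account": acct, "when": m["when"],
                           "remote": m["remote"],
                           "failures_before": fails.get(acct, 0)})
        elif status == "NT_STATUS_WRONG_PASSWORD":
            fails[acct] = fails.get(acct, 0) + 1
        elif status == "NT_STATUS_OK":
            fails[acct] = 0  # successful logon: start counting afresh
        last[acct] = status
    return events

# Constructed sample lines in the same layout (not taken from a real server).
_T = ("Auth: [LDAP,simple bind/TLS] user [(null)]\\[cn=alice,cn=users,dc=example,dc=com] "
      "at [{t}] with [Plaintext] status [{s}] workstation [(null)] "
      "remote host [ipv4:192.0.2.8:4043{n}] mapped to [EXAMPLE]\\[alice]. "
      "local host [ipv4:192.0.2.16:389]")
SAMPLE = [_T.format(t=f"Sat, 02 Dec 2017 15:13:4{n}.000000 CET", s=s, n=n)
          for n, s in enumerate(["NT_STATUS_WRONG_PASSWORD"] * 3 + [LOCKED] * 2
                                + ["NT_STATUS_OK", LOCKED])]

if __name__ == "__main__":
    for ev in lockout_transitions(SAMPLE):
        print("ALERT account locked: {account} at {when} from {remote} "
              "after {failures_before} failed attempts".format(**ev))
```

Feed it the log lines in order; further LOCKED_OUT lines for an account that is already locked do not raise another event until a different status is seen for it.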