[Samba] logline of account becoming NT_STATUS_ACCOUNT_LOCKED_OUT

Andrew Bartlett abartlet at samba.org
Sat Dec 2 18:20:38 UTC 2017

On Sat, 2017-12-02 at 15:27 +0100, mj via samba wrote:
> Hi,
> I am trying to capture from the logs the moment that samba locks an 
> account. (because of too many failed logon attempts)
> This is samba 4.7.2, with:
> 	log level = 1 auth_audit:3

> We are using swatch to monitor the logs, and we would like to send an 
> email notification when an account becomes NT_STATUS_ACCOUNT_LOCKED_OUT
> Does anyone know what log level for what 'component' is required, to get 
> samba to log the actual LOCK when it takes place?

I'm sorry, but while we do log it, the news isn't good.

		DEBUG(5, ("Locked out user %s after %d wrong passwords\n",
			  ldb_dn_get_linearized(user_msg->dn), badPwdCount));

That will show up with level 5 globally. 

Patches (with tests) to have it moved to the auth_audit infrastructure
would be most welcome :-)

Andrew Bartlett
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
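
Added example (not part of the original message and not Samba's own code): a Python filter that finds the lockout message quoted above in a log written at level 5 and pairs it with the timestamp from the preceding Samba debug header. The sample log lines, the file/function placeholders in their headers, and the names find_lockouts and SAMPLE_LOG are constructed for illustration.

```python
import re
import sys

# Samba debug header: "[YYYY/MM/DD HH:MM:SS.usec,  LEVEL] file:line(function)".
HEADER = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}(?:\.\d+)?),\s*(?P<level>\d+)")
# Text produced by the DEBUG(5, ...) call quoted in the message above.
# The DN match is greedy and the pattern is anchored at end of line, so a DN
# that itself contains " after " is still captured whole.
LOCKOUT = re.compile(
    r"Locked out user (?P<dn>.+) after (?P<count>\d+) wrong passwords\s*$")

# Constructed sample input: the file/function in each header is a placeholder.
SAMPLE_LOG = """\
[2017/12/02 15:20:01.100000,  3] ../EXAMPLE/file.c:0(example_function)
  some unrelated message
[2017/12/02 15:20:02.200000,  5] ../EXAMPLE/file.c:0(example_function)
  Locked out user CN=jane,CN=Users,DC=example,DC=com after 5 wrong passwords
[2017/12/02 15:21:10.300000,  5] ../EXAMPLE/file.c:0(example_function)
  Locked out user CN=svc after hours,CN=Users,DC=example,DC=com after 10 wrong passwords
"""

def find_lockouts(lines):
    """Return one dict per lockout message, with the timestamp of its header."""
    events, ts = [], None
    for line in lines:
        header = HEADER.match(line)
        if header:
            ts = header.group("ts")  # remembered for the message line that follows
            continue
        hit = LOCKOUT.search(line)
        if hit:
            events.append({"time": ts, "dn": hit.group("dn"),
                           "bad_pwd_count": int(hit.group("count"))})
    return events

if __name__ == "__main__":
    # With a file argument, read that log; otherwise run on the constructed sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], errors="replace") as fh:
            found = find_lockouts(fh)
    else:
        found = find_lockouts(SAMPLE_LOG.splitlines())
    for ev in found:
        print(f"{ev['time']} LOCKOUT {ev['dn']} after {ev['bad_pwd_count']} bad passwords")
```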
