[Samba] How to track attempted breakins, authentication failure logging
abartlet at samba.org
Tue Sep 19 18:51:29 UTC 2017
On Tue, 2017-09-19 at 17:02 +0200, L.P.H. van Belle via samba wrote:
> Hai Mark,
> I see the bugreport for this is still untouched.
I've closed that bug now.
Extensive work has been done to add this feature to Samba 4.7, due out
Two new debug classes, auth_audit and auth_audit_json were added to
control logging of text-string and structured JSON authentication and
> Is vfs_full_audit not an option?
> with %I you can log the IP address of the client machine.
> But i dont know if that wil work of if vfs_full_audit hase that option.
No, this won't get you any information on failed authentication.
> With something like this.
> full_audit:prefix = %u|%I|%m|%S
> full_audit:failure = connect
> full_audit:success = connect disconnect
> And maybe you need more options in failure and success. ( man vfs_full_audit )
> man smb.conf for all the variable substitutions
At the stage that the module operates it simply does not run if the
password is wrong.
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
More information about the samba