[Samba] How to track attempted breakins, authentication failure logging

Andrew Bartlett abartlet at samba.org
Tue Sep 19 18:51:29 UTC 2017

On Tue, 2017-09-19 at 17:02 +0200, L.P.H. van Belle via samba wrote:
> Hai Mark, 
> I see the bugreport for this is still untouched. 
> https://bugzilla.samba.org/show_bug.cgi?id=11998 

I've closed that bug now.

Extensive work has been done to add this feature to Samba 4.7, due out
this week:


Two new debug classes, auth_audit and auth_audit_json were added to
control logging of text-string and structured JSON authentication and
authorization logging.

> Is vfs_full_audit not an option? 
> with %I you can log the IP address of the client machine. 
> But i dont know if that wil work of if vfs_full_audit hase that option.

No, this won't get you any information on failed authentication. 

> With something like this. 
> full_audit:prefix = %u|%I|%m|%S 
> full_audit:failure = connect
> full_audit:success = connect disconnect 
> And maybe you need more options in failure and success. ( man vfs_full_audit ) 
> man smb.conf for all the variable substitutions

At the stage that the module operates it simply does not run if the
password is wrong. 


Andrew Bartlett

Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba

More information about the samba mailing list