[Samba] tracking account lockouts
abartlet at samba.org
Fri Mar 23 23:28:25 UTC 2018
On Fri, 2018-03-23 at 14:21 -0400, lingpanda101 via samba wrote:
> On 3/23/2018 12:49 PM, Vinicius Bones Silva via samba wrote:
> > Hi,
> > I'm trying to track random account lockouts on the domain. Is there
> > any recommendations for log level or log handling that let me see what
> > machines/servers are locking the account?
> > I'm using samba 4.5.5. as a DC (3 DCs).
> > My current logging settings are:
> > logging = syslog
> > log level = 1 auth:5 passdb:5 winbind:5
> > Att,
> > Vinicius
> You should see in your samba log file an entry similar to this on
> wrong password attempts.
> Auth: [Kerberos KDC,ENC-TS Pre-authentication] user
> [(null)]\[username at DOMAIN] at [Fri, 23 Mar 2018 14:06:07.272789 EDT]
> with [aes256-cts-hmac-sha1-96] status [NT_STATUS_WRONG_PASSWORD]
> workstation [(null)] remote host [ipv4:172.16.26.11:53449] mapped to
> [DOMAIN]\[username]. local host [NULL]
> You can see it provides the remote host IP user was on. It looks as if
> you are not using the correct parameter in your smb.conf. It should be
> log level = 1 auth_audit:3 passdb:5 winbind:5
> See the Wiki for details
You need to upgrade to Samba 4.7 to get this feature.
With Samba 4.8 the 'auth' debug level also works for the AD DC part, so
you can more easily find the message when the final lockout occurs.
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
More information about the samba