[Samba] kpasswd_samdb_set_password: domain\user (S-...) is changing password of user at domain

Fri Sep 14 17:27:09 UTC 2018

On Fri, 2018-09-14 at 13:19 -0400, Bill Baird wrote:
> Is there a way to translate the userSid into a human readable format,
> so I don't have to look it up each time?

Not in that log, while we understand the desire here these logs could
be stored for quite some time and the meaning of the username could
have changed in the meantime.  

SIDs and GUIDs are good long-term stable and predictably formatted
identifiers. 

It shouldn't be hard to convert using wbinfo for example, these are
intended for machine parsing and machines are good at doing that kind
of thing.

> For now, my workaround for now is to set my log level to 5, but then
> turn lots of stuff down to 1 manually. Like this:
> 
> log level = 5 tdb:1 printdrivers:1 lanman:1 smb:1 rpc_parse:1
> rpc_srv:1 rpc_cli:1 passdb:1 sam:1 auth:1 winbind:1 vfs:1 idmap:1
> quota:1 acls:1 locking:1 msdfs:1  dmapi:1 registry:1 scavenger:1 
> dns:1 ldb:1 tevent:1 auth_audit:5 auth_json_audit:5 kerberos:1
> drs_repl:1 smb2:1 smb2_credits:1 dsdb_audit:5 dsdb_json_audit:5
> dsdb_password_audit:5 dsdb_password_json_audit:5
> dsdb_transaction_audit:5 dsdb_transaction_json_audit:5
> dsdb_group_audit:5 dsdb_group_json_audit:5

The message you were looking at won't show all password resets, only
some that are via kerberos.  That is why we added the new logs.

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba