[Samba] Best way to verify LDAP connections to Samba in AD mode

Andrew Bartlett abartlet at samba.org
Tue Apr 7 20:11:04 UTC 2020


On Tue, 2020-04-07 at 18:48 +0000, Arianna Brandstetter via samba
wrote:
> I am running Samba in AD mode with 3 Samba DCs.  I am trying to
> verify that I really am seeing all incoming connections in the log
> files to help troubleshooting.  We work with Sernet who are AWESOME
> people, especially Bjorn, but I was wondering if there were any other
> ideas.  Right now we have "log level = 1 auth_audit:3
> auth_json_audit:3" set in our smb.conf.  Are there any other ways
> that I should be checking if someone attempts to bind via LDAP and
> whether that attempt fails or succeeds? 

G'Day Arianna,

The auth_audit and auth_json_audit logging classes are intended (and
tested) to be comprehensive for the AD DC side of things.

Turn up the log level to get successful binds via Kerberised LDAP
(where the authentication was done and logged on the KDC).  Normally
you don't need both auth_audit and auth_audit_json (but we had a bug in
the earliest versions of this feature).

#define AUTH_FAILURE_LEVEL 2
#define AUTH_SUCCESS_LEVEL 3
#define AUTHZ_SUCCESS_LEVEL 4

/* 5 is used for both authentication and authorization */
#define AUTH_ANONYMOUS_LEVEL 5
#define AUTHZ_ANONYMOUS_LEVEL 5

I'm glad to hear the feature is so valuable.  We think having such a
clear authentication and authorization logging framework is a really
neat Samba-only feature. 

While we think we have this one pretty comprehensive, if there are
other aspects of Samba that you would like to contribute similar
tooling for, where it would make your life as a Systems Administrator
easier or allow Samba to integrate into other systems, do let us know!

Andrew Bartlett
-- 
Andrew Bartlett                       https://samba.org/~abartlet/
Authentication Developer, Samba Team  https://samba.org
Samba Developer, Catalyst IT          https://catalyst.net.nz/services/samba
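
Added example, not part of the original message or of Samba's code: a small check that takes an smb.conf "log level" value and reports which of the event levels from the #define lines above each audit class will record. The function names are hypothetical, and it assumes a message is written when its level is at or below the class's level, with classes that have no override using the default level.

```python
# Event thresholds copied from the #define lines quoted in the message above.
EVENT_LEVELS = {
    "authentication failure": 2,    # AUTH_FAILURE_LEVEL
    "authentication success": 3,    # AUTH_SUCCESS_LEVEL
    "authorization success": 4,     # AUTHZ_SUCCESS_LEVEL
    "anonymous authentication": 5,  # AUTH_ANONYMOUS_LEVEL
    "anonymous authorization": 5,   # AUTHZ_ANONYMOUS_LEVEL
}
AUDIT_CLASSES = ("auth_audit", "auth_json_audit")


def parse_log_level(value):
    """Parse an smb.conf 'log level' value into (default, {class: level})."""
    default, classes = 0, {}
    for token in value.replace(",", " ").split():
        name, sep, level = token.partition(":")
        if not sep:
            default = int(name)          # bare number: default for all classes
        else:
            # Drop an optional per-class log file suffix ("class:N@/path").
            classes[name.lower()] = int(level.split("@", 1)[0])
    return default, classes


def audit_coverage(value):
    """Return, per audit class, the event types logged and missed."""
    default, classes = parse_log_level(value)
    report = {}
    for cls in AUDIT_CLASSES:
        effective = classes.get(cls, default)  # assumption: no override -> default
        report[cls] = {
            "logged": sorted(e for e, n in EVENT_LEVELS.items() if n <= effective),
            "missed": sorted(e for e, n in EVENT_LEVELS.items() if n > effective),
        }
    return report


if __name__ == "__main__":
    # First value is the setting from the question; the second is a raised one.
    for setting in ("1 auth_audit:3 auth_json_audit:3", "1 auth_json_audit:4"):
        print("log level =", setting)
        for cls, result in audit_coverage(setting).items():
            print(f"  {cls}: logged={result['logged']} missed={result['missed']}")
```

With the setting from the question, both classes stop at level 3, so events at AUTHZ_SUCCESS_LEVEL (4) and the anonymous level (5) are reported as missed.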