[Samba] Best way to verify LDAP connections to Samba in AD mode

Andrew Bartlett abartlet at samba.org
Tue Apr 7 20:11:04 UTC 2020

On Tue, 2020-04-07 at 18:48 +0000, Arianna Brandstetter via samba
> I am running Samba in AD mode with 3 Samba DCs.  I am trying to
> verify that I really am seeing all incoming connections in the log
> files to help troubleshooting.  We work with Sernet who are AWESOME
> people, especially Bjorn, but I was wondering if there were any other
> ideas.  Right now we have "log level = 1 auth_audit:3
> auth_json_audit:3" set in our smb.conf.  Are there any other ways
> that I should be checking if someone attempts to bind via LDAP and
> whether that attempt fails or succeeds? 

G'Day Arianna,

The auth_audit and auth_json_audit logging classes are intended (and
tested) to be comprehensive for the AD DC side of things.

Turn up the log level to get successful binds via Kerberised LDAP
(where the authentication was done and logged on the KDC).  Normally
you don't need both auth_audit and auth_audit_json (but we had a bug in
the earliest versions of this feature).


/* 5 is used for both authentication and authorization */

I'm glad to hear the feature is so valuable.  We think having such a
clear authentication and authorization logging framework is a really
neat Samba-only feature. 

While we think we have this one pretty comprehensive, if there are
other aspects of Samba that you would like to contribute similar
tooling for, where it would make your life as a Systems Administrator
easier or allow Samba to integrate into other systems, do let us know!

Andrew Bartlett
Andrew Bartlett                       https://samba.org/~abartlet/
Authentication Developer, Samba Team  https://samba.org
Samba Developer, Catalyst IT          
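
One way to check the JSON audit lines discussed in this thread for LDAP binds, added here as an example; it is not part of the original message and is not Samba's own tooling. The field names (`type`, `serviceDescription`, `status`, `clientAccount`, `account`, `remoteAddress`) are assumed from Samba's JSON audit format, and the sample log lines are constructed.

```python
import json
from collections import Counter

# Constructed sample lines, not taken from a real DC. Field names are assumed
# from Samba's JSON audit format; adjust them if your version differs.
SAMPLE_LOG = """\
  JSON Authentication: {"timestamp": "2020-04-07T18:40:01.000000+0000", "type": "Authentication", "Authentication": {"status": "NT_STATUS_OK", "serviceDescription": "LDAP", "authDescription": "simple bind", "remoteAddress": "ipv4:192.0.2.10:51000", "clientAccount": "alice"}}
  JSON Authentication: {"timestamp": "2020-04-07T18:40:02.000000+0000", "type": "Authentication", "Authentication": {"status": "NT_STATUS_WRONG_PASSWORD", "serviceDescription": "LDAP", "authDescription": "simple bind", "remoteAddress": "ipv4:192.0.2.11:51001", "clientAccount": "bob"}}
  JSON Authentication: {"timestamp": "2020-04-07T18:40:03.000000+0000", "type": "Authorization", "Authorization": {"serviceDescription": "LDAP", "authType": "krb5", "remoteAddress": "ipv4:192.0.2.12:51002", "account": "carol"}}
  JSON Authentication: {"timestamp": "2020-04-07T18:40:04.000000+0000", "type": "Authentication", "Authentication": {"status": "NT_STATUS_OK", "serviceDescription": "SMB", "authDescription": "NTLMSSP", "remoteAddress": "ipv4:192.0.2.13:51003", "clientAccount": "dave"}}
[2020/04/07 18:40:05.000000,  1] constructed debug line {not json}
"""

def ldap_bind_events(log_text):
    """Yield (kind, outcome, account, remote) for each LDAP audit event."""
    for line in log_text.splitlines():
        start = line.find("{")
        if start < 0:
            continue
        try:
            record = json.loads(line[start:])
        except ValueError:
            continue  # debug text that merely contains a brace
        kind = record.get("type")
        body = record.get(kind) if kind in ("Authentication", "Authorization") else None
        if not isinstance(body, dict) or body.get("serviceDescription") != "LDAP":
            continue
        if kind == "Authentication":
            outcome = "success" if body.get("status") == "NT_STATUS_OK" else "failure"
            account = body.get("clientAccount")
        else:
            # An Authorization record means a session was established, e.g. a
            # Kerberised bind whose authentication was logged on the KDC.
            outcome = "success"
            account = body.get("account")
        yield kind, outcome, account, body.get("remoteAddress")

def summarize(log_text):
    """Count LDAP events by (record type, outcome)."""
    return Counter((kind, outcome) for kind, outcome, _, _ in ldap_bind_events(log_text))

if __name__ == "__main__":
    for event in ldap_bind_events(SAMPLE_LOG):
        print(event)
    print(dict(summarize(SAMPLE_LOG)))
```

Run it against the log from each of the DCs, since a client may bind to any of them.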
