[Samba] dsdb_password_json_audit and samba-tool
Andrew Bartlett
abartlet at samba.org
Thu Aug 20 22:53:25 UTC 2020
On Thu, 2020-08-20 at 18:24 -0400, Robert Marcano via samba wrote:
> Greetings.
>
> Samba documentation states:
>
> Password changes and Password resets are logged under
> dsdb_password_audit and a JSON representation is logged under the
> dsdb_password_json_audit.
>
> I have enabled
>
> log level = 0
> dsdb_password_json_audit:4@/var/log/samba/password.log
>
> and then tried a password change using
>
> samba-tool user setpassword <user>
>
> but no log entry was added. I wonder if samba-tool generated password
> changes aren't logged because it wasn't generated by one of the AD RPC
> calls.
>
> I am trying to detect if some rogue sysadmin is changing passwords.
> Thanks in advance.
Thanks for the question. As samba-tool user setpassword operates
locally on the sam.ldb, the logging is done in the tool - typically to
stderr.
We realise this isn't ideal. The cop-out is that someone with local
root access can just edit the database at even lower levels anyway.
Remote password changes should be logged, say if you use -H to specify
the ldap server and the administrator password.
I hope this helps,
Andrew Bartlett
--
Andrew Bartlett https://samba.org/~abartlet/
Authentication Developer, Samba Team https://samba.org
Samba Developer, Catalyst IT
https://catalyst.net.nz/services/samba
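As an added example (not from this thread or from Samba itself), a small Python filter over the JSON file that the `dsdb_password_json_audit:4@/var/log/samba/password.log` setting above produces. It assumes the record layout Samba writes for that audit class (a top-level `type` and `timestamp`, with details nested under `passwordChange` including `action`, `userName`, `dn`, `remoteAddress` and `status`); the sample lines are constructed, so check the field names against your own log. Because local `samba-tool user setpassword` runs never reach this file, every reset it surfaces arrived over a remote RPC or LDAP path.

```python
import json

# Constructed sample lines in the layout assumed for dsdb_password_json_audit
# (a subset of fields; verify against a real /var/log/samba/password.log).
SAMPLE_LOG = r"""
{"timestamp": "2020-08-20T18:20:01.123456+0000", "type": "passwordChange", "passwordChange": {"version": {"major": 1, "minor": 0}, "status": "Success", "remoteAddress": "ipv4:192.0.2.10:49152", "userName": "EXAMPLE\\alice", "dn": "CN=bob,CN=Users,DC=example,DC=com", "action": "Reset"}}
{"timestamp": "2020-08-20T18:21:05.654321+0000", "type": "passwordChange", "passwordChange": {"version": {"major": 1, "minor": 0}, "status": "Success", "remoteAddress": "ipv4:192.0.2.11:49153", "userName": "EXAMPLE\\bob", "dn": "CN=bob,CN=Users,DC=example,DC=com", "action": "Change"}}
{"timestamp": "2020-08-20T18:22:00.000000+0000", "type": "dsdbTransaction", "dsdbTransaction": {"version": {"major": 1, "minor": 0}, "action": "commit"}}
this line is not JSON and must be skipped
"""


def parse_password_events(lines):
    """Return flattened password-change records from JSON audit lines.

    Lines that are not JSON, or that belong to another audit type (for
    example dsdbTransaction), are ignored rather than raising.
    """
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if rec.get("type") != "passwordChange":
            continue
        body = rec.get("passwordChange", {})
        events.append({
            "timestamp": rec.get("timestamp"),
            # "Reset": an administrator set the password without knowing the old one.
            # "Change": the account holder supplied the old password.
            "action": body.get("action"),
            "actor": body.get("userName"),
            "target": body.get("dn"),
            "remote": body.get("remoteAddress"),
            "status": body.get("status"),
        })
    return events


def successful_resets(events):
    """The case the original question cares about: remote administrative resets."""
    return [e for e in events if e["action"] == "Reset" and e["status"] == "Success"]


if __name__ == "__main__":
    for e in successful_resets(parse_password_events(SAMPLE_LOG.splitlines())):
        print(f"{e['timestamp']} {e['actor']} reset {e['target']} from {e['remote']}")
```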