[Samba] dsdb_password_json_audit and samba-tool

Andrew Bartlett abartlet at samba.org
Thu Aug 20 22:53:25 UTC 2020

On Thu, 2020-08-20 at 18:24 -0400, Robert Marcano via samba wrote:
> Greetings.
> Samba documentation states:
>    Password changes and Password resets are logged under 
> dsdb_password_audit and a JSON representation is logged under the 
> dsdb_password_json_audit.
> I have enabled
>    log level = 0
> dsdb_password_json_audit:4@/var/log/samba/password.log
> and then tried a password change using
>    samba-tool user setpassword <user>
> but no log entry was added. I wonder if samba-tool generated
> password 
> changes aren't logged because it wasn't generated by one of the AD
> RPC 
> calls.
> I am trying to detect if some rogue sysadmin is changing passwords. 
> Thanks in advance.

Thanks for the question.  As samba-tool user setpassword operates
locally on the sam.ldb, the logging is done in the tool - typically to

We realise this isn't ideal.  The cop-out is that someone with local
root access can just edit the database at even lower levels anyway.

Remote password changes should be logged, say if you use -H to specify
the ldap server and the administrator password.

I hope this helps,

Andrew Bartlett

Andrew Bartlett                       https://samba.org/~abartlet/
Authentication Developer, Samba Team  https://samba.org
Samba Developer, Catalyst IT          

More information about the samba mailing list