[Samba] dsdb_password_json_audit and samba-tool
Robert Marcano
robert at marcanoonline.com
Thu Aug 20 23:20:42 UTC 2020
On 8/20/20 6:53 PM, Andrew Bartlett wrote:
> On Thu, 2020-08-20 at 18:24 -0400, Robert Marcano via samba wrote:
>> Greetings.
>>
>> Samba documentation states:
>>
>> Password changes and Password resets are logged under
>> dsdb_password_audit and a JSON representation is logged under the
>> dsdb_password_json_audit.
>>
>> I have enabled
>>
>> log level = 0
>> dsdb_password_json_audit:4@/var/log/samba/password.log
>>
>> and then tried a password change using
>>
>> samba-tool user setpassword <user>
>>
>> but no log entry was added. I wonder if samba-tool generated
>> password
>> changes aren't logged because it wasn't generated by one of the AD
>> RPC
>> calls.
>>
>> I am trying to detect if some rogue sysadmin is changing passwords.
>> Thanks in advance.
>
> Thanks for the question. As samba-tool user setpassword operates
> locally on the sam.ldb, the logging is done in the tool - typically to
> stderr.
>
> We realise this isn't ideal. The cop-out is that someone with local
> root access can just edit the database at even lower levels anyway.
>
> Remote password changes should be logged, say if you use -H to specify
> the ldap server and the administrator password.
>
> I hope this helps,
Thanks for the reply. I manage a few customers domains where sadly these
kind of access is shared by all IT department, usually small businesses.
Sometimes they give full sudo access not knowing that running 'sudo
bash' will erase any trace of the commands they ran. I will have to
update them to a modern distribution supporting session recording in
case they didn't learn this time.
Thanks again for the information.
More information about the samba
mailing list