[Samba] force samba 4.12.5 to log failed and succeeding authentication
karel.de.macil at free.fr
Thu Sep 17 10:16:11 UTC 2020
On 16/09/2020 20:04, Andrew Bartlett via samba wrote:
> https://wiki.samba.org/index.php/Setting_up_Audit_Logging
>
> See eg (for password changes)
> dsdb_password_json_audit:4@/var/log/samba/password.log
>
> Sadly not yet fully documented in:
> https://wiki.samba.org/index.php/Configuring_Logging_on_a_Samba_Server#Setting_Individual_Log_Levels_for_Debug_Classes
>
> (but feel free to fix that). I think it is in the man smb.conf
>
> Andrew Bartlett
I have just tried to add
log level = 1 auth_audit:7@/var/log/samba/log.auth_audit
to my smb.conf but no luck on this either; this indeed creates a
/var/log/samba/log.auth_audit which stays definitely empty...
even after an auth attempt. And still, after a failed or successful attempt,
there is no trace in the log of the IP of the PC
where the failed/successful attempt occurred, the name of the computer, or
the name of the account used, just nothing.
I have read and tried your comment as well as this page:
https://wiki.samba.org/index.php/Setting_up_Audit_Logging
but despite all my effort there is no message like:
[2017/07/04 21:07:41.410381, 4, pid=21757]
../auth/auth_log.c:848(log_successful_authz_event_human_readable)
Successful AuthZ: [SMB2,krb5] user [SAMDOM]\[Administrator]
[S-1-5-21-469703510-2364959079-1506205053-500] at [Di, 04 Jul 2017
21:07:41.410364 CEST] Remote host [ipv4:10.99.0.81:58828] local host
[ipv4:10.99.0.1:445]
that appears in my log.
Things that can play a role in my situation (or not):
I have 2 DCs in different versions; the one which is FSMO for all roles is
4.12.5, the other is much older, but I can't see any log in either of them.
I have passed a GPO to enable logging of authentication attempts on the client side
via:
Policies -> Windows Settings -> Security Settings -> Local Policies ->
Audit Policy
> On Wed, 2020-09-16 at 16:50 +0200, karel de macil via samba wrote:
>> Hi all,
>>
>> I've been struggling for a few hours to find what I can do to have some
>> debug
>> information in samba on successful or unsuccessful login attempts.
>> I'm running the standard bullseye samba deb package.
>> Systemd is installed and sees some things, but whatever I put in
>> smb.conf
>>
>> it seems like I can't get access to that information.
>>
>> I have already tried:
>>
>> -log level = 1 auth:5 winbind:5
>> -log level = 5
>> -log level = 10
>>
>> neither the IP nor the name of a successful or unsuccessful login
>> attempt
>> appears anywhere,
>> neither in journalctl -u samba-ad-dc nor in any file in /var/log/samba/
>>
>> Can anyone help me with this one?
>>
>> best regards
>>
> --
> Andrew Bartlett https://samba.org/~abartlet/
> Authentication Developer, Samba Team https://samba.org
> Samba Developer, Catalyst IT
> https://catalyst.net.nz/services/samba
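
Added example, not part of the original message and not Samba's own code: a Python parser that pulls the account, SID and remote host out of the human-readable "Successful AuthZ" record quoted above, so a log file can be checked for such entries once they are being written. The sample input is constructed from the quoted record (wrapped as mailed) plus one made-up unrelated record; the function and field names are this example's own.

```python
import re

# Constructed input: the record quoted in the message (wrapped as mailed),
# followed by one made-up unrelated record.
SAMPLE = r"""[2017/07/04 21:07:41.410381, 4, pid=21757]
../auth/auth_log.c:848(log_successful_authz_event_human_readable)
Successful AuthZ: [SMB2,krb5] user [SAMDOM]\[Administrator]
[S-1-5-21-469703510-2364959079-1506205053-500] at [Di, 04 Jul 2017
21:07:41.410364 CEST] Remote host [ipv4:10.99.0.81:58828] local host
[ipv4:10.99.0.1:445]
[2017/07/04 21:07:42.000001, 1, pid=21757]
../constructed/example.c:1(unrelated)
some unrelated message
"""

RECORD_START = re.compile(r"^\[\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}")
AUTHZ = re.compile(
    r"Successful AuthZ: \[(?P<service>[^,\]]+),(?P<auth_type>[^\]]+)\] "
    r"user \[(?P<domain>[^\]]*)\]\\\[(?P<account>[^\]]*)\] "
    r"\[(?P<sid>S-[\d-]+)\] at \[(?P<when>[^\]]+)\] "
    r"Remote host \[(?P<remote>[^\]]+)\] local host \[(?P<local>[^\]]+)\]"
)

def records(text):
    """Yield each log record as one line, with whitespace collapsed."""
    current = []
    for line in text.splitlines():
        # A timestamp header opens a new record; flush the previous one.
        if RECORD_START.match(line) and current:
            yield " ".join(" ".join(current).split())
            current = []
        current.append(line)
    if current:
        yield " ".join(" ".join(current).split())

def successful_authz(text):
    """Return one dict per 'Successful AuthZ' record found in text."""
    events = []
    for rec in records(text):
        m = AUTHZ.search(rec)
        if m:
            event = m.groupdict()
            # Remote host is "<family>:<address>:<port>": take the family off
            # the front and the port off the back, keeping the address whole.
            _, rest = event["remote"].split(":", 1)
            event["remote_ip"], event["remote_port"] = rest.rsplit(":", 1)
            events.append(event)
    return events
```

An empty result from `successful_authz()` over a real log means no such record was written, which is the symptom described in the message.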