[Samba] Compatibility With PaloAlto User Identification

ralph strebbing blackbirdralph at gmail.com
Mon Feb 14 17:58:45 UTC 2022

Hey All,

I've got a PaloAlto 460 that we're working on integrating, and one of
the things we're trying to get set up is the User-ID. Normally they
have you install an agent on the Windows Domain Controller to listen
to the event-viewer and relay login and logout events back to the
firewall to correlate Users to IPs.

There was an article posted
that detailed setting Samba up to forward logs via syslogd, and then
set up a listener on the firewall along with a profile to regex parse
the info it needs. This works great for logins. The issue I was
running into was a combination of a cache issue and that the article
is only addressing half the problem.
User ID is being sent, and cached for the specified time (in my case,
30 minutes). However, there doesn't seem to be any normalized renewal
of this being sent from Samba, as there are times when the PC we're
testing on just drops to an unauthenticated role, meaning the 30
minutes elapsed without any new logs refreshing the cache had been
received. One solution we tried was turning the timeout off, but this
led to multiple users being identified on the same machine, even if
the other had logged out, and even persisting through reboots. So that
can't work (as it's configured now at least).

Now that the background has been explained (same thing I have in the
ticket to Palo-Alto), I wanted to know if there may be a better
approach to this issue from the samba side of things. Right now the
article's solution is a bit crude, and as noted in my last mail
thread, I have too verbose of logging being spilled out into the
syslog of the domain controller. I know that Event Viewer
functionality is a thing now, so would that work better? Or if someone
else has set this up with a Palo in their environment and has a nicer
solution, I'd appreciate that specific insight.

Thanks in advance!
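The cache behaviour described in the post, modelled as an added example (not code from the original post, from Samba or from Palo Alto): it replays constructed syslog-style lines through a stand-in for the firewall's regex parse profile and shows why a 30-minute timeout drops the user when nothing renews the mapping, why turning the timeout off stacks users on one IP, and how forwarding a logoff event would clear the stale entry. The log line format, the `Logoff:` event and the `mapping_at` model are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample syslog lines. The "Auth:" lines approximate Samba's
# auth-audit text format (assumption: a real DC's fields differ); the
# "Logoff:" line is hypothetical, Samba's auth audit emits no such event.
SAMPLE_LOG = r"""
Feb 14 17:00:00 dc1 samba[1201]: Auth: [Kerberos KDC,ENC-TS Pre-authentication] user [CORP]\alice status [NT_STATUS_OK] remote host [ipv4:10.1.2.3:52314]
Feb 14 17:05:00 dc1 samba[1201]: Auth: [Kerberos KDC,ENC-TS Pre-authentication] user [CORP]\carol status [NT_STATUS_WRONG_PASSWORD] remote host [ipv4:10.1.2.3:52400]
Feb 14 17:50:00 dc1 samba[1201]: Logoff: user [CORP]\alice remote host [ipv4:10.1.2.3:52314]
Feb 14 17:51:00 dc1 samba[1201]: Auth: [Kerberos KDC,ENC-TS Pre-authentication] user [CORP]\bob status [NT_STATUS_OK] remote host [ipv4:10.1.2.3:52500]
"""

# Stand-in for the firewall's regex parse profile: timestamp, event kind,
# domain\user, auth status (absent on logoff) and the client IP.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ samba\[\d+\]: (?P<kind>Auth|Logoff): .*?"
    r"user \[(?P<dom>[^\]]+)\]\\(?P<user>\S+)(?: .*?status \[(?P<status>[^\]]+)\])?"
    r" .*?remote host \[ipv4:(?P<ip>\d+(?:\.\d+){3}):\d+\]"
)

def at(hh, mm):
    return datetime(2022, 2, 14, hh, mm)  # query time on the sample day

def parse(line):
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=2022)
    return ts, m["kind"], f'{m["dom"]}\\{m["user"]}', m["status"], m["ip"]

def mapping_at(log, now, timeout_minutes, forward_logoff):
    """Replay events up to `now` into a modelled IP -> {user: last_seen} table."""
    table = {}
    for line in log.splitlines():
        ev = parse(line)
        if ev is None or ev[0] > now:
            continue
        ts, kind, user, status, ip = ev
        if kind == "Auth" and status == "NT_STATUS_OK":  # failed logons never map
            table.setdefault(ip, {})[user] = ts
        elif kind == "Logoff" and forward_logoff:
            table.get(ip, {}).pop(user, None)
    ttl = None if timeout_minutes is None else timedelta(minutes=timeout_minutes)
    return {ip: sorted(u for u, seen in users.items() if ttl is None or now - seen <= ttl)
            for ip, users in table.items()}

if __name__ == "__main__":
    print("30 min timeout at 17:40:", mapping_at(SAMPLE_LOG, at(17, 40), 30, False))
    print("no timeout, no logoff:  ", mapping_at(SAMPLE_LOG, at(17, 52), None, False))
    print("no timeout, logoff fwd: ", mapping_at(SAMPLE_LOG, at(17, 52), None, True))
```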

