[Samba] DSDB Audit of User Creation/Deletion on Samba DC

[Joseph Bell]

Thanks Andrew.  I actually use the AD DS RSAT tools on a Windows server that point to my Samba Domain Controller.  It has worked beautifully thus far.

From: Andrew Bartlett <abartlet at samba.org>
Date: Thursday, February 24, 2022 at 4:30 PM
To: Joseph Bell <joe at iachieved.it>, samba at lists.samba.org <samba at lists.samba.org>
Subject: Re: [Samba] DSDB Audit of User Creation/Deletion on Samba DC
On Thu, 2022-02-24 at 22:26 +0000, Joseph Bell via samba wrote:
> I run Samba 4.13 on an Ubuntu 20.04 LTS server as an Active Directory
> Domain Controller, and one of my compliance responsibilities is to
> log and audit user creation, deletion, and modification (group member
> changes).  I thought I could accomplish this with:
>
> log level = 1 dsdb_json_audit:5 dsdb_password_json_audit:5
> dsdb_group_json_audit:5 dsdb_transaction_json_audit:5
>
> in smb.conf, and indeed, I do receive a lot of dsdbChange and
> groupChange notifications in log.samba.  Further testing of this
> though leads me to believe that I either have something missing or
> user creation is not logged as a dsdb change.
>
> My question is whether or not that is true, in which case how do I
> log user creation, and if it isn’t true, what am I missing in my
> configuration?

How do you create the users?  If you use command-line tools locally,
then local access as root won't be logged to log.samba, it will be
logged to the terminal (this wasn't made a priority to address as the
root user could just turn off the logs anyway).

Perhaps your sudo logging might capture these, or use root less and do
remote operations to add users.

Andrew Bartlett

--
Andrew Bartlett (he/him)       https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead, Catalyst IT   https://catalyst.net.nz/services/samba

Samba Development and Support, Catalyst IT - Expert Open Source
Solutions