[Samba] DSDB Audit of User Creation/Deletion on Samba DC

Patrick Goetz pgoetz at math.utexas.edu
Fri Feb 25 14:30:38 UTC 2022

On 2/24/22 17:06, Andrew Bartlett via samba wrote:
> That really should be logged then.
> No idea right now on what is going on, you will have to dig further.

Because I want a lot of stuff to happen automatically (e.g. add new user 
to default groups, create a UNIX home directory, turn off password 
expiration, etc.) I wrote a script to create new user accounts, which 
then presumably isn't logged?

That would seem like the normal use case.  I tried creating new users 
using RSAT and found the experience underwhelming.

> Andrew,
> On Thu, 2022-02-24 at 22:36 +0000, Joseph Bell wrote:
>> Thanks Andrew.  I actually use the AD DS RSAT tools on a Windows
>> server that point to my Samba Domain Controller.  It has worked
>> beautifully thus far.
>> From: Andrew Bartlett <abartlet at samba.org>
>> Date: Thursday, February 24, 2022 at 4:30 PM
>> To: Joseph Bell <joe at iachieved.it>, samba at lists.samba.org <samba at lists.samba.org>
>> Subject: Re: [Samba] DSDB Audit of User Creation/Deletion on Samba DC
>> On Thu, 2022-02-24 at 22:26 +0000, Joseph Bell via samba wrote:
>>> I run Samba 4.13 on an Ubuntu 20.04 LTS server as an Active Directory
>>> Domain Controller, and one of my compliance responsibilities is to
>>> log and audit user creation, deletion, and modification (group member
>>> changes).  I thought I could accomplish this with:
>>> log level = 1 dsdb_json_audit:5 dsdb_password_json_audit:5
>>> dsdb_group_json_audit:5 dsdb_transaction_json_audit:5
>>> in smb.conf, and indeed, I do receive a lot of dsdbChange and
>>> groupChange notifications in log.samba.  Further testing of this
>>> though leads me to believe that I either have something missing or
>>> user creation is not logged as a dsdb change.
>>> My question is whether or not that is true, in which case how do I
>>> log user creation, and if it isn’t true, what am I missing in my
>>> configuration?
>> How do you create the users?  If you use command-line tools locally,
>> then local access as root won't be logged to log.samba, it will be
>> logged to the terminal (this wasn't made a priority to address as the
>> root user could just turn off the logs anyway).
>> Perhaps your sudo logging might capture these, or use root less and do
>> remote operations to add users.
>> Andrew Bartlett
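As an added example (not from this thread and not Samba project code), a small Python filter that pulls successful user-object Add operations out of the dsdbChange JSON records that the quoted smb.conf setting writes. The sample lines are constructed, and the record field names and the "JSON Database Modification:" line prefix are assumptions modelled on Samba's audit_log module; check them against a real log.samba before relying on the filter.

```python
import json

# Constructed sample of two log.samba lines (assumed format): a user Add
# performed over LDAP, followed by an unrelated Modify on the same object.
SAMPLE_LOG = r'''
  JSON Database Modification: {"timestamp": "2022-02-24T22:00:00.000000+0000", "type": "dsdbChange", "dsdbChange": {"version": {"major": 1, "minor": 0}, "statusCode": 0, "status": "Success", "operation": "Add", "remoteAddress": "ipv4:192.0.2.10:50123", "performedAsSystem": false, "userSid": "S-1-5-21-1-2-3-500", "dn": "CN=jdoe,CN=Users,DC=example,DC=com", "transactionId": "00000000-0000-0000-0000-000000000001", "sessionId": "00000000-0000-0000-0000-000000000002", "attributes": {"objectClass": {"actions": [{"action": "add", "values": [{"value": "top"}, {"value": "person"}, {"value": "organizationalPerson"}, {"value": "user"}]}]}, "sAMAccountName": {"actions": [{"action": "add", "values": [{"value": "jdoe"}]}]}}}}
  JSON Database Modification: {"timestamp": "2022-02-24T22:01:00.000000+0000", "type": "dsdbChange", "dsdbChange": {"version": {"major": 1, "minor": 0}, "statusCode": 0, "status": "Success", "operation": "Modify", "remoteAddress": "ipv4:192.0.2.10:50123", "performedAsSystem": false, "userSid": "S-1-5-21-1-2-3-500", "dn": "CN=jdoe,CN=Users,DC=example,DC=com", "transactionId": "00000000-0000-0000-0000-000000000001", "sessionId": "00000000-0000-0000-0000-000000000002", "attributes": {"description": {"actions": [{"action": "replace", "values": [{"value": "provisioned"}]}]}}}}
'''


def parse_audit_line(line):
    """Return the JSON object embedded in one log line, or None if there is none."""
    start = line.find("{")
    if start < 0:
        return None
    try:
        return json.loads(line[start:])
    except json.JSONDecodeError:
        return None


def attr_values(change, attr):
    """Collect every value an operation sets for one attribute (assumed layout)."""
    actions = change.get("attributes", {}).get(attr, {}).get("actions", [])
    return [v.get("value") for a in actions for v in a.get("values", [])]


def user_creations(text):
    """Return (dn, userSid, remoteAddress) for each successful Add of a user object."""
    found = []
    for line in text.splitlines():
        rec = parse_audit_line(line)
        if not rec or rec.get("type") != "dsdbChange":
            continue
        change = rec.get("dsdbChange", {})
        if change.get("operation") != "Add" or change.get("statusCode") != 0:
            continue
        if "user" not in attr_values(change, "objectClass"):
            continue
        # Local root operations carry no client address; label them so the
        # report still distinguishes them from LDAP clients.
        remote = change.get("remoteAddress") or "local"
        found.append((change.get("dn"), change.get("userSid"), remote))
    return found


if __name__ == "__main__":
    for dn, sid, remote in user_creations(SAMPLE_LOG):
        print(f"user created: {dn} by {sid} from {remote}")
```

Because a local root invocation prints its audit lines to the terminal rather than log.samba, a provisioning script run that way would have to capture the tool's output and feed it through the same filter.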
