[Samba] DSDB Audit of User Creation/Deletion on Samba DC

Joseph Bell joe at iachieved.it
Fri Feb 25 16:01:39 UTC 2022

Anyone up for a “doh!” moment?

I neglected to mention that I run a secondary DC.  Guess who was handling the account creation and didn’t have the dsdb JSON logging enabled?

Yeah.  Thank goodness it's Friday.


From: Joseph Bell <joe at iachieved.it>
Date: Friday, February 25, 2022 at 9:50 AM
To: Patrick Goetz <pgoetz at math.utexas.edu>, samba at lists.samba.org <samba at lists.samba.org>
Subject: Re: [Samba] DSDB Audit of User Creation/Deletion on Samba DC

Thanks Patrick and Andrew.

So I have a testbed I use separate from my corporate environment, and in the testbed the DSDB logs came across for both user creation (via RSAT) and deletion (likewise):

  {"timestamp": "2022-02-25T15:36:34.076478+0000", "type": "groupChange", "groupChange": {"version": {"major": 1, "minor": 1}, "eventId": 4728, "statusCode": 0, "status": "Success", "action": "Added", "remoteAddress": "ipv4:", "userSid": "S-1-5-21-3939649434-3429806823-329711302-500", "group": "CN=Test User,OU=Domain Users,DC=sd,DC=iachieved,DC=it", "transactionId": "c8c603f6-eabb-4468-ad84-e97614fea98a", "sessionId": "86953890-6df0-4fa7-bbaf-d2b120b19163", "user": "CN=Test User,OU=Domain Users,DC=sd,DC=iachieved,DC=it"}}

  {"timestamp": "2022-02-25T15:37:12.358476+0000", "type": "dsdbChange", "dsdbChange": {"version": {"major": 1, "minor": 0}, "statusCode": 0, "status": "Success", "operation": "Delete", "remoteAddress": "ipv4:", "performedAsSystem": false, "userSid": "S-1-5-21-3939649434-3429806823-329711302-500", "dn": "CN=Test User,OU=Domain Users,DC=sd,DC=iachieved,DC=it", "transactionId": "8b03a388-d9a3-4a57-aad8-b62d4c67b31c", "sessionId": "2db06449-f87a-4e41-970c-f00078b33e3d"}}

I reran the test on the corporate DC and the logs did not appear.

Both systems are based on Ubuntu 20.04 and use the stock Ubuntu samba packages.  The only difference that is glaring is that the corporate DC is an ARM64 server in AWS, whereas the testbed is x86 on Proxmox.

I’ll continue to troubleshoot.  Thanks in advance if there are any insights.
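As an added example (not part of this thread or of Samba's own tooling), a small Python parser that pulls the dsdbChange and groupChange records above out of log.samba and turns them into a flat audit trail of user creation, deletion and group membership events. It assumes each record is one JSON object per line, possibly preceded by a log prefix, and that dsdbChange "operation" is one of Add/Modify/Delete and groupChange "action" is Added or Removed; the Add record and the two junk lines in the sample are constructed.

```python
import json
from typing import Iterable, Iterator

# Constructed sample of log.samba content: the two records quoted in the thread, a
# constructed "Add" record (placeholder transaction/session ids), one non-JSON line
# and one truncated line, so the parser's filtering is exercised.
SAMPLE_LOG = """\
unrelated log line without any JSON
{"timestamp": "2022-02-25T15:36:20.000000+0000", "type": "dsdbChange", "dsdbChange": {"version": {"major": 1, "minor": 0}, "statusCode": 0, "status": "Success", "operation": "Add", "remoteAddress": "ipv4:", "performedAsSystem": false, "userSid": "S-1-5-21-3939649434-3429806823-329711302-500", "dn": "CN=Test User,OU=Domain Users,DC=sd,DC=iachieved,DC=it", "transactionId": "00000000-0000-0000-0000-000000000000", "sessionId": "00000000-0000-0000-0000-000000000001"}}
  {"timestamp": "2022-02-25T15:36:34.076478+0000", "type": "groupChange", "groupChange": {"version": {"major": 1, "minor": 1}, "eventId": 4728, "statusCode": 0, "status": "Success", "action": "Added", "remoteAddress": "ipv4:", "userSid": "S-1-5-21-3939649434-3429806823-329711302-500", "group": "CN=Test User,OU=Domain Users,DC=sd,DC=iachieved,DC=it", "transactionId": "c8c603f6-eabb-4468-ad84-e97614fea98a", "sessionId": "86953890-6df0-4fa7-bbaf-d2b120b19163", "user": "CN=Test User,OU=Domain Users,DC=sd,DC=iachieved,DC=it"}}
  {"timestamp": "2022-02-25T15:37:12.358476+0000", "type": "dsdbChange", "dsdbChange": {"version": {"major": 1, "minor": 0}, "statusCode": 0, "status": "Success", "operation": "Delete", "remoteAddress": "ipv4:", "performedAsSystem": false, "userSid": "S-1-5-21-3939649434-3429806823-329711302-500", "dn": "CN=Test User,OU=Domain Users,DC=sd,DC=iachieved,DC=it", "transactionId": "8b03a388-d9a3-4a57-aad8-b62d4c67b31c", "sessionId": "2db06449-f87a-4e41-970c-f00078b33e3d"}}
{"timestamp": "2022-02-25T15:39
"""

AUDIT_TYPES = ("dsdbChange", "groupChange")

def iter_audit_records(lines: Iterable[str]) -> Iterator[dict]:
    """Yield parsed dsdbChange/groupChange records; skip prefixes, non-JSON and broken lines."""
    for line in lines:
        start = line.find("{")          # tolerate any log prefix before the JSON object
        if start < 0:
            continue
        try:
            rec = json.loads(line[start:])
        except ValueError:              # truncated or non-JSON line
            continue
        if isinstance(rec, dict) and rec.get("type") in AUDIT_TYPES:
            yield rec

def summarize(rec: dict) -> dict:
    """Flatten one record into the fields an auditor cares about."""
    kind = rec["type"]
    body = rec[kind]
    if kind == "dsdbChange":
        event = "object_" + body["operation"].lower()   # object_add / object_modify / object_delete
        target, member = body["dn"], None
    else:
        event = "group_" + body["action"].lower()       # group_added / group_removed (assumed values)
        target, member = body["group"], body.get("user")
    return {"time": rec["timestamp"], "event": event, "target": target, "member": member,
            "actor_sid": body["userSid"], "remote": body.get("remoteAddress", ""),
            "as_system": body.get("performedAsSystem", False), "ok": body["status"] == "Success"}

def account_audit_trail(lines: Iterable[str]) -> list:
    return [summarize(r) for r in iter_audit_records(lines)]

def count_by_event(lines: Iterable[str]) -> dict:
    counts: dict = {}
    for e in account_audit_trail(lines):
        counts[e["event"]] = counts.get(e["event"], 0) + 1
    return counts
```

Run it over a real log.samba with `account_audit_trail(open("/var/log/samba/log.samba"))`; an empty result for a creation you know happened points at the DC that actually served the request not having the dsdb JSON audit settings enabled.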


From: samba <samba-bounces at lists.samba.org> on behalf of Patrick Goetz via samba <samba at lists.samba.org>
Date: Friday, February 25, 2022 at 8:33 AM
To: samba at lists.samba.org <samba at lists.samba.org>
Subject: Re: [Samba] DSDB Audit of User Creation/Deletion on Samba DC

On 2/24/22 17:06, Andrew Bartlett via samba wrote:
> That really should be logged then.
> No idea right now on what is going on, you will have to dig further.

Because I want a lot of stuff to happen automatically (e.g. add new user
to default groups, create a UNIX home directory, turn off password
expiration, etc.) I wrote a script to create new user accounts, which
then presumably isn't logged?

That would seem like the normal use case.  I tried creating new users
using RSAT and found the experience underwhelming.

> Andrew,
> On Thu, 2022-02-24 at 22:36 +0000, Joseph Bell wrote:
>> Thanks Andrew.  I actually use the AD DS RSAT tools on a Windows
>> server that point to my Samba Domain Controller.  It has worked
>> beautifully thus far.
>> From: Andrew Bartlett <abartlet at samba.org>
>> Date: Thursday, February 24, 2022 at 4:30 PM
>> To: Joseph Bell <joe at iachieved.it>, samba at lists.samba.org <
>> samba at lists.samba.org>
>> Subject: Re: [Samba] DSDB Audit of User Creation/Deletion on Samba DC
>> On Thu, 2022-02-24 at 22:26 +0000, Joseph Bell via samba wrote:
>>> I run Samba 4.13 on an Ubuntu 20.04 LTS server as an Active
>> Directory
>>> Domain Controller, and one of my compliance responsibilities is to
>>> log and audit user creation, deletion, and modification (group
>> member
>>> changes).  I thought I could accomplish this with:
>>> log level = 1 dsdb_json_audit:5 dsdb_password_json_audit:5
>>> dsdb_group_json_audit:5 dsdb_transaction_json_audit:5
>>> in smb.conf, and indeed, I do receive a lot of dsdbChange and
>>> groupChange notifications in log.samba.  Further testing of this
>>> though leads me to believe that I either have something missing or
>>> user creation is not logged as a dsdb change.
>>> My question is whether or not that is true, in which case how do I
>>> log user creation, and if it isn’t true, what am I missing in my
>>> configuration?
>> How do you create the users?  If you use command-line tools locally,
>> then local access as root won't be logged to log.samba, it will be
>> logged to the terminal (this wasn't made a priority to address as the
>> root user could just turn off the logs anyway).
>> Perhaps your sudo logging might capture these, or use root less and
>> do
>> remote operations to add users.
>> Andrew Bartlett
