[Samba] samba log level: ldap log file remains empty
Kees van Vloten
keesvanvloten at gmail.com
Wed Dec 4 16:38:04 UTC 2024
On 04-12-2024 at 16:04, Hoefle, Marco (Avnet Silica) wrote:
>>>>>> On Mon, 25 Nov 2024 11:44:28 +0100
>>>>>> Kees van Vloten via samba <samba at lists.samba.org> wrote:
>>>>>>
>>>>>>> On 25-11-2024 at 11:35, Rowland Penny via samba wrote:
>>>>>>>> On Mon, 25 Nov 2024 09:48:19 +0000
>>>>>>>> "Hoefle, Marco \(Avnet Silica\) via samba" <samba at lists.samba.org>
>>>>>>>> wrote:
>>>>>>>>
>>>>>>>>> Hello,
>>>>>>>>> I have different services using ldap for user/passwd queries. I am
>>>>>>>>> using the LDAP server integrated in the samba domain controller.
>>>>>>>>> For debugging and login attempts I wanted to have all requests in a
>>>>>>>>> separate log file. I am using the 2:4.19.5+dfsg-4ubuntu9 (standard
>>>>>>>>> ubuntu 24.04 package) samba package.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> This is the relevant samba dc config:
>>>>>>>>>
>>>>>>>>> server role = active directory domain controller
>>>>>>>>> server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
>>>>>>>>> workgroup = TRAUTES
>>>>>>>>> idmap_ldb:use rfc2307 = yes
>>>>>>>>> allow dns updates = nonsecure and secure
>>>>>>>>> log level = 2 auth_json_audit:3@/var/log/samba/domain_join.log ldap:10@/var/log/samba/ldap.log auth:5 passdb:5 rpc_srv:5 rpc_parse:5 dnsupdate:10@/var/log/samba/dnsupdate.log
>>>>>>>>> log file = /var/log/samba/log.%m
>>>>>>>>>
>>>>>>>>> The domain join log file ( /var/log/samba/domain_join.log) is
>>>>>>>>> created and works (I see each domain join approach). The LDAP
>>>>>>>>> queries are not in the file. /var/log/samba/ldap.log is created
>>>>>>>>> but remains empty even after a successful LDAP query.
>>>>>>>>>
>>>>>>>>> Generally, I cannot see any ldap requests in the other log files
>>>>>>>>> either.
>>>>>>>> Sorry, but this is because there is no 'ldap' debug class. If you
>>>>>>>> read 'man smb.conf' under 'log level', you will find a full list of
>>>>>>>> available debug classes. There is 'ldb' if you can use the ldb-tools
>>>>>>>> instead (note: this may work with ldapsearch etc, but I haven't
>>>>>>>> tried it.).
>>>>>>> In 4.21 there is "ldapsrv" to log ldap queries.
>>>>>>>
>>>>>> Well, yes there is, but the OP may not be able to update or is not
>>>>>> allowed to use external repos, but if they can, I would always
>>>>>> recommend using the latest Samba version possible.
>>>>> Indeed upgrading is the easiest way to solve it. I still have an
>>>>> "ldapsrv" patch that works for 4.17 (I can make it available if needed),
>>>>> however it stopped working in 4.18 and someone updated the patch for
>>>>> 4.21, where it got merged. That does not help much for 4.19.5 :-(
>>>>>> However, the OP seems to be using Samba AD for authentication via ldap,
>>>>>> they may be able to use kerberos instead, but this would entail joining
>>>>>> the domain.
>>>>> There are many more services and applications (e.g. web-applications)
>>>>> that support authentication through LDAP than there are that support
>>>>> Kerberos. That's why I (have to) use LDAP authentication (and
>>>>> authorization) in many places.
>>>>> Even a webserver like Apache can do Kerberos for authentication only, if
>>>>> you want authorization in Apache you still need LDAP as it does not
>>>>> support looking at the groups in the PAC. Another solution is to use an
>>>>> intermediate like Keycloak to provide authn+authz through OIDC.
>>>>> - Kees.
>>> Thanks Kees,
>>> I tried to upgrade by using debian testing (in a docker container) but I get other issues then. I saw that ldapsrv is supported in the debian testing samba version.
>>> With the current settings I can see the ldap requests in the main log:
>>> samba | {"timestamp": "2024-11-25T16:06:44.021365+0100", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 3}, "eventId": 4624, "logonId": "0", "logonType": 8, "status": "NT_STATUS_OK", "localAddress": "ipv4:10.3.0.5:389", "remoteAddress": "ipv4:10.3.0.6:35370", "serviceDescription": "LDAP", "authDescription": "simple bind", "clientDomain": "xxx", "clientAccount": "CN=binddn,CN=Users,DC=xxx,DC=xxx", "workstation": "DC", "becameAccount": "binddn", "becameDomain": "xxx", "becameSid": "S-1-5-21-3518546476-3047455531-1007412457-1104", "mappedAccount": "binddn", "mappedDomain": "xxx", "netlogonComputer": null, "netlogonTrustAccount": null, "netlogonNegotiateFlags": "0x00000000", "netlogonSecureChannelType": 0, "netlogonTrustAccountSid": null, "passwordType": "Plaintext", "clientPolicyAccessCheck": null, "serverPolicyAccessCheck": null, "duration": 1995}}
>>> samba | Calling samba_kcc script
>>> /Marco
>
>>> Samba 4.21.1 is available in Debian backports, no need to use testing. The Debian maintainer also has a private repo with recent versions at http://www.corpit.ru/mjt/packages/samba/
>>> Docker and Samba are no friends, or better xattrs (used by Samba for ntacls) need privileged filesystem access.
>>> - Kees.
>
> Thanks Kees,
>
> I have now installed the debian backports:
> root at dc:/# dpkg -l | grep samba-ad
> ii samba-ad-dc 2:4.21.2+dfsg-3 amd64 Samba control files to run AD Domain Controller
>
> and added this
> log level = 2 auth_json_audit:3@/var/log/samba/domain_join.log auth:2@/var/log/samba/auth.log ldapsrv:10@/var/log/samba/ldap.log passdb:2 rpc_srv:2 rpc_parse:2
>
> the file /var/log/samba/ldap.log remains empty even if a successful ldap request has occurred.
>
> I wanted to clean the logging. I noticed that I get every 15 minutes this:
>
> samba | Calling samba_kcc script
> samba | Calling samba_kcc script
> samba | Calling samba_kcc script
> samba | Auth: [Kerberos KDC,ENC-TS Pre-authentication] user [(null)]\[SAMBA-SRV$@XXX.XFAE] at [Wed, 04 Dec 2024 15:58:47.044307 CET] with [aes256-cts-hmac-sha1-96] status [NT_STATUS_PROTOCOL_UNREACHABLE] workstation [(null)] remote host [ipv4:10.3.0.6:53159] mapped to [XXXX]\[SAMBA-SRV$]. local host [NULL]
>
>
> Do you know where this time comes from? There is on samba file server joined to the AD.
If you mean to say: "This is on samba file server joined to the AD.",
then that might be the reason. LDAP queries are made to DC servers, not
to file servers.
- Kees.
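The thread turns on a quiet failure mode: a per-class log file in `log level` is created even when the class name does not exist (no `ldap` class) or does not exist yet in the running version (`ldapsrv` only from 4.21), so the file simply stays empty. The checker below is an added example, not code from Samba or from anyone in the thread; it parses a `log level` value into `class:level@file` entries and warns about those two cases. The set of known classes is a partial list assembled from this thread and `man smb.conf`, so treat it as an assumption and extend it from the man page of your own version.

```python
"""Validate a Samba 'log level' value against known debug classes."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Partial, assumed list: classes named in this thread plus a few from
# 'man smb.conf'. Extend it from the man page of the version you run.
KNOWN_CLASSES = {
    "auth", "auth_audit", "auth_json_audit", "passdb", "rpc_srv", "rpc_parse",
    "rpc_cli", "ldb", "kerberos", "winbind", "dns", "smb", "smb2",
    "dsdb_audit", "dsdb_json_audit", "ldapsrv",
}
# Classes that only exist from a given version on (thread: ldapsrv needs 4.21).
MIN_VERSION = {"ldapsrv": (4, 21)}

# One token: optional "class:", a level, optional "@/path/to/file".
_TOKEN = re.compile(r"^(?:(?P<cls>[A-Za-z0-9_]+):)?(?P<level>\d+)(?:@(?P<file>\S+))?$")


@dataclass
class LogSpec:
    cls: str                  # "all" for the bare default level
    level: int
    logfile: Optional[str]    # None means the entry goes to the main log


def parse_log_level(value: str) -> List[LogSpec]:
    """Split a 'log level' value into its per-class entries."""
    specs = []
    for token in value.split():
        m = _TOKEN.match(token)
        if not m:
            raise ValueError(f"unparseable log level token: {token!r}")
        specs.append(LogSpec(m.group("cls") or "all", int(m.group("level")), m.group("file")))
    return specs


def check_log_level(value: str, samba_version: Tuple[int, int]) -> List[str]:
    """Return one warning per entry whose log file would silently stay empty."""
    warnings = []
    for spec in parse_log_level(value):
        if spec.cls == "all":
            continue
        target = spec.logfile or "main log"
        if spec.cls not in KNOWN_CLASSES:
            warnings.append(f"unknown debug class {spec.cls!r}: {target} will stay empty")
        elif samba_version < MIN_VERSION.get(spec.cls, (0, 0)):
            need = ".".join(map(str, MIN_VERSION[spec.cls]))
            have = ".".join(map(str, samba_version))
            warnings.append(f"class {spec.cls!r} needs Samba {need}+, running {have}: {target} will stay empty")
    return warnings
```

Run it against the `log level` line from `smb.conf` before restarting Samba; an empty list means every class name is known to this table and supported by the version given.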
>
> /Marco
>
>