[Samba] samba log level: ldap log file remains empty
Kees van Vloten
keesvanvloten at gmail.com
Mon Nov 25 16:50:05 UTC 2024
On 25-11-2024 at 17:06, Hoefle, Marco (Avnet Silica) wrote:
> >>On 25-11-2024 at 11:57, Rowland Penny via samba wrote:
> >>> On Mon, 25 Nov 2024 11:44:28 +0100
> >>> Kees van Vloten via samba <samba at lists.samba.org> wrote:
> >>>
> >>>> On 25-11-2024 at 11:35, Rowland Penny via samba wrote:
> >>>>> On Mon, 25 Nov 2024 09:48:19 +0000
> >>>>> "Hoefle, Marco (Avnet Silica) via samba" <samba at lists.samba.org>
> >>>>> wrote:
> >>>>>
> >>>>>> Hello,
> >>>>>> I have different services using ldap for user/passwd queries. I am
> >>>>>> using the LDAP server integrated in the samba domain controller.
> >>>>>> For debugging and login attempts I wanted to have all requests in a
> >>>>>> separate log file. I am using the 2:4.19.5+dfsg-4ubuntu9 (standard
> >>>>>> ubuntu 24.04 package) samba package.
> >>>>>>
> >>>>>>
> >>>>>> This is the relevant samba dc config:
> >>>>>>
> >>>>>> server role = active directory domain controller
> >>>>>> server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc,
> >>>>>>     drepl, winbindd, ntp_signd, kcc, dnsupdate
> >>>>>> workgroup = TRAUTES
> >>>>>> idmap_ldb:use rfc2307 = yes
> >>>>>> allow dns updates = nonsecure and secure
> >>>>>> log level = 2 auth_json_audit:3@/var/log/samba/domain_join.log
> >>>>>>     ldap:10@/var/log/samba/ldap.log auth:5 passdb:5 rpc_srv:5
> >>>>>>     rpc_parse:5 dnsupdate:10@/var/log/samba/dnsupdate.log
> >>>>>> log file = /var/log/samba/log.%m
> >>>>>>
> >>>>>> The domain join log file ( /var/log/samba/domain_join.log) is
> >>>>>> created and works (I see each domain join approach). The LDAP
> >>>>>> queries are not in the file. /var/log/samba/ldap.log is created
> >>>>>> but remains empty even after a successful LDAP query.
> >>>>>>
> >>>>>> Generally, I cannot see any ldap requests in the other log files
> >>>>>> either.
> >>>>> Sorry, but this is because there is no 'ldap' debug class. If you
> >>>>> read 'man smb.conf' under 'log level', you will find a full list of
> >>>>> available debug classes. There is 'ldb' if you can use the ldb-tools
> >>>>> instead (note: this may work with ldapsearch etc., but I haven't
> >>>>> tried it).
> >>>> In 4.21 there is "ldapsrv" to log ldap queries.
> >>>>
> >>> Well, yes there is, but the OP may not be able to update or is not
> >>> allowed to use external repos, but if they can, I would always
> >>> recommend using the latest Samba version possible.
> >>Indeed upgrading is the easiest way to solve it. I still have an
> >>"ldapsrv" patch that works for 4.17 (I can make it available if needed),
> >>however it stopped working in 4.18 and someone updated the patch for
> >>4.21, where it got merged. That does not help much for 4.19.5 :-(
> >>>
> >>> However, the OP seems to be using Samba AD for authentication via ldap,
> >>> they may be able to use kerberos instead, but this would entail joining
> >>> the domain.
>
> >>There are many more services and applications (e.g. web-applications)
> >>that support authentication through LDAP than there are that support
> >>Kerberos. That's why I (have to) use LDAP authentication (and
> >>authorization) in many places.
>
> >>Even a webserver like Apache can do Kerberos for authentication only, if
> >>you want authorization in Apache you still need LDAP as it does not
> >>support looking at the groups in the PAC. Another solution is to use an
> >>intermediate like Keycloak to provide authn+authz through OIDC.
>
> >>- Kees.
>
> Thanks Kees,
> I tried to upgrade by using debian testing (in a docker container) but
> I get other issues then. I saw that ldapsrv is supported in the debian
> testing samba version.
> With the current settings I can see the ldap requests in the main log:
>
> samba | {"timestamp": "2024-11-25T16:06:44.021365+0100", "type":
> "Authentication", "Authentication": {"version": {"major": 1, "minor":
> 3}, "eventId": 4624, "logonId": "0", "logonType": 8, "status":
> "NT_STATUS_OK", "localAddress": "ipv4:10.3.0.5:389", "remoteAddress":
> "ipv4:10.3.0.6:35370", "serviceDescription": "LDAP",
> "authDescription": "simple bind", "clientDomain": "xxx",
> "clientAccount": "CN=binddn,CN=Users,DC=xxx,DC=xxx", "workstation":
> "DC", "becameAccount": "binddn", "becameDomain": "xxx", "becameSid":
> "S-1-5-21-3518546476-3047455531-1007412457-1104", "mappedAccount":
> "binddn", "mappedDomain": "xxx", "netlogonComputer": null,
> "netlogonTrustAccount": null, "netlogonNegotiateFlags": "0x00000000",
> "netlogonSecureChannelType": 0, "netlogonTrustAccountSid": null,
> "passwordType": "Plaintext", "clientPolicyAccessCheck": null,
> "serverPolicyAccessCheck": null, "duration": 1995}}
> samba | Calling samba_kcc script
>
> /Marco
>
>
Samba 4.21.1 is available in Debian backports, no need to use testing.
The Debian maintainer also has a private repo with recent versions at
http://www.corpit.ru/mjt/packages/samba/
Docker and Samba are no friends, or rather, xattrs (used by Samba for
ntacls) need privileged filesystem access.
- Kees.
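Since the auth_json_audit records Marco quoted are the one place in a 4.19 DC where LDAP binds do show up, the following added example (not code from the thread or from the Samba project) parses those lines as they come out of docker-compose, which prefixes every line with "samba | " and interleaves non-JSON messages such as "Calling samba_kcc script". The sample input is constructed: the first record is Marco's, the failed bind and the bind on port 636 are invented to exercise the failure and LDAPS cases. The "plaintext_on_389" flag is a heuristic of this example, not a field Samba emits: the record reports passwordType and the local port but not whether StartTLS was negotiated.

```python
import json
import re
from collections import Counter

# Constructed sample input, modelled on the auth_json_audit record posted in the
# thread. "samba | " is the docker-compose service prefix; the second and third
# records are invented and carry only the fields the functions below read.
SAMPLE_LOG = """\
samba | {"timestamp": "2024-11-25T16:06:44.021365+0100", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 3}, "eventId": 4624, "logonId": "0", "logonType": 8, "status": "NT_STATUS_OK", "localAddress": "ipv4:10.3.0.5:389", "remoteAddress": "ipv4:10.3.0.6:35370", "serviceDescription": "LDAP", "authDescription": "simple bind", "clientDomain": "xxx", "clientAccount": "CN=binddn,CN=Users,DC=xxx,DC=xxx", "workstation": "DC", "becameAccount": "binddn", "becameDomain": "xxx", "becameSid": "S-1-5-21-3518546476-3047455531-1007412457-1104", "mappedAccount": "binddn", "mappedDomain": "xxx", "netlogonComputer": null, "netlogonTrustAccount": null, "netlogonNegotiateFlags": "0x00000000", "netlogonSecureChannelType": 0, "netlogonTrustAccountSid": null, "passwordType": "Plaintext", "clientPolicyAccessCheck": null, "serverPolicyAccessCheck": null, "duration": 1995}}
samba | Calling samba_kcc script
samba | {"timestamp": "2024-11-25T16:07:01.000000+0100", "type": "Authentication", "Authentication": {"eventId": 4625, "logonType": 8, "status": "NT_STATUS_WRONG_PASSWORD", "localAddress": "ipv4:10.3.0.5:389", "remoteAddress": "ipv4:10.3.0.9:40122", "serviceDescription": "LDAP", "authDescription": "simple bind", "clientAccount": "CN=binddn,CN=Users,DC=xxx,DC=xxx", "passwordType": "Plaintext", "duration": 1200}}
samba | {"timestamp": "2024-11-25T16:07:05.000000+0100", "type": "Authentication", "Authentication": {"eventId": 4624, "logonType": 3, "status": "NT_STATUS_OK", "localAddress": "ipv4:10.3.0.5:636", "remoteAddress": "ipv4:10.3.0.7:50001", "serviceDescription": "LDAP", "authDescription": "simple bind", "clientAccount": "CN=webapp,CN=Users,DC=xxx,DC=xxx", "passwordType": "Plaintext", "duration": 900}}
"""

# docker-compose prefixes each container line with "<service> | "
PREFIX_RE = re.compile(r"^[\w.-]+\s*\|\s*")


def iter_auth_records(text):
    """Yield the parsed JSON of every auth_json_audit Authentication record,
    skipping the container prefix and any non-JSON line (e.g. KCC messages)."""
    for raw in text.splitlines():
        line = PREFIX_RE.sub("", raw.strip(), count=1)
        if not line.startswith("{"):
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if rec.get("type") == "Authentication":
            yield rec


def split_addr(addr):
    """Turn Samba's 'ipv4:10.3.0.5:389' (or 'ipv6:::1:389') into (host, port)."""
    _family, rest = addr.split(":", 1)
    host, port = rest.rsplit(":", 1)
    return host, int(port)


def summarize_ldap_binds(text):
    """One dict per LDAP bind: account, source host, outcome, and whether the
    bind looks like a plaintext simple bind on the non-LDAPS port."""
    rows = []
    for rec in iter_auth_records(text):
        auth = rec["Authentication"]
        if auth.get("serviceDescription") != "LDAP":
            continue
        _lhost, lport = split_addr(auth["localAddress"])
        rhost, _rport = split_addr(auth["remoteAddress"])
        simple_plain = (auth.get("authDescription") == "simple bind"
                        and auth.get("passwordType") == "Plaintext")
        rows.append({
            "timestamp": rec["timestamp"],
            "account": auth.get("clientAccount"),
            "source": rhost,
            "status": auth.get("status"),
            # Heuristic of this example: a simple bind on 636 is LDAPS; on 389
            # the record does not say whether StartTLS was negotiated, so the
            # row is flagged for review rather than declared cleartext.
            "plaintext_on_389": simple_plain and lport == 389,
        })
    return rows


def failed_binds_by_source(text):
    """Count failed LDAP binds per source host, a cheap indicator of a client
    with a stale bind password or of password guessing against the DC."""
    counts = Counter(r["source"] for r in summarize_ldap_binds(text)
                     if r["status"] != "NT_STATUS_OK")
    return dict(counts)


if __name__ == "__main__":
    for row in summarize_ldap_binds(SAMPLE_LOG):
        print(row)
    print("failed binds:", failed_binds_by_source(SAMPLE_LOG))
```

Run it against `docker compose logs samba` output, or directly against /var/log/samba/domain_join.log once the auth_json_audit class is routed there without a container prefix. How to read the flagged rows depends on one smb.conf setting: with `ldap server require strong auth` at its default of yes, Samba only accepts a simple bind on 389 after the client has negotiated StartTLS, so a successful flagged row means TLS was in use; if that setting has been relaxed to let web applications bind without TLS, the flagged rows are exactly the binds whose passwords may have crossed the network in the clear.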