[Samba] suspicious dsdb audit log entry containing 0ADEL

Tim Taylor tim.taylor at stud.hs-kempten.de
Wed Sep 18 09:53:45 UTC 2024


Hi all,

running a Samba AD with
   dsdb_json_audit:5
in smb.conf perfectly for months, yesterday a messed up / suspicious entry 
containing "CN=[...]\0ADEL:[someId]" as CN showed up in the logs. I could 
not find any information on what this means or what could have triggered 
this, and maybe this means kind of "newline"+"DEL". No other Delete entry 
has this appendix in a string. The domain name also includes "CN=Deleted 
Objects", so maybe this was the final delete from some kind of trash folder?

There are 5 entries that show this "\0ADEL" appendix after a valid CN; 
all report deletion of a test object for "Hildegard Test" within only a 
few milliseconds, and all have result==Success, which makes me wonder 
because this object should exist only once and should never be deleted, 
and especially it cannot be deleted five times.

The given userSid S-1-5-18 belongs to "NT Authority\SYSTEM 5" according 
to wbinfo, and I don't understand remoteAddress==null either. The 
sessionId seems to be an internal server id, because for the given 
sessionId there are numerous login+logout messages over a very long time 
and for several users.

How to find out
- what (user/machine/process/...) triggered the deletion of those objects,
- why the message in the log is formatted like "[Name]\0ADEL[id]"?

Thanks in advance,
Tim

Server: Debian 12 bookworm
Samba version: 4.17.12-Debian

Some of the suspicious JSON log entries in dsdb_json_audit.log
   {"timestamp": "2024-09-17T09:26:55.672484+0200", "type": "dsdbChange", "dsdbChange": {"version": {"major": 1, "minor": 0}, "statusCode": 0, "status": "Success", "operation": "Delete", "remoteAddress": null, "performedAsSystem": false, "userSid": "S-1-5-18", "dn": "CN=Hildegard Test\\0ADEL:6f6ada50-75c5-4b58-b2c2-9c536c3bd2dd,CN=Deleted Objects,DC=hs[...]", "transactionId": "aaba9cf0-ad49-4090-848e-387421a7ece2", "sessionId": "56478359-facb-4e2d-aaff-b651a73eb325"}}
   {"timestamp": "2024-09-17T09:26:55.698738+0200", "type": "dsdbChange", "dsdbChange": {"version": {"major": 1, "minor": 0}, "statusCode": 0, "status": "Success", "operation": "Delete", "remoteAddress": null, "performedAsSystem": false, "userSid": "S-1-5-18", "dn": "cn=Hildegard Test\\0ADEL:adc46a65-499d-437c-80aa-7dc258a5545d,CN=Deleted Objects,DC=hs[...]", "transactionId": "ef24dde8-eb30-4c6a-a90b-82aa4a1c4b1b", "sessionId": "56478359-facb-4e2d-aaff-b651a73eb325"}}
   {"timestamp": "2024-09-17T09:26:55.713554+0200", "type": "dsdbChange", "dsdbChange": {"version": {"major": 1, "minor": 0}, "statusCode": 0, "status": "Success", "operation": "Delete", "remoteAddress": null, "performedAsSystem": false, "userSid": "S-1-5-18", "dn": "cn=Hildegard Test\\0ADEL:448acc07-8e15-44fa-9db3-30d93885ceb9,CN=Deleted Objects,DC=hs[...]", "transactionId": "053607b2-cb55-4340-a7f6-c6fe504fe512", "sessionId": "56478359-facb-4e2d-aaff-b651a73eb325"}}
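As an added example (not part of the post, and not Samba's own code), a small triage script for dsdb_json_audit lines like the ones above: it recognises the `<RDN>\0ADEL:<objectGUID>` naming that AD gives deleted objects (`\0A` is the LDAP escape of the newline byte 0x0A), separates removal of an object already under CN=Deleted Objects from deletion of a live object, flags entries raised by SYSTEM with no remote address, and counts distinct objectGUIDs per name. The sample lines are constructed from the post's three entries with a placeholder DC suffix, plus one made-up client-side delete whose remoteAddress format and SIDs are assumed.

```python
import json
import re
from collections import defaultdict

# Constructed sample in the shape of the dsdb_json_audit lines quoted in the post
# (dn suffix "DC=example,DC=test" is a placeholder); the last line is a made-up
# ordinary delete issued by a domain user over LDAP, for contrast.
SAMPLE_LOG = r'''
{"timestamp": "2024-09-17T09:26:55.672484+0200", "type": "dsdbChange", "dsdbChange": {"version": {"major": 1, "minor": 0}, "statusCode": 0, "status": "Success", "operation": "Delete", "remoteAddress": null, "performedAsSystem": false, "userSid": "S-1-5-18", "dn": "CN=Hildegard Test\\0ADEL:6f6ada50-75c5-4b58-b2c2-9c536c3bd2dd,CN=Deleted Objects,DC=example,DC=test", "transactionId": "aaba9cf0-ad49-4090-848e-387421a7ece2", "sessionId": "56478359-facb-4e2d-aaff-b651a73eb325"}}
{"timestamp": "2024-09-17T09:26:55.698738+0200", "type": "dsdbChange", "dsdbChange": {"version": {"major": 1, "minor": 0}, "statusCode": 0, "status": "Success", "operation": "Delete", "remoteAddress": null, "performedAsSystem": false, "userSid": "S-1-5-18", "dn": "cn=Hildegard Test\\0ADEL:adc46a65-499d-437c-80aa-7dc258a5545d,CN=Deleted Objects,DC=example,DC=test", "transactionId": "ef24dde8-eb30-4c6a-a90b-82aa4a1c4b1b", "sessionId": "56478359-facb-4e2d-aaff-b651a73eb325"}}
{"timestamp": "2024-09-17T09:26:55.713554+0200", "type": "dsdbChange", "dsdbChange": {"version": {"major": 1, "minor": 0}, "statusCode": 0, "status": "Success", "operation": "Delete", "remoteAddress": null, "performedAsSystem": false, "userSid": "S-1-5-18", "dn": "cn=Hildegard Test\\0ADEL:448acc07-8e15-44fa-9db3-30d93885ceb9,CN=Deleted Objects,DC=example,DC=test", "transactionId": "053607b2-cb55-4340-a7f6-c6fe504fe512", "sessionId": "56478359-facb-4e2d-aaff-b651a73eb325"}}
{"timestamp": "2024-09-17T10:02:11.000000+0200", "type": "dsdbChange", "dsdbChange": {"version": {"major": 1, "minor": 0}, "statusCode": 0, "status": "Success", "operation": "Delete", "remoteAddress": "ipv4:192.0.2.10:50432", "performedAsSystem": false, "userSid": "S-1-5-21-1-2-3-1104", "dn": "CN=Temp User,CN=Users,DC=example,DC=test", "transactionId": "00000000-0000-4000-8000-000000000001", "sessionId": "00000000-0000-4000-8000-000000000002"}}
'''

# A deleted AD object is renamed "<RDN>\0ADEL:<objectGUID>" and moved under
# CN=Deleted Objects; "\0A" is the LDAP escape of the newline byte 0x0A.
TOMBSTONE_RDN = re.compile(r'^(cn|ou)=(?P<name>.*?)\\0ADEL:(?P<guid>[0-9a-f-]{36}),', re.I)

def parse_entry(line):
    """Flatten one dsdbChange JSON line into the fields relevant to triage."""
    rec = json.loads(line)
    ch = rec["dsdbChange"]
    m = TOMBSTONE_RDN.match(ch["dn"])
    return {
        "timestamp": rec["timestamp"], "operation": ch["operation"],
        "user_sid": ch["userSid"], "remote": ch["remoteAddress"],
        "session": ch["sessionId"], "dn": ch["dn"],
        "name": m.group("name") if m else None,
        "guid": m.group("guid") if m else None,
        "in_deleted_objects": ",cn=deleted objects," in ch["dn"].lower(),
    }

def classify(e):
    """Label a Delete: removal of an already-deleted object vs. deletion of a live one."""
    if e["operation"] != "Delete":
        return "other"
    if e["guid"] and e["in_deleted_objects"]:
        # SYSTEM SID and no client socket: raised inside the DC, not by an LDAP client
        if e["user_sid"] == "S-1-5-18" and e["remote"] is None:
            return "tombstone-removed-internally"
        return "tombstone-removed-by-client"
    return "live-object-deleted"

def triage(log_text):
    """Return parsed entries and, per display name, the number of distinct objectGUIDs."""
    entries = [parse_entry(l) for l in log_text.strip().splitlines() if l.strip()]
    guids = defaultdict(set)
    for e in entries:
        if e["guid"]:
            guids[e["name"]].add(e["guid"])
    return entries, {name: len(g) for name, g in guids.items()}
```

Three different objectGUIDs behind the same CN are three distinct objects, so the sample is consistent with three already-deleted objects being removed rather than one object being deleted three times.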
