Audit log dsdb_group_json_audit with with "userSid": "S-1-5-18"
Cristian Galvani
galvani.cristian at gmail.com
Mon Nov 13 12:37:42 UTC 2023
Hi!,
I have 3 Dc in my network, I enabled dsdb_group_json_audit on all of these
to json file.
smb.conf:
*log level = 1 auth_json_audit:3@/var/log/samba/auth_json_audit.log
dsdb_json_audit:3@/var/log/samba/dsdb_json_audit.log
dsdb_group_json_audit:5@/var/log/samba/dsdb_group_json_audit.log*
Everything is working as expected, if one my colleague on his local DC
change group members the activity is recorded properly.
The problem is this, *on all DCs log file in the same moment* there are
some strange activity recorded with userSid "userSid": "S-1-5-18"
and "remoteAddress": null.
all the activities record the removal of members from some security groups
but some members removed from those groups were not even present, I am sure
of this information because I restored a backup prior to the activity and
the user was not present in the modified group.
Any suggestions?
More information about the samba-technical
mailing list