Audit log dsdb_group_json_audit with with "userSid": "S-1-5-18"
Rowland Penny
rpenny at samba.org
Mon Nov 13 12:53:24 UTC 2023
On Mon, 13 Nov 2023 13:37:42 +0100
Cristian Galvani via samba-technical <samba-technical at lists.samba.org>
wrote:
> Hi!,
> I have 3 Dc in my network, I enabled dsdb_group_json_audit on all of
> these to json file.
> smb.conf:
> *log level = 1 auth_json_audit:3@/var/log/samba/auth_json_audit.log
> dsdb_json_audit:3@/var/log/samba/dsdb_json_audit.log
> dsdb_group_json_audit:5@/var/log/samba/dsdb_group_json_audit.log*
> Everything is working as expected, if one my colleague on his local DC
> change group members the activity is recorded properly.
> The problem is this, *on all DCs log file in the same moment* there
> are some strange activity recorded with userSid "userSid": "S-1-5-18"
> and "remoteAddress": null.
> all the activities record the removal of members from some security
> groups but some members removed from those groups were not even
> present, I am sure of this information because I restored a backup
> prior to the activity and the user was not present in the modified
> group.
>
> Any suggestions?
'S-1-5-18' is the SID for 'NT Authority\SYSTEM' and should be mapped,
what version of Samba are you running ?
Rowland
More information about the samba-technical
mailing list