Audit log dsdb_group_json_audit with "userSid": "S-1-5-18"

Cristian Galvani galvani.cristian at gmail.com
Mon Nov 13 12:57:21 UTC 2023


Right,
it is mapped to 'NT Authority\SYSTEM'.
Samba version 4.16.11 on all DCs.

On Mon 13 Nov 2023 at 13:54, Rowland Penny via samba-technical <
samba-technical at lists.samba.org> wrote:

> On Mon, 13 Nov 2023 13:37:42 +0100
> Cristian Galvani via samba-technical <samba-technical at lists.samba.org>
> wrote:
>
> > Hi!
> > I have 3 DCs in my network; I enabled dsdb_group_json_audit on all of
> > these, to a JSON file.
> > smb.conf:
> > *log level = 1 auth_json_audit:3@/var/log/samba/auth_json_audit.log
> > dsdb_json_audit:3@/var/log/samba/dsdb_json_audit.log
> > dsdb_group_json_audit:5@/var/log/samba/dsdb_group_json_audit.log*
> > Everything is working as expected: if one of my colleagues on his local DC
> > changes group members, the activity is recorded properly.
> > The problem is this: *in the log files on all DCs, at the same moment*, there
> > are some strange activities recorded with "userSid": "S-1-5-18"
> > and "remoteAddress": null.
> > All the activities record the removal of members from some security
> > groups, but some members removed from those groups were not even
> > present. I am sure of this information because I restored a backup
> > prior to the activity and the user was not present in the modified
> > group.
> >
> > Any suggestions?
>
> 'S-1-5-18' is the SID for 'NT Authority\SYSTEM' and should be mapped,
> what version of Samba are you running?
>
> Rowland
>
>
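
A triage sketch for the situation described in this thread, added here as an example and not code from Samba or from the posters: it reads the group audit log of each DC, keeps only group changes logged with "userSid": "S-1-5-18" and a null "remoteAddress", and reports which DCs recorded the same change in the same second. The sample lines are constructed, and every field name other than userSid and remoteAddress (timestamp, groupChange, action, group, user) is an assumption about the record layout.

```python
import json
from collections import defaultdict

SYSTEM_SID = "S-1-5-18"  # 'NT Authority\SYSTEM', as stated in the thread

def parse_events(lines):
    """Yield (timestamp, event) for each log line that carries a group change."""
    for line in lines:
        start = line.find("{")            # tolerate any debug prefix before the JSON
        if start < 0:
            continue                      # header line, no JSON at all
        try:
            rec = json.loads(line[start:])
        except json.JSONDecodeError:
            continue                      # truncated or non-JSON line
        body = rec.get("groupChange") if isinstance(rec, dict) else None  # assumed key
        if isinstance(body, dict):
            yield rec.get("timestamp"), body

def system_local_changes(logs_by_dc):
    """Map (second, action, group, user) -> sorted DCs that logged the change
    with userSid S-1-5-18 and an explicit null remoteAddress."""
    seen = defaultdict(set)
    for dc, lines in logs_by_dc.items():
        for ts, ev in parse_events(lines):
            local = "remoteAddress" in ev and ev["remoteAddress"] is None
            if ev.get("userSid") == SYSTEM_SID and local:
                second = (ts or "")[:19]  # assumes ISO 8601 timestamps; drop sub-seconds
                seen[(second, ev.get("action"), ev.get("group"), ev.get("user"))].add(dc)
    return {key: sorted(dcs) for key, dcs in seen.items()}

def sample_line(ts, sid, addr, user):
    """Build one constructed log line (hypothetical layout, not real Samba output)."""
    ev = {"action": "Removed", "remoteAddress": addr, "userSid": sid,
          "group": "CN=GroupA,DC=example,DC=com", "user": user}
    return "  " + json.dumps({"timestamp": ts, "type": "groupChange", "groupChange": ev})

ALICE, BOB = "CN=alice,DC=example,DC=com", "CN=bob,DC=example,DC=com"
SAMPLE = {  # constructed data: two DCs, one ordinary remote change on dc1
    "dc1": [sample_line("2023-11-13T10:00:01.120000+0000", SYSTEM_SID, None, ALICE),
            sample_line("2023-11-13T10:05:00.000000+0000", "S-1-5-21-1-2-3-1104",
                        "ipv4:192.0.2.10:50000", BOB),
            "[2023/11/13 10:05:00.1,  5] constructed debug header line"],
    "dc2": [sample_line("2023-11-13T10:00:01.480000+0000", SYSTEM_SID, None, ALICE)],
}

if __name__ == "__main__":
    for key, dcs in system_local_changes(SAMPLE).items():
        print(key, "logged on", dcs)
```
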

