Audit log dsdb_group_json_audit with with "userSid": "S-1-5-18"

Cristian Galvani galvani.cristian at gmail.com
Mon Nov 13 13:04:51 UTC 2023


Right,
it is mapped to 'NT Authority\SYSTEM'
Samba version 4.16.11 on all DCs

On Mon 13 Nov 2023 at 13:57 Cristian Galvani <
galvani.cristian at gmail.com> wrote:

> Right,
> it is mapped to 'NT Authority\SYSTEM'
> Samba version 4.16.11 on all DCs
>
> On Mon 13 Nov 2023 at 13:54 Rowland Penny via samba-technical
> <samba-technical at lists.samba.org> wrote:
>
>> On Mon, 13 Nov 2023 13:37:42 +0100
>> Cristian Galvani via samba-technical <samba-technical at lists.samba.org>
>> wrote:
>>
>> > Hi!
>> > I have 3 DCs in my network; I enabled dsdb_group_json_audit on all of
>> > these, logging to a JSON file.
>> > smb.conf:
>> > log level = 1 auth_json_audit:3@/var/log/samba/auth_json_audit.log
>> > dsdb_json_audit:3@/var/log/samba/dsdb_json_audit.log
>> > dsdb_group_json_audit:5@/var/log/samba/dsdb_group_json_audit.log
>> > Everything is working as expected: if one of my colleagues on his local DC
>> > changes group members, the activity is recorded properly.
>> > The problem is this: on all DCs, in the log file at the same moment, there
>> > is some strange activity recorded with "userSid": "S-1-5-18"
>> > and "remoteAddress": null.
>> > All the activities record the removal of members from some security
>> > groups, but some members removed from those groups were not even
>> > present. I am sure of this information because I restored a backup
>> > prior to the activity and the user was not present in the modified
>> > group.
>> >
>> > Any suggestions?
>>
>> 'S-1-5-18' is the SID for 'NT Authority\SYSTEM' and should be mapped.
>> What version of Samba are you running?
>>
>> Rowland
>>
>>
>
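A triage script for the dsdb_group_json_audit log discussed in this thread, added here as an example; it is not code from the thread or from the Samba project. It assumes the log is one JSON object per line with a "groupChange" payload, and that the field names other than "userSid" and "remoteAddress" (timestamp, group, user, action, transactionId) match Samba's audit_log module; all sample values are constructed.

```python
import json

# Constructed sample lines in the one-object-per-line shape that Samba's
# dsdb_group_json_audit log uses. Only "userSid" and "remoteAddress" are
# quoted in the thread; the other field names are assumed from Samba's
# audit_log module, and every value here is made up. The last line is
# deliberately truncated, as a log cut during rotation would be.
SAMPLE_LOG = r'''
{"timestamp": "2023-11-13T12:30:00.000000+0000", "type": "groupChange", "groupChange": {"version": {"major": 1, "minor": 1}, "statusCode": 0, "status": "Success", "user": "CN=alice,CN=Users,DC=example,DC=com", "group": "CN=Ops,CN=Users,DC=example,DC=com", "action": "Added", "remoteAddress": "ipv4:192.0.2.10:49152", "sessionId": "11111111-1111-1111-1111-111111111111", "transactionId": "aaaaaaaa-0000-0000-0000-000000000001", "userSid": "S-1-5-21-1-2-3-1104"}}
{"timestamp": "2023-11-13T12:31:00.000000+0000", "type": "groupChange", "groupChange": {"version": {"major": 1, "minor": 1}, "statusCode": 0, "status": "Success", "user": "CN=bob,CN=Users,DC=example,DC=com", "group": "CN=Ops,CN=Users,DC=example,DC=com", "action": "Removed", "remoteAddress": null, "sessionId": "22222222-2222-2222-2222-222222222222", "transactionId": "bbbbbbbb-0000-0000-0000-000000000002", "userSid": "S-1-5-18"}}
{"timestamp": "2023-11-13T12:31:00.000000+0000", "type": "groupChange", "groupChange": {"version": {"major": 1, "minor": 1}, "statusCode": 0, "status": "Success", "user": "CN=carol,CN=Users,DC=example,DC=com", "group": "CN=Backup,CN=Users,DC=example,DC=com", "action": "Removed", "remoteAddress": null, "sessionId": "22222222-2222-2222-2222-222222222222", "transactionId": "bbbbbbbb-0000-0000-0000-000000000002", "userSid": "S-1-5-18"}}
{"timestamp": "2023-11-13T12:32:00.000000+0000", "type": "groupChange", "groupChange": {"ver
'''


def parse_group_changes(text):
    """Yield each well-formed groupChange payload with its timestamp attached."""
    for raw in text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        try:
            rec = json.loads(raw)
        except json.JSONDecodeError:
            continue  # partial line: skip it rather than abort the whole run
        if rec.get("type") != "groupChange" or "groupChange" not in rec:
            continue
        change = dict(rec["groupChange"])
        change["timestamp"] = rec.get("timestamp")
        yield change


def flag_local_system_changes(text, system_sid="S-1-5-18"):
    """Collect changes recorded under SYSTEM with no client address, keyed by transactionId.

    A null remoteAddress means no network client was behind the change, so these
    entries are reviewed as local/DC-internal activity, separately from changes
    made through an administrator's session."""
    by_txn = {}
    for change in parse_group_changes(text):
        if change.get("userSid") == system_sid and change.get("remoteAddress") is None:
            by_txn.setdefault(change.get("transactionId"), []).append(change)
    return by_txn


def summarize(by_txn):
    """One line per transaction: when it happened, how many changes, which actions and groups."""
    rows = []
    for txn, changes in sorted(by_txn.items()):
        actions = ",".join(sorted({c["action"] for c in changes}))
        groups = ";".join(sorted({c["group"] for c in changes}))
        rows.append(f"{changes[0]['timestamp']} txn={txn} n={len(changes)} "
                    f"actions={actions} groups={groups}")
    return rows
```

Run it over a real log with `summarize(flag_local_system_changes(open(path).read()))`; a transaction that removes members from several groups at once is the pattern the thread describes and is worth correlating with the same transactionId on the other DCs.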

