Arthur Ramsey
2016-07-13 04:07:04 UTC
Hello,
I'm looking for a way to log the following attributes for all
authentication activity (LDAP bind, Kerberos, SMB / CIFS, etc.).
I would like to see:
* Principal name (user name)
* Source IP
* Timestamp (including at least seconds if not milliseconds)
* Authentication result (success / failure)
* Reason for failure: bad password, account lockout, account expired,
password expired, etc.
I believe vfs_full_audit can take care of CIFS activity (without failure
reason?). The Samba logs at level >= 3 show Kerberos authentication
result, principal name, timestamp and reason for failure, but not source
IP. I cannot find any way to monitor LDAP bind, which is the most
important in my case. Though I doubt I'm alone: LDAP authentication
seems to be the most popular choice for integrating with Active
Directory, but esp. with Samba domain controller.
I cannot connect with Event Viewer as documentation suggests I can. I
get an error, "The procedure number is out of range(1745)". No
corresponding errors observed at server side.
I searched man pages, wiki and mailing lists, but didn't find any solution.
Certainly a lack of auditing ability is a significant barrier to
enterprise adoption of Samba based domain controllers?
Thanks,
Arthur
This e-mail and any attachments may contain CONFIDENTIAL information, including PROTECTED HEALTH INFORMATION. If you are not the intended recipient, any use or disclosure of this information is STRICTLY PROHIBITED; you are requested to delete this e-mail and any attachments, notify the sender immediately, and notify the Mediture Privacy Officer at ***@mediture.com.
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba