
I have users authenticating with squid (NTLM) to an Active Directory server using Samba 3.5.4 and I'd like to log users' login attempts.

I'd like a line showing something like:
TIMESTAMP username@DOMAIN SUCCESS/FAILURE

Harley

3 Answers


If you modify the log level line in /etc/samba/smb.conf to read:

log level = 1 winbind:5

You do get the information I'm after (by default logged to /var/log/samba/log.DOMAIN), but it's very noisy and the log messages are split over two lines. Not exactly what I'm looking for but it might have to do.

ndemou
  • I'm not too sure why you put "log level: " at the beginning. Works a lot better without it! Also, on my end I was trying to understand why a login failed and I used: `log level = 10 all:10` to really get all the info. The manual page also lists all the other capabilities such as winbind and passwd. – Alexis Wilke Mar 08 '13 at 04:25
  • I was trying to find out with which user-name the windows account connects in order to properly fill in the username mapping. The answer of @AlexisWilke helped with that. – exhuma May 13 '18 at 08:15

In the Samba log files, authentication-related information is tagged with the check_ntlm_password module (assuming that's what you are using). If you want the date and hour, you have to capture the line before the one with the actual information.

Here are some examples. The name of the user was replaced with xxx.yyy in all cases. Note how the capitalization for authentication is different for success and failure cases.

[2011/11/08 10:22:40.604819,  2] auth/auth.c:304(check_ntlm_password)
  check_ntlm_password:  authentication for user [xxx.yyy] -> [xxx.yyy] -> [xxx.yyy] succeeded

[2012/01/11 09:09:00.430424,  2] auth/auth.c:314(check_ntlm_password)
  check_ntlm_password:  Authentication for user [xxx.yyy] -> [xxx.yyy] FAILED with error NT_STATUS_WRONG_PASSWORD

There are other messages beyond these two. These lines were produced by a Samba from the backports repository of lenny. The samba version is 3.5.6, the actual package version is 2:3.5.6~dfsg-3~bpo50+1. The exact configuration for logging on smb.conf was:

syslog = 0
debug level = 2
log file = /var/log/samba/%m.log
max log size = 1024
panic action = /usr/share/samba/panic-action %d
Daniel C. Sobral
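To turn the two-line pairs described in this answer into the one-line TIMESTAMP user@DOMAIN SUCCESS/FAILURE format the question asks for, here is an added Python example (not code from the answer or from Samba). It assumes the log layout shown above; since the domain does not appear in these lines, it is passed in as a parameter, and the sample log below is constructed from the two lines quoted in the answer plus one unrelated debug message.

```python
import re

# Header line Samba writes before each check_ntlm_password message, e.g.
# "[2011/11/08 10:22:40.604819,  2] auth/auth.c:304(check_ntlm_password)"
HEADER_RE = re.compile(
    r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})\.\d+,\s*\d+\] \S+\(check_ntlm_password\)"
)
# Detail lines: note the capitalisation differs between success and failure.
SUCCESS_RE = re.compile(
    r"^\s*check_ntlm_password:\s+authentication for user \[([^\]]+)\].*succeeded"
)
FAILURE_RE = re.compile(
    r"^\s*check_ntlm_password:\s+Authentication for user \[([^\]]+)\].*FAILED with error (\S+)"
)

# Constructed sample: the two lines from the answer plus an unrelated message.
SAMPLE_LOG = """\
[2011/11/08 10:22:40.604819,  2] auth/auth.c:304(check_ntlm_password)
  check_ntlm_password:  authentication for user [xxx.yyy] -> [xxx.yyy] -> [xxx.yyy] succeeded
[2011/11/08 10:22:41.000000,  2] smbd/process.c:100(some_other_function)
  some unrelated debug output that must not produce an event
[2012/01/11 09:09:00.430424,  2] auth/auth.c:314(check_ntlm_password)
  check_ntlm_password:  Authentication for user [xxx.yyy] -> [xxx.yyy] FAILED with error NT_STATUS_WRONG_PASSWORD
"""


def parse_auth_events(lines, domain="DOMAIN"):
    """Return (timestamp, user@domain, result, nt_status) tuples.

    The timestamp lives on the header line, so it is remembered until the
    following detail line is seen and discarded afterwards, whatever that
    line contained.  `domain` is an assumption: the log does not carry it.
    """
    events, pending_ts = [], None
    for line in lines:
        header = HEADER_RE.match(line)
        if header:
            pending_ts = header.group(1)
            continue
        if pending_ts is None:
            continue  # detail line without a check_ntlm_password header
        if (m := SUCCESS_RE.match(line)):
            events.append((pending_ts, f"{m.group(1)}@{domain}", "SUCCESS", ""))
        elif (m := FAILURE_RE.match(line)):
            events.append((pending_ts, f"{m.group(1)}@{domain}", "FAILURE", m.group(2)))
        pending_ts = None
    return events


def format_events(events):
    """Render events in the 'TIMESTAMP username@DOMAIN SUCCESS/FAILURE' shape."""
    return [f"{ts} {user} {result}" + (f" {reason}" if reason else "")
            for ts, user, result, reason in events]


if __name__ == "__main__":
    for row in format_events(parse_auth_events(SAMPLE_LOG.splitlines(), "EXAMPLE")):
        print(row)
```

Run it against a real file with `parse_auth_events(open("/var/log/samba/host.log"), "YOURDOMAIN")`; any other check_ntlm_password message (for example a mapping line) consumes its header's timestamp without emitting an event.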

If you're hitting AD, then you should see the logon attempts in the "security log". It should contain not only the username, but also the source IP (which should be your squid host).

Here's a good article on setting it up: http://www.windowsecurity.com/articles/windows-active-directory-auditing.html

I would caution on auditing success though, as it tends to fill up the logs fast.

Eric C. Singer