
[Samba] logline of account becoming NT_STATUS_ACCOUNT_LOCKED_OUT




Hi,

I am trying to capture from the logs the moment that samba locks an account (because of too many failed logon attempts).

This is samba 4.7.2, with:
	log level = 1 auth_audit:3

What we see in the logs is like this:
Auth: [LDAP,simple bind/TLS] user [(null)]\[cn=username,cn=users,dc=samba,dc=company,dc=com] at [Sat, 02 Dec 2017 15:13:45.102695 CET] with [Plaintext] status [NT_STATUS_WRONG_PASSWORD] workstation [(null)] remote host [ipv4:192.168.2.8:40436] mapped to [WRKGRP]\[username]. local host [ipv4:192.168.2.16:389]
Auth: [LDAP,simple bind/TLS] user [(null)]\[cn=username,cn=users,dc=samba,dc=company,dc=com] at [Sat, 02 Dec 2017 15:13:47.203867 CET] with [Plaintext] status [NT_STATUS_WRONG_PASSWORD] workstation [(null)] remote host [ipv4:192.168.2.8:40437] mapped to [WRKGRP]\[username]. local host [ipv4:192.168.2.16:389]
Auth: [LDAP,simple bind/TLS] user [(null)]\[cn=username,cn=users,dc=samba,dc=company,dc=com] at [Sat, 02 Dec 2017 15:13:48.538162 CET] with [Plaintext] status [NT_STATUS_WRONG_PASSWORD] workstation [(null)] remote host [ipv4:192.168.2.8:40438] mapped to [WRKGRP]\[username]. local host [ipv4:192.168.2.16:389]
Auth: [LDAP,simple bind/TLS] user [(null)]\[cn=username,cn=users,dc=samba,dc=company,dc=com] at [Sat, 02 Dec 2017 15:13:52.457240 CET] with [Plaintext] status [NT_STATUS_ACCOUNT_LOCKED_OUT] workstation [(null)] remote host [ipv4:192.168.2.8:40439] mapped to [WRKGRP]\[username]. local host [ipv4:192.168.2.16:389]

So, nothing is logged *when* the actual lock happens.

We are using swatch to monitor the logs, and we would like to send an email notification when an account becomes NT_STATUS_ACCOUNT_LOCKED_OUT.

Does anyone know what log level for what 'component' is required, to get samba to log the actual LOCK when it takes place?

MJ
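
Added example, not part of the original post and not Samba or swatch code: a log filter that raises one alert per account the first time its logged status changes to NT_STATUS_ACCOUNT_LOCKED_OUT, which is the earliest signal present in the auth_audit output quoted above. The function name, the alert fields, and the fifth and sixth sample entries are constructed for illustration.

```python
import re

# Field layout taken from the auth_audit lines quoted in the post.
AUTH_RE = re.compile(
    r"Auth: \[[^\]]*\] user \[[^\]]*\]\\\[(?P<dn>[^\]]*)\] at \[(?P<when>[^\]]*)\] "
    r"with \[[^\]]*\] status \[(?P<status>[^\]]*)\] workstation \[[^\]]*\] "
    r"remote host \[(?P<remote>[^\]]*)\](?: mapped to \[[^\]]*\]\\\[(?P<user>[^\]]*)\])?"
)
LOCKED = "NT_STATUS_ACCOUNT_LOCKED_OUT"
FAILED = "NT_STATUS_WRONG_PASSWORD"

def lockout_alerts(lines):
    """Return one alert per account each time its logged status first becomes LOCKED."""
    last, failures, alerts = {}, {}, []
    for line in lines:
        for m in AUTH_RE.finditer(line):  # finditer: tolerates several entries per line
            account = m["user"] or m["dn"]  # fall back to the bind DN if unmapped
            key, status = account.lower(), m["status"]
            if status == LOCKED and last.get(key) != LOCKED:
                alerts.append({"account": account, "when": m["when"],
                               "remote": m["remote"],
                               "prior_failures": failures.get(key, 0)})
            # Count consecutive wrong passwords; any other status resets the run.
            failures[key] = failures.get(key, 0) + 1 if status == FAILED else 0
            last[key] = status
    return alerts

def _sample(account, when, status, port):
    """Build one entry in the post's layout (constructed sample data)."""
    return (f"Auth: [LDAP,simple bind/TLS] user [(null)]\\[cn={account},cn=users,"
            f"dc=samba,dc=company,dc=com] at [{when}] with [Plaintext] "
            f"status [{status}] workstation [(null)] "
            f"remote host [ipv4:192.168.2.8:{port}] mapped to [WRKGRP]\\[{account}]. "
            f"local host [ipv4:192.168.2.16:389]")

# First four entries mirror the post; the last two are constructed.
SAMPLE = [
    _sample("username", "Sat, 02 Dec 2017 15:13:45.102695 CET", FAILED, 40436),
    _sample("username", "Sat, 02 Dec 2017 15:13:47.203867 CET", FAILED, 40437),
    _sample("username", "Sat, 02 Dec 2017 15:13:48.538162 CET", FAILED, 40438),
    _sample("username", "Sat, 02 Dec 2017 15:13:52.457240 CET", LOCKED, 40439),
    _sample("username", "Sat, 02 Dec 2017 15:13:55.000000 CET", LOCKED, 40440),
    _sample("other", "Sat, 02 Dec 2017 15:14:01.000000 CET", "NT_STATUS_OK", 40441),
]

if __name__ == "__main__":
    for alert in lockout_alerts(SAMPLE):
        print("LOCKOUT", alert)
```

The alert time is that of the first rejected attempt after the lock, not of the lock itself, so it lags the lock by however long the client takes to retry.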
