Web lists-archives.com

Re: [Samba] logline of account becoming NT_STATUS_ACCOUNT_LOCKED_OUT




On Sat, 2017-12-02 at 15:27 +0100, mj via samba wrote:
> Hi,
> 
> I am trying to capture from the logs the moment that samba locks an 
> account. (because of too many failed logon attempts)
> 
> This is samba 4.7.2, with:
> > 	log level = 1 auth_audit:3


> We are using swatch to monitor the logs, and we would like to send an 
> email notification when an account becomes NT_STATUS_ACCOUNT_LOCKED_OUT
> 
> Does anyone know what log level for what 'component' is required, to get 
> a samba to log the actual LOCK when it takes place?

I'm sorry, but while we do log it, the news isn't good.

		DEBUG(5, ("Locked out user %s after %d wrong passwords\n",
			  ldb_dn_get_linearized(user_msg->dn), badPwdCount));

That will show up with level 5 globally. 

Patches (with tests) to have it moved to the auth_audit infrastructure
would be most welcome :-)

Andrew Bartlett
-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba


-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba