Web lists-archives.com

Re: [Samba] tracking account lockouts




On 3/23/2018 12:49 PM, Vinicius Bones Silva via samba wrote:
Hi,

I'm trying to track random account lockouts on the domain. Is there any recommendations for log level or log handling that let me see what machines/servers are locking the account?

I'm using samba 4.5.5. as a DC (3 DCs).

My current logging settings are:

logging = syslog
log level = 1 auth:5 passdb:5 winbind:5

Att,
Vinicius




Hello,

    You should see in your samba log file an entry similar to this on wrong password attempts.

Auth: [Kerberos KDC,ENC-TS Pre-authentication] user [(null)]\[username@DOMAIN] at [Fri, 23 Mar 2018 14:06:07.272789 EDT] with [aes256-cts-hmac-sha1-96] status [NT_STATUS_WRONG_PASSWORD] workstation [(null)] remote host [ipv4:172.16.26.11:53449] mapped to [DOMAIN]\[username]. local host [NULL]

You can see it provides the remote host IP user was on. It looks as if you are not using the correct parameter in your smb.conf. It should be

log level = 1 auth_audit:3 passdb:5 winbind:5


See the Wiki for details https://wiki.samba.org/index.php/Setting_up_Audit_Logging

--
--
James

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba