Re: [Samba] tracking account lockouts
- Date: Fri, 23 Mar 2018 14:21:26 -0400
- From: lingpanda101 via samba <samba@xxxxxxxxxxxxxxx>
- Subject: Re: [Samba] tracking account lockouts
On 3/23/2018 12:49 PM, Vinicius Bones Silva via samba wrote:
> I'm trying to track random account lockouts on the domain. Are there
> any recommendations for log level or log handling that let me see what
> machines/servers are locking the account?
> I'm using Samba 4.5.5 as a DC (3 DCs).
> My current logging settings are:
> logging = syslog
> log level = 1 auth:5 passdb:5 winbind:5

You should see in your Samba log file an entry similar to this on
wrong password attempts.

  Auth: [Kerberos KDC,ENC-TS Pre-authentication] user
  [(null)]\[username@DOMAIN] at [Fri, 23 Mar 2018 14:06:07.272789 EDT]
  with [aes256-cts-hmac-sha1-96] status [NT_STATUS_WRONG_PASSWORD]
  workstation [(null)] remote host [ipv4:172.16.26.11:53449] mapped to
  [DOMAIN]\[username]. local host [NULL]

You can see it provides the remote host IP the user was on. It looks as if
you are not using the correct parameter in your smb.conf. It should be

  log level = 1 auth_audit:3 passdb:5 winbind:5

See the Wiki for details.
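Added example (not part of the original message or of Samba): a Python sketch that parses auth_audit entries in the format quoted above and counts failed attempts per remote host for one account, which is the question the thread asks. It assumes each entry sits on a single line in the log file; the sample lines, user names and addresses are constructed, and `failed_sources` is a hypothetical helper name.

```python
import re
from collections import Counter

# Constructed sample in the format of the entry quoted above, one entry per
# line as assumed for the log file. Users, hosts and times are made up.
_T = ("Auth: [Kerberos KDC,ENC-TS Pre-authentication] user [(null)]\\[{u}@DOMAIN] "
      "at [Fri, 23 Mar 2018 14:0{m}:07.272789 EDT] with [aes256-cts-hmac-sha1-96] "
      "status [{s}] workstation [(null)] remote host [ipv4:{ip}:{p}] "
      "mapped to [DOMAIN]\\[{u}]. local host [NULL]")
SAMPLE_LOG = [
    _T.format(u="alice", m=1, s="NT_STATUS_WRONG_PASSWORD", ip="172.16.26.11", p=53449),
    _T.format(u="alice", m=2, s="NT_STATUS_WRONG_PASSWORD", ip="172.16.26.11", p=53450),
    _T.format(u="bob", m=3, s="NT_STATUS_OK", ip="172.16.26.12", p=49152),
    _T.format(u="alice", m=4, s="NT_STATUS_WRONG_PASSWORD", ip="172.16.26.40", p=50111),
    _T.format(u="alice", m=5, s="NT_STATUS_WRONG_PASSWORD", ip="172.16.26.11", p=53451),
    "smbd[1234]: unrelated line that is not an Auth entry",
]

# search() is used so a syslog prefix in front of "Auth:" is tolerated.
ENTRY = re.compile(
    r"Auth: \[[^\]]*\] user \[[^\]]*\]\\\[(?P<user>[^\]]*)\] at \[(?P<when>[^\]]*)\]"
    r".*? status \[(?P<status>\w+)\]"
    r".*? remote host \[ipv[46]:(?P<ip>[^\]]+?):\d+\]"
)


def failed_sources(lines, account):
    """Return [(remote_ip, count)] of non-OK attempts for account, busiest first."""
    hits = Counter()
    for line in lines:
        m = ENTRY.search(line)
        if not m or m["status"] == "NT_STATUS_OK":
            continue  # not an auth entry, or a successful logon
        # The user field may be "name@REALM"; compare on the bare name.
        name = m["user"].split("@")[0].casefold()
        if name == account.casefold():
            hits[m["ip"]] += 1
    return hits.most_common()


if __name__ == "__main__":
    for ip, count in failed_sources(SAMPLE_LOG, "alice"):
        print(f"{ip}\t{count} failed attempts")
```

Run it against the log of every DC, since a bad-password attempt is recorded only on the DC that handled it.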