Re: [Samba] eventlog functionality
- Date: Tue, 11 Sep 2018 13:01:35 -0500
- From: Andrew Bartlett via samba <samba@xxxxxxxxxxxxxxx>
- Subject: Re: [Samba] eventlog functionality
On Tue, 2018-09-11 at 15:52 +0000, ray klassen via samba wrote:
> so I sent you the dump separately. and i tried a persistent drive
> mapping to \\DC\netlogon which I figured should create a more
> permanent session as you described. That worked the same.
> On Tuesday, 11 September 2018, 08:21:50 GMT-7, Andrew Bartlett
> via samba <samba@xxxxxxxxxxxxxxx> wrote:
> On Tue, 2018-09-11 at 15:14 +0000, ray klassen via samba wrote:
> > Yes, after further research the solution could possibly be to
> > create
> > a python script to monitor the json output in log.samba and push
> > out
> > eventlog formatted events to 'Security' with eventlogadm. Seems a
> > lot
> > of work.
> That still assumes the appliance is reading the same type of event
> (because the eventlog RPC service was superseeded by eventlog6 and
> WMI thin, which is the reason I asked for details).
> > The appliance in question also supports getting the necessary info
> > via the netapi call "netsessionenum" I have tried that and a
> > wireshark dump shows samba replying with WERR_INVALID_LEVEL.
> > if you could shed any light on that, I would appreciate it.
> If you could get the exact details on that, or the capture file if
> confidential, that would be good.
This showed that it uses srvsvc_NetSessEnum level 10, whereas Samba
only supports level 0 and 1. Perhaps have a go at implementing level
10? It looks like just a cut down version of level 1.
The tests could do with some work however, they are at:
but don't actually check for anything, including if the call even
worked, let alone expected data...
> Note however that the Samba AD DC doesn't have a persistent
> from the client unless you mount a share, so even if it worked it
> wouldn't show up all the clients reliably.
> (A domain login to AD can be done with just a kerberos ticket
A persistent drive mapping would fix that, certainly.
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
To unsubscribe from this list go to the following URL and read the