Quantcast

Log Level and Failed Authentication Attempts

classic Classic list List threaded Threaded
7 messages Options
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Log Level and Failed Authentication Attempts

Samba - General mailing list
Hello Samba Friends,

For those of you who have had to sift through Samba logs for clues on how to determine what caused an account to lock after repeated failed logon attempts, what "log level" settings have you found to be most helpful?

Thanks,
Matthew

©2017 KNOCK, inc. All rights reserved. KNOCK is a registered trademark of KNOCK, inc. This message and any attachments contain information, which is confidential and/or privileged. If you are not the intended recipient, please refrain from any disclosure, copying, distribution or use of this information. Please be aware that such actions are prohibited. If you have received this transmission in error, kindly notify the sender by e-mail. Your cooperation is appreciated.


--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: Log Level and Failed Authentication Attempts

Samba - General mailing list
Hey Samba Friends,

Maybe the below question is too general. How about this: I’ve set my "log level = auth:10" in the global parameters of my smb.conf file.

I then purposely failed to log into an account on my Windows 10 machine until the account was locked.

I’ve run the following command where x equals the syslog, the log.samba, log.smbd and log.winbindd, and username is the name of my test user account:

tail -n 3000 x | grep -A 1 username

Nothing appears.

Is it possible to get samba to log those failed attempts? If so, how, and in which file should I expect to see it?

Thanks,
Matthew

> On 2017.04.20, at 11:49 AM, Matthew Delfino via samba <[hidden email]> wrote:
>
> Hello Samba Friends,
>
> For those of you who have had to sift through Samba logs for clues on how to determine what caused an account to lock after repeated failed logon attempts, what "log level" settings have you found to be most helpful?
>
> Thanks,
> Matthew


©2017 KNOCK, inc. All rights reserved. KNOCK is a registered trademark of KNOCK, inc. This message and any attachments contain information, which is confidential and/or privileged. If you are not the intended recipient, please refrain from any disclosure, copying, distribution or use of this information. Please be aware that such actions are prohibited. If you have received this transmission in error, kindly notify the sender by e-mail. Your cooperation is appreciated.


--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: Log Level and Failed Authentication Attempts

Samba - General mailing list
On 4/21/2017 1:28 PM, Matthew Delfino via samba wrote:

> Hey Samba Friends,
>
> Maybe the below question is too general. How about this: I’ve set my "log level = auth:10" in the global parameters of my smb.conf file.
>
> I then purposely failed to log into an account on my Windows 10 machine until the account was locked.
>
> I’ve run the following command where x equals the syslog, the log.samba, log.smbd and log.winbindd, and username is the name of my test user account:
>
> tail -n 3000 x | grep -A 1 username
>
> Nothing appears.
>
> Is it possible to get samba to log those failed attempts? If so, how, and in which file should I expect to see it?
>
> Thanks,
> Matthew
>
>> On 2017.04.20, at 11:49 AM, Matthew Delfino via samba <[hidden email]> wrote:
>>
>> Hello Samba Friends,
>>
>> For those of you who have had to sift through Samba logs for clues on how to determine what caused an account to lock after repeated failed logon attempts, what "log level" settings have you found to be most helpful?
>>
>> Thanks,
>> Matthew
>
> ©2017 KNOCK, inc. All rights reserved. KNOCK is a registered trademark of KNOCK, inc. This message and any attachments contain information, which is confidential and/or privileged. If you are not the intended recipient, please refrain from any disclosure, copying, distribution or use of this information. Please be aware that such actions are prohibited. If you have received this transmission in error, kindly notify the sender by e-mail. Your cooperation is appreciated.
>
>

Take a look at these two threads.

https://lists.samba.org/archive/samba/2017-February/206405.html

https://lists.samba.org/archive/samba/2016-June/200710.html

--
--
James


--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: Log Level and Failed Authentication Attempts

Samba - General mailing list
Hello James,

Thank you for pointing me in the right direction. It sounds like Andrew Bartlett is committed to bringing this capability to a future version of Samba. Hopefully, he’ll find the process of adding this feature to be easier then he anticipates, and it’s available to all of us who need to perform forensics on failed logins.

Have a great week,
Matthew

 

> On 2017.04.24, at 9:19 AM, lingpanda101 via samba <[hidden email]> wrote:
>
> On 4/21/2017 1:28 PM, Matthew Delfino via samba wrote:
>> Hey Samba Friends,
>>
>> Maybe the below question is too general. How about this: I’ve set my "log level = auth:10" in the global parameters of my smb.conf file.
>>
>> I then purposely failed to log into an account on my Windows 10 machine until the account was locked.
>>
>> I’ve run the following command where x equals the syslog, the log.samba, log.smbd and log.winbindd, and username is the name of my test user account:
>>
>> tail -n 3000 x | grep -A 1 username
>>
>> Nothing appears.
>>
>> Is it possible to get samba to log those failed attempts? If so, how, and in which file should I expect to see it?
>>
>> Thanks,
>> Matthew
>>
>>> On 2017.04.20, at 11:49 AM, Matthew Delfino via samba <[hidden email]> wrote:
>>>
>>> Hello Samba Friends,
>>>
>>> For those of you who have had to sift through Samba logs for clues on how to determine what caused an account to lock after repeated failed logon attempts, what "log level" settings have you found to be most helpful?
>>>
>>> Thanks,
>>> Matthew
>>
>> ©2017 KNOCK, inc. All rights reserved. KNOCK is a registered trademark of KNOCK, inc. This message and any attachments contain information, which is confidential and/or privileged. If you are not the intended recipient, please refrain from any disclosure, copying, distribution or use of this information. Please be aware that such actions are prohibited. If you have received this transmission in error, kindly notify the sender by e-mail. Your cooperation is appreciated.
>>
>>
>
> Take a look at these two threads.
>
> https://lists.samba.org/archive/samba/2017-February/206405.html
>
> https://lists.samba.org/archive/samba/2016-June/200710.html
>
> --
> --
> James
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>



©2017 KNOCK, inc. All rights reserved. KNOCK is a registered trademark of KNOCK, inc. This message and any attachments contain information, which is confidential and/or privileged. If you are not the intended recipient, please refrain from any disclosure, copying, distribution or use of this information. Please be aware that such actions are prohibited. If you have received this transmission in error, kindly notify the sender by e-mail. Your cooperation is appreciated.


--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: Log Level and Failed Authentication Attempts

Samba - General mailing list
On 4/24/2017 10:35 AM, Matthew Delfino wrote:

> Hello James,
>
> Thank you for pointing me in the right direction. It sounds like Andrew Bartlett is committed to bringing this capability to a future version of Samba. Hopefully, he’ll find the process of adding this feature to be easier then he anticipates, and it’s available to all of us who need to perform forensics on failed logins.
>
> Have a great week,
> Matthew
>
>  
>> On 2017.04.24, at 9:19 AM, lingpanda101 via samba <[hidden email]> wrote:
>>
>> On 4/21/2017 1:28 PM, Matthew Delfino via samba wrote:
>>> Hey Samba Friends,
>>>
>>> Maybe the below question is too general. How about this: I’ve set my "log level = auth:10" in the global parameters of my smb.conf file.
>>>
>>> I then purposely failed to log into an account on my Windows 10 machine until the account was locked.
>>>
>>> I’ve run the following command where x equals the syslog, the log.samba, log.smbd and log.winbindd, and username is the name of my test user account:
>>>
>>> tail -n 3000 x | grep -A 1 username
>>>
>>> Nothing appears.
>>>
>>> Is it possible to get samba to log those failed attempts? If so, how, and in which file should I expect to see it?
>>>
>>> Thanks,
>>> Matthew
>>>
>>>> On 2017.04.20, at 11:49 AM, Matthew Delfino via samba <[hidden email]> wrote:
>>>>
>>>> Hello Samba Friends,
>>>>
>>>> For those of you who have had to sift through Samba logs for clues on how to determine what caused an account to lock after repeated failed logon attempts, what "log level" settings have you found to be most helpful?
>>>>
>>>> Thanks,
>>>> Matthew
>>> ©2017 KNOCK, inc. All rights reserved. KNOCK is a registered trademark of KNOCK, inc. This message and any attachments contain information, which is confidential and/or privileged. If you are not the intended recipient, please refrain from any disclosure, copying, distribution or use of this information. Please be aware that such actions are prohibited. If you have received this transmission in error, kindly notify the sender by e-mail. Your cooperation is appreciated.
>>>
>>>
>> Take a look at these two threads.
>>
>> https://lists.samba.org/archive/samba/2017-February/206405.html
>>
>> https://lists.samba.org/archive/samba/2016-June/200710.html
>>
>> --
>> --
>> James
>>
>>
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions:  https://lists.samba.org/mailman/options/samba
>>
>
>
> ©2017 KNOCK, inc. All rights reserved. KNOCK is a registered trademark of KNOCK, inc. This message and any attachments contain information, which is confidential and/or privileged. If you are not the intended recipient, please refrain from any disclosure, copying, distribution or use of this information. Please be aware that such actions are prohibited. If you have received this transmission in error, kindly notify the sender by e-mail. Your cooperation is appreciated.
>
What I did until then was to send all workstation/server logs to a
central syslog server to capture these events.


--
--
James


--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: Log Level and Failed Authentication Attempts

Samba - General mailing list
In reply to this post by Samba - General mailing list
On Mon, 2017-04-24 at 09:35 -0500, Matthew Delfino via samba wrote:
> Hello James,
>
> Thank you for pointing me in the right direction. It sounds like
> Andrew Bartlett is committed to bringing this capability to a future
> version of Samba. Hopefully, he’ll find the process of adding this
> feature to be easier then he anticipates, and it’s available to all
> of us who need to perform forensics on failed logins.

The patches for this did land, and will be part of Samba 4.7.

Thanks,

Andrew Bartlett

--
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba


--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: Log Level and Failed Authentication Attempts

Samba - General mailing list
Hey Andrew,

That’s great news!

Thank you for everything you do to help all of us Samba users. You and your amazing team are greatly appreciated. :-)

Thanks,
Matthew

> On 2017.04.24, at 2:23 PM, Andrew Bartlett via samba <[hidden email]> wrote:
>
> On Mon, 2017-04-24 at 09:35 -0500, Matthew Delfino via samba wrote:
>> Hello James,
>>
>> Thank you for pointing me in the right direction. It sounds like
>> Andrew Bartlett is committed to bringing this capability to a future
>> version of Samba. Hopefully, he’ll find the process of adding this
>> feature to be easier then he anticipates, and it’s available to all
>> of us who need to perform forensics on failed logins.
>
> The patches for this did land, and will be part of Samba 4.7.
>
> Thanks,
>
> Andrew Bartlett
>
> --
> Andrew Bartlett                       http://samba.org/~abartlet/
> Authentication Developer, Samba Team  http://samba.org
> Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>



©2017 KNOCK, inc. All rights reserved. KNOCK is a registered trademark of KNOCK, inc. This message and any attachments contain information, which is confidential and/or privileged. If you are not the intended recipient, please refrain from any disclosure, copying, distribution or use of this information. Please be aware that such actions are prohibited. If you have received this transmission in error, kindly notify the sender by e-mail. Your cooperation is appreciated.


--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
Loading...