auth_log testing

classic Classic list List threaded Threaded
7 messages Options
Reply | Threaded
Open this post in threaded view
|

auth_log testing

Samba - samba-technical mailing list
Hi guys!

I need a bit of help :-)

I've implemented authentication logging support with MIT Kerberos:

https://git.samba.org/?p=asn/samba.git;a=shortlog;h=refs/heads/master-mit-kdc-ok

However where is the generated logging going too? I thought it is a file but
it looks like the log from MIT KDC is not written to the location it should be
showing up!

Do I need to setup where the authentication needs to be sent to in the KDB
module?


Thanks,


        Andreas

Reply | Threaded
Open this post in threaded view
|

Re: auth_log testing

Samba - samba-technical mailing list
The auth logging code is making standard samba debug calls so it should
be going to the samba logs.

The log levels are:

2 - log authentication failures
3 - successful authentications
4 - successful authorisations
5 - Anonymous authentications and authorisations.

Alternatively the following Debug classes exist.
DBGC_AUTH_AUDIT 24
DBGC_AUTH_AUDIT_JSON 25

Also the events get sent via the messaging api, which is how the tests work.

Hope that this helps

Gary






On 07/11/17 04:53, Andreas Schneider via samba-technical wrote:

> Hi guys!
>
> I need a bit of help :-)
>
> I've implemented authentication logging support with MIT Kerberos:
>
> https://git.samba.org/?p=asn/samba.git;a=shortlog;h=refs/heads/master-mit-kdc-ok
>
> However where is the generated logging going too? I thought it is a file but
> it looks like the log from MIT KDC is not written to the location it should be
> showing up!
>
> Do I need to setup where the authentication needs to be sent to in the KDB
> module?
>
>
> Thanks,
>
>
> Andreas
>


signature.asc (484 bytes) Download Attachment
Reply | Threaded
Open this post in threaded view
|

Re: auth_log testing

Samba - samba-technical mailing list
On Monday, 6 November 2017 19:06:04 CET Gary Lockyer via samba-technical
wrote:

> The auth logging code is making standard samba debug calls so it should
> be going to the samba logs.
>
> The log levels are:
>
> 2 - log authentication failures
> 3 - successful authentications
> 4 - successful authorisations
> 5 - Anonymous authentications and authorisations.
>
> Alternatively the following Debug classes exist.
> DBGC_AUTH_AUDIT 24
> DBGC_AUTH_AUDIT_JSON 25

Well, that's the problem. The MIT KDC is a different process!

> Also the events get sent via the messaging api, which is how the tests work.

Well, the MIT KDC is its own process loading the Samba KDB module. If the
tests register only for messaging form samba then they do not get it from the
KDC process.


        Andreas

Reply | Threaded
Open this post in threaded view
|

Re: auth_log testing

Samba - samba-technical mailing list

On 08/11/17 02:23, Andreas Schneider via samba-technical wrote:

> On Monday, 6 November 2017 19:06:04 CET Gary Lockyer via samba-technical
> wrote:
>> The auth logging code is making standard samba debug calls so it should
>> be going to the samba logs.
>>
>> The log levels are:
>>
>> 2 - log authentication failures
>> 3 - successful authentications
>> 4 - successful authorisations
>> 5 - Anonymous authentications and authorisations.
>>
>> Alternatively the following Debug classes exist.
>> DBGC_AUTH_AUDIT 24
>> DBGC_AUTH_AUDIT_JSON 25
>
> Well, that's the problem. The MIT KDC is a different process!
>
>> Also the events get sent via the messaging api, which is how the tests work.
>
> Well, the MIT KDC is its own process loading the Samba KDB module. If the
> tests register only for messaging form samba then they do not get it from the
> KDC process.
The tests use the samba python messaging code, take a look in
python/samba/tests/auth_log_base.py.

>
>
> Andreas
>
Gary


signature.asc (484 bytes) Download Attachment
Reply | Threaded
Open this post in threaded view
|

Re: auth_log testing

Samba - samba-technical mailing list
In reply to this post by Samba - samba-technical mailing list
On Monday, 6 November 2017 16:53:06 CET Andreas Schneider via samba-technical
wrote:

> Hi guys!
>
> I need a bit of help :-)
>
> I've implemented authentication logging support with MIT Kerberos:
>
> https://git.samba.org/?p=asn/samba.git;a=shortlog;h=refs/heads/master-mit-kd
> c-ok
>
> However where is the generated logging going too? I thought it is a file but
> it looks like the log from MIT KDC is not written to the location it should
> be showing up!
>
> Do I need to setup where the authentication needs to be sent to in the KDB
> module?

Andrew,

how does imessaging work here if some of the logging is coming from a
different process?

Do I need to init imessaging correctly in the KDB module?


Thanks,


        Andreas

--
Andreas Schneider                   GPG-ID: CC014E3D
Samba Team                             [hidden email]
www.samba.org

Reply | Threaded
Open this post in threaded view
|

Re: auth_log testing

Samba - samba-technical mailing list
On Thu, 2017-11-16 at 08:53 +0100, Andreas Schneider wrote:

> On Monday, 6 November 2017 16:53:06 CET Andreas Schneider via samba-technical
> wrote:
> > Hi guys!
> >
> > I need a bit of help :-)
> >
> > I've implemented authentication logging support with MIT Kerberos:
> >
> > https://git.samba.org/?p=asn/samba.git;a=shortlog;h=refs/heads/master-mit-kd
> > c-ok
> >
> > However where is the generated logging going too? I thought it is a file but
> > it looks like the log from MIT KDC is not written to the location it should
> > be showing up!
> >
> > Do I need to setup where the authentication needs to be sent to in the KDB
> > module?
>
> Andrew,
>
> how does imessaging work here if some of the logging is coming from a
> different process?
>
> Do I need to init imessaging correctly in the KDB module?

Yes, each process will need to set that up.  

Also for real-world use you should work out that the KDB module is
logging samba DEBUG somewhere, ideally with the rest of the samba logs
and syslog, as that is what real-world users will read.

Thanks!

Andrew Bartlett
--
Andrew Bartlett
https://samba.org/~abartlet/
Authentication Developer, Samba Team         https://samba.org
Samba Development and Support, Catalyst IT  
https://catalyst.net.nz/services/samba





Reply | Threaded
Open this post in threaded view
|

Re: auth_log testing

Samba - samba-technical mailing list
On Thursday, 16 November 2017 21:48:52 CET Andrew Bartlett wrote:

> On Thu, 2017-11-16 at 08:53 +0100, Andreas Schneider wrote:
> > On Monday, 6 November 2017 16:53:06 CET Andreas Schneider via
> > samba-technical>
> > wrote:
> > > Hi guys!
> > >
> > > I need a bit of help :-)
> > >
> > > I've implemented authentication logging support with MIT Kerberos:
> > >
> > > https://git.samba.org/?p=asn/samba.git;a=shortlog;h=refs/heads/master-mi
> > > t-kd c-ok
> > >
> > > However where is the generated logging going too? I thought it is a file
> > > but it looks like the log from MIT KDC is not written to the location
> > > it should be showing up!
> > >
> > > Do I need to setup where the authentication needs to be sent to in the
> > > KDB
> > > module?
> >
> > Andrew,
> >
> > how does imessaging work here if some of the logging is coming from a
> > different process?
> >
> > Do I need to init imessaging correctly in the KDB module?
>
> Yes, each process will need to set that up.  

Can you point me to the code where this is set up?
 
> Also for real-world use you should work out that the KDB module is
> logging samba DEBUG somewhere, ideally with the rest of the samba logs
> and syslog, as that is what real-world users will read.

The way our debugging system has been designed is not really that clever. At
least not in the meantime ...


Thanks,


        Andreas


--
Andreas Schneider                   GPG-ID: CC014E3D
Samba Team                             [hidden email]
www.samba.org