logline of account becoming NT_STATUS_ACCOUNT_LOCKED_OUT

Samba - General mailing list
Hi,

I am trying to capture from the logs the moment that samba locks an
account. (because of too many failed logon attempts)

This is samba 4.7.2, with:
> log level = 1 auth_audit:3

What we see in the logs is like this:
>   Auth: [LDAP,simple bind/TLS] user [(null)]\[cn=username,cn=users,dc=samba,dc=company,dc=com] at [Sat, 02 Dec 2017 15:13:45.102695 CET] with [Plaintext] status [NT_STATUS_WRONG_PASSWORD] workstation [(null)] remote host [ipv4:192.168.2.8:40436] mapped to [WRKGRP]\[username]. local host [ipv4:192.168.2.16:389]
>   Auth: [LDAP,simple bind/TLS] user [(null)]\[cn=username,cn=users,dc=samba,dc=company,dc=com] at [Sat, 02 Dec 2017 15:13:47.203867 CET] with [Plaintext] status [NT_STATUS_WRONG_PASSWORD] workstation [(null)] remote host [ipv4:192.168.2.8:40437] mapped to [WRKGRP]\[username]. local host [ipv4:192.168.2.16:389]
>   Auth: [LDAP,simple bind/TLS] user [(null)]\[cn=username,cn=users,dc=samba,dc=company,dc=com] at [Sat, 02 Dec 2017 15:13:48.538162 CET] with [Plaintext] status [NT_STATUS_WRONG_PASSWORD] workstation [(null)] remote host [ipv4:192.168.2.8:40438] mapped to [WRKGRP]\[username]. local host [ipv4:192.168.2.16:389]
>   Auth: [LDAP,simple bind/TLS] user [(null)]\[cn=username,cn=users,dc=samba,dc=company,dc=com] at [Sat, 02 Dec 2017 15:13:52.457240 CET] with [Plaintext] status [NT_STATUS_ACCOUNT_LOCKED_OUT] workstation [(null)] remote host [ipv4:192.168.2.8:40439] mapped to [WRKGRP]\[username]. local host [ipv4:192.168.2.16:389]

So, nothing is logged *when* the actual lock happens.

We are using swatch to monitor the logs, and we would like to send an
email notification when an account becomes NT_STATUS_ACCOUNT_LOCKED_OUT

Does anyone know what log level for what 'component' is required, to get
a samba to log the actual LOCK when it takes place?

MJ

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
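
With only `auth_audit:3` available, a monitor can still alert on the first `Auth:` line whose status turns to NT_STATUS_ACCOUNT_LOCKED_OUT for an account and suppress the repeats. The following is an added example, not part of the original thread and not Samba or swatch code; it assumes the line layout quoted in the post above, and `iter_lockouts`, `_line` and the last sample line are constructed for illustration.

```python
import re

# Fields of an auth_audit "Auth:" line, in the layout quoted in the post above.
AUTH_RE = re.compile(
    r"Auth: \[(?P<service>[^\]]*)\] user \[(?P<domain>[^\]]*)\]\\\[(?P<user>[^\]]*)\]"
    r" at \[(?P<when>[^\]]*)\] with \[(?P<mech>[^\]]*)\] status \[(?P<status>[^\]]*)\]"
    r".*? remote host \[(?P<remote>[^\]]*)\]"
    r"(?: mapped to \[(?P<mdom>[^\]]*)\]\\\[(?P<macct>[^\]]*)\])?"
)
LOCKED = "NT_STATUS_ACCOUNT_LOCKED_OUT"
WRONG = "NT_STATUS_WRONG_PASSWORD"

def iter_lockouts(lines):
    """Yield one alert per account when its status first turns LOCKED_OUT.

    This is the first bind rejected after the lock, not the lock itself,
    which (per the thread) is not written at this log level.
    """
    last, wrong = {}, {}
    for line in lines:
        m = AUTH_RE.search(line)
        if not m:
            continue  # not an auth_audit line
        acct = m["macct"] or m["user"]  # prefer the mapped account name
        status = m["status"]
        if status == LOCKED and last.get(acct) != LOCKED:
            yield {"account": acct, "when": m["when"], "remote": m["remote"],
                   "wrong_before": wrong.get(acct, 0)}
        if status == WRONG:
            wrong[acct] = wrong.get(acct, 0) + 1
        elif status != LOCKED:
            wrong[acct] = 0  # any other status resets the failure count
        last[acct] = status

def _line(when, status, port, cn="username"):
    # Constructed sample line in the layout of the log lines from the post.
    return (f"  Auth: [LDAP,simple bind/TLS] user [(null)]\\[cn={cn},cn=users,"
            f"dc=samba,dc=company,dc=com] at [{when}] with [Plaintext] "
            f"status [{status}] workstation [(null)] remote host "
            f"[ipv4:192.168.2.8:{port}] mapped to [WRKGRP]\\[{cn}]. "
            f"local host [ipv4:192.168.2.16:389]")

SAMPLE = [
    _line("Sat, 02 Dec 2017 15:13:45.102695 CET", WRONG, 40436),
    _line("Sat, 02 Dec 2017 15:13:47.203867 CET", WRONG, 40437),
    _line("Sat, 02 Dec 2017 15:13:48.538162 CET", WRONG, 40438),
    _line("Sat, 02 Dec 2017 15:13:52.457240 CET", LOCKED, 40439),
    _line("Sat, 02 Dec 2017 15:13:55.000000 CET", LOCKED, 40440),  # constructed repeat
]

if __name__ == "__main__":
    for alert in iter_lockouts(SAMPLE):
        print(alert)
```

Because `iter_lockouts` is a generator over any iterable of lines, it can be fed a followed log stream and hand each alert to a mailer as it appears.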
Re: logline of account becoming NT_STATUS_ACCOUNT_LOCKED_OUT

On Sat, 2017-12-02 at 15:27 +0100, mj via samba wrote:
> Hi,
>
> I am trying to capture from the logs the moment that samba locks an
> account. (because of too many failed logon attempts)
>
> This is samba 4.7.2, with:
> > log level = 1 auth_audit:3


> We are using swatch to monitor the logs, and we would like to send an
> email notification when an account becomes NT_STATUS_ACCOUNT_LOCKED_OUT
>
> Does anyone know what log level for what 'component' is required, to get
> a samba to log the actual LOCK when it takes place?

I'm sorry, but while we do log it, the news isn't good.

                DEBUG(5, ("Locked out user %s after %d wrong passwords\n",
                          ldb_dn_get_linearized(user_msg->dn), badPwdCount));

That will show up with level 5 globally.

Patches (with tests) to have it moved to the auth_audit infrastructure
would be most welcome :-)

Andrew Bartlett
--
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba


Re: logline of account becoming NT_STATUS_ACCOUNT_LOCKED_OUT

Hi Andrew,

On 12/02/2017 07:20 PM, Andrew Bartlett via samba wrote:
> I'm sorry, but while we do log it, the news isn't good.
>
> DEBUG(5, ("Locked out user %s after %d wrong passwords\n",
>   ldb_dn_get_linearized(user_msg->dn), badPwdCount));
>
> That will show up with level 5 globally.

Ok, patches are difficult now, as we've sponsored quite a lot this year.

But would it also be an idea to move this to a (much) lower log level?
Perhaps even at 1 or 2?

Locking accounts is such a *major* event, and log level 5 is SO high...

Thanks for your reply, Andrew!

MJ

Re: logline of account becoming NT_STATUS_ACCOUNT_LOCKED_OUT

On Sat, 2017-12-02 at 20:21 +0100, mj wrote:

> Hi Andrew,
>
> On 12/02/2017 07:20 PM, Andrew Bartlett via samba wrote:
> > I'm sorry, but while we do log it, the news isn't good.
> >
> > DEBUG(5, ("Locked out user %s after %d wrong passwords\n",
> >   ldb_dn_get_linearized(user_msg->dn), badPwdCount));
> >
> > That will show up with level 5 globally.
>
> Ok, patches are difficult now, as we've sponsored quite a lot this year.
>
> But would it also be an idea to move this to a (much) lower log level?
> Perhaps even at 1 or 2?

Sure, and it (and a lot of other messages) needs to be in the auth
logging context, either with

#undef DBGC_CLASS
#define DBGC_CLASS DBGC_AUTH

at the top of the file, or by using:

DEBUGC(DBGC_AUTH, ("message"))

where it is mixed with other things.

Could you have a go with at least this much, even if you can't move it
into the auth_audit stuff where it belongs? 

Of course I could write all the patches, but in asking that you have a
go with the patches I'm looking to spread the load a little, and you
have the need and the real-world test.
 
> Locking accounts is such a *major* event, and log level 5 is SO high...

I agree.

Andrew Bartlett
--
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba

