Re: [Samba] Lagging failed login attempts
Paul Gienger wrote:

>>> It completely depends on your logging settings. Perhaps show your smb.conf global section so we can tell. In my setup, and from the looks of things around here, a lot of other people's, is that there is a main log.smbd file and then also a log for each machine. Check in those if you are so configured. I'm sure we'll have better info for you once we see your globals.

>> None of which are terribly useful or concise for logging access attempts.

> Then you aren't trying hard enough. I 'was' getting stuff like this in my logs all over the place
>
> check_ntlm_password: Authentication for user [training] - [training] FAILED with error NT_STATUS_NO_SUCH_USER
>
> and
>
> check_ntlm_password: Authentication for user [cmcleod] - [cmcleod] FAILED with error NT_STATUS_WRONG_PASSWORD

Well I don't see those - I DID look first !

> If that isn't a failed login then I don't know what is. Depending on your setup you'll see this in a machine specific file or the unified log file. Trolling through isn't that bad, if you do a grep for NT and then another grep for FAILED you'll get the machine it was coming from (in the file: section of grep) and probably the username (as above) and the reason it was failed (also above).

    slox:/var/log/samba # ls -l
    total 6662
    drwxr-x---   2 root root     648 2004-11-22 08:53 .
    drwxr-xr-x  10 root root    7736 2004-11-20 00:15 ..
    -rw-r--r--   1 root root  516017 2004-11-22 08:53 log.nmbd
    -rw-r--r--   1 root root   31367 2004-05-21 00:15 log.nmbd-20040521.gz
    -rw-r--r--   1 root root   31987 2004-11-01 00:15 log.nmbd-20041101.gz
    -rw-r--r--   1 root root   41480 2004-11-05 00:15 log.nmbd-20041105.gz
    -rw-r--r--   1 root root   36204 2004-11-11 00:15 log.nmbd-2004.gz
    -rw-r--r--   1 root root   40248 2004-11-18 00:15 log.nmbd-20041118.gz
    -rw-r--r--   1 root root  591783 2004-11-22 08:52 log.smbd
    -rw-r--r--   1 root root   39300 2004-05-28 00:15 log.smbd-20040528.gz
    -rw-r--r--   1 root root   46070 2004-11-01 00:15 log.smbd-20041101.gz
    -rw-r--r--   1 root root   44033 2004-11-02 00:15 log.smbd-20041102.gz
    -rw-r--r--   1 root root   55800 2004-11-03 00:15 log.smbd-20041103.gz
    -rw-r--r--   1 root root   55538 2004-11-04 00:15 log.smbd-20041104.gz
    -rw-r--r--   1 root root   38379 2004-11-06 00:15 log.smbd-20041106.gz
    -rw-r--r--   1 root root   38531 2004-11-11 00:15 log.smbd-2004.gz
    -rw-r--r--   1 root root   51668 2004-11-18 00:15 log.smbd-20041118.gz
    -rw-r--r--   1 root root 5120229 2004-10-29 21:12 log.smbd.old
    slox:/var/log/samba # grep FAILED *
    slox:/var/log/samba # grep NT *
    Binary file log.nmbd-20041101.gz matches
    Binary file log.nmbd-20041118.gz matches
    Binary file log.smbd-20041104.gz matches
    Binary file log.smbd-20041106.gz matches
    Binary file log.smbd-20041118.gz matches
    slox:/var/log/samba #

This was after I'd deliberately done a failed login.

> If you're not seeing that, turn up your log level until you do. I don't think I've ever operated higher than 2 in production.

I still don't get failed login messages at log level 3.

I've changed the 'log file' parameter to log to individual machine files, and then did a bad login on my PC, this is what I got in the machine log file (on log level 2) :

    slox:/var/log/samba # cat log.pc180-shobson
    [2004/11/22 09:44:03, 0] rpc_server/srv_pipe.c:api_pipe_netsec_process(1318)
      failed to decode PDU
    [2004/11/22 09:44:03, 0] rpc_server/srv_pipe_hnd.c:process_request_pdu(504)
      process_request_pdu: failed to do schannel processing.
    [2004/11/22 09:44:03, 2] passdb/pdb_ldap.c:ldap_open_connection(217)
      ldap_open_connection: connection opened
    [2004/11/22 09:44:03, 0] passdb/pdb_ldap.c:ldap_connect_system(316)
      ldap_connect_system: Binding to ldap server as uid=cyrus,dc=colony,dc=com
    [2004/11/22 09:44:03, 2] passdb/pdb_ldap.c:ldap_connect_system(331)
      ldap_connect_system: succesful connection to the LDAP server
    [2004/11/22 09:44:03, 2] passdb/pdb_ldap.c:ldap_search_one_user(343)
      ldap_search_one_user: searching for:[((uid=pc180-shobson$)(objectclass=sambaAccount))]
    [2004/11/22 09:44:03, 2] passdb/pdb_ldap.c:get_single_attribute(441)
      get_single_attribute: [uid] = [pc180-shobson$]
    [2004/11/22 09:44:03, 2] passdb/pdb_ldap.c:init_sam_from_ldap(576)
      Entry found for user: pc180-shobson$
    [2004/11/22 09:44:03, 2] passdb/pdb_ldap.c:get_single_attribute(441)
      get_single_attribute: [pwdLastSet] = [1098964404]
    [2004/11/22 09:44:03, 2] passdb/pdb_ldap.c:get_single_attribute(441)
      get_single_attribute: [logonTime] = [0]
    [2004/11/22 09:44:03, 2] passdb/pdb_ldap.c:get_single_attribute(441)
      get_single_attribute: [logoffTime] = [0]
    [2004/11/22 09:44:03, 2] passdb/pdb_ldap.c:get_single_attribute(441)
      get_single_attribute: [kickoffTime] = [0]
    [2004/11/22 09:44:03, 2] passdb/pdb_ldap.c:get_single_attribute(441)
      get_single_attribute:
[Samba] Lagging failed login attempts
Samba 2.2.8a on Suse 8 (part of SLOX system - no I can't upgrade until Suse upgrade the system)
Windows XP Pro clients

Are failed client logins on the XP clients logged anywhere ? How about non-domain member clients accessing shares ?

I've been asked to provide a log of failed login attempts with a view to spotting break-in attempts (apparently auditors like that sort of thing). There doesn't seem to be anything useful in syslog, log.smbd, or log.nmbd.

Simon

--
Simon Hobson MA MIEE, Technology Specialist
Colony Gift Corporation Limited
Lindal in Furness, Ulverston, Cumbria, LA12 0LD
Tel 01229 461100, Fax 01229 461101

Registered in England No. 1499611
Regd. Office : 100 New Bridge Street, London, EC4V 6JA.

--
To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Lagging failed login attempts
> Are failed client logins on the XP clients logged anywhere ? How about non-domain member clients accessing shares ?

It completely depends on your logging settings. Perhaps show your smb.conf global section so we can tell.

In my setup, and from the looks of things around here, a lot of other people's, is that there is a main log.smbd file and then also a log for each machine. Check in those if you are so configured. I'm sure we'll have better info for you once we see your globals.

--
Paul Gienger                 Office: 701-281-1884
Applied Engineering Inc.
Systems Architect            Fax: 701-281-1322
URL: www.ae-solutions.com    mailto: [EMAIL PROTECTED]
Re: [Samba] Lagging failed login attempts
>> Are failed client logins on the XP clients logged anywhere ? How about non-domain member clients accessing shares ?

> It completely depends on your logging settings. Perhaps show your smb.conf global section so we can tell. In my setup, and from the looks of things around here, a lot of other people's, is that there is a main log.smbd file and then also a log for each machine. Check in those if you are so configured. I'm sure we'll have better info for you once we see your globals.

None of which are terribly useful or concise for logging access attempts. You can log successful access attempts into utmp (ala who), but I don't know of any way to log failed access attempts.
Re: [Samba] Lagging failed login attempts
Paul Gienger wrote:

>> Are failed client logins on the XP clients logged anywhere ? How about non-domain member clients accessing shares ?

> It completely depends on your logging settings. Perhaps show your smb.conf global section so we can tell.

    [global]
    workgroup = CGC
    netbios aliases = filestore CDJukebox
    server string = Colony Main Server
    encrypt passwords = Yes
    map to guest = Bad User
    username map = /etc/samba/smbusers
    log level = 1
    syslog = 0
    time server = Yes
    unix extensions = Yes
    socket options = SO_KEEPALIVE IPTOS_LOWDELAY TCP_NODELAY
    printcap name = CUPS
    domain admin group = root admin administrator
    add user script = /usr/sbin/addsmbmachine2ldap %m
    logon script = logon.bat
    logon path =
    logon drive = H:
    logon home =
    domain logons = Yes
    os level = 60
    domain master = Yes
    enhanced browsing = No
    wins support = Yes
    ldap port = 389
    ldap suffix = dc=colony,dc=com
    ldap admin dn = uid=cyrus,dc=colony,dc=com
    ldap ssl = no
    ldap del only sam attr = Yes
    admin users = Administrator administrator
    printing = cups
    hide files = /desktop.ini/Desktop.ini/

> In my setup, and from the looks of things around here, a lot of other people's, is that there is a main log.smbd file and then also a log for each machine.

I'd rather not have to trawl through a separate log for each machine. I was rather hoping there might be something as 'nice and simple' as other services log in syslog :

    Nov 19 08:57:27 slox imapd[1944]: badlogin: xx.colony.com[xxx.xxx.xxx.xxx] plaintext shobson SASL(-13): authentication failure: checkpass failed

Simon

--
Simon Hobson MA MIEE, Technology Specialist
Colony Gift Corporation Limited
Lindal in Furness, Ulverston, Cumbria, LA12 0LD
Tel 01229 461100, Fax 01229 461101

Registered in England No. 1499611
Regd. Office : 100 New Bridge Street, London, EC4V 6JA.
Re: [Samba] Lagging failed login attempts
Adam Tauno Williams wrote:

>>> Are failed client logins on the XP clients logged anywhere ? How about non-domain member clients accessing shares ?

>> It completely depends on your logging settings. Perhaps show your smb.conf global section so we can tell. In my setup, and from the looks of things around here, a lot of other people's, is that there is a main log.smbd file and then also a log for each machine. Check in those if you are so configured. I'm sure we'll have better info for you once we see your globals.

> None of which are terribly useful or concise for logging access attempts.

Then you aren't trying hard enough. I 'was' getting stuff like this in my logs all over the place

    check_ntlm_password: Authentication for user [training] - [training] FAILED with error NT_STATUS_NO_SUCH_USER

and

    check_ntlm_password: Authentication for user [cmcleod] - [cmcleod] FAILED with error NT_STATUS_WRONG_PASSWORD

If that isn't a failed login then I don't know what is. Depending on your setup you'll see this in a machine specific file or the unified log file. Trolling through isn't that bad, if you do a grep for NT and then another grep for FAILED you'll get the machine it was coming from (in the file: section of grep) and probably the username (as above) and the reason it was failed (also above).

If you're not seeing that, turn up your log level until you do. I don't think I've ever operated higher than 2 in production. I also see lots of valid connection results, so if you want 'successful' connections, it's in there too.

--
Paul Gienger                 Office: 701-281-1884
Applied Engineering Inc.
Systems Architect            Fax: 701-281-1322
URL: www.ae-solutions.com    mailto: [EMAIL PROTECTED]
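
Added example, not part of the thread and not Samba's own code: a Python script for the search described above, collecting the check_ntlm_password FAILED lines from every log.* file, including the gzip-rotated logs that a plain grep only reports as "Binary file ... matches", and taking each timestamp from the preceding entry header. The function names are this example's own, and the sample entries are constructed, with a placeholder source.c:function(0) header.

```python
import gzip
import re
from collections import Counter
from pathlib import Path

# Entry header and the failure message, in the forms quoted in the thread.
HEADER = re.compile(r"\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}), *\d+\]")
FAILED = re.compile(r"check_ntlm_password:\s+Authentication for user "
                    r"\[([^\]]*)\] - \[([^\]]*)\] FAILED with error (NT_STATUS_\w+)")

def parse_failures(lines, source):
    """Return one record per failed login in an iterable of log lines.
    The message follows its header line, so the last header's time is used."""
    stamp, records = None, []
    for line in lines:
        header = HEADER.search(line)
        if header:
            stamp = header.group(1)
        hit = FAILED.search(line)
        if hit:
            records.append({"time": stamp, "source": source,
                            "user": hit.group(1), "status": hit.group(3)})
    return records

def scan_log_dir(log_dir):
    """Scan every log.* file in log_dir, decompressing rotated .gz logs."""
    records = []
    for path in sorted(Path(log_dir).glob("log.*")):
        opener = gzip.open if path.suffix == ".gz" else open
        with opener(path, "rt", errors="replace") as handle:
            records.extend(parse_failures(handle, path.name))
    return records

def summarize(records):
    """Count failures per (user, status) so repeated attempts stand out."""
    return Counter((r["user"], r["status"]) for r in records)

# Constructed sample; "source.c:function(0)" is a placeholder header.
SAMPLE = """\
[2004/11/22 09:44:03, 2] source.c:function(0)
  check_ntlm_password: Authentication for user [training] - [training] FAILED with error NT_STATUS_NO_SUCH_USER
[2004/11/22 09:44:09, 2] source.c:function(0)
  check_ntlm_password: Authentication for user [cmcleod] - [cmcleod] FAILED with error NT_STATUS_WRONG_PASSWORD
[2004/11/22 09:44:15, 2] source.c:function(0)
  check_ntlm_password: Authentication for user [cmcleod] - [cmcleod] FAILED with error NT_STATUS_WRONG_PASSWORD
"""

if __name__ == "__main__":
    print(summarize(parse_failures(SAMPLE.splitlines(), "log.smbd")))
```

With per-machine log files, the `source` field of each record carries the file name, which is where the client machine name appears.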