Currently failed auth requests are logged as: auth_check_password_recv: sam_ignoredomain authentication for user [HPRS\thisuser] FAILED with error NT_STATUS_NO_SUCH_USER auth_check_password_recv: sam_ignoredomain authentication for user [HPRS\thatuser] FAILED with error NT_STATUS_WRONG_PASSWORD On the mailinglist the request to include the remote IP address has come up several times. Jeremy Allision replied: "We should probably have something in the server that logs this as an official "event". I filed this RFE by request of Jeremy Allision, see here: https://lists.samba.org/archive/samba/2016-June/200714.html
Fixed by 12cd7ab60a1d2cf891c061652fbcad6f8fed56d1 in master for Samba 4.7.0
Extensive work has been done to add this feature to Samba 4.7: https://wiki.samba.org/index.php/Setting_up_Audit_Logging Two new debug classes, auth_audit and auth_audit_json were added to control logging of text-string and structured JSON authentication and authorization logging.