Bug 11998 - include IP in the logs with failed authentication attempts
Status: RESOLVED FIXED
Product: Samba 4.1 and newer
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB
Version: 4.4.4
Hardware: All All
Importance: P5 enhancement
Target Milestone: ---
Assigned To: Andrew Bartlett
QA Contact: Samba QA Contact
URL: https://wiki.samba.org/index.php/Sett...
Depends on: 12865
Reported: 2016-06-26 13:37 UTC by heupink
Modified: 2017-09-19 18:48 UTC

Description heupink 2016-06-26 13:37:55 UTC
Currently failed auth requests are logged as:

auth_check_password_recv: sam_ignoredomain authentication for user [HPRS\thisuser] FAILED with error NT_STATUS_NO_SUCH_USER
auth_check_password_recv: sam_ignoredomain authentication for user [HPRS\thatuser] FAILED with error NT_STATUS_WRONG_PASSWORD

On the mailing list the request to include the remote IP address has come up several times.

Jeremy Allison replied: "We should probably have something in the server that logs this as an official 'event'."

I filed this RFE by request of Jeremy Allison, see here:
https://lists.samba.org/archive/samba/2016-June/200714.html
Comment 1 Andrew Bartlett 2017-09-19 18:46:10 UTC
Fixed by 12cd7ab60a1d2cf891c061652fbcad6f8fed56d1 in master for Samba 4.7.0
Comment 2 Andrew Bartlett 2017-09-19 18:48:27 UTC
Extensive work has been done to add this feature to Samba 4.7:

https://wiki.samba.org/index.php/Setting_up_Audit_Logging

Two new debug classes, auth_audit and auth_audit_json, were added to control logging of text-string and structured JSON authentication and authorization logging.
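
Added example, not part of the bug report or of Samba's code: counting failed authentications per remote IP from auth_audit_json output. The sample lines are constructed, and the field names (`type`, `Authentication`, `status`, `remoteAddress`, `clientAccount`) and the `ipv4:host:port` address form are assumptions based on the JSON layout described on the wiki page linked above; check them against your Samba version.

```python
import json
from collections import Counter

def _sample(status, account, addr):
    # Builds one constructed log line in the assumed auth_audit_json shape.
    body = {"type": "Authentication", "Authentication": {
        "status": status, "clientAccount": account, "remoteAddress": addr}}
    return "  JSON Authentication: " + json.dumps(body)

SAMPLE_LOG = [  # constructed data, not real logs
    _sample("NT_STATUS_WRONG_PASSWORD", "thatuser", "ipv4:192.0.2.10:49152"),
    _sample("NT_STATUS_NO_SUCH_USER", "thisuser", "ipv4:192.0.2.10:49153"),
    _sample("NT_STATUS_WRONG_PASSWORD", "thatuser", "ipv4:192.0.2.10:49154"),
    _sample("NT_STATUS_OK", "thatuser", "ipv4:192.0.2.10:49155"),
    _sample("NT_STATUS_WRONG_PASSWORD", "admin", "ipv4:198.51.100.7:50211"),
    _sample("NT_STATUS_WRONG_PASSWORD", "admin", "ipv6:2001:db8::5:50000"),
    # Pre-4.7 text line from the report: carries no address, so it is skipped.
    "auth_check_password_recv: sam_ignoredomain authentication for user "
    "[HPRS\\thisuser] FAILED with error NT_STATUS_NO_SUCH_USER",
]

def parse_event(line):
    """Return the Authentication object from a log line, or None."""
    start = line.find("{")  # skip any debug-header prefix before the JSON
    if start < 0:
        return None
    try:
        doc = json.loads(line[start:])
    except ValueError:
        return None
    if not isinstance(doc, dict) or doc.get("type") != "Authentication":
        return None
    auth = doc.get("Authentication")
    return auth if isinstance(auth, dict) else None

def remote_ip(addr):
    """'ipv4:192.0.2.10:49152' -> '192.0.2.10'; also handles ipv6 hosts."""
    if not addr or ":" not in addr:
        return "unknown"
    _family, rest = addr.split(":", 1)
    host, sep, _port = rest.rpartition(":")  # the port is the last field
    return host if sep else rest

def failed_by_ip(lines):
    counts = Counter()
    for line in lines:
        auth = parse_event(line)
        if auth is None or auth.get("status") == "NT_STATUS_OK":
            continue
        counts[remote_ip(auth.get("remoteAddress"))] += 1
    return counts

def suspects(lines, threshold=3):
    """IPs with at least `threshold` failed attempts (threshold is arbitrary)."""
    return sorted(ip for ip, n in failed_by_ip(lines).items() if n >= threshold)
```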