Bug 14920 - Authentication messages not sent to auth_audit in 4.15.2
Summary: Authentication messages not sent to auth_audit in 4.15.2
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: Other (show other bugs)
Version: 4.15.2
Hardware: All Linux
: P5 normal (vote)
Target Milestone: ---
Assignee: Ralph Böhme
QA Contact: Samba QA Contact
Depends on:
Reported: 2021-11-28 12:32 UTC by Daniel Berteaud
Modified: 2022-05-17 05:18 UTC (History)
1 user (show)

See Also:

Full smb.conf (1.13 KB, text/plain)
2021-11-28 18:16 UTC, Daniel Berteaud
no flags Details
Sample auth.log on samba 4.14.10 (2.93 KB, text/x-log)
2021-11-28 18:19 UTC, Daniel Berteaud
no flags Details
Sample json/auth.log (4.70 KB, text/x-log)
2021-11-28 18:22 UTC, Daniel Berteaud
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description Daniel Berteaud 2021-11-28 12:32:17 UTC
I'm running a samba DC version 4.14.10. I've configured logging so that

    * Important messages about the service go to the Journal (level 1)
    * auth_audit logs in /var/log/samba/auth.log at level 3
    * auth_json_audit logs in /var/log/samba/json/auth.log at level 4

This is done with

logging = systemd@1 file
log level = auth_audit:3@/var/log/samba/auth.log auth_json_audit:4@/var/log/samba/json/auth.log

After upgrading to samba 4.15.2, there's no authentication message sent anymore in those log files. Only authorization ones (if level >= 4).

Running on Alma Linux 8.5 with samba builds from Tranquil IT (https://samba.tranquil.it/centos8/samba-4.15.2/x86_64/)
Comment 1 Daniel Berteaud 2021-11-28 18:16:23 UTC
Created attachment 17029 [details]
Full smb.conf
Comment 2 Daniel Berteaud 2021-11-28 18:19:11 UTC
Created attachment 17030 [details]
Sample auth.log on samba 4.14.10

Here's a sample of /var/log/samba/auth.conf when running 4.14.10. After upgrading to 4.15.2, this log has no more entry added (Except if I raise log level from 3 to 4, in which case I do get the authorization messages)
Comment 3 Daniel Berteaud 2021-11-28 18:22:17 UTC
Created attachment 17031 [details]
Sample json/auth.log

Here's a sample from /var/log/samba/json/auth.log when running 4.14.10. Note : as it's at log level 4, there're both Authentication and Authorization messages. After upgrade to 4.15.2, no more Authentication message, only Authorization ones are added in this file.
Comment 4 Daniel Berteaud 2021-11-28 18:37:05 UTC
Found the Authentication messages, they are sent in /var/log/samba/log.samba (both plain and json) instead of /var/log/samba/auth.log and /var/log/samba/json/auth.log respectively
Comment 5 Daniel Berteaud 2021-11-28 18:52:59 UTC
Not only the Authentication messages, but also all the various dsdb logs are sent to /var/log/samba/log.samba instead of the specified files (like /var/log/samba/json/dsdb.log)

The problem can also be reproduced with a much simpler config :
- Removing the logging directive (which default to file), so no systemd involved
- Replacing log level with just

log level = auth_audit:3@/var/log/samba/auth.log

Authentication messages still goes to /var/log/samba/log.samba and not /var/log/samba/auth.log
Comment 7 Ralph Böhme 2021-11-29 11:42:51 UTC
I guess you're just missing the patches from https://bugzilla.samba.org/show_bug.cgi?id=14897.

I just tested auth audit logging on a test server and it works just fine.

*** This bug has been marked as a duplicate of bug 14897 ***
Comment 8 Daniel Berteaud 2021-12-25 18:12:05 UTC
Just tested 4.15.3, and the problem is still present. In my smb.conf, the only log related directive being

  log level = auth_audit:3@/var/log/samba/auth.log
  max log size = 0

Yet authentication messages are sent to /var/log/samba/log.samba instead of /var/log/samba/auth.log
Comment 9 Daniel Berteaud 2022-03-26 11:57:10 UTC
While checking various options to debug this issue (which was still affecting me in 4.15.5), I've found out that adding --log-basename=/var/log/samba to my samba command in the systemd unit is fixing the issue, auth_audit (as well as its json variant and all the dsdb_XXX) are now sent again in the log files specified in my log level directive, and not in /var/log/samba/log.samba anymore.
Comment 10 Andrew Bartlett 2022-05-17 05:18:40 UTC
I'm still investigating but it looks to me that logs are being capped by the global log level, even if they are meant to go to a specific file at a higher level.