Bug 9535 - BSM auditing mostly disabled when winbind is used
Status: RESOLVED WORKSFORME
Alias: None
Product: Samba 3.5
Classification: Unclassified
Component: Winbind
Version: 3.5.8
Hardware: x86 Solaris
Importance: P5 major
Target Milestone: ---
Assignee: Michael Adam
QA Contact: Samba QA Contact
 
Reported: 2013-01-03 12:24 UTC by Stefan Sonnenberg-Carstens
Modified: 2018-03-22 00:19 UTC

Description Stefan Sonnenberg-Carstens 2013-01-03 12:24:08 UTC
I configured a Solaris 10u10 machine on a VMware host with
BSM auditing, which worked fine and produced the correct messages in
the corresponding files.

After configuring smb, winbind etc. and joining our domain,
only the login/logoff events are recorded, even if I've instructed BSM
to audit even ex events.

/etc/security/audit_control
dir:/var/audit
flags:lo,ex
minfree:10
naflags:lo,ex
plugin: name=audit_syslog.so; p_flags=all

/etc/security/audit_user
root:lo,ex:no

/etc/samba/smb.conf
[global]
        log level = 1
        socket options = IPTOS_LOWDELAY TCP_NODELAY
        netbios name = server
        server string = %h - Solaris 10u10 x86-64 (Samba %v)
        unix extensions = yes
        workgroup = DOMAIN
        printing = cups
        printcap name = cups
        printcap cache time = 750
        cups options = raw
        map to guest = Bad User
        logon path = \\%L\profiles\.msprofile
        logon home = \\%L\%U\.9xprofile
        logon drive = P:
        usershare allow guests = yes
        idmap uid = 16777216-33554431
        idmap gid = 16777216-33554431
        idmap backend = idmap_rid:DOMAIN=16777216-33554431
        kerberos method = system keytab
        realm = DOMAIN.DE
        security = ADS
        local master = No
        domain master = No
        encrypt passwords = yes
        username level = 5
        password server = *
        name resolve order = host wins bcast
        template homedir = /export/home/%U
        template shell = /usr/bin/bash
        winbind refresh tickets = yes
        winbind enum users = yes
        winbind enum groups = yes
        winbind use default domain = yes
        winbind nested groups = yes
        winbind cache time = 60
        winbind offline logon = yes
        # ACL support only works on UFS / ZFS / NFSv4!
        nt acl support = yes
        inherit acls = yes
        map acl inherit = yes
        map archive = yes
        map hidden = yes
        map read only = yes
        map system = yes
        store dos attributes = yes
        inherit permissions = yes
        create mask = 755
        directory mask = 755
[homes]
   comment = Home Directories
   browseable = no
   writable = yes

/etc/pam.conf
login   auth requisite          pam_authtok_get.so.1
login   auth required           pam_dhkeys.so.1
login   auth required           pam_unix_cred.so.1
login   auth required           pam_unix_auth.so.1
login   auth required           pam_dial_auth.so.1
rlogin  auth sufficient         pam_rhosts_auth.so.1
rlogin  auth requisite          pam_authtok_get.so.1
rlogin  auth required           pam_dhkeys.so.1
rlogin  auth required           pam_unix_cred.so.1
rlogin  auth required           pam_unix_auth.so.1
krlogin auth required           pam_unix_cred.so.1
krlogin auth binding            pam_krb5.so.1
krlogin auth required           pam_unix_auth.so.1
rsh     auth sufficient         pam_rhosts_auth.so.1
rsh     auth required           pam_unix_cred.so.1
krsh    auth required           pam_unix_cred.so.1
krsh    auth binding            pam_krb5.so.1
krsh    auth required           pam_unix_auth.so.1
ktelnet auth required           pam_unix_cred.so.1
ktelnet auth binding            pam_krb5.so.1
ktelnet auth required           pam_unix_auth.so.1
ppp     auth requisite          pam_authtok_get.so.1
ppp     auth required           pam_dhkeys.so.1
ppp     auth required           pam_unix_cred.so.1
ppp     auth required           pam_unix_auth.so.1
ppp     auth required           pam_dial_auth.so.1
other   auth requisite          pam_authtok_get.so.1
other   auth sufficient         pam_winbind.so try_first_pass cached_login
other   auth required           pam_dhkeys.so.1
other   auth required           pam_unix_cred.so.1
other   auth required           pam_unix_auth.so.1
passwd  auth required           pam_passwd_auth.so.1
cron    account required        pam_unix_account.so.1
other   account requisite       pam_roles.so.1
other   account sufficient      pam_unix_account.so.1
other   account required        pam_winbind.so try_first_pass cached_login
other   session sufficient      pam_winbind.so mkhomedir
other   session required        pam_unix_session.so.1
other   password required       pam_dhkeys.so.1
other   password requisite      pam_authtok_get.so.1
other   password requisite      pam_authtok_check.so.1
other   password required       pam_authtok_store.so.1

/etc/nsswitch.conf
passwd:     files winbind
group:      files winbind
hosts:      files dns
ipnodes:   files dns
networks:   files
protocols:  files
rpc:        files
ethers:     files
netmasks:   files
bootparams: files
publickey:  files
netgroup:   files
automount:  files
aliases:    files
services:   files
printers:       user files
auth_attr:  files
prof_attr:  files
project:    files
tnrhtp:     files
tnrhdb:     files

If I revert these settings and reboot, the auditing works as expected.
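
One triage step for a PAM stack like the one posted above: list the modules that are never called once an earlier `sufficient` or `binding` module in the same service/type stack succeeds. This is an added example, not part of the original report or of Samba; the function names are hypothetical and the sample input is an excerpt of the /etc/pam.conf in the description.

```shell
#!/bin/sh
# Added example: list pam.conf entries that are never called once an earlier
# `sufficient` or `binding` module in the same service/type stack succeeds.

# Reads pam.conf text on stdin and prints one line per skipped entry:
#   service type skipped-module <- control short-circuit-module
pam_short_circuits() {
    awk '
        /^[ \t]*#/ || NF < 4 { next }          # skip comments and malformed lines
        {
            key = $1 " " $2                     # one stack per service + module type
            if (key in gate)                    # an earlier module can end this stack
                print key, $4, "<-", gate[key]
            else if ($3 == "sufficient" || $3 == "binding")
                gate[key] = $3 " " $4           # remember the first short-circuit point
        }
    '
}

# Excerpt of the "other" stacks from the /etc/pam.conf in the report above.
sample_pam_conf() {
    cat <<'EOF'
other   auth requisite          pam_authtok_get.so.1
other   auth sufficient         pam_winbind.so try_first_pass cached_login
other   auth required           pam_dhkeys.so.1
other   auth required           pam_unix_cred.so.1
other   auth required           pam_unix_auth.so.1
other   account requisite       pam_roles.so.1
other   account sufficient      pam_unix_account.so.1
other   account required        pam_winbind.so try_first_pass cached_login
other   session sufficient      pam_winbind.so mkhomedir
other   session required        pam_unix_session.so.1
EOF
}

sample_pam_conf | pam_short_circuits
```

pam_unix_cred(5) documents that module as the one that initializes the user's audit context, so its presence in the skipped list is the entry to compare against the symptom described.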
Comment 1 Björn Jacke 2018-03-22 00:19:30 UTC
I can't see where samba does something wrong here.