If you modify the log level line in /etc/samba/smb.conf to read:
log level = 1 winbind:5
You do get the information I'm after (by default logged to /var/log/samba/log.DOMAIN), but it's very noisy and the log messages are split over two lines. Not exactly what I'm looking for, but it might have to do.
In the Samba log files, authentication-related information is tagged with the check_ntlm_password module (assuming that's what you are using). If you want the date and time, you have to capture the line before the one with the actual information.
Here are some examples. The name of the user was replaced with xxx.yyy in all cases. Note how the capitalization of "authentication" is different for the success and failure cases.
[2011/11/08 10:22:40.604819, 2] auth/auth.c:304(check_ntlm_password)
check_ntlm_password: authentication for user [xxx.yyy] -> [xxx.yyy] -> [xxx.yyy] succeeded
[2012/01/11 09:09:00.430424, 2] auth/auth.c:314(check_ntlm_password)
check_ntlm_password: Authentication for user [xxx.yyy] -> [xxx.yyy] FAILED with error NT_STATUS_WRONG_PASSWORD
There are other messages beyond these two. These lines were produced by Samba from the lenny backports repository. The Samba version is 3.5.6; the actual package version is 2:3.5.6~dfsg-3~bpo50+1. The exact configuration for logging in smb.conf was:
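As an added example (not part of the original answer), here is a Python parser that does the pairing the answer describes: it holds each bracketed header line until the check_ntlm_password message that follows it arrives, so the timestamp and the result end up in one single-line record, and it skips everything else. The sample log text is constructed from the two pairs quoted above plus a filler entry with a made-up source location (smbd/example.c, unrelated_function) to show unrelated entries being ignored; the leading indentation of the message lines and the strptime format for the header timestamp are assumptions about the Samba 3.x log layout, as is the failures_by_user summary, which is a simple per-user failure count rather than anything Samba itself emits.

```python
"""Pair Samba's two-line log entries and extract check_ntlm_password results.

Added example, not from the original post. Assumes the Samba 3.x layout quoted
above: a header "[YYYY/MM/DD HH:MM:SS.ffffff, level] file:line(function)"
followed by an (optionally indented) message line.
"""
import re
from collections import Counter
from datetime import datetime
from typing import Iterable, Iterator, NamedTuple, Optional

# Header line, e.g. "[2011/11/08 10:22:40.604819, 2] auth/auth.c:304(check_ntlm_password)"
HEADER_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+),\s*(?P<level>\d+)\]"
    r"\s+(?P<location>\S+)\((?P<function>\w+)\)\s*$"
)

# Message line. The post notes the capitalisation differs between the success
# ("authentication") and failure ("Authentication") messages, hence [Aa].
# The user chain is one or more "[name]" tokens joined by "->".
AUTH_RE = re.compile(
    r"^\s*check_ntlm_password:\s+[Aa]uthentication for user\s+"
    r"(?P<chain>(?:\[[^\]]*\]\s*(?:->\s*)?)+)"
    r"(?P<result>succeeded|FAILED)"
    r"(?:\s+with error\s+(?P<error>NT_STATUS_\w+))?"
)

# Constructed sample: the two pairs from the answer plus one filler entry
# (made-up location/function) that the parser must skip.
SAMPLE_LOG = """\
[2011/11/08 10:22:40.604819, 2] auth/auth.c:304(check_ntlm_password)
  check_ntlm_password: authentication for user [xxx.yyy] -> [xxx.yyy] -> [xxx.yyy] succeeded
[2011/11/08 10:22:41.000001, 3] smbd/example.c:1(unrelated_function)
  constructed filler line that carries no authentication result
[2012/01/11 09:09:00.430424, 2] auth/auth.c:314(check_ntlm_password)
  check_ntlm_password: Authentication for user [xxx.yyy] -> [xxx.yyy] FAILED with error NT_STATUS_WRONG_PASSWORD
[2012/01/11 09:09:03.000002, 2] auth/auth.c:314(check_ntlm_password)
  check_ntlm_password: Authentication for user [xxx.yyy] -> [xxx.yyy] FAILED with error NT_STATUS_WRONG_PASSWORD
"""


class AuthEvent(NamedTuple):
    timestamp: datetime
    user: str             # name as submitted by the client (first bracket)
    mapped_user: str      # name Samba finally resolved it to (last bracket)
    success: bool
    error: Optional[str]  # NT_STATUS_* code on failure, None on success


def parse_auth_events(lines: Iterable[str]) -> Iterator[AuthEvent]:
    """Yield one AuthEvent per header/message pair from check_ntlm_password."""
    pending = None  # header waiting for its message line
    for raw in lines:
        line = raw.rstrip("\n")
        header = HEADER_RE.match(line)
        if header:
            # A new header supersedes any earlier one whose message never came.
            pending = header if header.group("function") == "check_ntlm_password" else None
            continue
        if pending is None:
            continue  # message belonging to some other module
        hdr, pending = pending, None
        msg = AUTH_RE.match(line)
        if not msg:
            continue  # another check_ntlm_password message, not an auth result
        names = re.findall(r"\[([^\]]*)\]", msg.group("chain"))
        yield AuthEvent(
            timestamp=datetime.strptime(hdr.group("ts"), "%Y/%m/%d %H:%M:%S.%f"),
            user=names[0],
            mapped_user=names[-1],
            success=msg.group("result") == "succeeded",
            error=msg.group("error"),
        )


def format_event(e: AuthEvent) -> str:
    """Single-line rendering: timestamp, outcome, user, and error code if any."""
    outcome = "OK" if e.success else "FAIL"
    tail = f" {e.error}" if e.error else ""
    return f"{e.timestamp.isoformat()} {outcome} {e.user}{tail}"


def failures_by_user(events: Iterable[AuthEvent]) -> Counter:
    """Failed logons per submitted username: a crude password-guessing indicator."""
    return Counter(e.user for e in events if not e.success)


if __name__ == "__main__":
    evs = list(parse_auth_events(SAMPLE_LOG.splitlines()))
    for ev in evs:
        print(format_event(ev))
    print("failures:", dict(failures_by_user(evs)))
```

Feed it the real file with `parse_auth_events(open("/var/log/samba/log.DOMAIN"))`; because headers that are not followed by an auth message are simply dropped, the extra output from `winbind:5` does not confuse the pairing.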
If you're hitting AD, then you should see the logon attempts in the Security log. It should contain not only the username but also the source IP (which should be your Squid host).
Here's a good article on setting it up: http://www.windowsecurity.com/articles/windows-active-directory-auditing.html
I would caution against auditing successes, though, as it tends to fill up the logs fast.