1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
|
<samba:parameter name="log level"
type="string"
context="G"
handler="handle_debug_list"
substitution="1"
xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
<synonym>debuglevel</synonym>
<description>
<para>
The value of the parameter (a string) allows the debug level (logging level) to be specified in the
<filename moreinfo="none">smb.conf</filename> file.
</para>
<para>This parameter has been extended since the 2.2.x
series, now it allows one to specify the debug level for multiple
debug classes and distinct logfiles for debug classes. This is to give
greater flexibility in the configuration of the system. The following
debug classes are currently implemented:
</para>
<itemizedlist>
<listitem><para><parameter moreinfo="none">all</parameter></para></listitem>
<listitem><para><parameter moreinfo="none">tdb</parameter></para></listitem>
<listitem><para><parameter moreinfo="none">printdrivers</parameter></para></listitem>
<listitem><para><parameter moreinfo="none">lanman</parameter></para></listitem>
<listitem><para><parameter moreinfo="none">smb</parameter></para></listitem>
<listitem><para><parameter moreinfo="none">rpc_parse</parameter></para></listitem>
<listitem><para><parameter moreinfo="none">rpc_srv</parameter></para></listitem>
<listitem><para><parameter moreinfo="none">rpc_cli</parameter></para></listitem>
<listitem><para><parameter moreinfo="none">passdb</parameter></para></listitem>
<listitem><para><parameter moreinfo="none">sam</parameter></para></listitem>
<listitem><para><parameter moreinfo="none">auth</parameter></para></listitem>
<listitem><para><parameter moreinfo="none">winbind</parameter></para></listitem>
<listitem><para><parameter moreinfo="none">vfs</parameter></para></listitem>
<listitem><para><parameter moreinfo="none">idmap</parameter></para></listitem>
<listitem><para><parameter moreinfo="none">quota</parameter></para></listitem>
<listitem><para><parameter moreinfo="none">acls</parameter></para></listitem>
<listitem><para><parameter moreinfo="none">locking</parameter></para></listitem>
<listitem><para><parameter moreinfo="none">msdfs</parameter></para></listitem>
<listitem><para><parameter moreinfo="none">dmapi</parameter></para></listitem>
<listitem><para><parameter moreinfo="none">registry</parameter></para></listitem>
<listitem><para><parameter moreinfo="none">scavenger</parameter></para></listitem>
<listitem><para><parameter moreinfo="none">dns</parameter></para></listitem>
<listitem><para><parameter moreinfo="none">ldb</parameter></para></listitem>
<listitem><para><parameter moreinfo="none">tevent</parameter></para></listitem>
<listitem><para><parameter moreinfo="none">auth_audit</parameter></para></listitem>
<listitem><para><parameter moreinfo="none">auth_json_audit</parameter></para></listitem>
<listitem><para><parameter moreinfo="none">kerberos</parameter></para></listitem>
<listitem><para><parameter moreinfo="none">drs_repl</parameter></para></listitem>
<listitem><para><parameter moreinfo="none">smb2</parameter></para></listitem>
<listitem><para><parameter moreinfo="none">smb2_credits</parameter></para></listitem>
<listitem><para><parameter moreinfo="none">dsdb_audit</parameter></para></listitem>
<listitem><para><parameter moreinfo="none">dsdb_json_audit</parameter></para></listitem>
<listitem><para><parameter moreinfo="none">dsdb_password_audit</parameter></para></listitem>
<listitem><para><parameter moreinfo="none">dsdb_password_json_audit</parameter></para></listitem>
<listitem><para><parameter moreinfo="none">dsdb_transaction_audit</parameter></para></listitem>
<listitem><para><parameter moreinfo="none">dsdb_transaction_json_audit</parameter></para></listitem>
<listitem><para><parameter moreinfo="none">dsdb_group_audit</parameter></para></listitem>
<listitem><para><parameter moreinfo="none">dsdb_group_json_audit</parameter></para></listitem>
</itemizedlist>
<para>Various modules register dynamic debug classes at first usage:</para>
<itemizedlist>
<listitem><para><parameter moreinfo="none">catia</parameter></para></listitem>
<listitem><para><parameter moreinfo="none">dfs_samba4</parameter></para></listitem>
<listitem><para><parameter moreinfo="none">extd_audit</parameter></para></listitem>
<listitem><para><parameter moreinfo="none">fileid</parameter></para></listitem>
<listitem><para><parameter moreinfo="none">fruit</parameter></para></listitem>
<listitem><para><parameter moreinfo="none">full_audit</parameter></para></listitem>
<listitem><para><parameter moreinfo="none">media_harmony</parameter></para></listitem>
<listitem><para><parameter moreinfo="none">preopen</parameter></para></listitem>
<listitem><para><parameter moreinfo="none">recycle</parameter></para></listitem>
<listitem><para><parameter moreinfo="none">shadow_copy</parameter></para></listitem>
<listitem><para><parameter moreinfo="none">shadow_copy</parameter></para></listitem>
<listitem><para><parameter moreinfo="none">unityed_media</parameter></para></listitem>
<listitem><para><parameter moreinfo="none">virusfilter</parameter></para></listitem>
</itemizedlist>
<para>To configure the logging for specific classes to go into a different
file then <smbconfoption name="log file"/>, you can append
<emphasis>@PATH</emphasis> to the class, eg <parameter>log level = 1
full_audit:1@/var/log/audit.log</parameter>.</para>
<para>Authentication and authorization audit information is logged
under the <parameter>auth_audit</parameter>, and if Samba was not compiled with
--without-json, a JSON representation is logged under
<parameter>auth_json_audit</parameter>.</para>
<para>Support is comprehensive for all authentication and authorisation
of user accounts in the Samba Active Directory Domain Controller,
as well as the implicit authentication in password changes. In
the file server, NTLM authentication, SMB and RPC authorization is
covered.</para>
<para>Log levels for <parameter>auth_audit</parameter> and
<parameter>auth_audit_json</parameter> are:</para>
<itemizedlist>
<listitem><para>2: Authentication Failure</para></listitem>
<listitem><para>3: Authentication Success</para></listitem>
<listitem><para>4: Authorization Success</para></listitem>
<listitem><para>5: Anonymous Authentication and Authorization Success</para></listitem>
</itemizedlist>
<para>Changes to the AD DC <command moreinfo="none">sam.ldb</command>
database are logged under the <parameter>dsdb_audit</parameter>
and a JSON representation is logged under
<parameter>dsdb_json_audit</parameter>.</para>
<para>Group membership changes to the AD DC <command
moreinfo="none">sam.ldb</command> database are logged under the
<parameter>dsdb_group_audit</parameter> and a JSON representation
is logged under
<parameter>dsdb_group_json_audit</parameter>.</para>
<para>Log levels for <parameter>dsdb_audit</parameter>,
<parameter>dsdb_json_audit</parameter>,
<parameter>dsdb_group_audit</parameter>,
<parameter>dsdb_group_json_audit</parameter> and
<parameter>dsdb_json_audit</parameter> are:</para>
<itemizedlist>
<listitem><para>5: Database modifications</para></listitem>
<listitem><para>5: Replicated updates from another DC</para></listitem>
</itemizedlist>
<para>Password changes and Password resets in the AD DC are logged
under <parameter>dsdb_password_audit</parameter> and a JSON
representation is logged under the
<parameter>dsdb_password_json_audit</parameter>. Password changes
will also appears as authentication events via
<parameter>auth_audit</parameter> and
<parameter>auth_audit_json</parameter>.</para>
<para>Log levels for <parameter>dsdb_password_audit</parameter> and
<parameter>dsdb_password_json_audit</parameter> are:</para>
<itemizedlist>
<listitem><para>5: Successful password changes and resets</para></listitem>
</itemizedlist>
<para>Transaction rollbacks and prepare commit failures are logged under
the <parameter>dsdb_transaction_audit</parameter> and a JSON representation is logged under the
<parameter>dsdb_transaction_json_audit</parameter>. </para>
<para>Log levels for <parameter>dsdb_transaction_audit</parameter> and
<parameter>dsdb_transaction_json</parameter> are:</para>
<itemizedlist>
<listitem><para>5: Transaction failure (rollback)</para></listitem>
<listitem><para>10: Transaction success (commit)</para></listitem>
</itemizedlist>
<para>Transaction roll-backs are possible in Samba, and whilst
they rarely reflect anything more than the failure of an
individual operation (say due to the add of a conflicting record),
they are possible. Audit logs are already generated and sent to
the system logs before the transaction is complete. Logging the
transaction details allows the identification of password and
<command moreinfo="none">sam.ldb</command> operations that have
been rolled back, and so have not actually persisted.</para>
<warning><para> Changes to <command
moreinfo="none">sam.ldb</command> made locally by the <command
moreinfo="none">root</command> user with direct access to the
database are not logged to the system logs, but to the
administrator's own console. While less than ideal, any user able
to make such modifications could disable the audit logging in any
case. </para></warning>
</description>
<value type="default">0</value>
<value type="example">3 passdb:5 auth:10 winbind:2</value>
<value type="example">1 full_audit:1@/var/log/audit.log winbind:2</value>
</samba:parameter>
|
