Mailinglist Archive: opensuse-security (220 mails)

Re: [suse-security] Trace user logins in SAMBA
  • From: "J J" <c_peto@xxxxxxxxxxx>
  • Date: Tue, 04 Nov 2003 18:54:04 +0000
  • Message-id: <Sea2-F311bgIK78ULGK00009991@xxxxxxxxxxx>
Thank you Ian!

Does that solve your question João Reis?

As Ian has kindly pointed out, at log level one you can see a connection to the netlogon share. This is probably a very good indicator of a login. The Windows domain login will look at this share for net login batch scripts/profiles, etc. during the domain login process.

So use something like...

sed -ne '/make_connection/{;N;/netlogon/p;}' /var/log/smbd.log

...or use Perl or a shell script or something like that (my sed scripting is poor!)

Having looked further I've got a nasty suspicion that the alternative is to debug IPC$ type RPC calls!! :o

From: Ian David Laws <ian@xxxxxxxxxxxxxxxx>
Reply-To: ian@xxxxxxxxxxxxxxxx
To: suse-security@xxxxxxxx
Subject: Re: [suse-security] Trace user logins in SAMBA
Date: Tue, 4 Nov 2003 19:22:40 +0100


On Tuesday 04 November 2003 13:10, J J wrote:
> My knowledge is somewhat sketchy and from Samba 2.2.1a so forgive me if
> it's no use.
Entering this "log file = /var/log/%m.log" in the smb.log
makes a log for each individual Windoze machine. When someone logs in from
that machine you should find this information
[2003/03/04 18:02:45, 1] smbd/service.c:make_connection(615)
xxxx ( connect to service netlogon as user xxxx (uid=502,
gid=100) (pid 24501)
And that is at log level = 1


--
A child of five would understand this.
Send someone to fetch a child of five.
Groucho Marx

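Added example, not part of the original mails: a Python sketch of the check discussed in this thread. It lists make_connection entries for the netlogon share from a level-1 smbd log and re-joins entries whose text wraps across lines. The sample log is constructed, and the client name and address fields are an assumption about the part the archive shows as "xxxx (".

```python
import re

# Constructed sample in the level-1 format quoted in the thread; host names,
# addresses and user names are invented for this example.
SAMPLE_LOG = """\
[2003/03/04 18:02:45, 1] smbd/service.c:make_connection(615)
  ws01 (192.0.2.10) connect to service netlogon as user alice (uid=502,
gid=100) (pid 24501)
[2003/03/04 18:03:10, 1] smbd/service.c:make_connection(615)
  ws01 (192.0.2.10) connect to service alice as user alice (uid=502, gid=100) (pid 24501)
[2003/03/04 18:07:02, 1] smbd/service.c:close_cnum(801)
  ws01 (192.0.2.10) closed connection to service netlogon
[2003/03/04 18:09:31, 1] smbd/service.c:make_connection(615)
  ws02 (192.0.2.11) connect to service NETLOGON as user bob (uid=503, gid=100) (pid 24617)
"""

# Entry header: [timestamp, level] source_file:function(line)
HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d), *\d+\] (\S+):(\w+)\(\d+\)")
# Entry body; the "client (address)" prefix is assumed (redacted in the archive).
CONNECT = re.compile(
    r"^(\S+) \((\S*)\) connect to service (\S+) as user (\S+) \(uid=(\d+), gid=(\d+)\)")

def entries(text):
    """Yield (timestamp, function, message); wrapped body lines are re-joined."""
    stamp, func, body = None, None, []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            if stamp:
                yield stamp, func, " ".join(body)
            stamp, func, body = m.group(1), m.group(3), []
        elif stamp and line.strip():
            body.append(line.strip())
    if stamp:
        yield stamp, func, " ".join(body)

def netlogon_connections(text):
    """Return one dict per make_connection entry that targets the netlogon share."""
    hits = []
    for stamp, func, msg in entries(text):
        m = CONNECT.match(msg) if func == "make_connection" else None
        if m and m.group(3).lower() == "netlogon":
            hits.append({"time": stamp, "client": m.group(1), "addr": m.group(2),
                         "user": m.group(4), "uid": int(m.group(5))})
    return hits

if __name__ == "__main__":
    for hit in netlogon_connections(SAMPLE_LOG):
        print(hit["time"], hit["client"], hit["addr"], hit["user"], hit["uid"])
```

Connections to other shares and close_cnum entries that mention netlogon are skipped, so only the connect events remain.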