Mailinglist Archive: opensuse-security (220 mails)

Re: [suse-security] Trace user logins in SAMBA
  • From: "J J" <c_peto@xxxxxxxxxxx>
  • Date: Tue, 04 Nov 2003 18:54:04 +0000
  • Message-id: <Sea2-F311bgIK78ULGK00009991@xxxxxxxxxxx>
Thank you Ian!

Does that solve your question João Reis?

As Ian has kindly pointed out, at log level one you can see a connection to the netlogon share. This is probably a very good indicator of a login. The Windows domain login will look at this share for net login batch scripts/profiles, etc. during the domain login process.

So use something like...

sed -ne '/make_connection/{;N;/netlogon/p;}' /var/log/smbd.log


...or use Perl or a shell script or something like that (my sed scripting is poor!)

Having looked further I've got a nasty suspicion that the alternative is to debug IPC$ type RPC calls!! :o


From: Ian David Laws <ian@xxxxxxxxxxxxxxxx>
Reply-To: ian@xxxxxxxxxxxxxxxx
To: suse-security@xxxxxxxx
Subject: Re: [suse-security] Trace user logins in SAMBA
Date: Tue, 4 Nov 2003 19:22:40 +0100


On Tuesday 04 November 2003 13:10, J J wrote:
> My knowledge is somewhat sketchy and from Samba 2.2.1a so forgive me if
> it's no use.
>
<snip>
Entering this "log file = /var/log/%m.log" in the smb.log
makes a log for each individual Windoze machine. When someone logs in from
that machine you should find this information:
[2003/03/04 18:02:45, 1] smbd/service.c:make_connection(615)
xxxx (192.168.100.4) connect to service netlogon as user xxxx (uid=502,
gid=100) (pid 24501)
And that is at log level = 1

Ian

--
A child of five would understand this.
Send someone to fetch a child of five.
Groucho Marx



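Added example, not part of the original thread: the sed one-liner above prints raw log lines, so this sketch turns the same log-level-1 make_connection entries into one tab-separated record per netlogon connection (timestamp, machine, IP, user), including entries that are wrapped across lines. The sample log, the host and user names, and the function names are constructed for illustration.

```sh
#!/bin/sh
# Added example: structured list of probable domain logons from smbd logs.

# Constructed sample in the log-level-1 format quoted in this thread; the last
# entry is wrapped across two lines, as in the mail. Names are made up.
sample_log() {
cat <<'EOF'
[2003/03/04 18:02:45, 1] smbd/service.c:make_connection(615)
  ws01 (192.168.100.4) connect to service netlogon as user alice (uid=502, gid=100) (pid 24501)
[2003/03/04 18:02:47, 1] smbd/service.c:make_connection(615)
  ws01 (192.168.100.4) connect to service alice as user alice (uid=502, gid=100) (pid 24501)
[2003/03/04 18:05:10, 1] smbd/service.c:close_cnum(815)
  ws01 (192.168.100.4) closed connection to service netlogon
[2003/03/04 18:09:31, 1] smbd/service.c:make_connection(615)
ws02 (192.168.100.7) connect to service netlogon as user bob (uid=503,
gid=100) (pid 24610)
EOF
}

# Print "timestamp<TAB>machine<TAB>ip<TAB>user" for each netlogon connection.
# Reads the named log files, or stdin when none are given.
netlogon_logins() {
    awk '
    # Emit the buffered entry if it is a make_connection to the netlogon share.
    function emit(   f, ip) {
        split(msg, f, " ")
        if (hdr ~ /make_connection/ && f[3] == "connect" && f[5] == "service" &&
            f[6] == "netlogon" && f[8] == "user") {
            ip = f[2]; gsub(/[()]/, "", ip)
            printf "%s\t%s\t%s\t%s\n", substr(hdr, 2, 19), f[1], ip, f[9]
        }
        hdr = ""; msg = ""
    }
    # A "[YYYY/MM/DD ..." header starts a new entry; other lines continue it.
    /^\[[0-9][0-9][0-9][0-9]\/[0-9][0-9]\/[0-9][0-9] / { emit(); hdr = $0; next }
    { msg = msg " " $0 }
    END { emit() }
    ' "$@"
}

# Count netlogon connections per user and source address.
netlogon_summary() {
    netlogon_logins "$@" | awk -F '\t' '
        { n[$4 "\t" $3]++ }
        END { for (k in n) printf "%d\t%s\n", n[k], k }' | sort -k2
}

sample_log | netlogon_logins
```

With per-machine logs from "log file = /var/log/%m.log", pass all of the files as arguments; matching on exact fields means a connection to the user's home share or a close of the netlogon share is not counted.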