Thank you Ian! Does that solve your question João Reis?

As Ian has kindly pointed out, at log level one you can see a connection to the netlogon share. This is probably a very good indicator of a login. The Windows domain login will look at this share for net login batch scripts/profiles, etc. during the domain login process. So use something like...

    sed -ne '/make_connection/{;N;/netlogon/p;}' /var/log/smbd.log

...or use Perl or a shell script or something like that (my sed scripting is poor!)

Having looked further I've got a nasty suspicion that the alternative is to debug IPC$ type RPC calls!! :o

From: Ian David Laws
Reply-To: ian@the-laws-clan.de
To: suse-security@suse.com
Subject: Re: [suse-security] Trace user logins in SAMBA
Date: Tue, 4 Nov 2003 19:22:40 +0100

On Tuesday 04 November 2003 13:10, J J wrote:
My knowledge is somewhat sketchy and from Samba 2.2.1a so forgive me if it's no use.
<snip>

Entering this "log file = /var/log/%m.log" in the smb.log makes a log for each individual Windoze machine. When someone logs in from that machine you should find this information:

    [2003/03/04 18:02:45, 1] smbd/service.c:make_connection(615)
      xxxx (192.168.100.4) connect to service netlogon as user xxxx (uid=502, gid=100) (pid 24501)

And that is at log level = 1.

Ian
--
A child of five would understand this. Send someone to fetch a child of five.
Groucho Marx
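
A stricter form of the sed filter discussed in this thread, as an added example that is not part of the original mails: it pairs each make_connection header with its message line and prints one record per netlogon connection. The function names, the machine and user names, and every sample entry other than the make_connection/netlogon layout quoted above are constructed for illustration.

```shell
#!/bin/sh
# Added example: list netlogon connections (likely domain logins) from a
# Samba smbd log written at "log level = 1".

# Constructed sample log. Only the make_connection/netlogon entry layout is
# taken from the thread; the other entries and all names are made up.
sample_log() {
    cat <<'EOF'
[2003/03/04 18:02:45, 1] smbd/service.c:make_connection(615)
  ws01 (192.168.100.4) connect to service netlogon as user alice (uid=502, gid=100) (pid 24501)
[2003/03/04 18:02:47, 1] smbd/service.c:make_connection(615)
  ws01 (192.168.100.4) connect to service alice as user alice (uid=502, gid=100) (pid 24501)
[2003/03/04 18:02:50, 1] smbd/service.c:close_cnum(803)
  ws01 (192.168.100.4) closed connection to service netlogon
[2003/03/04 18:10:12, 1] smbd/service.c:make_connection(615)
  ws02 (192.168.100.7) connect to service NETLOGON as user bob (uid=503, gid=100) (pid 24630)
[2003/03/04 18:11:00, 1] smbd/service.c:make_connection(615)
EOF
}

# Print "date time machine ip user" for every netlogon connection.
# Reads the files given as arguments, or stdin when there are none.
netlogon_logins() {
    awk '
    /^\[/ {                       # header: [date time, level] file:function(line)
        pending = ($0 ~ /make_connection/)
        ts = substr($1, 2) " " substr($2, 1, length($2) - 1)
        next
    }
    # Message line directly after a make_connection header; share name is
    # compared case-insensitively, and close_cnum entries never get here.
    pending && $3 == "connect" && tolower($6) == "netlogon" && $8 == "user" {
        print ts, $1, substr($2, 2, length($2) - 2), $9
    }
    { pending = 0 }               # a message line belongs to one header only
    ' "$@"
}

# Count netlogon connections per user, for example for a daily report.
netlogon_count_by_user() {
    netlogon_logins "$@" | awk '{ n[$5]++ } END { for (u in n) print u, n[u] }' | sort
}

sample_log | netlogon_logins
```

On a real server, pass the log files instead of the sample, for example the per-machine files produced by the "log file = /var/log/%m.log" setting.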