Mailinglist Archive: opensuse-security (220 mails)

Re: [suse-security] Trace user logins in SAMBA
  • From: "J J" <c_peto@xxxxxxxxxxx>
  • Date: Tue, 04 Nov 2003 12:10:12 +0000
  • Message-id: <Sea2-F27Jc9YXgCs6yF0000018a@xxxxxxxxxxx>
My knowledge is somewhat sketchy and from Samba 2.2.1a so forgive me if it's no use.

My crude understanding is that a login to a domain from a Windows box isn't quite like a unix log in; what you're doing is logging on to the *Windows* box and Windows is asking the unix (samba) domain server whether the user has permission to log on locally.

Later the user will probably start to use shared network resources (shared drives, etc.) from the unix box and these requests will then start a "session" (in SMB terminology) from that user on that Windows box to that share - these "sessions" are the things that are easy to see on the STATUS page of SWAT* or using smbstatus.

But I doubt that's what you want to see. After all, a user could log on and never use network shared resources in theory. The samba log files (eek! - not sure where they've gone! used to be in /var/lock/samba/log.nmbd, think they are now in /var/log/samba/) will record what the smbd daemon is doing, so somewhere in there there should be some unique kind of SMB message received that corresponds to a domain logon request. Unfortunately I'm not an SMB protocol expert so I couldn't tell you the exact call!

The loglevel parameter increases the amount of logging. At 3 you get a lot of stuff, probably more than enough. Remember you'll probably need to restart the smbd daemon to make it pick up the change to the loglevel in smb.conf (YMMV).

Good luck!


*SWAT, if you haven't used it before, is an invaluable tool. It usually comes as part of the samba package (in the rpm) and will probably already be installed. You may need to modify inetd.conf to get it to run. Basically it listens to HTTP requests on port 901. The upshot of this is that you can administer your samba server remotely using a web browser, see who's using what shares, change configuration, restart the servers, etc. Plus view lots of help online!

From: João Reis <joao.reis@xxxxxxxxxxx>
To: suse-linux-e@xxxxxxxx, suse-security@xxxxxxxx
Subject: [suse-security] Trace user logins in SAMBA
Date: Tue, 04 Nov 2003 10:32:25 +0000

Hi to all

I have read a lot of documentation but I cannot find a way to track user logins, from a Windows machine, in Samba.
Does the log parameter in the smb.conf file do the job? I have the log files of the machines present (log.%m) but
they do not register the time when the users log in and log out.

Is there a way to register this information?


\|/ "Do or do not. There is no try" - Yoda \|/
| 2000Comp - Consultoria e Informática, Lda |
| Tel: +351 22 941 99 32 |
\|/ | Fax: +351 22 941 99 34 | \|/
O | www: | O
-|--| |--|-
\| | João Reis | |/
/ \ |==============================================| / \

Check the headers for your unsubscription address
For additional commands, e-mail: suse-security-help@xxxxxxxx
Security-related bug reports go to security@xxxxxxx, not here
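
An added example, not part of the original posts: one way to pull share "session" start and end times, as described in the reply above, out of a per-client log.%m file. The sample log lines, host, user and share names are constructed, and the line layout is an assumption modelled on smbd's level-1 connection messages, so check it against the output of your own Samba version.

```python
import re
from datetime import datetime

# Constructed sample of a per-client log (log.%m). The layout is an assumption
# modelled on smbd's level-1 connection messages; verify it for your version.
SAMPLE_LOG = """\
[2003/11/04 10:32:25, 1] smbd/service.c:make_connection(636)
  ws01 (192.168.1.20) connect to service netlogon as user joao (uid=1001, gid=100) (pid 2345)
[2003/11/04 10:32:31, 1] smbd/service.c:make_connection(636)
  ws01 (192.168.1.20) connect to service homes as user joao (uid=1001, gid=100) (pid 2345)
[2003/11/04 10:32:40, 3] smbd/process.c:process_smb(878)
  Transaction 12 of length 76
[2003/11/04 17:05:02, 1] smbd/service.c:close_cnum(677)
  ws01 (192.168.1.20) closed connection to service homes
"""

HEADER = re.compile(r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})(?:\.\d+)?, +\d+\]")
CONNECT = re.compile(r"^\s+(\S+) \((\S+)\) connect to service (\S+) "
                     r"(?:initially )?as user (\S+)")
CLOSE = re.compile(r"^\s+(\S+) \((\S+)\) closed connection to service (\S+)")

def share_sessions(log_text):
    """Return (start, end, user, client, ip, share) tuples; end is None if still open."""
    open_conns, sessions, stamp = {}, [], None
    for line in log_text.splitlines():
        m = HEADER.match(line)
        if m:  # the header line carries the timestamp for the message below it
            stamp = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S")
            continue
        m = CONNECT.match(line)
        if m:
            client, ip, share, user = m.groups()
            open_conns[(client, ip, share)] = (stamp, user)
            continue
        m = CLOSE.match(line)
        if m and m.groups() in open_conns:
            start, user = open_conns.pop(m.groups())
            sessions.append((start, stamp, user, *m.groups()))
    # connections never closed within this log are reported with end=None
    sessions += [(s, None, u, *k) for k, (s, u) in open_conns.items()]
    return sorted(sessions, key=lambda r: r[0])

if __name__ == "__main__":
    for start, end, user, client, ip, share in share_sessions(SAMPLE_LOG):
        print(user, client, ip, share, start, "->", end or "still open")
```

As the reply notes, these are share connections rather than the Windows logon itself, so a user who never touches a share leaves no such lines.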
