Bug 56092 - Periodic messages in auth.log and log.smbd caused by univention-monitoring-client cronjob
Status: NEW
Product: UCS
Classification: Unclassified
Component: Monitoring (Prometheus or Nagios)
UCS 5.0
Other Linux
P5 normal
Assigned To: UCS maintainers
Depends on:
Blocks: 56378
Reported: 2023-05-24 18:55 CEST by Arvid Requate
Modified: 2024-03-07 13:32 CET

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 1: Cosmetic issue or missing function but workaround exists
Who will be affected by this bug?: 2: Will only affect a few installed domains
How will those affected feel about the bug?: 2: A Pain – users won’t like this once they notice it
User Pain: 0.023
Enterprise Customer affected?: Yes
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number: 2023011821000427, 2023070521000235, 2024030121000202
Bug group (optional): bitesize
Max CVSS v3 score:


Description Arvid Requate univentionstaff 2023-05-24 18:55:32 CEST
Every five minutes a block of messages is written to auth.log:
==========
Mar 21 12:35:01 primary20 CRON[3149]: pam_unix(cron:session): session opened for user root by (uid=0)
Mar 21 12:35:01 primary20 CRON[3150]: pam_unix(cron:session): session opened for user root by (uid=0)
Mar 21 12:35:11 primary20 ldapsearch: DIGEST-MD5 common mech free
Mar 21 12:35:11 primary20 ldapsearch: DIGEST-MD5 common mech free
Mar 21 12:35:11 primary20 ldapsearch: DIGEST-MD5 common mech free
Mar 21 12:35:19 primary20 smbd: pam_unix(samba:session): session closed for user NT AUTHORITY+ANONYMOUS LOGON
Mar 21 12:35:19 primary20 CRON[3150]: pam_unix(cron:session): session closed for user root
==========

Looks like these come from the

  run-parts /usr/share/univention-monitoring-client/scripts/

triggered by /etc/cron.d/univention-monitoring-client

Maybe they can be reduced somehow. At least this bug can provide info for supporters.

* The "ldapsearch: DIGEST-MD5 common mech free" messages come from anonymous binds in
  /usr/share/univention-monitoring-client/scripts/check_univention_joinstatus

* The smbd message about guest logon comes from
  /usr/share/univention-monitoring-client/scripts/check_univention_smbd
Comment 1 Arvid Requate univentionstaff 2023-07-31 18:02:29 CEST
At an elevated samba/debug/level this is also accompanied by periodic messages in log.smbd:
==========
[2023/07/31 17:55:30.400625,  3, pid=21336] ../../auth/ntlmssp/ntlmssp_server.c:513(ntlmssp_server_preauth)
  Got user=[root] domain=[UCS50DOMAIN] workstation=[PRIMARY20] len1=0 len2=0
[2023/07/31 17:55:30.400707,  3, pid=21336] ../../source4/auth/ntlm/auth.c:207(auth_check_password_send)
  auth_check_password_send: Checking password for unmapped user [UCS50DOMAIN]\[root]@[PRIMARY20]
  auth_check_password_send: user is: [UCS50DOMAIN]\[root]@[PRIMARY20]
[2023/07/31 17:55:30.401009,  3, pid=21336] ../../source4/auth/sam.c:1377(authsam_search_account)
  sam_search_user: Couldn't find user [root] in samdb, under DC=ucs50domain,DC=net
[2023/07/31 17:55:30.401111,  4, pid=21336] ../../source3/smbd/sec_ctx.c:444(pop_sec_ctx)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2023/07/31 17:55:30.401201,  2, pid=21336] ../../source4/auth/ntlm/auth.c:401(auth_check_password_recv)
  auth_check_password_recv: sam authentication for user [UCS50DOMAIN\root] FAILED with error NT_STATUS_NO_SUCH_USER, authoritative=1
[2023/07/31 17:55:30.401305,  2, pid=21336] ../../auth/auth_log.c:665(log_authentication_event_human_readable)
  Auth: [SMB2,NTLMSSP] user [UCS50DOMAIN]\[root] at [Mo, 31 Jul 2023 17:55:30.401293 CEST] with [No-Password] status [NT_STATUS_NO_SUCH_USER] workstation [PRIMARY20] remote host [ipv4:127.0.0.1:33842] mapped to [UCS50DOMAIN]\[root]. local host [ipv4:127.0.0.1:445] 
  {"timestamp": "2023-07-31T17:55:30.401450+0200", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 2}, "eventId": 4625, "logonId": "0", "logonType": 3, "status": "NT_STATUS_NO_SUCH_USER", "localAddress": "ipv4:127.0.0.1:445", "remoteAddress": "ipv4:127.0.0.1:33842", "serviceDescription": "SMB2", "authDescription": "NTLMSSP", "clientDomain": "UCS50DOMAIN", "clientAccount": "root", "workstation": "PRIMARY20", "becameAccount": null, "becameDomain": null, "becameSid": null, "mappedAccount": "root", "mappedDomain": "UCS50DOMAIN", "netlogonComputer": null, "netlogonTrustAccount": null, "netlogonNegotiateFlags": "0x00000000", "netlogonSecureChannelType": 0, "netlogonTrustAccountSid": null, "passwordType": "No-Password", "duration": 4333}}
[2023/07/31 17:55:30.401596,  3, pid=21336] ../../auth/gensec/spnego.c:1445(gensec_spnego_server_negTokenTarg_step)
  gensec_spnego_server_negTokenTarg_step: SPNEGO(ntlmssp) login failed: NT_STATUS_NO_SUCH_USER
==========

Maybe we should replace the calls to

> smbclient -N -L localhost

by

> smbclient -P -L localhost

which uses the machine credentials and would give NT_STATUS_OK and fewer+nicer messages in auth.log.
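
Added example, not part of the bug report or of UCS: a triage sketch for the JSON authentication events shown in the log.smbd excerpt above. It separates the password-less logon failures from localhost that recur at the five-minute cron interval from other failed logons that deserve review. The sample lines, the host 192.0.2.15, the `administrator` account and all function names are constructed for illustration.

```python
import json
from datetime import datetime

# Constructed sample in the JSON format of the log.smbd excerpt (fields trimmed;
# 192.0.2.15 and "administrator" are made-up values for illustration).
SAMPLE = """\
[2023/07/31 17:55:30.401305,  2, pid=21336] ../../auth/auth_log.c:665(log_authentication_event_human_readable)
  {"timestamp": "2023-07-31T17:55:30.401450+0200", "type": "Authentication", "Authentication": {"eventId": 4625, "status": "NT_STATUS_NO_SUCH_USER", "remoteAddress": "ipv4:127.0.0.1:33842", "clientAccount": "root", "passwordType": "No-Password"}}
  {"timestamp": "2023-07-31T17:58:12.250000+0200", "type": "Authentication", "Authentication": {"eventId": 4625, "status": "NT_STATUS_WRONG_PASSWORD", "remoteAddress": "ipv4:192.0.2.15:49832", "clientAccount": "administrator", "passwordType": "NTLMv2"}}
  {"timestamp": "2023-07-31T18:00:31.120000+0200", "type": "Authentication", "Authentication": {"eventId": 4625, "status": "NT_STATUS_NO_SUCH_USER", "remoteAddress": "ipv4:127.0.0.1:33990", "clientAccount": "root", "passwordType": "No-Password"}}
  {"timestamp": "2023-07-31T18:05:30.900000+0200", "type": "Authentication", "Authentication": {"eventId": 4625, "status": "NT_STATUS_NO_SUCH_USER", "remoteAddress": "ipv4:127.0.0.1:34102", "clientAccount": "root", "passwordType": "No-Password"}}
"""

def parse_events(text):
    """Yield (timestamp, Authentication dict) for each JSON auth event line."""
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("{"):
            continue  # human-readable debug line, not a JSON event
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # truncated or interleaved line
        if rec.get("type") == "Authentication":
            ts = datetime.strptime(rec["timestamp"], "%Y-%m-%dT%H:%M:%S.%f%z")
            yield ts, rec["Authentication"]

def is_local_guest_probe(auth):
    """Match the signature from the excerpt: password-less root from localhost."""
    return (auth.get("status") == "NT_STATUS_NO_SUCH_USER"
            and auth.get("passwordType") == "No-Password"
            and auth.get("clientAccount") == "root"
            and auth.get("remoteAddress", "").startswith("ipv4:127.0.0.1:"))

def triage(text, period=300, tolerance=30):
    """Count probe events, test their cadence, and collect other failures."""
    probes, review = [], []
    for ts, auth in parse_events(text):
        if is_local_guest_probe(auth):
            probes.append(ts)
        elif auth.get("status") != "NT_STATUS_OK":
            review.append((ts, auth))  # failed logon that is not the probe
    gaps = [(b - a).total_seconds() for a, b in zip(probes, probes[1:])]
    periodic = bool(gaps) and all(abs(g - period) <= tolerance for g in gaps)
    return {"probes": len(probes), "periodic": periodic, "review": review}
```

Events that match the signature but break the five-minute cadence make `periodic` false, which is the case to look at by hand.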
Comment 2 Florian Best univentionstaff 2024-03-07 13:32:25 CET
The behavior was probably the same with Nagios:
/usr/lib/nagios/plugins/check_univention_smbd
/usr/lib/nagios/plugins/check_univention_joinstatus

The period might be different? It was by default assigned to Default Timeperiod 24x7.
Was it executed hourly?

It might be good to reduce the execution interval here and for other checks.