Univention Bugzilla – Bug 56092
Periodic messages in auth.log and log.smbd caused by univention-monitoring-client cronjob
Last modified: 2024-03-07 13:32:25 CET
Every five minutes a block of messages is written to auth.log:
==========
Mar 21 12:35:01 primary20 CRON[3149]: pam_unix(cron:session): session opened for user root by (uid=0)
Mar 21 12:35:01 primary20 CRON[3150]: pam_unix(cron:session): session opened for user root by (uid=0)
Mar 21 12:35:11 primary20 ldapsearch: DIGEST-MD5 common mech free
Mar 21 12:35:11 primary20 ldapsearch: DIGEST-MD5 common mech free
Mar 21 12:35:11 primary20 ldapsearch: DIGEST-MD5 common mech free
Mar 21 12:35:19 primary20 smbd: pam_unix(samba:session): session closed for user NT AUTHORITY+ANONYMOUS LOGON
Mar 21 12:35:19 primary20 CRON[3150]: pam_unix(cron:session): session closed for user root
==========

Looks like these come from the run-parts /usr/share/univention-monitoring-client/scripts/ triggered by /etc/cron.d/univention-monitoring-client

Maybe they can be reduced somehow. At least this bug can provide info for supporters.

* The "ldapsearch: DIGEST-MD5 common mech free" come from anonymous binds in /usr/share/univention-monitoring-client/scripts/check_univention_joinstatus
* The smbd message about guest logon comes from /usr/share/univention-monitoring-client/scripts/check_univention_smbd
At elevated samba/debug/level this is also accompanied with periodic messages in log.smbd:
==========
[2023/07/31 17:55:30.400625, 3, pid=21336] ../../auth/ntlmssp/ntlmssp_server.c:513(ntlmssp_server_preauth)
  Got user=[root] domain=[UCS50DOMAIN] workstation=[PRIMARY20] len1=0 len2=0
[2023/07/31 17:55:30.400707, 3, pid=21336] ../../source4/auth/ntlm/auth.c:207(auth_check_password_send)
  auth_check_password_send: Checking password for unmapped user [UCS50DOMAIN]\[root]@[PRIMARY20]
  auth_check_password_send: user is: [UCS50DOMAIN]\[root]@[PRIMARY20]
[2023/07/31 17:55:30.401009, 3, pid=21336] ../../source4/auth/sam.c:1377(authsam_search_account)
  sam_search_user: Couldn't find user [root] in samdb, under DC=ucs50domain,DC=net
[2023/07/31 17:55:30.401111, 4, pid=21336] ../../source3/smbd/sec_ctx.c:444(pop_sec_ctx)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2023/07/31 17:55:30.401201, 2, pid=21336] ../../source4/auth/ntlm/auth.c:401(auth_check_password_recv)
  auth_check_password_recv: sam authentication for user [UCS50DOMAIN\root] FAILED with error NT_STATUS_NO_SUCH_USER, authoritative=1
[2023/07/31 17:55:30.401305, 2, pid=21336] ../../auth/auth_log.c:665(log_authentication_event_human_readable)
  Auth: [SMB2,NTLMSSP] user [UCS50DOMAIN]\[root] at [Mo, 31 Jul 2023 17:55:30.401293 CEST] with [No-Password] status [NT_STATUS_NO_SUCH_USER] workstation [PRIMARY20] remote host [ipv4:127.0.0.1:33842] mapped to [UCS50DOMAIN]\[root]. local host [ipv4:127.0.0.1:445]
  {"timestamp": "2023-07-31T17:55:30.401450+0200", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 2}, "eventId": 4625, "logonId": "0", "logonType": 3, "status": "NT_STATUS_NO_SUCH_USER", "localAddress": "ipv4:127.0.0.1:445", "remoteAddress": "ipv4:127.0.0.1:33842", "serviceDescription": "SMB2", "authDescription": "NTLMSSP", "clientDomain": "UCS50DOMAIN", "clientAccount": "root", "workstation": "PRIMARY20", "becameAccount": null, "becameDomain": null, "becameSid": null, "mappedAccount": "root", "mappedDomain": "UCS50DOMAIN", "netlogonComputer": null, "netlogonTrustAccount": null, "netlogonNegotiateFlags": "0x00000000", "netlogonSecureChannelType": 0, "netlogonTrustAccountSid": null, "passwordType": "No-Password", "duration": 4333}}
[2023/07/31 17:55:30.401596, 3, pid=21336] ../../auth/gensec/spnego.c:1445(gensec_spnego_server_negTokenTarg_step)
  gensec_spnego_server_negTokenTarg_step: SPNEGO(ntlmssp) login failed: NT_STATUS_NO_SUCH_USER
==========

Maybe we should replace the calls to
> smbclient -N -L localhost
by
> smbclient -P -L localhost
which uses the machine credentials and would give NT_STATUS_OK and fewer+nicer messages in auth.log.
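Added example, not part of the original bug report or of Univention's code: a triage helper that pulls the JSON authentication events out of log.smbd text and separates the periodic loopback No-Password failures shown above from every other failed logon. The function names, the 300-second period (taken from the five-minute cron interval in this report), the 30-second slack and the sample log lines are assumptions constructed for illustration.

```python
import json
from datetime import datetime

TS_FORMAT = "%Y-%m-%dT%H:%M:%S.%f%z"
DECODER = json.JSONDecoder()

# Constructed sample (fields trimmed): three loopback events shaped like the
# one in this report, five minutes apart, plus one remote failure.
SAMPLE_LOG = """\
  {"timestamp": "2023-07-31T17:55:30.401450+0200", "type": "Authentication", "Authentication": {"status": "NT_STATUS_NO_SUCH_USER", "remoteAddress": "ipv4:127.0.0.1:33842", "clientAccount": "root", "passwordType": "No-Password"}}
  {"timestamp": "2023-07-31T17:58:02.118200+0200", "type": "Authentication", "Authentication": {"status": "NT_STATUS_WRONG_PASSWORD", "remoteAddress": "ipv4:192.0.2.23:50112", "clientAccount": "alice", "passwordType": "NTLMv2"}}
  {"timestamp": "2023-07-31T18:00:30.397100+0200", "type": "Authentication", "Authentication": {"status": "NT_STATUS_NO_SUCH_USER", "remoteAddress": "ipv4:127.0.0.1:33990", "clientAccount": "root", "passwordType": "No-Password"}}
  {"timestamp": "2023-07-31T18:05:31.402300+0200", "type": "Authentication", "Authentication": {"status": "NT_STATUS_NO_SUCH_USER", "remoteAddress": "ipv4:127.0.0.1:34120", "clientAccount": "root", "passwordType": "No-Password"}}
"""

def auth_events(text):
    """Yield the JSON "Authentication" events embedded in log.smbd text."""
    for line in text.splitlines():
        start = line.find('{"timestamp"')
        if start < 0:
            continue
        try:
            event, _ = DECODER.raw_decode(line, start)  # tolerates trailing text
        except json.JSONDecodeError:
            continue  # truncated or interleaved line
        if event.get("type") == "Authentication":
            yield event

def is_loopback_null_probe(auth):
    """True for the pattern in this report: no password, unknown user, from 127.0.0.1."""
    return (auth.get("passwordType") == "No-Password"
            and auth.get("status") == "NT_STATUS_NO_SUCH_USER"
            and auth.get("remoteAddress", "").startswith("ipv4:127.0.0.1:"))

def triage(text, period=300, slack=30):
    """Split failed logons into loopback probes and everything else."""
    probes, other = [], []
    for event in auth_events(text):
        auth = event.get("Authentication", {})
        if auth.get("status") == "NT_STATUS_OK":
            continue
        (probes if is_loopback_null_probe(auth) else other).append(event)
    times = [datetime.strptime(e["timestamp"], TS_FORMAT) for e in probes]
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    periodic = bool(gaps) and all(abs(g - period) <= slack for g in gaps)
    return {"probes": len(probes), "periodic": periodic, "other": other}

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

Loopback probes that do not arrive at the cron interval are reported with `periodic` set to `False`, so they are not silently treated as monitoring noise.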
The behavior was probably the same with Nagios:
/usr/lib/nagios/plugins/check_univention_smbd
/usr/lib/nagios/plugins/check_univention_joinstatus

The period might be different? It was by default assigned to Default Timeperiod 24x7. Was it executed hourly?
It might be good to reduce the execution interval here and for other checks.