Univention Bugzilla – Bug 41918
samba log "NT_STATUS_ACCOUNT_LOCKED_OUT" not in debug-category "auth"
Last modified: 2022-02-04 12:19:09 CET
reference: Ticket#2016070621000505

There is at least one debug category not correctly set, so the following scenario happens (anonymised; information provided by the customer):

    ucr set samba/debug/level='3'

... lock user via samba ...

    root@SERVER:~# ldapsearch -v -x -H ldaps://SERVER:... -D "cn=stuff,cn=users,dc=<base>" -w"WRONG_PASSWORD" -b "dc=<base>" samAccountName=stuff
    ldap_initialize( ldaps://SERVER:.../??base )
    ldap_bind: Invalid credentials (49)
            additional info: Simple Bind Failed: NT_STATUS_ACCOUNT_LOCKED_OUT

'/var/log/samba/log.samba' produces:

    root@SERVER:~# grep -A2 -B1 locked /var/log/samba/log.samba
    [DATE, TIME, 3, pid=PID] ../source4/dsdb/common/util.c:651(samdb_result_passwords)
      samdb_result_passwords: Account for user CN=stuff,CN=Users,DC=<base> was locked out.
    [DATE, TIME, 2, pid=PID] ../source4/auth/ntlm/auth.c:429(auth_check_password_recv)
      auth_check_password_recv: sam_ignoredomain authentication for user [DOMAIN\stuff] FAILED with error NT_STATUS_ACCOUNT_LOCKED_OUT

--> good and desired log message.

---

But if you set the following:

    ucr set samba/debug/level='1 tdb:3 passdb:3 sam:3 auth:3'

--> the log message does not appear.

Even setting all categories to 3, the desired outcome does not happen:

    ucr set samba/debug/level="1 tdb:3 printdrivers:3 lanman:3 smb:3 rpc_parse:3 rpc_srv:3 rpc_cli:3 passdb:3 sam:3 auth:3 winbind:3 vfs:3 idmap:3 quota:3 acls:3 locking:3 msdfs:3 dmapi:3 registry:3 scavenger:3 dns:3 ldb:3 tevent:3"

--> no log message.

---

Via smbcontrol it is verified that the category setting reaches samba and is used:

    root@ucs:~# ucr set samba/debug/level='1 tdb:3 passdb:3 sam:3 auth:3'
    root@ucs:~# service samba restart
    root@ucs:~# smbcontrol all debuglevel
    root@ucs:~# exit
    root@ucs:~# ucr set samba/debug/level='1 tdb:3 passdb:3 sam:3 auth:3'
    Setting samba/debug/level
    Multifile: /etc/samba/smb.conf
    root@ucs:~# service samba restart
    [ ok ] Stopping NetBIOS name server: nmbd.
    [ ok ] Starting NetBIOS name server: nmbd.
    Samba is configured as AD DC, service smbd is controlled by the main samba daemon.
    [ ok ] Stopping Samba AD DC daemon: samba.
    [ ok ] Starting Samba AD DC daemon: samba.
    root@ucs:~# smbcontrol all debuglevel
    PID 4754: all:1 tdb:3 printdrivers:1 lanman:1 smb:1 rpc_parse:1 rpc_srv:1 pc_cli:1 passdb:3 sam:3 auth:3 winbind:1 vfs:1 idmap:1 quota:1 acls:1 locking:1 msdfs:1 dmapi:1 registry:1 scavenger:1 dns:1 ldb:1 tevent:1
    PID 4621: all:1 tdb:3 printdrivers:1 lanman:1 smb:1 rpc_parse:1 rpc_srv:1 rpc_cli:1 passdb:3 sam:3 auth:3 winbind:1 vfs:1 idmap:1 quota:1 acls:1 locking:1 msdfs:1 dmapi:1 registry:1 scavenger:1 dns:1 ldb:1 tevent:1
    PID 4757: all:1 tdb:3 printdrivers:1 lanman:1 smb:1 rpc_parse:1 rpc_srv:1 rpc_cli:1 passdb:3 sam:3 auth:3 winbind:1 vfs:1 idmap:1 quota:1 acls:1 locking:1 msdfs:1 dmapi:1 registry:1 scavenger:1 dns:1 ldb:1 tevent:1 dfs_samba4:1
    PID 4744: all:1 tdb:3 printdrivers:1 lanman:1 smb:1 rpc_parse:1 rpc_srv:1 rpc_cli:1 passdb:3 sam:3 auth:3 winbind:1 vfs:1 idmap:1 quota:1 acls:1 locking:1 msdfs:1 dmapi:1 registry:1 scavenger:1 dns:1 ldb:1 tevent:1
    PID 4727: all:1 tdb:3 printdrivers:1 lanman:1 smb:1 rpc_parse:1 rpc_srv:1 rpc_cli:1 passdb:3 sam:3 auth:3 winbind:1 vfs:1 idmap:1 quota:1 acls:1 locking:1 msdfs:1 dmapi:1 registry:1 scavenger:1 dns:1 ldb:1 tevent:1

but the desired log message only appears if the global debug level is set accordingly. Since the Samba log can get very messy and very big, this is not an option for constant monitoring of this event.
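The report above shows the two records Samba writes for a lockout (a level-3 samdb_result_passwords line and a level-2 auth_check_password_recv line) and the operational problem that they are only visible at a high global debug level. The following is an added example, not part of the bug report or of Samba, that parses the two-line log.samba record format (header with timestamp, level and pid, followed by the indented message), extracts lockout events for monitoring, and reports the lowest global `log level` at which those records would still be written. The sample log is constructed for this example: the file locations copy the lines quoted in the report, while the timestamps, PIDs, the DC=example,DC=org base and the DOMAIN\jdoe record are invented.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterator, List

# Constructed sample of log.samba records ("[timestamp, level, pid=...] location"
# header line followed by an indented message line).  The two lockout records copy
# the source locations quoted in the bug report; timestamps, PIDs, the
# DC=example,DC=org base and the DOMAIN\jdoe record are invented for this example.
SAMPLE_LOG = """\
[2016/07/06 10:15:01.123456,  3, pid=4754] ../source4/dsdb/common/util.c:651(samdb_result_passwords)
  samdb_result_passwords: Account for user CN=stuff,CN=Users,DC=example,DC=org was locked out.
[2016/07/06 10:15:01.123789,  2, pid=4754] ../source4/auth/ntlm/auth.c:429(auth_check_password_recv)
  auth_check_password_recv: sam_ignoredomain authentication for user [DOMAIN\\stuff] FAILED with error NT_STATUS_ACCOUNT_LOCKED_OUT
[2016/07/06 10:15:03.500000,  2, pid=4754] ../source4/auth/ntlm/auth.c:429(auth_check_password_recv)
  auth_check_password_recv: sam_ignoredomain authentication for user [DOMAIN\\jdoe] FAILED with error NT_STATUS_WRONG_PASSWORD
"""

# Header line.  "[^\]]*" tolerates extra fields some Samba versions append after
# pid= (e.g. effective(...)/real(...)) before the closing bracket.
HEADER_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+),\s+(?P<level>\d+),"
    r"\s+pid=(?P<pid>\d+)[^\]]*\]\s+(?P<location>\S+)\s*$"
)
# The auth.c FAILED line carries the NT_STATUS code and the DOMAIN\user name.
AUTH_FAIL_RE = re.compile(
    r"authentication for user \[(?P<user>[^\]]+)\] FAILED with error (?P<status>NT_STATUS_[A-Z0-9_]+)"
)
# The samdb_result_passwords line carries the account DN instead.
SAM_LOCKED_RE = re.compile(r"Account for user (?P<dn>CN=.*?) was locked out\.")


@dataclass
class Record:
    timestamp: str
    level: int      # debug level the record was emitted at
    pid: int
    location: str   # file:line(function) from the header
    message: str    # indented body lines joined with a single space


@dataclass
class LockoutEvent:
    timestamp: str
    pid: int
    level: int
    source: str     # "sam" (samdb_result_passwords) or "auth" (auth_check_password_recv)
    account: str    # DN from the sam line, DOMAIN\user from the auth line


def parse_records(text: str) -> Iterator[Record]:
    """Group header + indented continuation lines into Record objects."""
    header = None
    body: List[str] = []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            if header is not None:
                yield Record(header["ts"], int(header["level"]), int(header["pid"]),
                             header["location"], " ".join(body))
            header, body = m, []
        elif header is not None:
            body.append(line.strip())
    if header is not None:
        yield Record(header["ts"], int(header["level"]), int(header["pid"]),
                     header["location"], " ".join(body))


def find_lockouts(text: str) -> List[LockoutEvent]:
    """Return every lockout record, whichever of the two message forms it uses."""
    events: List[LockoutEvent] = []
    for rec in parse_records(text):
        m = AUTH_FAIL_RE.search(rec.message)
        if m and m.group("status") == "NT_STATUS_ACCOUNT_LOCKED_OUT":
            events.append(LockoutEvent(rec.timestamp, rec.pid, rec.level, "auth", m.group("user")))
            continue
        m = SAM_LOCKED_RE.search(rec.message)
        if m:
            events.append(LockoutEvent(rec.timestamp, rec.pid, rec.level, "sam", m.group("dn")))
    return events


def required_log_level(events: List[LockoutEvent]) -> int:
    """Lowest global 'log level' that still writes all of these records.
    Samba emits a DEBUG record when its level is <= the effective debug level."""
    return max((e.level for e in events), default=0)


def failures_by_status(text: str) -> Dict[str, int]:
    """Count auth failures per NT_STATUS code (lockouts vs. plain wrong passwords)."""
    counts: Dict[str, int] = {}
    for rec in parse_records(text):
        m = AUTH_FAIL_RE.search(rec.message)
        if m:
            counts[m.group("status")] = counts.get(m.group("status"), 0) + 1
    return counts


if __name__ == "__main__":
    lockouts = find_lockouts(SAMPLE_LOG)
    for ev in lockouts:
        print(f"{ev.timestamp} pid={ev.pid} level={ev.level} [{ev.source}] {ev.account}")
    print("global log level needed to keep these records:", required_log_level(lockouts))
    print(failures_by_status(SAMPLE_LOG))
```

To run it against a live server, feed the contents of /var/log/samba/log.samba to `find_lockouts()`. The level reported by `required_log_level()` is exactly the cost the report complains about: until the two messages belong to a specific debug class, the global level has to be raised to 3 for both records to reach the log at all, and a filter like this one only reduces what is read, not what is written.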
This is still not possible, and it would help with debugging in bigger environments. I also know at least one customer who would appreciate this kind of differentiated logging.