diff --git a/docs-xml/smbdotconf/logging/loglevel.xml b/docs-xml/smbdotconf/logging/loglevel.xml
index 273765c6fbe010f3a10b863d850ef738c02a2ba3..4c6bb5e7e73606b87c000ce5b42cad74e3d5fa3c 100644
--- a/docs-xml/smbdotconf/logging/loglevel.xml
+++ b/docs-xml/smbdotconf/logging/loglevel.xml
@@ -24,8 +24,6 @@
printdrivers
lanman
smb
- smb2
- smb2_credits
rpc_parse
rpc_srv
rpc_cli
@@ -41,19 +39,24 @@
msdfs
dmapi
registry
- scavenger
- dns
- ldb
- tevent
- auth_audit
- auth_json_audit
- kerberos
- dsdb_audit
- dsdb_json_audit
- dsdb_password_audit
- dsdb_password_json_audit
- dsdb_transaction_audit
- dsdb_transaction_json_audit
+ scavenger
+ dns
+ ldb
+ tevent
+ auth_audit
+ auth_json_audit
+ kerberos
+ drs_repl
+ smb2
+ smb2_credits
+ dsdb_audit
+ dsdb_json_audit
+ dsdb_password_audit
+ dsdb_password_json_audit
+ dsdb_transaction_audit
+ dsdb_transaction_json_audit
+ dsdb_group_audit
+ dsdb_group_json_audit
To configure the logging for specific classes to go into a different
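Review bot: the thirteen entries from scavenger to dsdb_transaction_json_audit are removed and re-added with what appears to be only a whitespace change, which buries the functional changes in this list: drs_repl, dsdb_group_audit and dsdb_group_json_audit are new, and smb2 and smb2_credits are moved here from their earlier position. Please split the re-indentation into its own commit, or leave the existing entries untouched, so the added classes are visible on their own in the diff.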
@@ -62,9 +65,9 @@
full_audit:1@/var/log/audit.log.
Authentication and authorization audit information is logged
- under the auth_audit, and if Samba was not compiled with
+ under the auth_audit, and if Samba was not compiled with
--without-json, a JSON representation is logged under
- auth_json_audit.
+ auth_json_audit.
Support is comprehensive for all authentication and authorisation
of user accounts in the Samba Active Directory Domain Controller,
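Review bot: since the auth_audit sentence is being touched anyway, the double negative in "if Samba was not compiled with --without-json" is worth rewording, for example to "unless Samba was compiled with --without-json". The condition stays the same and is easier to read when checking whether a given build will emit auth_json_audit records.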
@@ -72,7 +75,8 @@
the file server, NTLM authentication, SMB and RPC authorization is
covered.
- Log levels for auth_audit and auth_audit_json are:
+ Log levels for auth_audit and
+ auth_audit_json are:
2: Authentication Failure
3: Authentication Success
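Review bot: the re-wrapped sentence "Log levels for auth_audit and auth_audit_json are:" keeps a class name that does not match the rest of the file, which lists and describes the class as auth_json_audit. As the line is being rewritten here, please change auth_audit_json to auth_json_audit so that a name copied from this sentence into log level is the real class.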
@@ -80,21 +84,69 @@
5: Anonymous Authentication and Authorization Success
- Changes to the sam.ldb database are logged
- under the dsdb_audit and a JSON representation is logged under
- dsdb_json_audit.
+ Changes to the AD DC sam.ldb
+ database are logged under the dsdb_audit
+ and a JSON representation is logged under
+ dsdb_json_audit.
+
+ Group membership changes to the AD DC sam.ldb database are logged under the
+ dsdb_group_audit and a JSON representation
+ is logged under
+ dsdb_group_json_audit.
+
+ Log levels for dsdb_audit,
+ dsdb_json_audit,
+ dsdb_group_audit,
+ dsdb_group_json_audit and
+ dsdb_json_audit are:
+
+ 5: Database modifications
+ 5: Replicated updates from another DC
+
- Password changes and Password resets are logged under
- dsdb_password_audit and a JSON representation is logged under the
- dsdb_password_json_audit.
+ Password changes and Password resets in the AD DC are logged
+ under dsdb_password_audit and a JSON
+ representation is logged under the
+ dsdb_password_json_audit. Password changes
+ will also appears as authentication events via
+ auth_audit and
+ auth_audit_json.
+
+ Log levels for dsdb_password_audit and
+ dsdb_password_json_audit are:
+
+ 5: Successful password changes and resets
+
Transaction rollbacks and prepare commit failures are logged under
- the dsdb_transaction_audit and a JSON representation is logged under the
- password_json_audit. Logging the transaction details allows the
- identification of password and sam.ldb operations that have been rolled
- back.
+ the dsdb_transaction_audit and a JSON representation is logged under the
+ dsdb_transaction_json_audit.
+
+ Log levels for dsdb_transaction_audit and
+ dsdb_transaction_json are:
+
+
+ 5: Transaction failure (rollback)
+ 10: Transaction success (commit)
+
+ Transaction roll-backs are possible in Samba, and whilst
+ they rarely reflect anything more than the failure of an
+ individual operation (say due to the add of a conflicting record),
+ they are possible. Audit logs are already generated and sent to
+ the system logs before the transaction is complete. Logging the
+ transaction details allows the identification of password and
+ sam.ldb operations that have
+ been rolled back, and so have not actually persisted.
+ Changes to sam.ldb made locally by the root user with direct access to the
+ database are not logged to the system logs, but to the
+ administrator's own console. While less than ideal, any user able
+ to make such modifications could disable the audit logging in any
+ case.
0
3 passdb:5 auth:10 winbind:2
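Review bot: three class names in the added text do not match the class list earlier in this file. The password paragraph refers to auth_audit_json where the list has auth_json_audit, the transaction sentence names dsdb_transaction_json where the list has dsdb_transaction_json_audit, and the dsdb levels sentence ends "dsdb_group_json_audit and dsdb_json_audit", naming dsdb_json_audit a second time. Administrators will copy these names into log level, so they should match the list exactly. Smaller wording points in the same hunk: "will also appears" should be "will also appear", and the roll-back paragraph says "are possible" twice in one sentence.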
diff --git a/docs-xml/smbdotconf/logon/autheventnotification.xml b/docs-xml/smbdotconf/logon/autheventnotification.xml
index 1ae2dbfb61af4ed11b0a2a95d1f735db2e4182c3..87ccf02a8f4139e39060f136da09f8a8b1263325 100644
--- a/docs-xml/smbdotconf/logon/autheventnotification.xml
+++ b/docs-xml/smbdotconf/logon/autheventnotification.xml
@@ -10,16 +10,19 @@
registering as the service
auth_event.
- This should be considered a developer option (it assists
- in the Samba testsuite) rather than a facility for external
- auditing, as message delivery is not guaranteed (a feature
- that the testsuite works around). Additionally Samba must be
- compiled with the jansson support for this option to be
- effective.
+ This is not needed for the audit
+ logging described in .
+
+ Instead, this should instead be considered a developer
+ option (it assists in the Samba testsuite) rather than a
+ facility for external auditing, as message delivery is not
+ guaranteed (a feature that the testsuite works around).
The authentication events are also logged via the normal
logging methods when the is
- set appropriately.
+ set appropriately, say to
+ auth_json_audit:3.
+
no
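Review bot: the removed sentence "Additionally Samba must be compiled with the jansson support for this option to be effective" has no replacement in the added text. loglevel.xml in this same patch still describes builds made with --without-json, so if the build requirement still applies to this option, please keep a sentence stating it. The new paragraph also opens with "Instead, this should instead be considered"; drop one "instead".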
diff --git a/docs-xml/smbdotconf/misc/dsdbeventnotification.xml b/docs-xml/smbdotconf/misc/dsdbeventnotification.xml
index 7df46e1d68ca1c3d27a4f7bf95fb69af6a5e9264..279ac3d29ef707d54ca11d152a9cf9f903e28624 100644
--- a/docs-xml/smbdotconf/misc/dsdbeventnotification.xml
+++ b/docs-xml/smbdotconf/misc/dsdbeventnotification.xml
@@ -10,14 +10,18 @@
registering as the service
dsdb_event.
- This should be considered a developer option (it assists
- in the Samba testsuite) rather than a facility for external
- auditing, as message delivery is not guaranteed (a feature
- that the testsuite works around).
+ This is not needed for the audit
+ logging described in .
+
+ Instead, this should instead be considered a developer
+ option (it assists in the Samba testsuite) rather than a
+ facility for external auditing, as message delivery is not
+ guaranteed (a feature that the testsuite works around).
The Samba database events are also logged via the normal
logging methods when the is
- set appropriately.
+ set appropriately, say to
+ dsdb_json_audit:5.
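Review bot: the added paragraph opens with "Instead, this should instead be considered", which repeats "instead"; "Instead, this should be considered a developer option" reads correctly. The suggested value dsdb_json_audit:5 is consistent with the level 5 entries documented for that class in loglevel.xml.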
diff --git a/docs-xml/smbdotconf/misc/dsdbgroupchangenotification.xml b/docs-xml/smbdotconf/misc/dsdbgroupchangenotification.xml
index 6354979538bdf43ec14f134fd930173ec54ec6f2..3972e72b60f343e8c8fc15d81d686ea057a1a43e 100644
--- a/docs-xml/smbdotconf/misc/dsdbgroupchangenotification.xml
+++ b/docs-xml/smbdotconf/misc/dsdbgroupchangenotification.xml
@@ -10,14 +10,18 @@
registering as the service
dsdb_group_event.
- This should be considered a developer option (it assists
- in the Samba testsuite) rather than a facility for external
- auditing, as message delivery is not guaranteed (a feature
- that the testsuite works around).
+ This is not needed for the audit
+ logging described in .
- The group events are also logged via the normal
+ Instead, this should instead be considered a developer
+ option (it assists in the Samba testsuite) rather than a
+ facility for external auditing, as message delivery is not
+ guaranteed (a feature that the testsuite works around).
+
+ The Samba database events are also logged via the normal
logging methods when the is
- set appropriately.
+ set appropriately, say to
+ dsdb_group_json_audit:5.
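Review bot: the replacement for "The group events are also logged via the normal" now reads "The Samba database events are also logged", which looks copied from dsdbeventnotification.xml and loses the fact that this option concerns group membership changes. The example value dsdb_group_json_audit:5 is group-specific, so the sentence should keep "group events" or say "group membership events". The paragraph above it also repeats "instead" in "Instead, this should instead be considered".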
diff --git a/docs-xml/smbdotconf/misc/dsdbpasswordeventnotification.xml b/docs-xml/smbdotconf/misc/dsdbpasswordeventnotification.xml
index 984321b98fc4505541a658895a95c73892f37470..cd2cc98ff42e95ab4468ccf10909e1035d7d0b75 100644
--- a/docs-xml/smbdotconf/misc/dsdbpasswordeventnotification.xml
+++ b/docs-xml/smbdotconf/misc/dsdbpasswordeventnotification.xml
@@ -10,14 +10,18 @@
events by registering as the service
password_event.
- This should be considered a developer option (it assists
- in the Samba testsuite) rather than a facility for external
- auditing, as message delivery is not guaranteed (a feature
- that the testsuite works around).
+ This is not needed for the audit
+ logging described in .
- The password events are also logged via the normal
+ Instead, this should instead be considered a developer
+ option (it assists in the Samba testsuite) rather than a
+ facility for external auditing, as message delivery is not
+ guaranteed (a feature that the testsuite works around).
+
+ The Samba database events are also logged via the normal
logging methods when the is
- set appropriately.
+ set appropriately, say to
+ dsdb_password_json_audit:5.
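Review bot: the replacement for "The password events are also logged via the normal" now reads "The Samba database events are also logged", which no longer says that this option is about password changes and resets, even though the example value is dsdb_password_json_audit:5. Please keep "password events" in that sentence. The paragraph above it also repeats "instead" in "Instead, this should instead be considered".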