How do I log authentication attempts with Samba?

Solution 1:

If you modify the log level line in /etc/samba/smb.conf to read:

log level = 1 winbind:5

You do get the information I'm after (by default logged to /var/log/samba/log.DOMAIN), but it's very noisy and the log messages are split over two lines. Not exactly what I'm looking for but it might have to do.

Solution 2:

In the Samba log files, authentication-related information is tagged with the check_ntlm_password module (assuming that's what you are using). If you want date and hour, you have to capture the line before the one with actual information.

Here are some examples. The name of the user was replaced with xxx.yyy in all cases. Note how the capitalization for authentication is different for success and failure cases.

[2011/11/08 10:22:40.604819,  2] auth/auth.c:304(check_ntlm_password)
  check_ntlm_password:  authentication for user [xxx.yyy] -> [xxx.yyy] -> [xxx.yyy] succeeded

[2012/01/11 09:09:00.430424,  2] auth/auth.c:314(check_ntlm_password)
  check_ntlm_password:  Authentication for user [xxx.yyy] -> [xxx.yyy] FAILED with error NT_STATUS_WRONG_PASSWORD

There are other messages beyond these two. These lines were produced by Samba from the lenny backports repository. The Samba version is 3.5.6, the actual package version is 2:3.5.6~dfsg-3~bpo50+1. The exact logging configuration in smb.conf was:

syslog = 0
debug level = 2
log file = /var/log/samba/%m.log
max log size = 1024
panic action = /usr/share/samba/panic-action %d
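
One way to join the two-line check_ntlm_password entries shown above into single authentication records (an added example, not code from either answer or from Samba). The function names and the third log entry are constructed for illustration, and the patterns assume only the two message formats quoted in Solution 2.

```python
import re
from collections import Counter
from datetime import datetime

# The two entries from Solution 2, plus one constructed unrelated entry as noise.
SAMPLE_LOG = """\
[2011/11/08 10:22:40.604819,  2] auth/auth.c:304(check_ntlm_password)
  check_ntlm_password:  authentication for user [xxx.yyy] -> [xxx.yyy] -> [xxx.yyy] succeeded
[2012/01/11 09:09:00.430424,  2] auth/auth.c:314(check_ntlm_password)
  check_ntlm_password:  Authentication for user [xxx.yyy] -> [xxx.yyy] FAILED with error NT_STATUS_WRONG_PASSWORD
[2012/01/11 09:09:01.000000,  2] other/module.c:1(other_function)
  unrelated message that must be ignored
"""

# Header line carrying the timestamp; fractional seconds are optional and dropped.
HEADER = re.compile(
    r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})(?:\.\d+)?,\s*\d+\]"
    r"\s+\S+\(check_ntlm_password\)")
# Body line; matched case-insensitively because success is logged as
# "authentication" and failure as "Authentication".
BODY = re.compile(
    r"check_ntlm_password:\s+authentication for user "
    r"((?:\[[^\]]*\](?: -> )?)+)\s+(succeeded|FAILED with error (\S+))",
    re.IGNORECASE)

def parse_auth_events(lines):
    """Return one dict per authentication attempt, pairing header and body lines."""
    events, stamp = [], None
    for line in lines:
        h = HEADER.match(line)
        if h:
            stamp = datetime.strptime(h.group(1), "%Y/%m/%d %H:%M:%S")
            continue
        b = BODY.search(line)
        if b and stamp is not None:
            names = re.findall(r"\[([^\]]*)\]", b.group(1))
            events.append({
                "time": stamp,
                "user": names[0],           # first bracketed name as logged
                "names": names,             # every bracketed name on the line
                "success": b.group(2).lower() == "succeeded",
                "status": b.group(3),       # NT_STATUS_* on failure, else None
            })
        stamp = None  # a header only applies to the line directly after it
    return events

def failures_by_user(events):
    """Count failed attempts per user, e.g. as input to a lockout or alert rule."""
    return Counter(e["user"] for e in events if not e["success"])
```

Feed it the lines of a log file written with the `debug level = 2` configuration above, for example `parse_auth_events(open(path))`.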