Configuring the LDAP directory
For the purposes of this technical note, we used a non-Microsoft Samba 4 LDAP directory installed on a workstation running in Ubuntu 18.04 LTS.
Configuring the directory to log authentication events
Edit the Samba 4 LDAP directory configuration file according to the usage context in your environment. The path to this file may vary depending on your installation.
In our example, the file is located at /usr/local/samba/etc/smb.conf and contains the following configuration:
log level = 3
vfs object = full_audit
full_audit:success = connect
full_audit:failure = disconnect
full_audit:prefix = %u %I | %S
full_audit:facility = local5
Defines which events to log. Level 3 makes it possible to keep logs of authentication events.
|vfs object||Corresponds to the VFS module that Samba uses. In our example, we needed to use the full_audit module.|
Identifies the list of VFS operations that must be logged if they are successful. In our case, we added connect to log connection operations.
The opposite parameter exists for operations that fail, and use full_audit:failure.
Defines the format used to generate logs. Customize it with variables that reference specific elements, such as %u, which corresponds to the user name used.
As these logs are sent to the SN SSO Agent syslog server, which analyzes them with regular expressions, define a format that is adapted to the elements that you want to send.
Associates an application system with the logs that you want to send to the SN SSO Agent syslog server.
For further information, refer to official Samba configuration documentation and official Samba documentation on the "full_audit” VFS module.
After the configuration is modified, run this command so that the daemon will reload its configuration and apply it:
smbcontrol all reload-config
The Samba 4 LDAP directory depends on a syslog client that allows it to send logs in syslog format to the SN SSO Agent syslog server.
In the folder /etc/rsyslog.d/, create a file and name it "00-samba.conf". Add the desired configuration to it in the following format:
In our example, we used the following configuration:
Defines the application system for which the syslog client captures logs.
In our example, it corresponds to the full_audit:facility parameter entered in the Samba 4 LDAP directory configuration.
Corresponds to the severity of the syslogs. Since the application system (facility) is entered, it determines which logs will be sent to the SN SSO Agent syslog server.
Specifies that UDP mode is used to send logs. Communications with the SN SSO Agent syslog server must be in UDP.
Corresponds to the IP address of the SN SSO Agent to which logs will be sent, and the port number that the syslog server will listen on.
We recommend that you use a port higher than or equal to 1024. To use a port lower than 1024, SN SSO Agent must restart with administrator privileges (sudo).
For more information, refer to official syslog documentation.
After the configuration is added, run this command so that the rsyslog daemon will restart:
sudo service syslog restart