How to Log Samba Authentication Attempts for NTLM/AD Integration with Detailed Timestamp Records


When using Samba 3.5.4 as an intermediary between Squid (NTLM) and Active Directory, authentication requests follow this path:

Squid (NTLM) → Samba Winbind → Active Directory → Samba → Result

Add these parameters to your smb.conf in the [global] section:

[global]
    log level = 3 auth:5 winbind:5
    log file = /var/log/samba/auth.log
    max log size = 5000
    timestamp logs = yes

Create a custom log parser script (log_parser.sh):

#!/bin/bash
# Pull user, domain and result out of the "authentication for user" lines.
LOGFILE="/var/log/samba/auth.log"
OUTFILE="/var/log/samba/auth_attempts.log"

# -i: Samba capitalises the word in its failure message ("Authentication for user ... FAILED")
grep -i "authentication for user" "$LOGFILE" | while IFS= read -r line; do
    timestamp=$(printf '%s\n' "$line" | awk '{print $1" "$2" "$3}')
    user=$(printf '%s\n' "$line" | grep -oP 'user \[\K[^\]]+')
    domain=$(printf '%s\n' "$line" | grep -oP 'domain \[\K[^\]]+')
    # \K drops the "status:" prefix; the old pattern 'status.*\K\w+' backtracked to the last character only
    status=$(printf '%s\n' "$line" | grep -oP 'status[: ]*\K\w+')

    printf "%s %s@%s %s\n" "$timestamp" "$user" "$domain" "$status" >> "$OUTFILE"
done

For more robust tracking, configure auditd rules:

# /etc/audit/rules.d/samba.rules
# Record writes and attribute changes to the auth log itself
-w /var/log/samba/auth.log -p wa -k samba_auth
# For socket(), a0 is the address family (2 = AF_INET); for connect() a0 is only the file descriptor
-a always,exit -F arch=b64 -S socket -F a0=2 -k samba_network

Create /etc/logrotate.d/samba-auth:

/var/log/samba/auth.log {
    daily
    missingok
    rotate 30
    compress
    delaycompress
    sharedscripts
    postrotate
        /usr/bin/systemctl reload smbd nmbd winbind
    endscript
}

Use this awk command to generate statistics:

awk '{print $4}' /var/log/samba/auth_attempts.log | sort | uniq -c | sort -nr

If logs aren't appearing:

  1. Verify Samba has write permissions to /var/log/samba
  2. Check SELinux/AppArmor isn't blocking log access
  3. Confirm winbind is running: systemctl status winbind
  4. Test with smbclient -L localhost -U%

When using Samba 3.5.4 as an intermediary between Squid (NTLM) and Active Directory, authentication attempts follow this path:


Client → Squid (NTLM) → Samba → Active Directory → Response Chain

Edit your smb.conf file to enable detailed authentication logging:


[global]
   log level = 3 auth:5
   log file = /var/log/samba/auth.log
   max log size = 10000

Create a custom log parser script (parse_samba_auth.sh):


#!/bin/bash
# Requires gawk: gensub() is a GNU awk extension.
LOG_FILE="/var/log/samba/auth.log"

# -i: Samba capitalises the word in its failure message ("Authentication for user ... FAILED")
grep -i "authentication for" "$LOG_FILE" | \
gawk '{
   timestamp=$1" "$2;
   # bracketed fields: "for user [...]" and "domain [...]"
   user=gensub(/.*for user \[([^]]*)\].*/,"\\1","g",$0);
   domain=gensub(/.*domain \[([^]]*)\].*/,"\\1","g",$0);
   status=gensub(/.*status: (.*)/,"\\1","g",$0);
   print timestamp"    "user"@"domain"    "toupper(status)
}' > /var/log/samba/auth_attempts.log

Create /etc/logrotate.d/samba-auth:


/var/log/samba/auth.log {
    weekly
    missingok
    rotate 12
    compress
    delaycompress
    sharedscripts
    postrotate
        /usr/bin/killall -HUP smbd nmbd
    endscript
}

For live monitoring, use this Python script:


import re
import subprocess

USER_RE = re.compile(r"user \[([^\]]+)\]")
DOMAIN_RE = re.compile(r"domain \[([^\]]+)\]")

def monitor_auth():
    cmd = "tail -F /var/log/samba/auth.log | grep --line-buffered -i 'authentication for'"
    # text=True gives str lines; without it readline() returns bytes and the substring test raises TypeError
    process = subprocess.Popen(cmd, shell=True, stdout=subprocess.PIPE, text=True)

    for line in process.stdout:  # blocks until tail emits a new line
        # Samba's own success message reads "succeeded", so match both spellings
        if re.search(r"succe(ss|eded)", line, re.IGNORECASE):
            status = "SUCCESS"
        else:
            status = "FAILURE"

        parts = line.split()
        timestamp = " ".join(parts[:2])
        # regex instead of fixed word positions, so a different message layout does not crash the loop
        user_m = USER_RE.search(line)
        domain_m = DOMAIN_RE.search(line)
        user = user_m.group(1) if user_m else "?"
        domain = domain_m.group(1) if domain_m else "?"

        print(f"{timestamp}    {user}@{domain}    {status}", flush=True)

if __name__ == "__main__":
    monitor_auth()
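The two shell parsers and the live monitor above treat each Samba log entry as a single line. Samba's debug output actually writes a header line of the form "[YYYY/MM/DD HH:MM:SS, level] file:line(function)" and puts the message text on the following indented line, so a one-line grep never sees the timestamp it is asked to print. The script below is an added example, not code from either answer or from the Samba project: a stateful parser for that two-line layout that works on a whole file and on a tail -F stream, plus the per-result and per-account counts that the awk one-liner produces, with a threshold for spotting accounts that keep failing. It assumes the Samba 3.x result messages from auth/auth.c ("authentication for user [...] ... succeeded" and "Authentication for user [...] FAILED with error NT_STATUS_...") and that a domain-qualified name arrives as DOMAIN\user; the sample log is constructed.

```python
import re
import time
from collections import Counter

# Samba writes each debug message as two lines: a header "[YYYY/MM/DD HH:MM:SS, level] file:line(func)"
# followed by the indented message text, so timestamp and message have to be joined across lines.
HEADER_RE = re.compile(r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})(?:\.\d+)?,\s*(\d+)\]")
# Result messages from auth/auth.c (assumed texts); the first bracketed name is the one the client presented.
SUCCESS_RE = re.compile(r"authentication for user \[([^\]]*)\].*\bsucceeded", re.IGNORECASE)
FAILURE_RE = re.compile(r"authentication for user \[([^\]]*)\].*\bFAILED with error (\S+)", re.IGNORECASE)


class SambaAuthParser:
    """Stateful line-at-a-time parser: feed() every line, get a record back on result lines."""

    def __init__(self):
        self._timestamp = None
        self._level = None

    def feed(self, line):
        line = line.rstrip("\n")
        header = HEADER_RE.match(line)
        if header:
            self._timestamp, self._level = header.group(1), int(header.group(2))
            return None
        hit = SUCCESS_RE.search(line)
        if hit:
            return self._record(hit.group(1), "SUCCESS", "")
        hit = FAILURE_RE.search(line)
        if hit:
            return self._record(hit.group(1), "FAILURE", hit.group(2))
        return None

    def _record(self, presented, status, reason):
        timestamp = self._timestamp or "unknown"
        self._timestamp = None  # a header belongs to exactly one message
        # Assumption: a domain, when present, is given as DOMAIN\user (backslash form).
        domain, _, user = presented.rpartition("\\")
        return {"timestamp": timestamp, "user": user, "domain": domain,
                "status": status, "reason": reason}


def parse_lines(lines):
    """Parse a whole log (any iterable of lines) into a list of records."""
    parser = SambaAuthParser()
    records = []
    for line in lines:
        record = parser.feed(line)
        if record:
            records.append(record)
    return records


def summarize(records, fail_threshold=5):
    """Counts per result, plus accounts whose failure count reaches fail_threshold."""
    by_status = Counter(r["status"] for r in records)
    failures = Counter(
        (f"{r['domain']}\\{r['user']}" if r["domain"] else r["user"])
        for r in records if r["status"] == "FAILURE"
    )
    flagged = {account: n for account, n in failures.items() if n >= fail_threshold}
    return {"by_status": dict(by_status), "flagged": flagged}


def follow(path, poll=1.0):
    """Yield records as they are appended, without a tail subprocess.
    Does not notice log rotation; restart it after rotation or keep tail -F for that."""
    parser = SambaAuthParser()
    with open(path, encoding="utf-8", errors="replace") as fh:
        fh.seek(0, 2)  # start at the end: report only new attempts
        while True:
            line = fh.readline()
            if not line:
                time.sleep(poll)
                continue
            record = parser.feed(line)
            if record:
                yield record


# Constructed sample in the two-line layout described above (not real log data).
SAMPLE_LOG = """\
[2010/11/01 12:34:56,  3] auth/auth.c:222(check_ntlm_password)
  check_ntlm_password:  authentication for user [CORP\\jdoe] -> [jdoe] -> [jdoe] succeeded
[2010/11/01 12:35:01,  2] auth/auth.c:319(check_ntlm_password)
  check_ntlm_password:  Authentication for user [CORP\\svc_backup] -> [svc_backup] FAILED with error NT_STATUS_WRONG_PASSWORD
[2010/11/01 12:35:02,  2] auth/auth.c:319(check_ntlm_password)
  check_ntlm_password:  Authentication for user [CORP\\svc_backup] -> [svc_backup] FAILED with error NT_STATUS_WRONG_PASSWORD
[2010/11/01 12:35:03,  2] auth/auth.c:319(check_ntlm_password)
  check_ntlm_password:  Authentication for user [CORP\\svc_backup] -> [svc_backup] FAILED with error NT_STATUS_WRONG_PASSWORD
[2010/11/01 12:36:10,  5] winbindd/example.c:1(example_function)
  example_function: unrelated winbind chatter that the parser must ignore
"""

if __name__ == "__main__":
    recs = parse_lines(SAMPLE_LOG.splitlines())
    for r in recs:
        print(f"{r['timestamp']}    {r['user']}@{r['domain']}    {r['status']} {r['reason']}".rstrip())
    print(summarize(recs, fail_threshold=3))
```

The parser keeps only the last header it saw and clears it as soon as a result line consumes it, so an interleaved message from another subsystem (the winbind line in the sample) cannot steal a timestamp from the next authentication result. For a live view, `for rec in follow("/var/log/samba/auth.log"): print(rec)` replaces the tail pipeline; `summarize()` over a day's records gives the same counts as the awk one-liner together with a list of accounts that have crossed the failure threshold.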

To forward logs to Splunk/ELK:


# For rsyslog configuration (/etc/rsyslog.d/samba.conf)
# smbd only passes messages up to the level set by "syslog = N" in smb.conf (default 1)
# to syslog, so raise it (for example syslog = 5) or the auth:5 lines never reach rsyslog.
# A single "@" forwards over UDP; use "@@" for TCP.
:programname, isequal, "smbd" {
    *.* @your-siem-server:514
    stop
}