Login | Register For Free | Help
Search for: (Advanced)

Mailing List Archive: Netapp: toasters

Cifs user name mapping.

 

 

Netapp toasters RSS feed   Index | Next | Previous | View Threaded


jeff.cleverley at avagotech

Nov 22, 2011, 12:23 PM

Post #1 of 3 (2215 views)
Permalink
Cifs user name mapping.

Greetings,

We have a cifs share that gets worked on by various people in the
company in different countries and business groups. We have access
opened up to users with a valid Windows 2003 Server domain
authentication. Since we don't know everyone who will have access to
this, we don't have unix accounts for them, or entries in the
usermap.cfg file. This share is also nfs accessed and has unix
security style.

The problem is when we look in the messages files these users seem to
show up with their workstation name followed by the $ sign. It's
difficult to track who owns the machine and who logged into it. Here
is an trimmed example entry:

auth.trace.authenticateUser.loginAccepted:info]: AUTH: Login by
dwc46q1$ from xx.xx.xx.xx accepted.

I'd like a better way to figure out who logged in from dwc46q1$ . The
cifs.trace_login is on.

Thanks,

Jeff
--
Jeff Cleverley
Unix Systems Administrator
4380 Ziegler Road
Fort Collins, Colorado 80525
970-288-4611
_______________________________________________
Toasters mailing list
Toasters [at] teaparty
http://www.teaparty.net/mailman/listinfo/toasters


scl at virginia

Nov 22, 2011, 2:00 PM

Post #2 of 3 (2159 views)
Permalink
Re: Cifs user name mapping. [In reply to]

> Greetings,
>
> We have a cifs share that gets worked on by various people in the
> company in different countries and business groups. We have access
> opened up to users with a valid Windows 2003 Server domain
> authentication. Since we don't know everyone who will have access to
> this, we don't have unix accounts for them, or entries in the
> usermap.cfg file. This share is also nfs accessed and has unix
> security style.
>
> The problem is when we look in the messages files these users seem to
> show up with their workstation name followed by the $ sign. It's
> difficult to track who owns the machine and who logged into it. Here
> is an trimmed example entry:
>
> auth.trace.authenticateUser.loginAccepted:info]: AUTH: Login by
> dwc46q1$ from xx.xx.xx.xx accepted.
>
> I'd like a better way to figure out who logged in from dwc46q1$ . The
> cifs.trace_login is on.
>
> Thanks,
>
> Jeff
> --
> Jeff Cleverley
> Unix Systems Administrator
> 4380 Ziegler Road
> Fort Collins, Colorado 80525
> 970-288-4611
> _______________________________________________
> Toasters mailing list
> Toasters [at] teaparty
> http://www.teaparty.net/mailman/listinfo/toasters
>

Hi Jeff,

We used to use options cifs.trace_login but as you point out,
it omits a lot of information and often (high load?) login
events are not logged. (We run a university wide home directory
service with 60,000 users, so we get a huge number of logins.)

You might want to do this, which works much better:

options cifs.audit.enable on
options cifs.audit.logon_events.enable on
options cifs.audit.account_mgmt_events.enable off
options cifs.audit.file_access_events.enable off

and play with the cifs.audit.autosave options to
control the rotation of the event log files.

These options generate files on the filer named

/etc/log/adtlog.*.evt

The filer accumulates audit events in /etc/log/cifsaudit.alf
(of unknown format) and periodically dumps this to an adtlog.*.evt
file.

The adtlog.*.evt files are in Windows event log format, which you
can view on a Windows box. Sounds like you are a Unix guy
like me. A while back I researched the EVT format and wrote
a perl module to parse the adtlog.*.evt files.

The module and script are fairly short, so I have attached them.
You will need to change this line in dumpevt.pl depending on where
you put evt.pl

require("/na/local/evt.pl");

Usage: dumpevt.pl evtfile ...

I have attached the perl files with .txt appended to the names to
avoid email filters.

Steve Losen scl [at] virginia phone: 434-924-0640

University of Virginia ITC Unix Support
Attachments: dumpevt.pl.txt (0.55 KB)
  evt.pl.txt (3.82 KB)


jeff.cleverley at avagotech

Nov 22, 2011, 2:56 PM

Post #3 of 3 (2185 views)
Permalink
Re: Cifs user name mapping. [In reply to]

Steve,

Thanks for the information and the modules. I'll look into everything
next week when I get back. I had tried the strings command on the
cifsaudit.alf file but it only gave me IP addresses of the clients.

The only audit setting we had differently was the
cifs.audit.file_access_events.enable. I've turned it off as you
mentioned since it probably won't cause too much trouble. I'll see
what the evt files come up with when they are created.

Thanks,

Jeff

On Tue, Nov 22, 2011 at 3:00 PM, Steve Losen <scl [at] virginia> wrote:
>
>> Greetings,
>>
>> We have a cifs share that gets worked on by various people in the
>> company in different countries and business groups.  We have access
>> opened up to users with a valid Windows 2003 Server domain
>> authentication.  Since we don't know everyone who will have access to
>> this, we don't have unix accounts for them, or entries in the
>> usermap.cfg file.  This share is also nfs accessed and has unix
>> security style.
>>
>> The problem is when we look in the messages files these users seem to
>> show up with their workstation name followed by the $ sign.  It's
>> difficult to track who owns the machine and who logged into it.  Here
>> is an trimmed example entry:
>>
>> auth.trace.authenticateUser.loginAccepted:info]: AUTH: Login by
>> dwc46q1$ from xx.xx.xx.xx accepted.
>>
>> I'd like a better way to figure out who logged in from dwc46q1$ .  The
>> cifs.trace_login is on.
>>
>> Thanks,
>>
>> Jeff
>> --
>> Jeff Cleverley
>> Unix Systems Administrator
>> 4380 Ziegler Road
>> Fort Collins, Colorado 80525
>> 970-288-4611
>> _______________________________________________
>> Toasters mailing list
>> Toasters [at] teaparty
>> http://www.teaparty.net/mailman/listinfo/toasters
>>
>
> Hi Jeff,
>
> We used to use options cifs.trace_login but as you point out,
> it omits a lot of information and often (high load?) login
> events are not logged.  (We run a university wide home directory
> service with 60,000 users, so we get a huge number of logins.)
>
> You might want to do this, which works much better:
>
> options cifs.audit.enable on
> options cifs.audit.logon_events.enable on
> options cifs.audit.account_mgmt_events.enable off
> options cifs.audit.file_access_events.enable off
>
> and play with the cifs.audit.autosave options to
> control the rotation of the event log files.
>
> These options generate files on the filer named
>
> /etc/log/adtlog.*.evt
>
> The filer accumulates audit events in /etc/log/cifsaudit.alf
> (of unknown format) and periodically dumps this to an adtlog.*.evt
> file.
>
> The adtlog.*.evt files are in Windows event log format, which you
> can view on a Windows box.  Sounds like you are a Unix guy
> like me.  A while back I researched the EVT format and wrote
> a perl module to parse the adtlog.*.evt files.
>
> The module and script are fairly short, so I have attached them.
> You will need to change this line in dumpevt.pl depending on where
> you put evt.pl
>
> require("/na/local/evt.pl");
>
> Usage:  dumpevt.pl evtfile ...
>
> I have attached the perl files with .txt appended to the names to
> avoid email filters.
>
> Steve Losen   scl [at] virginia    phone: 434-924-0640
>
> University of Virginia               ITC Unix Support
>
>



--
Jeff Cleverley
Unix Systems Administrator
4380 Ziegler Road
Fort Collins, Colorado 80525
970-288-4611

_______________________________________________
Toasters mailing list
Toasters [at] teaparty
http://www.teaparty.net/mailman/listinfo/toasters

Netapp toasters RSS feed   Index | Next | Previous | View Threaded
 
 


Interested in having your list archived? Contact Gossamer Threads
 
  Web Applications & Managed Hosting Powered by Gossamer Threads Inc.