LinuxQuestions.org - Unknown entries in samba log

- Linux - Security (https://www.linuxquestions.org/questions/linux-security-4/)

- - Unknown entries in samba log (https://www.linuxquestions.org/questions/linux-security-4/unknown-entries-in-samba-log-843173/)

Unknown entries in samba log

Hello all,

I have been getting the following in the samba section of the log watch report for the past few days. But don't know what it means.

Code:

**Unmatched Entries**

 auth/auth.c:get_ntlm_challenge(136)  auth_context challenge created by random : 5 Time(s)

 auth/auth.c:get_ntlm_challenge(137)  challenge is:  : 5 Time(s)

 auth/auth.c:get_ntlm_challenge(96)  auth_get_challenge: module guest did not want to specify a challenge : 5 Time(s)

 auth/auth.c:get_ntlm_challenge(96)  auth_get_challenge: module sam did not want to specify a challenge : 5 Time(s)

 auth/auth.c:get_ntlm_challenge(96)  auth_get_challenge: module winbind did not want to specify a challenge : 5 Time(s)

 auth/auth.c:load_auth_module(387)  load_auth_module: Attempting to find an auth method to match guest : 5 Time(s)

 auth/auth.c:load_auth_module(387)  load_auth_module: Attempting to find an auth method to match sam : 5 Time(s)

 auth/auth.c:load_auth_module(387)  load_auth_module: Attempting to find an auth method to match trustdomain : 5 Time(s)

 auth/auth.c:load_auth_module(387)  load_auth_module: Attempting to find an auth method to match winbind:trustdomain : 5 Time(s)

 auth/auth.c:load_auth_module(412)  load_auth_module: auth method guest has a valid init : 5 Time(s)

 auth/auth.c:load_auth_module(412)  load_auth_module: auth method sam has a valid init : 5 Time(s)

 auth/auth.c:load_auth_module(412)  load_auth_module: auth method trustdomain has a valid init : 5 Time(s)

 auth/auth.c:load_auth_module(412)  load_auth_module: auth method winbind has a valid init : 5 Time(s)

 auth/auth.c:make_auth_context_subsystem(485)  Making default auth method list for DC, security=user, encrypt passwords = yes : 5 Time(s)

 auth/auth.c:smb_register_auth(46)  Attempting to register auth backend guest : 5 Time(s)

 auth/auth.c:smb_register_auth(46)  Attempting to register auth backend ntdomain : 5 Time(s)

 auth/auth.c:smb_register_auth(46)  Attempting to register auth backend sam : 5 Time(s)

 auth/auth.c:smb_register_auth(46)  Attempting to register auth backend sam_ignoredomain : 5 Time(s)

 auth/auth.c:smb_register_auth(46)  Attempting to register auth backend smbserver : 5 Time(s)

.

.

.

and more. What does it mean? Does it mean any attempt to hack or is it some kind of status update? If this is not a threat and can be suppressed, how can I do this?

Will be very helpful if somebody can explain this.

Thanks

Quote:

Originally Posted by guna_pmk (Post 4153391)

Code:

**Unmatched Entries**

Unmatched entries means /path/to/logwatch/scripts/services/samba does not contain filters to either mark this as a problem or filter it out as harmless.

Quote:

Originally Posted by guna_pmk (Post 4153391)

What does it mean? Does it mean any attempt to hack or is it some kind of status update?

Logwatch gives you a summary. So if there is no context to glean the meaning of the message from the easiest thing to do is to look up the specific message and the actual order of log lines in a log file. From the order of log lines you should find that these are from common authentication methods that cause recurring log entries.

Quote:

Originally Posted by guna_pmk (Post 4153391)

(..) can be suppressed, how can I do this?

Locate your /path/to/logwatch/scripts/services/samba and open it in a text editor and below "#Don't care about these..." (line 147) add your exclusions, test the filters and maybe submit them to the Logwatch maintainers for inclusion as the last CVS revision was 1.31 on 2008/05/06.

Hi unSpawn,
Thanks for the explanation and apologies for the delay in replying. If this is something that does not need to be worried, should be fine for now. I shall implement your solution and give an update here later.

Thanks