I am running samba-4.10.16-15.el7_9.x86_64 on a simple file server and
trying to enable auditing of shares. I have a menu entry checkbox which
allows me to do this but I can't find the logging anywhere. My smb.conf
is (with default shares pruned):
Server role: ROLE_DOMAIN_PDC
# Global parameters
[global]
        add machine script = /usr/sbin/samba-add-machine "%u"
        domain logons = Yes
        domain master = Yes
        guest account = guest
        interfaces = lo enp2s0f1 wlp0s16u3
        ldap admin dn = cn=manager,ou=Internal,dc=system,dc=lan
        ldap connection timeout = 8
        ldap group suffix = ou=Groups,ou=Accounts
        ldap idmap suffix = ou=Idmap
        ldap machine suffix = ou=Computers,ou=Accounts
        ldap ssl = no
        ldap suffix = dc=system,dc=lan
        ldap user suffix = ou=Users,ou=Accounts
        log file = /var/log/samba/%L-%m
        logon drive = U:
        logon home = \\%L\%U
        logon path =
        logon script = logon.cmd
        max log size = 0
        netbios name = MYSERVER
        ntlm auth = ntlmv1-permitted
        passdb backend = ldapsam:ldap://127.0.0.1
        passwd chat = *password:* %n\n *password:* %n\n *successfully.*
        passwd chat timeout = 10
        passwd program = /usr/sbin/userpasswd %u
        preferred master = Yes
        printcap name = /etc/printcap
        security = USER
        server string = MyServer
        template homedir = /home/%U
        template shell = /sbin/nologin
        unix password sync = Yes
        username map = /etc/samba/smbusers
        utmp = Yes
        winbind enum groups = Yes
        winbind enum users = Yes
        winbind expand groups = 1
        winbind offline logon = Yes
        winbind separator = +
        winbind use default domain = Yes
        wins support = Yes
        workgroup = CLEARSYSTEM
        idmap config * : ldap_user_dn = cn=manager,ou=Internal,dc=system,dc=lan
        idmap config * : ldap_base_dn = ou=Idmap,dc=system,dc=lan
        idmap config * : ldap_url = ldap://127.0.0.1
        idmap config * : range = 20000000-29999999
        idmap config * : backend = ldap
        include = /etc/samba/flexshare.conf

[test]
        comment = Test Share
        create mask = 0664
        directory mask = 0775
        path = /var/flexshare/shares/test
        read only = No
        valid users = @%D\njhtest @njhtest
        veto files = /.flexshare*/
        vfs objects = full_audit:audit
        audit:priority = NOTICE
        audit:facility = LOCAL5
        audit:failure = all
        audit:success = open opendir
        audit:prefix = %u
In my rsyslog.conf I have a line "local5.* /var/log/compliance". In the
past I believe this used to work, but I am certainly not now seeing any
logging in /var/log/compliance or anywhere in the other locations such
as the messages and secure logs or any of the samba logs when I open,
edit, create and delete files on the shares.
This link -
https://unix.stackexchange.com/questions/658691/samba-has-a-module-vfs-full-audit-what-does-each-object-actually-mean-within-th
- says "If you are using samba 4, forget the audit logs."
Is my setup incorrect and is it possible to get it working?
If I manually hack the share setup and change:

        vfs objects = full_audit:audit
        audit:priority = NOTICE
        audit:facility = LOCAL5
        audit:failure = all
        audit:success = open opendir
        audit:prefix = %u

to

        vfs objects = full_audit
        full_audit:priority = NOTICE
        full_audit:facility = LOCAL5
        full_audit:failure = all
        full_audit:success = open opendir
        full_audit:prefix = %u
I do seem to get something but is this correct?
Thanks,
Nick
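Once full_audit lines do reach /var/log/compliance, the next question is what to do with them. The following is an added example, not part of Nick's post and not Samba's own code: a small parser for the lines vfs_full_audit hands to syslog, run over constructed sample lines. It assumes the format full_audit emits, namely a syslog header, the identity "smbd_audit:", then pipe-separated fields "prefix|operation|ok or fail (reason)|args", with the prefix being just the user name because the share above sets the prefix to %u. The host name, user name, file names and timestamps in the sample are made up; the `failures_by_user` and `write_opens` helpers are hypothetical names chosen for this example.

```python
"""Parse Samba vfs_full_audit syslog lines and summarise failures and writes.

Added example: assumes full_audit's "prefix|op|ok|args" line format with
the prefix configured as %u, as in the [test] share above.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample log (not real data). The sshd line shows that
# unrelated syslog traffic in the same file is skipped by the parser.
SAMPLE_LOG = """\
Mar  1 10:01:12 myserver smbd_audit: njhtest|connect|ok|test
Mar  1 10:01:15 myserver smbd_audit: njhtest|opendir|ok|.
Mar  1 10:01:20 myserver smbd_audit: njhtest|open|ok|r|report.txt
Mar  1 10:01:25 myserver smbd_audit: njhtest|open|ok|w|report.txt
Mar  1 10:01:30 myserver smbd_audit: njhtest|unlink|fail (Permission denied)|secret.txt
Mar  1 10:01:31 myserver smbd_audit: njhtest|rename|fail (No such file or directory)|a.txt|b.txt
Mar  1 10:01:40 myserver sshd[123]: Accepted publickey for nick
"""

# Classic syslog header: "Mar  1 10:01:12 host smbd_audit: <body>".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s+(?P<host>\S+)\s+smbd_audit:\s(?P<body>.*)$"
)
# Third field is either "ok" or "fail (<strerror text>)".
RESULT_RE = re.compile(r"^(?P<status>ok|fail)(?: \((?P<reason>.*)\))?$")


@dataclass
class AuditEvent:
    timestamp: str
    host: str
    user: str          # the configured prefix, %u here
    operation: str     # e.g. open, opendir, unlink, rename
    success: bool
    reason: Optional[str]          # strerror text on failure, else None
    args: List[str] = field(default_factory=list)  # operation-specific fields


def parse_line(line: str) -> Optional[AuditEvent]:
    """Return an AuditEvent for a full_audit line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = m.group("body").split("|")
    if len(fields) < 3:
        return None
    user, operation, result = fields[0], fields[1], fields[2]
    r = RESULT_RE.match(result)
    if not r:
        return None
    return AuditEvent(
        timestamp=m.group("ts"),
        host=m.group("host"),
        user=user,
        operation=operation,
        success=(r.group("status") == "ok"),
        reason=r.group("reason"),
        args=fields[3:],
    )


def parse_log(text: str) -> List[AuditEvent]:
    """Parse every full_audit line in a log file body, skipping other lines."""
    return [ev for ev in map(parse_line, text.splitlines()) if ev is not None]


def failures_by_user(events: List[AuditEvent]) -> Dict[str, int]:
    """Count failed operations per user: what 'audit:failure = all' is for."""
    counts: Dict[str, int] = {}
    for ev in events:
        if not ev.success:
            counts[ev.user] = counts.get(ev.user, 0) + 1
    return counts


def write_opens(events: List[AuditEvent]) -> List[str]:
    """Paths opened for writing ('open' logs a leading 'r' or 'w' field)."""
    return [ev.args[1] for ev in events
            if ev.operation == "open" and ev.success and ev.args[:1] == ["w"]]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for ev in evs:
        print(ev)
    print("failures:", failures_by_user(evs))
    print("written:", write_opens(evs))
```

Run against the real file with `python3 audit_parse.py < /var/log/compliance` after swapping `SAMPLE_LOG` for `sys.stdin.read()`; if the prefix is changed to the default, which includes the client address, add a field before the operation name in `parse_line`.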