samba - Dec 2022 - 4.17.3 on debian: vfs_full_audit issues

Upgraded a Debian-11.5 server to samba-4.17.3 (from backports).

Domain membership works, but with vfs_full_audit enabled access to share 
seems broken.


# Global parameters
[global]
	dedicated keytab file = /etc/krb5.keytab
	kerberos method = secrets and keytab
	log level = 1
	printcap name = /dev/null
	realm = MYDOM.INTRA
	security = ADS
	template homedir = /mnt/MSA2040/smb/Homes/%D/%U
	unix charset = iso8859-15
	username map = /etc/samba/samba_usermapping
	winbind cache time = 10
	winbind refresh tickets = Yes
	winbind use default domain = Yes
	workgroup = NORAS
	full_audit:priority = notice
	full_audit:facility = local5
	full_audit:success = mkdir rmdir read pread write pwrite rename unlink
	full_audit:failure = connect
	full_audit:prefix = %u|%I|%m|%S
	idmap config mydom : backend = rid
	idmap config mydom : range = 10000-20000
	idmap config * : backend = tdb
	idmap config * : range = 3000-7999
	acl allow execute always = Yes
	follow symlinks = Yes
	inherit acls = Yes
	map acl inherit = Yes
	store dos attributes = Yes
	vfs objects = acl_xattr full_audit
	wide links = Yes


---

I saw stuff like this:

[2022/12/09 12:17:17.209436,  1] 
../../source3/smbd/smb2_service.c:669(make_connection_snum)
   make_connection_snum: SMB_VFS_CONNECT for service 'IPC$' at
'/tmp'
failed: Erfolg
[2022/12/09 12:17:17.211185,  0] 
../../source3/modules/vfs_full_audit.c:566(init_bitmap)
   init_bitmap: Could not find opname mkdir
[2022/12/09 12:17:17.211286,  0] 
../../source3/modules/vfs_full_audit.c:755(smb_full_audit_connect)
   smb_full_audit_connect: Invalid success operations list. Failing connect
[2022/12/09 12:17:17.211337,  1] 
../../source3/smbd/smb2_service.c:669(make_connection_snum)
   make_connection_snum: SMB_VFS_CONNECT for service 'IPC$' at
'/tmp'
failed: Erfolg
[2022/12/09 12:17:17.214950,  0] 
../../source3/modules/vfs_full_audit.c:566(init_bitmap)
   init_bitmap: Could not find opname mkdir
[2022/12/09 12:17:17.215041,  0] 
../../source3/modules/vfs_full_audit.c:755(smb_full_audit_connect)
   smb_full_audit_connect: Invalid success operations list. Failing connect
[2022/12/09 12:17:17.215077,  1] 
../../source3/smbd/smb2_service.c:669(make_connection_snum)
   make_connection_snum: SMB_VFS_CONNECT for service 'IPC$' at
'/tmp'
failed: Erfolg
[2022/12/09 12:17:17.224604,  0] 
../../source3/modules/vfs_full_audit.c:566(init_bitmap)
   init_bitmap: Could not find opname mkdir

----


Disabled "full_audit", access works now.

For reference:

root at samba:~# apt-cache policy samba
samba:
   Installiert:           2:4.17.3+dfsg-3~bpo11+1
   Installationskandidat: 2:4.17.3+dfsg-3~bpo11+1
   Versionstabelle:
  *** 2:4.17.3+dfsg-3~bpo11+1 100
         100 http://ftp.at.debian.org/debian bullseye-backports/main 
amd64 Packages

[..]

root at samba:~# apt-cache policy samba-vfs-modules
samba-vfs-modules:
   Installiert:           2:4.17.3+dfsg-3~bpo11+1
   Installationskandidat: 2:4.17.3+dfsg-3~bpo11+1
   Versionstabelle:
  *** 2:4.17.3+dfsg-3~bpo11+1 100
         100 http://ftp.at.debian.org/debian bullseye-backports/main 
amd64 Packages

[..]


I keep it disabled for now to let people do their work. Would be great 
to learn what to fix as I should enable auditing there asap again (maybe 
even on the fly without restarting smbd?)

thanks, Stefan

09.12.2022 14:31, Stefan G. Weichinger via samba wrote:
>  ????full_audit:success = mkdir rmdir read pread write pwrite rename unlink
>  ? init_bitmap: Could not find opname mkdir
This is RTFM time.  man 8 vfs_full_audit, see the list of samba VFS operations
at the beginning of the manpage.  There's no "mkdir" there.

This has absolutely nothing to do with Debian, fwiw.

/mjt