On 21-08-2023 22:18, Joachim Lindenberg via samba wrote:
> Hello Rowland,
> If someone wants full_audit, will adding 'vfs objects = full_audit'
> on a DC also have dfs_samba4 and acl_xattr enabled just because running on a DC,
> or would this cause both defaults to be turned off?
> Thanks,
> Joachim

I guess Rowland meant to say that you should not do without "acl_xattr", which is a fair point.

For full_audit (which means full audit on file-share activities) you need a few more options.

BTW, I am also using audit on authentication, which provides good information in case someone has trouble logging in.

Altogether it becomes something like this:

log level = 3 auth_json_audit:3@/var/log/samba/audit_auth.log
full_audit:success = open fsync_recv fsync_send ftruncate pwrite pwrite_recv pwrite_send renameat unlinkat write
full_audit:failure = open pread read
full_audit:prefix = samba: IP=%I|USER=%u|MACHINE=%m|VOLUME=%S
full_audit:facility = local6
full_audit:priority = NOTICE
max log size = 0
vfs objects = dfs_samba4, acl_xattr, full_audit

"auth_json_audit:3@/var/log/samba/audit_auth.log" -> this is the authentication audit log.

"max log size = 0" ensures that Samba will not rotate the logs (chances are real that you will lose log information). Do note that you will have to take care of log rotation yourself by putting something in /etc/logrotate.d, or your filesystem will fill up.

Set your own "full_audit:success" and "full_audit:failure" options to tune what gets logged (too much will slow down your fileserver).

The filesystem audit log is written to syslog. To get it nicely in a file next to the other samba logs, put this in /etc/rsyslog.d/samba_audit_smb.conf:

# Prevent logging of 'smbd_audit' in syslog and messages
:programname, startswith, "smbd_audit" {
    -/var/log/samba/audit_smb.log
    stop
}

Restart samba and restart rsyslog.
- Kees.
>
>
> -----Original Message-----
> From: samba <samba-bounces at lists.samba.org> On Behalf Of Rowland Penny via samba
> Sent: Monday, 21 August 2023 19:15
> To: samba at lists.samba.org
> Cc: Rowland Penny <rpenny at samba.org>
> Subject: Re: [Samba] DFS questions...
>
> On Mon, 21 Aug 2023 19:02:46 +0200
> Kees van Vloten via samba<samba at lists.samba.org> wrote:
>
>> On 21-08-2023 18:17, Joachim Lindenberg wrote:
>>> Hi Kees,
>>> Thanks once more. To be precise:
>>> - you are running this on DCs?
>> Yes
>>> - no links required as on the wiki page?
>> No, there are 2 ways of configuring it, the wiki has the symlink
>> method, below is the other method.
>>
>> I don't like broken symlinks on my machines, therefore this is what I
>> prefer.
>>
>>> - "vfs objects = dfs_samba4, acl_xattr, full_audit" - I don't have
>>> that in my smb.conf. What part(s) of this are default, required, or
>>> special?
>> Sorry, I copied it from my smb.conf, a little too quick. For DFS, you
>> just add "dfs_samba4" to "vfs_objects".
> Sorry to butt in here, but 'vfs objects = dfs_samba4 acl_xattr' is
> the default for a Samba AD DC
>
> Rowland
>
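
One way to triage the /var/log/samba/audit_smb.log produced by the configuration above, as an added example that is not part of the original thread: it parses lines carrying the "full_audit:prefix" from the message and reports bursts of successful deletes/renames and failed opens per user and client IP. The field layout after the prefix (operation, result, arguments), the function names, the threshold and the sample lines are assumptions made for this example.

```python
import re
from collections import Counter, defaultdict

# Prefix from the message: samba: IP=%I|USER=%u|MACHINE=%m|VOLUME=%S
# Assumed layout after the prefix: |operation|ok or fail (reason)|arguments...
LINE_RE = re.compile(
    r"samba: IP=(?P<ip>[^|]*)\|USER=(?P<user>[^|]*)\|MACHINE=(?P<machine>[^|]*)"
    r"\|VOLUME=(?P<volume>[^|]*)\|(?P<op>[^|]+)\|(?P<result>ok|fail[^|]*)"
    r"(?:\|(?P<args>.*))?$"
)

def parse_line(line):
    """Return the fields of one audit line as a dict, or None if it does not match."""
    m = LINE_RE.search(line.rstrip("\n"))
    if m is None:
        return None
    rec = m.groupdict()
    rec["ok"] = rec["result"] == "ok"
    # A "|" inside a file name cannot be told apart from a field separator.
    rec["args"] = rec["args"].split("|") if rec["args"] else []
    return rec

def summarize(lines, destructive=("unlinkat", "renameat"), threshold=3):
    """Per (user, ip): count successful deletes/renames and collect failed opens."""
    destroyed, denied = Counter(), defaultdict(list)
    for rec in filter(None, map(parse_line, lines)):
        key = (rec["user"], rec["ip"])
        if rec["ok"] and rec["op"] in destructive:
            destroyed[key] += 1
        elif not rec["ok"] and rec["op"] == "open" and rec["args"]:
            denied[key].append(rec["args"][-1])  # last argument is the path
    flagged = sorted(k for k, n in destroyed.items() if n >= threshold)
    return {"flagged": flagged, "destroyed": dict(destroyed), "denied": dict(denied)}

# Constructed sample lines (documentation addresses, made-up users and paths).
_A = "Aug 21 22:31:04 dc1 smbd_audit: samba: IP=192.0.2.10|USER=alice|MACHINE=ws01|VOLUME=projects|"
_B = "Aug 21 22:32:10 dc1 smbd_audit: samba: IP=192.0.2.20|USER=bob|MACHINE=ws02|VOLUME=hr|"
SAMPLE = [
    _A + "unlinkat|ok|/srv/projects/a.docx",
    _A + "unlinkat|ok|/srv/projects/b.docx",
    _A + "renameat|ok|/srv/projects/c.docx|/srv/projects/c.docx.bak",
    _B + "open|fail (Permission denied)|r|/srv/hr/salaries.xlsx",
    _B + "pwrite|ok|/srv/hr/notes.txt",
]

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

The threshold of 3 only suits the constructed sample; on a real share it would be set per time window from normal activity.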