Kees van Vloten via samba <samba at lists.samba.org>
>
> On 11-09-2023 at 12:14, d tbsky via samba wrote:
> > Hi:
> > Today my user reported that one directory at the samba share disappeared.
> > I had created the vfs_full_audit configuration like below:
> >
> > vfs objects = recycle full_audit
> > full_audit:priority = notice
> > full_audit:facility = local5
> > full_audit:success = mkdirat renameat unlinkat
> > full_audit:failure = none
> > full_audit:prefix = %u|%I
> >
> > but I cannot find the related log about the missing directory.
> > Normally I can find deleted/renamed files via the log. I wonder if
> > there are some other vfs operations I should add to monitor
> > directories?
> >
> > Thanks a lot for your help!
> Is your question, what full_audit property to add to see a missing
> directory? What exactly do you want to see, the deletion or a failing
> call that tries to read it or something else?
Hi:
Sorry. I found the missing directory in the audit log. My user gave
me incorrect information, so it took me a long time to check the log.
I use vfs_full_audit so that when a user cannot find their stuff, I can
understand what happened.
However, currently vfs_full_audit writes too much useless data even with
my current configuration above.
For example, it would log the data below:
Sep 11 17:57:32 file smbd_audit[42497]: [2023/09/11 17:57:32.207301,
0] ../../lib/util/access.c:372(allow_access)
Sep 11 17:57:32 file smbd_audit[42497]: Denied connection from
10.11.1.19 (10.11.1.19)
Sep 11 17:57:34 file smbd_audit[42497]: [2023/09/11 17:57:34.265839,
0] ../../lib/util/access.c:372(allow_access)
Sep 11 17:57:34 file smbd_audit[42497]: Denied connection from
10.11.1.19 (10.11.1.19)
Sep 11 17:57:43 file smbd_audit[35644]: [2023/09/11 17:57:43.858408,
0] ../../source3/smbd/service.c:168(chdir_current_service)
Sep 11 17:57:43 file smbd_audit[35644]: chdir_current_service:
vfs_ChDir(/share/samba/home/h347) failed: Permission denied. Current
token: uid=11270, gid=10515, 3 groups: 11270 10515 11292
I hope it logs only useful data like:
Sep 11 17:37:03 file smbd_audit[35621]:
DOM\bb0809|10.11.11.130|renameat|ok|/share/samba/home/bb0809/a.doc|/share/samba/home/bb0809/B09E48D8.tmp
I am using RHEL9, so by default the log data flows from journald to
rsyslog to the file I defined (/var/log/samba/audit.log), which makes
even more useless data in the system.
I tried to use the samba configuration to make the work simpler:
log level = 1 full_audit:1@/var/log/samba/audit.log
but the log format is like below:
[2023/09/11 18:04:10.938942, 1]
../../source3/modules/vfs_full_audit.c:643(do_log)
DOM\h1701|10.99.6.175|unlinkat|ok|/share/samba/public/863B5E69.tmp
[2023/09/11 18:04:21.948413, 1]
../../source3/modules/vfs_full_audit.c:643(do_log)
DOM\h1701|10.99.6.175|renameat|ok|/share/samba/public/a.xlsx|/share/samba/public/.recycle/h1701/a.xlsx
I get an additional "../../source3/modules/vfs_full_audit.c:643(do_log)"
for every log entry. It is really meaningless since the log file is made
only for "vfs_full_audit".
So I am thinking about how to get rid of the useless log data. Maybe I
should filter them out via rsyslog and forget about the garbage in
journald, but it would be much better if the logging did not go to
journald in the first place.
Below is my smb.conf. I think much of the useless data comes from the
"hosts allow" definition.
[global]
workgroup = DOM
netbios name = file
realm = AD.DOM.COM
security = ads
idmap config *:backend = tdb
idmap config *:range = 5000-9999
idmap config DOM:backend = rid
idmap config DOM:range = 10000-999999
idmap config DOM:unix_primary_group = yes
template homedir = /share/samba/home/%U
template shell = /bin/false
winbind enum users = yes
winbind enum groups = yes
winbind nested groups = yes
winbind use default domain = yes
ntlm auth = ntlmv1-permitted
server min protocol = NT1
veto files = /.DS_Store/._.DS_Store/
# disable printing
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes
vfs objects = recycle full_audit
# audit setting
full_audit:priority = notice
full_audit:facility = local5
full_audit:success = mkdirat renameat unlinkat
full_audit:failure = none
full_audit:prefix = %u|%I
[in]
path = /share/samba/public/in
read only = No
create mask = 0775
force create mode = 0775
directory mask = 0775
hide unreadable = No
# recycle bin
recycle:keeptree = yes
recycle:versions = yes
recycle:touch = yes
recycle:repository = .recycle/%U
recycle:exclude = *.tmp,*.temp,*.o,*.obj,*.TMP,*.TEMP
recycle:noversions = *.tmp,*.temp,*.o,*.obj,*.TMP,*.TEMP
hosts allow = 10.11.11. 10.11.253. 10.11.100.0/255.255.255.192 10.12.1.160 10.11.249.
[out]
path = /share/samba/public/out
read only = No
create mask = 0775
force create mode = 0775
directory mask = 0775
hide unreadable = No
# recycle bin
recycle:keeptree = yes
recycle:versions = yes
recycle:touch = yes
recycle:repository = .recycle/%U
recycle:exclude = *.tmp,*.temp,*.o,*.obj,*.TMP,*.TEMP
recycle:noversions = *.tmp,*.temp,*.o,*.obj,*.TMP,*.TEMP
hosts allow = 10.11.100. 10.11.253.
[mis]
path = /share/samba/public/mis
read only = No
create mask = 0775
force create mode = 0775
directory mask = 0775
hide unreadable = No
[mis$]
path = /share/samba/public/mis
read only = Yes
browseable = No
[homes]
read only = No
browseable = No
# recycle bin
recycle:keeptree = yes
recycle:versions = yes
recycle:touch = yes
recycle:repository = .recycle
recycle:exclude = *.tmp,*.temp,*.o,*.obj,*.TMP,*.TEMP
recycle:noversions = *.tmp,*.temp,*.o,*.obj,*.TMP,*.TEMP
hosts allow = 10.11.11. 10.11.253. 10.10.10. 10.11.100.0/255.255.255.192
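As an added example (not part of the thread and not Samba's own code), a small Python parser that keeps only the pipe-delimited full_audit records produced by the `full_audit:prefix = %u|%I` setting discussed above, drops the other smbd_audit debug lines (the "Denied connection" and chdir_current_service noise), and answers the original question of which audited operations touched a given directory. The sample log lines are constructed after the ones quoted in the message; the function names are my own.

```python
import re
from collections import Counter

# Constructed sample lines, modelled on the syslog output quoted in the thread.
SAMPLE_LOG = """\
Sep 11 17:57:32 file smbd_audit[42497]: [2023/09/11 17:57:32.207301, 0] ../../lib/util/access.c:372(allow_access)
Sep 11 17:57:32 file smbd_audit[42497]: Denied connection from 10.11.1.19 (10.11.1.19)
Sep 11 17:57:43 file smbd_audit[35644]: chdir_current_service: vfs_ChDir(/share/samba/home/h347) failed: Permission denied.
Sep 11 17:37:03 file smbd_audit[35621]: DOM\\bb0809|10.11.11.130|renameat|ok|/share/samba/home/bb0809/a.doc|/share/samba/home/bb0809/B09E48D8.tmp
Sep 11 18:04:10 file smbd_audit[35622]: DOM\\h1701|10.99.6.175|unlinkat|ok|/share/samba/public/863B5E69.tmp
Sep 11 18:05:00 file smbd_audit[35622]: DOM\\h1701|10.99.6.175|mkdirat|ok|/share/samba/public/newdir
"""

# Only full_audit records with prefix "%u|%I" have this shape:
#   <syslog ts> <host> smbd_audit[<pid>]: user|client-ip|operation|ok-or-fail|path[|path2]
AUDIT_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ smbd_audit\[(?P<pid>\d+)\]: "
    r"(?P<user>[^|]+)\|(?P<ip>[^|\s]+)\|(?P<op>\w+)\|(?P<result>ok|fail)\|(?P<args>.*)$"
)


def parse_audit(text):
    """Return the full_audit records in `text`; smbd debug lines do not match and are skipped."""
    records = []
    for line in text.splitlines():
        m = AUDIT_RE.match(line)
        if not m:
            continue  # "Denied connection", chdir_current_service, etc.
        rec = m.groupdict()
        # renameat carries source|destination, the other ops a single path.
        rec["paths"] = rec.pop("args").split("|")
        records.append(rec)
    return records


def count_ops(records):
    """Operation histogram, useful to spot a share that is unexpectedly noisy."""
    return Counter(r["op"] for r in records)


def history_for(records, directory):
    """Records whose source or destination path is `directory` or lies beneath it."""
    prefix = directory.rstrip("/") + "/"
    return [r for r in records
            if any(p == directory or p.startswith(prefix) for p in r["paths"])]
```

Run against a real /var/log/samba/audit.log, `history_for(records, "/share/samba/home/<user>")` lists the mkdirat/renameat/unlinkat events that explain where a "missing" directory went.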