[Samba] Full_Audit preventing file writing

Fabio Bonilha fabio at bonilha.eti.br
Wed Jan 13 11:27:27 MST 2010


The smb.conf is the following:

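[global]
# [global] for a Samba PDC that keeps accounts in LDAP (ldapsam).
# Samba reads parameters in order, so a parameter given twice takes its last
# value; the duplicates from the original file ("ldap delete dn", "socket
# options") have been collapsed, and two lines that were wrapped by the mail
# client have been rejoined so they parse as single parameters again.
        workgroup = XXXX
        netbios name = PDC-XXXX
        server string = CentOS
        smb ports = 139
        security = user
        encrypt passwords = yes
        guest account = nobody
        log file = /var/log/samba/%m.log
        max log size = 500
        # "0 vfs:10": quiet everywhere except the VFS layer, where full_audit
        # lives, which is traced at level 10.
        log level = 0 vfs:10

        # Browse-master and domain-controller roles
        os level = 100
        local master = yes
        domain master = yes
        preferred master = yes
        domain logons = yes
        wins support = yes
        dns proxy = no

        # "admin users" perform every file operation on every share as root;
        # keep this list as short as possible.
        admin users = administrador root
        enable privileges = yes
        logon script = logon.bat
        logon path = \\%L\profiles\%U

        # LDAP backend. "ldap ssl = off" sends the ldap admin dn bind in the
        # clear; that is tolerable only because the directory is reached on
        # the loopback address.
        passdb backend = ldapsam:ldap://127.0.0.1/
        ldap admin dn = cn=user,dc=company,dc=com,dc=br
        ldap suffix = dc=company,dc=com,dc=br
        ldap user suffix = ou=People
        ldap group suffix = ou=Group
        ldap machine suffix = ou=Computers
        ldap idmap suffix = ou=Idmap
        ldap ssl = off
        #ldap ssl = start tls
        ldap passwd sync = yes
        ldap delete dn = yes
        idmap backend = ldap:ldap://127.0.0.1
        idmap uid = 10000-15000
        idmap gid = 10000-15000
        template shell = /bin/false
        winbind use default domain = no

        # Unix password synchronisation
        passwd program = /usr/bin/passwd %u
        passwd chat = *New*password* %n *Retype*new*password* %n
        ;#*passwd:*all*authentication*tokens*updated*successfully*

        # Account-management scripts (smbldap-tools)
        add machine script = /usr/sbin/smbldap-useradd -w %u
        add user script = /usr/sbin/smbldap-useradd -m "%u"
        delete user script = /usr/sbin/smbldap-userdel "%u"
        add group script = /usr/sbin/smbldap-groupadd -p "%g"
        delete group script = /usr/sbin/smbldap-groupdel "%g"
        add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
        delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
        set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"

        dos charset = UTF-8
        unix charset = UTF-8

        # Was given twice in the original (the first time with IPTOS_LOWDELAY);
        # this last occurrence is the one that took effect.
        socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192

###### Audit (If the comments are removed from the following lines the problem happens, even if only the first one)
#vfs objects =  full_audit
#full_audit:prefix = %u|%I|%S
#full_audit:success = open, write, unlink, rename, mkdir, rmdir, chmod,chown
#full_audit:failure = none
#full_audit:facility = LOCAL6
#full_audit:priority = NOTICE
######## END AUDITORIA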


[homes]
        # Special per-user home share. Directories are created 0700, so only
        # the owner can read them; "force user = %U" runs the connection as
        # the requested session user rather than a fixed account.
        comment = Home
        browseable = no
        writable = yes
        force user = %U
        create mask = 0700
        directory mask = 0700


[netlogon]
        # Logon-script share. No "read only"/"writeable" is set, so the share
        # keeps Samba's read-only default and only the write list can modify
        # logon.bat and friends.
        path = /home/sys/netlogon
        write list = user1, user2
[profiles]
        # Roaming-profile store referenced by "logon path" in [global].
        # Profiles are created 0600/0700 so one user cannot read another's.
        path = /home/sys/profiles
        browseable = no
        writeable = yes
        read only = no
        create mode = 0600
        directory mode = 0700
        nt acl support = yes
        profile acls = yes


[raiz]
        # Exports the server's filesystem root over SMB. Access is limited to
        # user1 and user2, and "force user = %U" keeps their own identity, so
        # whatever those Unix accounts can read or write anywhere on the host
        # is reachable through this share.
        path = /
        valid users = user1,user2
        force user = %U
        browseable = no
        writeable = yes

[printers]
        # Print spool share: printable but not writable as a file share, and
        # no guest access.
        comment = Impressoras
        path = /var/spool/samba
        printable = yes
        writable = no
        guest ok = no
        browseable = no


[comum]
        # Shared area for every member of the Unix group "Domain Users"
        # ("+" selects a Unix group lookup). Files are group-owned via
        # "force group" and created 0775 so the whole group can edit them.
        path = /home/comum
        valid users = +"Domain Users"
        force group = "Domain Users"
        browseable = yes
        # "writeable = yes" and "read only = no" express the same setting;
        # the write list adds nothing once the share is writable.
        writeable = yes
        read only = no
        write list = +"Domain Users"
        create mode = 0775
        directory mode = 0775



[Atendimento]
        # Department share for the Atendimento Unix group; group-owned files,
        # created 0775.
        path = /home/dados/arquivos/atendimento
        valid users = +Atendimento
        force group = Atendimento
        browseable = yes
        writeable = yes
        read only = no
        write list = +Atendimento
        create mode = 0775
        directory mode = 0775


[Juridico]
        # Department share for the Juridico Unix group; group-owned files,
        # created 0775.
        path = /home/dados/arquivos/juridico
        valid users = +Juridico
        force group = Juridico
        browseable = yes
        writeable = yes
        read only = no
        write list = +Juridico
        create mode = 0775
        directory mode = 0775

[Telemark]
        # Department share for the Telemarketing Unix group (share name is the
        # short form "Telemark"); group-owned files, created 0775.
        path = /home/dados/arquivos/telemarketing
        valid users = +Telemarketing
        force group = Telemarketing
        browseable = yes
        writeable = yes
        read only = no
        write list = +Telemarketing
        create mode = 0775
        directory mode = 0775

[Administ]
        # Department share for the Administrativo Unix group; group-owned
        # files, created 0775.
        path = /home/dados/arquivos/administrativo
        valid users = +Administrativo
        force group = Administrativo
        browseable = yes
        writeable = yes
        read only = no
        write list = +Administrativo
        create mode = 0775
        directory mode = 0775

[Finance]
        # Read-write view of the Financeiro tree for the Financeiro Unix
        # group; the read-only counterpart is [Fin_read] on the same path.
        path = /home/dados/arquivos/financeiro
        valid users = +Financeiro
        force group = Financeiro
        browseable = yes
        writeable = yes
        read only = no
        write list = +Financeiro
        create mode = 0775
        directory mode = 0775

[Fin_read]
        # Read-only view of the same tree as [Finance], for the Fin-Leitura
        # Unix group. "writeable = no" and "read only = yes" say the same
        # thing; "force group = Financeiro" only affects what the connection
        # runs as, since nothing can be created here.
        path = /home/dados/arquivos/financeiro
        valid users = +Fin-Leitura
        force group = Financeiro
        browseable = yes
        writeable = no
        read only = yes

[Info]
        # Department share for the Informatica Unix group; group-owned files,
        # created 0775.
        path = /home/dados/arquivos/informatica
        valid users = +Informatica
        force group = Informatica
        browseable = yes
        writeable = yes
        read only = no
        write list = +Informatica
        create mode = 0775
        directory mode = 0775

[Planeja]
        # Department share for the Planejamento Unix group; group-owned files,
        # created 0775.
        path = /home/dados/arquivos/planejamento
        valid users = +Planejamento
        force group = Planejamento
        browseable = yes
        writeable = yes
        read only = no
        write list = +Planejamento
        create mode = 0775
        directory mode = 0775

[Dados]
        # Parent of every department tree above, open to all of "Domain
        # Users". NOTE(review): this share uses the "@" prefix (NIS netgroup,
        # then Unix group) while [comum] uses "+" (Unix group only) for the
        # same group name; confirm the difference is intentional.
        path = /home/dados
        valid users = @"Domain Users"
        force group = "Domain Users"
        browseable = yes
        writeable = yes
        write list = @"Domain Users"
        create mode = 0775
        directory mode = 0775

-----------------------------------------

The level 10 debug log is enormous; it may be easier if you tell me
    what I should look for.

Regards.


Volker Lendecke escreveu:
> On Wed, Jan 13, 2010 at 11:05:53AM -0200, Fabio Bonilha wrote:
>> When VFS full_audit is activated the server doesn't allow users to write
>> changes in any file.
>>
>> The log vfs:10 shows:
>>
>> Jan 12 22:22:00 loginserver smbd_audit:
>> aaaa.bbbb|192.168.23.10|get_real_filename|fail (Operation not 
>> supported)|/Novo
>> Documento de Texto.txt->(null)
>> Jan 12 22:22:00 loginserver smbd_audit: 
>> aaaa.bbbb|192.168.23.10|fchmod_acl|fail
>> (No data available)|Novo Documento de Texto.txt|100764
> 
> There have been several reports about this now, but although
> I've tried I have not been able to reproduce this so far.
> Can you please send me (if necessary in private mail) your
> smb.conf and a full debug level 10 log of smbd?
> 
> Thanks,
> 
> Volker


