[Samba] vfs_full_audit log question

d tbsky tbskyd at gmail.com
Mon Sep 11 16:49:08 UTC 2023


Kees van Vloten via samba <samba at lists.samba.org>
>
>
> Op 11-09-2023 om 12:14 schreef d tbsky via samba:
> > Hi:
> >    today my user reported that one directory on the samba share disappeared.
> > I had created the vfs_full_audit config like below:
> >
> >     vfs objects = recycle full_audit
> >     full_audit:priority = notice
> >     full_audit:facility = local5
> >     full_audit:success = mkdirat renameat unlinkat
> >     full_audit:failure = none
> >     full_audit:prefix = %u|%I
> >
> > but I can not find the related log about the missing directory.
> > normally I can find deleted/renamed files via the log. I wonder if
> > there are some other vfs operations I should add for monitoring
> > directories?
> >
> > thanks a lot for your help!
> Is your question, what full_audit property to add to see a missing
> directory? What exactly do you want to see, the deletion or a failing
> call that tries to read it or something else?

Hi:
   sorry. I found the missing directory in the audit log. my user told
me incorrect information, so it took me a long time to check the log.
I use vfs_full_audit so that when a user can not find their stuff, I can
understand what happened.
however currently vfs_full_audit writes too much useless data even with
my current configuration above.
for example it would log the data below:

Sep 11 17:57:32 file smbd_audit[42497]: [2023/09/11 17:57:32.207301,
0] ../../lib/util/access.c:372(allow_access)
Sep 11 17:57:32 file smbd_audit[42497]:  Denied connection from
10.11.1.19 (10.11.1.19)
Sep 11 17:57:34 file smbd_audit[42497]: [2023/09/11 17:57:34.265839,
0] ../../lib/util/access.c:372(allow_access)
Sep 11 17:57:34 file smbd_audit[42497]:  Denied connection from
10.11.1.19 (10.11.1.19)
Sep 11 17:57:43 file smbd_audit[35644]: [2023/09/11 17:57:43.858408,
0] ../../source3/smbd/service.c:168(chdir_current_service)
Sep 11 17:57:43 file smbd_audit[35644]:  chdir_current_service:
vfs_ChDir(/share/samba/home/h347) failed: Permission denied. Current
token: uid=11270, gid=10515, 3 groups: 11270 10515 11292

I hope it logs only useful data like:
Sep 11 17:37:03 file smbd_audit[35621]:
DOM\bb0809|10.11.11.130|renameat|ok|/share/samba/home/bb0809/a.doc|/share/samba/home/bb0809/B09E48D8.tmp

I am using RHEL9.  so by default the log data will flow from journald to
rsyslog to the file I defined (/var/log/samba/audit.log), which makes
more useless data in the system.
I tried to use the samba configuration to make the work simpler:

log level = 1 full_audit:1@/var/log/samba/audit.log

but the log format is like below:
[2023/09/11 18:04:10.938942,  1]
../../source3/modules/vfs_full_audit.c:643(do_log)
  DOM\h1701|10.99.6.175|unlinkat|ok|/share/samba/public/863B5E69.tmp
[2023/09/11 18:04:21.948413,  1]
../../source3/modules/vfs_full_audit.c:643(do_log)
  DOM\h1701|10.99.6.175|renameat|ok|/share/samba/public/a.xlsx|/share/samba/public/.recycle/h1701/a.xlsx

I got an additional " ../../source3/modules/vfs_full_audit.c:643(do_log)"
for every log line. it is really meaningless since the log file is made
only for "vfs_full_audit".

so I am thinking about how to get rid of the useless log data. maybe I
should filter them out via rsyslog and forget about the garbage in
journald. but it is much better if the logging won't go to journald in
the first place.
below is my smb.conf.  I think much of the useless data comes from the "hosts
allow" definition.

[global]
   workgroup = DOM
   netbios name = file
   realm = AD.DOM.COM
   security = ads
   idmap config *:backend = tdb
   idmap config *:range = 5000-9999
   idmap config DOM:backend = rid
   idmap config DOM:range = 10000-999999
   idmap config DOM:unix_primary_group = yes
   template homedir = /share/samba/home/%U
   template shell = /bin/false
   winbind enum users = yes
   winbind enum groups = yes
   winbind nested groups = yes
   winbind use default domain = yes
   ntlm auth =  ntlmv1-permitted
   server min protocol = NT1
   veto files = /.DS_Store/._.DS_Store/

   # disable printing
   load printers = no
   printing = bsd
   printcap name = /dev/null
   disable spoolss = yes

   vfs objects = recycle full_audit
   # audit setting
   full_audit:priority = notice
   full_audit:facility = local5
   full_audit:success = mkdirat renameat unlinkat
   full_audit:failure = none
   full_audit:prefix = %u|%I

[in]
   path = /share/samba/public/in
   read only = No
   create mask = 0775
   force create mode = 0775
   directory mask = 0775
   hide unreadable = No

   # recycle bin
   recycle:keeptree = yes
   recycle:versions = yes
   recycle:touch = yes
   recycle:repository = .recycle/%U
   recycle:exclude = *.tmp,*.temp,*.o,*.obj,*.TMP,*.TEMP
   recycle:noversions = *.tmp,*.temp,*.o,*.obj,*.TMP,*.TEMP

   hosts allow = 10.11.11. 10.11.253. 10.11.100.0/255.255.255.192 10.12.1.160 10.11.249.

[out]
   path = /share/samba/public/out
   read only = No
   create mask = 0775
   force create mode = 0775
   directory mask = 0775
   hide unreadable = No

   # recycle bin
   recycle:keeptree = yes
   recycle:versions = yes
   recycle:touch = yes
   recycle:repository = .recycle/%U
   recycle:exclude = *.tmp,*.temp,*.o,*.obj,*.TMP,*.TEMP
   recycle:noversions = *.tmp,*.temp,*.o,*.obj,*.TMP,*.TEMP

   hosts allow = 10.11.100. 10.11.253.

[mis]
   path = /share/samba/public/mis
   read only = No
   create mask = 0775
   force create mode = 0775
   directory mask = 0775
   hide unreadable = No

[mis$]
   path = /share/samba/public/mis
   read only = Yes
   browseable = No

[homes]
   read only = No
   browseable = No

   # recycle bin
   recycle:keeptree = yes
   recycle:versions = yes
   recycle:touch = yes
   recycle:repository = .recycle
   recycle:exclude = *.tmp,*.temp,*.o,*.obj,*.TMP,*.TEMP
   recycle:noversions = *.tmp,*.temp,*.o,*.obj,*.TMP,*.TEMP

   hosts allow = 10.11.11. 10.11.253. 10.10.10. 10.11.100.0/255.255.255.192
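As an added example (not code from the thread or from Samba): a small Python parser that keeps only the real vfs_full_audit records out of the mixed output shown above (dropping the allow_access, chdir_current_service and do_log header lines) and answers the original question of which audited operations touched a given directory. It assumes the thread's `full_audit:prefix = %u|%I` (two prefix fields before the operation name) and re-joins the email-wrapped log lines into single lines as constructed sample input.

```python
import re
from dataclasses import dataclass

# vfs_full_audit writes "<prefix>|<op>|ok|<args>" (args are '|'-separated;
# renameat carries two paths). With "full_audit:prefix = %u|%I" the prefix
# is two fields: user and client address (assumption taken from the thread).
SYSLOG_HDR = re.compile(r"^\w{3} +\d+ [\d:]+ \S+ smbd_audit\[\d+\]:\s*")
RECORD = re.compile(r"^(?P<user>[^|]*)\|(?P<client>[^|]*)\|(?P<op>\w+)\|"
                    r"(?P<status>ok|fail)\|(?P<args>.*)$")

@dataclass(frozen=True)
class AuditRecord:
    user: str
    client: str
    op: str
    status: str
    paths: tuple

def parse_line(line):
    """Return an AuditRecord, or None for lines that are not audit records
    (Samba debug headers, allow_access denials, chdir failures, ...)."""
    body = SYSLOG_HDR.sub("", line.rstrip("\n")).strip()
    m = RECORD.match(body)
    if m is None:
        return None
    return AuditRecord(m["user"], m["client"], m["op"], m["status"],
                       tuple(m["args"].split("|")))

def parse_log(lines):
    """Keep only the real audit records from a mixed syslog/debug log."""
    return [r for r in map(parse_line, lines) if r is not None]

def records_touching(records, directory):
    """Records whose source or destination path is `directory` or inside
    it: the thread's question of what happened to a vanished directory."""
    d = directory.rstrip("/")
    return [r for r in records
            if any(p == d or p.startswith(d + "/") for p in r.paths)]

# Constructed sample: the thread's lines re-joined onto single lines
# (rsyslog output first, then the "log level = ... @file" debug format).
SAMPLE = [
    "Sep 11 17:57:32 file smbd_audit[42497]: [2023/09/11 17:57:32.207301, 0] ../../lib/util/access.c:372(allow_access)",
    "Sep 11 17:57:32 file smbd_audit[42497]:  Denied connection from 10.11.1.19 (10.11.1.19)",
    "Sep 11 17:37:03 file smbd_audit[35621]: DOM\\bb0809|10.11.11.130|renameat|ok|/share/samba/home/bb0809/a.doc|/share/samba/home/bb0809/B09E48D8.tmp",
    "[2023/09/11 18:04:10.938942,  1] ../../source3/modules/vfs_full_audit.c:643(do_log)",
    "  DOM\\h1701|10.99.6.175|unlinkat|ok|/share/samba/public/863B5E69.tmp",
]
```

`records_touching(parse_log(SAMPLE), "/share/samba/home/bb0809")` returns just the renameat record, which is the kind of query that would have located the "missing" directory without reading the noise lines.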
