NT 4 sp3 audit + samba = total mess

MATHOG at seqaxp.bio.caltech.edu
Wed Jun 16 15:02:32 GMT 1999


(This was originally posted to mlist.samba and is reposted here by request.)

A samba server (2.0.2 linux/intel) is the primary domain server for "SAF".
5 workstations (nt 4sp3 intel) belong to this domain.  In order to trash the
event viewer, do the following: 

As administrator:

1.  select any file (on C:, this has nothing to do with samba file sharing)
2.  properties
3.  audit
4.  add

at this point it tries to look up the users in SAF, fails, and Dr. Watson
pays a visit.  No matter how quickly I change the group/domain from
SAF to the name of the local machine, this always happens.

But it isn't just a one time crash. After this happens, one or more of the
event viewer logs will refuse to open, with an "enumeration out of range"
error.  

For those of you unfortunate enough to also trip over this glitch, here is
how to get out of this state: 

As administrator:
1. control panels -> services
2. select event log
3. change startup to manual
4. reboot  (it's WNT, all fixes require reboots!)
5. when it comes up, delete the .evt files from C:\winnt\system32\config
6. control panels -> services
7. select event log
8. start it. This creates new event logs.
9. change startup to automatic
10. reboot 

So, my questions are:

A. Is there a patch/fix so that samba and WNT don't conspire to trash the
   event logs every time I try to turn on auditing?  (Note that I'm 
   auditing the C: drive, the files are not touched by Samba.)

B. Is there some other way to specify the equivalent of the AUDIT command?
   I want event auditing for EVERYONE on certain files, and EVERYONE
   is in the machine list of groups, not in the domain list.  If I could 
   specify this on the command line, the lookup of users in SAF could be
   avoided.

(I need auditing to figure out which files need relaxed protections so
that Corel Dream3D will let "average" users run the program on these
workstations.  Right now the disk is NTFS and all installed software
defaults to everybody:RX.  If one of the users tries to run this, Dream3D
starts, moans about "can't read file" and closes.  It doesn't log anything.
If I can turn on auditing I can find out which file it tried to read.)

Thanks,

David Mathog
mathog at seqaxp.bio.caltech.edu
Manager, sequence analysis facility, biology division, Caltech 
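Editor's note on question B. The crash comes from the Audit dialog trying to resolve account names against the SAF domain; if the principal is given as a well-known SID instead of a name, nothing needs to be looked up at all. NT4 shipped no command-line tool for writing SACLs, so the following is an added example for a current Windows host with PowerShell, not code from the original post or from Samba; it does with a script what the Audit tab does with the mouse, then pulls the resulting failure events so the file the program could not read can be identified. The install path is a hypothetical placeholder, and the event field names are those of event ID 4656 on current Windows.

```powershell
# Added example (not from the original post). Puts a SACL entry for Everyone on a
# directory tree, naming the principal by its well-known SID (S-1-1-0) rather than
# by name, so nothing is resolved against a domain controller. Then lists the
# failed-open events so the offending file can be found.
# Run from an elevated prompt (writing a SACL needs SeSecurityPrivilege).

param([string]$Path = 'C:\Apps\Dream3D')   # hypothetical install directory

# 1. Object-access auditing must be enabled, or SACL entries never fire.
auditpol /set /subcategory:"File System" /failure:enable | Out-Null

# 2. Audit rule: Everyone (S-1-1-0), read/execute attempts, failures only,
#    inherited by subdirectories and files.
$everyone = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'
$rights   = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute
$inherit  = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$prop     = [System.Security.AccessControl.PropagationFlags]::None
$flags    = [System.Security.AccessControl.AuditFlags]::Failure
$rule     = New-Object System.Security.AccessControl.FileSystemAuditRule(
                $everyone, $rights, $inherit, $prop, $flags)

# 3. Read the existing SACL (-Audit is required), add the rule, write it back.
$acl = Get-Acl -Path $Path -Audit
$acl.AddAuditRule($rule)
Set-Acl -Path $Path -AclObject $acl

# 4. After reproducing the failure as an ordinary user, list the objects under
#    $Path whose open was refused. Event 4656 ("a handle to an object was
#    requested") is logged on failure when the SACL matches; the field names
#    are read from the event XML so no positional property index is assumed.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4656 } -MaxEvents 200 |
    ForEach-Object {
        $data = @{}
        ([xml]$_.ToXml()).Event.EventData.Data |
            ForEach-Object { $data[$_.Name] = $_.'#text' }
        if ($data['ObjectName'] -like "$Path*") {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Account = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
                Object  = $data['ObjectName']
                Access  = $data['AccessMask']
            }
        }
    }
```

The point worth keeping from this even on older systems: an audit or permission entry is stored as a SID, and the name lookup is only a convenience of the GUI. Supplying the SID directly sidesteps the domain round trip that triggered the crash described above.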


More information about the samba-ntdom mailing list