[Samba] VFS full_audit problem

Lennart Sorensen lsorense at csclub.uwaterloo.ca
Wed Dec 9 10:29:21 MST 2009


On Wed, Dec 09, 2009 at 05:47:18PM +0100, Tomasz Przewlucki wrote:
> I had implemented on one of my shares vfs full_audit module. It was  
> working with Samba 3.0.x without any problems.
>
> After migration to Samba 3.4.3 this function doesn't work anymore - when  
> it's enabled then share isn't accessible from users (it's visible but  
> getting error when trying to connect to it).
> Audit and extd_audit vfs's are working fine, but they don't meet my  
> requirements.
>
> I've tried full_audit on shares with and without extended attributes  
> (ext3 with xattr), getting same results.

Well it broke everything for me too when I enabled it.  I did not try
it before though so I have no idea that it used to work.  I had to turn
it off right away.  It sure seems like that full_audit is totally broken
at this time (well it logs lots of stuff, it just prevents users from
doing anything too).

> In samba debug:10 log I couldn't see anything strange, so I want first  
> to ask if there is anybody with working vfs full_audit on samba 3.4.3?
>
> My smb.conf:
>
> # Global parameters
> [global]
> workgroup = OBRAM
> netbios name = PASSAT
> server string = OBRAM_PDC
> security = user
> interfaces = 192.168.0.13 10.0.0.113
> smb ports = 139 445
> time server = Yes
> #
> encrypt passwords = yes
> enable privileges = yes
> obey pam restrictions = No
> username map = /etc/samba/smbusers
> #
> msdfs root = yes
> #
> log level = 1 vfs:1
> #log level = 10
> syslog = 3
> log file = /var/log/samba/log.%m
> max log size = 10000
> #
> mangling method = hash2
> dos charset = 852
> Unix charset = UTF-8
> display charset = UTF-8
> #
> logon script = "%G.bat"
> logon drive = H:
> logon home =
> logon path =
> lanman auth = no
> ntlm auth = no
> client ntlmv2 auth = yes
> #
> nt acl support = yes
> #
> map hidden = no
> map system = no
> map archive = no
> ea support = yes
> map acl inherit = yes
> store dos attributes = yes
> #
> domain logons = Yes
> oslevel = 65
> preferred master = Yes
> domain master = Yes
> wins support = Yes
> local master = yes
> #
> passdb backend = ldapsam:"ldap://127.0.0.1 ldap://192.168.0.40"
> #
> ldapsam:trusted = yes
> ldapsam:editposix = yes
> #
> ldap admin dn = cn=samba,ou=DSA,dc=obram
> ldap suffix = dc=obram
> ldap user suffix = ou=Users
> ldap group suffix = ou=Groups
> ldap machine suffix = ou=Computers
> ldap idmap suffix = ou=Idmap
> #ldap ssl = start tls
> ldap ssl = no
> ldap delete dn = Yes
> ldap passwd sync = Yes
> #
> idmap uid = 111000-120000
> idmap gid = 111000-120000
> idmap backend = ldap:"ldap://127.0.0.1 ldap://192.168.0.40"
> idmap alloc backend = ldap
> idmap alloc config:ldap_base_dn = ou=Idmap,dc=obram
> idmap alloc config:ldap_user_dn = cn=samba,ou=DSA,dc=obram
> idmap alloc config:ldap_url = ldap://localhost
> idmap alloc config:range = 111000-120000
> #
> template homedir = /home/samba/users/%U
> winbind enum users = yes
> winbind enum groups = yes
> winbind use default domain = yes
> #
> create mask = 0640
> directory mask = 0750
> deadtime = 10
> guest account = nobody
> map to guest = Bad User
> dont descend = /proc,/dev,/etc,/lib,/lost+found,/initrd
> #
> preserve case = yes
> short preserve case = yes
> case sensitive = auto
> load printers = Yes
> printing = cups
> printcap name = cups
> show add printer wizard = yes
> #
> kernel oplocks = no
> #
> veto oplock files = /*.mdb/*.MDB/*.pst/*.PST/
> #
> # NEW Samba 3.4
> max open files = 10000
> max stat cache size = 1024
> registry shares = no
>
> #and this unworking with full_audit share:
> [temp]
>     comment = katalog kasowany co noc
>     path = /home/samba/temp/
>     browseable = Yes
>     guest ok = Yes
>     read only = No
>     directory mask = 0755
>     create mask = 0644
>     vfs objects = full_audit
>     full_audit:prefix = %u|%I
>     full_audit:success = mkdir rename rmdir write open
>     full_audit:failure = none
>     csc policy = disable
>     hide files = /desktop.ini/recycled/RECYCLER/autorun.inf/explorer.exe/
>
> Best regards,
> Tomasz Przewlucki

-- 
Len Sorensen

