[Samba] tracking user activity - Active Directory
Gregory Carter
gcarter at aesgi.com
Thu Mar 7 18:25:56 MST 2013
Good point.
One further, since we are on the discussion.
Whatever, mischief you say happened, requires for something to have been
changed on the samba server if you have the audit trail turned on for
your shares.
If you haven't done that already, I suggest you turn on the share
auditing features.
But a login doesn't constitute much in the area of evidence other than
circumstantial.
Furthermore, if the SAMBA server was used as a authentication point
only, and the mischief took place on the local workstation, you won't
see that obviously on any samba log.
Obvious perhaps to many here, but stated nonetheless, you should engage
audits for your shares too.
For example:
[SG2TB]
comment = SG2TB
path = /mnt/sdcard
read only = no
; browseable = yes
valid users = gcarter
full_audit:failure = none
full_audit:success = mkdir rename unlink rmdir open pwrite
full_audit:prefix = %u|%I|%m|%S
-gc
On 03/07/2013 06:01 PM, Gregory Sloop wrote:
> Pardon me for butting in, and probably you've already considered this,
> but what the heck.
>
> Do you even know that the user actually logged in during the time in
> question? I suppose the logs will at least let you know *if* anyone
> did login, but if the trouble-maker used an already logged in station
> you get nada in the logs.
>
> -Greg
>
More information about the samba
mailing list