[Samba] tracking user activity - Active Directory

Gregory Carter gcarter at aesgi.com
Thu Mar 7 18:25:56 MST 2013

Good point.

One further, since we are on the discussion.

Whatever, mischief you say happened, requires for something to have been 
changed on the samba server if you have the audit trail turned on for 
your shares.

If you haven't done that already, I suggest you turn on the share 
auditing features.

But a login doesn't constitute much in the area of evidence other than 

Furthermore, if the SAMBA server was used as a authentication point 
only, and the mischief took place on the local workstation, you won't 
see that obviously on any samba log.

Obvious perhaps to many here, but stated nonetheless, you should engage 
audits for your shares too.

For example:

         comment = SG2TB
         path = /mnt/sdcard
         read only = no
;       browseable = yes
         valid users = gcarter
         full_audit:failure = none
         full_audit:success = mkdir rename unlink rmdir open pwrite
         full_audit:prefix = %u|%I|%m|%S


On 03/07/2013 06:01 PM, Gregory Sloop wrote:
> Pardon me for butting in, and probably you've already considered this,
> but what the heck.
> Do you even know that the user actually logged in during the time in
> question? I suppose the logs will at least let you know *if* anyone
> did login, but if the trouble-maker used an already logged in station
> you get nada in the logs.
> -Greg

More information about the samba mailing list