[Samba] tracking user activity - Active Directory
Günter Kukkukk
linux at kukkukk.com
Thu Mar 7 18:41:53 MST 2013
On Friday, 8 March 2013, 02:25:56, Gregory Carter wrote:
> Good point.
>
> One further, since we are on the discussion.
>
> Whatever mischief you say happened requires something to have been
> changed on the samba server if you have the audit trail turned on for
> your shares.
>
> If you haven't done that already, I suggest you turn on the share
> auditing features.
>
> But a login doesn't constitute much in the area of evidence other than
> circumstantial.
>
> Furthermore, if the SAMBA server was used as an authentication point
> only, and the mischief took place on the local workstation, you won't
> see that obviously on any samba log.
>
> Obvious perhaps to many here, but stated nonetheless, you should engage
> audits for your shares too.
>
> For example:
>
> [SG2TB]
> comment = SG2TB
> path = /mnt/sdcard
> read only = no
> ; browseable = yes
> valid users = gcarter
> full_audit:failure = none
> full_audit:success = mkdir rename unlink rmdir open pwrite
> full_audit:prefix = %u|%I|%m|%S

To make full_audit work, you also need

    vfs objects = full_audit

in [global] or inside those [share] sections you want to audit.

See also:
http://moiristo.wordpress.com/2009/08/10/samba-logging-user-activity/
http://www.samba.org/samba/docs/man/manpages-3/ for a list of vfs_* audit modules
http://www.samba.org/samba/docs/man/manpages-3/vfs_full_audit.8.html

Cheers, Günter
>
> -gc
>
> On 03/07/2013 06:01 PM, Gregory Sloop wrote:
> > Pardon me for butting in, and probably you've already considered this,
> > but what the heck.
> >
> > Do you even know that the user actually logged in during the time in
> > question? I suppose the logs will at least let you know *if* anyone
> > did login, but if the trouble-maker used an already logged in station
> > you get nada in the logs.
> >
> > -Greg
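
Added example (not part of the original thread, and not Samba's own code): a small parser that turns full_audit records written with the prefix %u|%I|%m|%S from the share above into per-client lists of successful changes, so one account used from two workstations shows up as two sources. The syslog layout (tag "smbd_audit", then prefix|operation|result|arguments), the host name, the addresses and the file names are assumptions constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample syslog lines (not from the thread). Assumed layout: the
# "smbd_audit" tag, then the %u|%I|%m|%S prefix, then operation|result|args.
SAMPLE_LOG = """\
Mar  7 17:02:11 fs1 smbd_audit: gcarter|192.0.2.10|ws-07|SG2TB|mkdir|ok|reports
Mar  7 17:02:40 fs1 smbd_audit: gcarter|192.0.2.10|ws-07|SG2TB|rename|ok|reports/a.doc|reports/b.doc
Mar  7 17:03:05 fs1 smbd_audit: gcarter|192.0.2.44|ws-12|SG2TB|unlink|ok|reports/b.doc
Mar  7 17:03:09 fs1 sshd[812]: Accepted publickey for root from 192.0.2.5
Mar  7 17:04:00 fs1 smbd_audit: gcarter|192.0.2.44|ws-12|SG2TB|rmdir|ok|reports
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s\S+\ssmbd_audit(?:\[\d+\])?:\s(?P<body>.*)$")
# The operations listed in full_audit:success above that change data.
MODIFYING = {"mkdir", "rename", "unlink", "rmdir", "pwrite"}


def parse_line(line):
    """Return one audit event as a dict, or None for non-audit or short lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = m.group("body").split("|")
    if len(fields) < 7:  # 4 prefix fields + operation + result + at least 1 arg
        return None
    user, ip, machine, share, op, result = fields[:6]
    # A file name containing "|" would split into extra args; kept as-is here.
    return {"ts": m.group("ts"), "user": user, "ip": ip, "machine": machine,
            "share": share, "op": op, "result": result, "args": fields[6:]}


def parse_log(text):
    """Parse every line of a log, silently skipping lines that are not audit records."""
    return [e for e in map(parse_line, text.splitlines()) if e]


def changes_by_source(events):
    """Group successful modifying operations by (user, client IP, machine)."""
    grouped = defaultdict(list)
    for e in events:
        if e["op"] in MODIFYING and e["result"] == "ok":
            key = (e["user"], e["ip"], e["machine"])
            grouped[key].append((e["ts"], e["op"], e["args"]))
    return dict(grouped)


if __name__ == "__main__":
    for source, ops in changes_by_source(parse_log(SAMPLE_LOG)).items():
        print(source)
        for ts, op, args in ops:
            print("   ", ts, op, " -> ".join(args))
```
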