[Samba] Samba and auditd

Jeremy Allison jra at samba.org
Fri Feb 12 01:39:01 UTC 2021

On Thu, Feb 11, 2021 at 10:33:17PM -0300, Alan Evangelista via samba wrote:
>I'm using Samba to share a Linux directory X in a machine A with a Windows
>Server OS installed in a machine B and it's working fine.
>I have recently installed auditd in the Linux system (machine A) to track
>filesystem events initiated by users in both machines A and B. It works
>fine for file read/writes done in machine A, but I don't see any events
>initiated in machine B in auditd logs. Using strace to track syscalls
>called by smbd processes, I see that the open() syscall is called by samba
>to open files in X when files are read/written in the machine B, so I guess
>smbd is just getting the file requests sent by Windows Server, forwarding
>them to the Linux kernel via syscalls and forwarding the syscall responses
>back to Windows Server.

Yes, that's exactly what we do.

>Is there any difference between an open() syscall called by Samba or by a
>local Linux process (e.g. the touch command) which could explain the
>inconsistency in auditd behavior?

No. Samba smbd *is* a local Linux process on machine A. There's
no reason its file access shouldn't be being logged by the
kernel of machine A.
