[Samba] Full audit - permission changes

Alan Evangelista alan.vitor at gmail.com
Tue Feb 16 10:08:30 UTC 2021

I want to track permission changes done in a Windows shared drive that is
mapped to a directory in a physical disk managed by Linux. This mapping is
done via Samba. I have enabled auditing with the following settings in

   vfs objects = full_audit

    # audit settings
    full_audit:success = chmod open mkdir rmdir rename create_file fchmod
fchown linkat unlinkat
    full_audit:prefix = %u|%I|%m|%S
    full_audit:failure = none
    full_audit:facility = local5
    full_audit:priority = notice
    recycle:repository = /home/recycle/
    recycle:keeptree = yes
    recycle:versions = yes

When I change permissions on files on the Windows network disk, I expected
to see chmod or fchmod events in the log, but I see none. I only see
permissions retrieval events such as get_nt_acl (even though I have not
requested them in smb.conf), but no fset_nt_acl or the chmod/fchmod events
I requested in the first place. Should I add additional events to the
full_audit:success list or is that behavior expected?

Thanks in advance!

More information about the samba mailing list