[Samba] Samba and Windows auditing

Alan Evangelista alan.vitor at gmail.com
Tue Feb 16 10:24:24 UTC 2021


I have a Linux directory which is mapped to a Windows network drive via
Samba. I'd like to enable Windows auditing on the Windows side so that I
could track filesystem operations. A benefit of auditing those events on
the Windows side (over doing it on the Linux side, e.g. using the full
audit module in Samba) is that I'd be able to get the ID of the process
that started the FS operation and consequently the path of the executable
file that started the FS operation.

I'm using Centrify to map Windows users and permissions to Linux users and
permissions and I can access the network drive contents on Windows without
any problems.

I'm a domain admin on the Windows Server 2016 box and I have enabled
filesystem, file share, and file share details events in the local group
policy editor (I enabled file share related events because I fear I won't
get filesystem events out of Windows, as it's not really accessing the
physical disk, but letting Linux do it instead). I'm now able to enable
auditing on any local folder on the Windows Server 2016 box, except in the
network drive mapped via Samba. I get the following error in the Auditing
tab in the mapped directory properties: "You do not have permission to view
or audit this object's audit settings". Is it possible that Samba is
responsible for that permission error?

Thanks in advance!

