[Samba] Samba and Windows auditing

Rowland penny rpenny at samba.org
Tue Feb 16 10:40:49 UTC 2021

On 16/02/2021 10:24, Alan Evangelista via samba wrote:
> I have a Linux directory which is mapped to a Windows network drive via
> Samba. I'd like to enable Windows auditing on the Windows side so that I
> could track filesystem operations. A benefit of auditing those events on
> the Windows side (over doing it in the Linux side, e.g. using the full
> audit module in Samba) is that I'd be able to get the ID of the process
> that started the FS operation and consequently the path of the executable
> file that started the FS operation.
> I'm using Centrify to map Windows users and permissions to Linux users and
> permissions and I can access the network drive contents on Windows without
> any problems.
> I'm a domain admin in the Windows Server 2016 box and I have enabled
> filesystem, file share, and file share details events on the local group
> policy editor (I enabled file share related events because I fear I won't
> get filesystem events out of Windows, as it's not really accessing the
> physical disk, but letting Linux do it instead). I'm now able to enable
> auditing on any local folder on the Windows Server 2016 box, except in the
> network drive mapped via Samba. I get the following error in the Auditing
> tab in the mapped directory properties: "You do not have permission to view
> or audit this object's audit settings". Is it possible that Samba is
> responsible for that permission error?
> Thanks in advance!

Alan, why have you asked this question three times in less then half an 
hour ?

You also mention that you are using centrify, which is not produced or 
supported by Samba. I suggest you ask centrify about your problem and 
once you have ruled that out, or moved to winbind, then we can look at 
your problem.


More information about the samba mailing list