[Samba] vfs full_audit %m and %M variables return IP address

Jay McDermott bedanizer at yahoo.com
Fri Feb 19 15:28:25 UTC 2021

Hey all, I have the full_audit plugin configured on a Samba AD domain member acting as a file server. My issue is that when adding the %m (NetBIOS name) or %M (DNS name) variables in the full_audit:prefix line, they both return the IP addresses of the connected computers, even though they are all domain-joined computers. Is there a way to correct this? 
Here's the smb.conf: 
[global]
  workgroup = AD
  security = ads
  realm = AD.EXAMPLE.COM

  log file = /var/log/samba/%m.log
  log level = 1

  idmap config * : backend = tdb
  idmap config * : range = 3000-7999
  idmap config AD : backend = rid
  idmap config AD : range = 10000 - 999999

  winbind use default domain = true
  winbind offline logon = false
  winbind refresh tickets = yes

  vfs objects = acl_xattr, full_audit
  map acl inherit = Yes

  template homedir = /home/%D/%U
  template shell = /bin/bash

  username map = /etc/samba/user.map

  disable netbios = yes
  smb ports = 445

  full_audit:prefix = %u|%I|%m|%S
  full_audit:failure = connect
  full_audit:success = open mkdir rmdir pwrite rename unlink
  full_audit:facility = local5
  full_audit:priority = notice

Thank you.
