[Samba] How should audit logging work?

Nick Howitt nick at howitts.co.uk
Tue Oct 12 09:14:56 UTC 2021


I am running samba-4.10.16-15.el7_9.x86_64 on a simple file server and 
trying to enable auditing of shares. I have a menu entry checkbox which 
allows me to do this, but I can't find the logging anywhere. My smb.conf 
is (with default shares pruned):

Server role: ROLE_DOMAIN_PDC

# Global parameters
[global]
         add machine script = /usr/sbin/samba-add-machine "%u"
         domain logons = Yes
         domain master = Yes
         guest account = guest
         interfaces = lo enp2s0f1 wlp0s16u3
         ldap admin dn = cn=manager,ou=Internal,dc=system,dc=lan
         ldap connection timeout = 8
         ldap group suffix = ou=Groups,ou=Accounts
         ldap idmap suffix = ou=Idmap
         ldap machine suffix = ou=Computers,ou=Accounts
         ldap ssl = no
         ldap suffix = dc=system,dc=lan
         ldap user suffix = ou=Users,ou=Accounts
         log file = /var/log/samba/%L-%m
         logon drive = U:
         logon home = \\%L\%U
         logon path =
         logon script = logon.cmd
         max log size = 0
         netbios name = MYSERVER
         ntlm auth = ntlmv1-permitted
         passdb backend = ldapsam:ldap://127.0.0.1
         passwd chat = *password:* %n\n *password:* %n\n *successfully.*
         passwd chat timeout = 10
         passwd program = /usr/sbin/userpasswd %u
         preferred master = Yes
         printcap name = /etc/printcap
         security = USER
         server string = MyServer
         template homedir = /home/%U
         template shell = /sbin/nologin
         unix password sync = Yes
         username map = /etc/samba/smbusers
         utmp = Yes
         winbind enum groups = Yes
         winbind enum users = Yes
         winbind expand groups = 1
         winbind offline logon = Yes
         winbind separator = +
         winbind use default domain = Yes
         wins support = Yes
         workgroup = CLEARSYSTEM
         idmap config * : ldap_user_dn = cn=manager,ou=Internal,dc=system,dc=lan
         idmap config * : ldap_base_dn = ou=Idmap,dc=system,dc=lan
         idmap config * : ldap_url = ldap://127.0.0.1
         idmap config * : range = 20000000-29999999
         idmap config * : backend = ldap
         include = /etc/samba/flexshare.conf


[test]
         comment = Test Share
         create mask = 0664
         directory mask = 0775
         path = /var/flexshare/shares/test
         read only = No
         valid users = @%D\njhtest @njhtest
         veto files = /.flexshare*/
         vfs objects = full_audit:audit
         audit:priority = NOTICE
         audit:facility = LOCAL5
         audit:failure = all
         audit:success = open opendir
         audit:prefix = %u

In my rsyslog.conf I have a line "local5.*  /var/log/compliance". In the 
past I believe this used to work, but I am certainly not now seeing any 
logging in /var/log/compliance or anywhere in the other locations such 
as the messages and secure logs or any of the samba logs when I open, 
edit, create and delete files on the shares.

This link - https://unix.stackexchange.com/questions/658691/samba-has-a-module-vfs-full-audit-what-does-each-object-actually-mean-within-th - says "If you are using samba 4, forget the audit logs."

Is my setup incorrect, and is it possible to get it working?

If I manually hack the share set up and change:

         vfs objects = full_audit:audit
         audit:priority = NOTICE
         audit:facility = LOCAL5
         audit:failure = all
         audit:success = open opendir
         audit:prefix = %u

to

         vfs objects = full_audit
         full_audit:priority = NOTICE
         full_audit:facility = LOCAL5
         full_audit:failure = all
         full_audit:success = open opendir
         full_audit:prefix = %u

I do seem to get something, but is this correct?

Thanks,

Nick
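A small checker for the mismatch described in the post, as an added example that is not part of the original message or of Samba: it parses an smb.conf-style text and flags shares that load `full_audit` but set their audit options with a prefix other than `full_audit:` (the form the post reports as producing log output). The sample config is constructed from the share in the post; the parser is deliberately simple and does not handle `include` or line continuations.

```python
"""Flag full_audit shares whose audit options do not use the full_audit: prefix.
Added example; SAMPLE_SMB_CONF is constructed from the post, not a real file."""
import re

# Options the post sets on the share; only these are checked.
AUDIT_OPTS = {"priority", "facility", "failure", "success", "prefix"}

SAMPLE_SMB_CONF = """\
[global]
        workgroup = CLEARSYSTEM
        log file = /var/log/samba/%L-%m

[test]
        path = /var/flexshare/shares/test
        vfs objects = full_audit:audit
        audit:priority = NOTICE
        audit:facility = LOCAL5
        audit:success = open opendir

[ok]
        path = /srv/ok
        vfs objects = full_audit
        full_audit:priority = NOTICE
        full_audit:success = open opendir
"""


def parse_smb_conf(text):
    """Return {section: {key: value}} for a simple smb.conf-style text."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"\[(.+)\]$", line)
        if m:
            current = m.group(1).strip()
            sections[current] = {}
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections


def audit_prefix_problems(text):
    """Return [(share, key)] for audit options set under a prefix that is
    not 'full_audit:' in shares that load the full_audit VFS module."""
    problems = []
    for share, params in parse_smb_conf(text).items():
        # 'full_audit:audit' names the module before the colon.
        modules = [m.split(":")[0] for m in params.get("vfs objects", "").split()]
        if "full_audit" not in modules:
            continue
        for key in params:
            prefix, sep, opt = key.partition(":")
            if sep and opt.strip() in AUDIT_OPTS and prefix.strip() != "full_audit":
                problems.append((share, key))
    return problems


if __name__ == "__main__":
    for share, key in audit_prefix_problems(SAMPLE_SMB_CONF):
        print(f"[{share}] {key}: expected full_audit:{key.split(':', 1)[1]}")
```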