Doku review done: Mon 20 Feb 2023 11:04:03 CET

Config test

To run a config syntax check, execute testparm without any parameters; you will get something like this:

$ testparm
Registered MSG_REQ_POOL_USAGE
Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
Load smb config files from /etc/samba/smb.conf
Processing section "[myshare1]"
Processing section "[myshare2]"
Processing section "[myshare3]"
Processing section "[myshare4]"
.
.
.
Loaded services file OK.

Server role: ROLE_STANDALONE

Press enter to see a dump of your service definitions

[myshare1]
        browseable = No
        comment = my share 1
        include = /etc/samba/include/myshare1.conf
        path = /data/myshare1
        read only = No
        valid users = share

[myshare2]
        browseable = No
        comment = my share 2
        include = /etc/samba/include/myshare2.conf
        path = /data/myshare2
        read only = No
        valid users = share
.
.
.

vfs audit logging

vfs audit or vfs full_audit allows you to track down who is doing what on your shares in a very simple way.

To enable it on your share, make sure the module is installed. On Debian, for example, the package samba-vfs-modules should be installed, and if you can execute man vfs_full_audit you are in a good position ;)

To enable it in samba, you have to create a small configuration inside the [global] section, which could look like this for example:

vfs objects         = full_audit
full_audit:facility = local7
full_audit:priority = debug
full_audit:prefix   = %u|%I
full_audit:success  = chmod chown link lock open rename rmdir unlink write
full_audit:failure  = chmod chown link lock open rename rmdir unlink write chdir fchmod fchown fsync ftruncate getlock kernel_flock readdir

What the config above does:

  • objects: specifies which vfs object to load; you can also use audit if you only need a very small set of information
  • facility: specifies the log facility the logs are sent to
  • priority: as the name says, the log priority
  • prefix: lets you add a prefix to the original log line (%u for the user and %I for the client IP); these variables can be looked up in man smb.conf
  • success: filters for the given types of logs; it also allows !<type> to disable a specific one, and to log everything you can just define all
  • failure: same as success, but it is a filter for failed logs

After you have configured it based on your needs, you have to restart the samba service.

A reload on its own is not enough.

And don't forget to create the log configuration, e.g. in your rsyslog or syslog service. You can place a filter there; the application/program name is smbd_audit.

When you have done all of this, you will get something like this:

Jan 01 13:37:42 my_samba_server01 smbd_audit[3362]: share|13.37.42.69|chdir|ok|chdir|testing/1
Jan 01 13:37:42 my_samba_server01 smbd_audit[3362]: share|13.37.42.69|chdir|ok|chdir|/data/myshare1/testdir1
Jan 01 13:37:42 my_samba_server01 smbd_audit[3362]: share|13.37.42.69|readdir|ok|
Jan 01 13:37:42 my_samba_server01 smbd_audit[3362]: share|13.37.42.69|readdir|ok|
Jan 01 13:37:42 my_samba_server01 smbd_audit[3362]: share|13.37.42.69|readdir|ok|
Jan 01 13:37:42 my_samba_server01 smbd_audit[3362]: share|13.37.42.69|rmdir|ok|testing/1
Jan 01 13:37:42 my_samba_server01 smbd_audit[3362]: share|13.37.42.69|unlink|ok|/data/myshare1/testdir1/testing/t1
Jan 01 13:37:42 my_samba_server01 smbd_audit[3362]: share|13.37.42.69|chdir|ok|chdir|testing
Jan 01 13:37:42 my_samba_server01 smbd_audit[3362]: share|13.37.42.69|open|ok|r|/data/myshare1/testdir1/testing
Jan 01 13:37:42 my_samba_server01 smbd_audit[3362]: share|13.37.42.69|chdir|ok|chdir|/data/myshare1/testdir1
Jan 01 13:37:42 my_samba_server01 smbd_audit[3362]: share|13.37.42.69|chdir|ok|chdir|testing
Jan 01 13:37:42 my_samba_server01 smbd_audit[3362]: share|13.37.42.69|chdir|ok|chdir|/data/myshare1/testdir1
Jan 01 13:37:42 my_samba_server01 smbd_audit[3362]: share|13.37.42.69|readdir|ok|
Jan 01 13:37:42 my_samba_server01 smbd_audit[3362]: share|13.37.42.69|readdir|ok|
Jan 01 13:37:42 my_samba_server01 smbd_audit[3362]: share|13.37.42.69|readdir|ok|
Jan 01 13:37:42 my_samba_server01 smbd_audit[3362]: share|13.37.42.69|rmdir|ok|testing
Jan 01 13:37:42 my_samba_server01 smbd_audit[3362]: share|13.37.42.69|readdir|ok|
Jan 01 13:37:42 my_samba_server01 smbd_audit[3362]: share|13.37.42.69|readdir|ok|
Jan 01 13:37:42 my_samba_server01 smbd_audit[3362]: share|13.37.42.69|readdir|ok|
Jan 01 13:37:42 my_samba_server01 smbd_audit[3362]: share|13.37.42.69|open|ok|w|/data/myshare1/testdir1/asdf
Jan 01 13:37:42 my_samba_server01 smbd_audit[3362]: share|13.37.42.69|kernel_flock|ok|/data/myshare1/testdir1/asdf
Jan 01 13:37:42 my_samba_server01 smbd_audit[3362]: share|13.37.42.69|kernel_flock|ok|/data/myshare1/testdir1/asdf

Let's have a look at the structure:

| Date/Time | your share server | client samba pid | user | ip | action type | success/failure | [r/w] for files | destination |
|---|---|---|---|---|---|---|---|---|
| Jan 01 13:37:42 | my_samba_server01 | smbd_audit[3362]: | share | 13.37.42.69 | open | ok | w | /data/myshare1/testdir1/asdf |
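
The field layout above can be parsed mechanically, for example to count deletions per user and client IP and to list failed operations. This Python code is an added example, not part of the original page; it assumes the full_audit:prefix of %u|%I from the config above, the sample lines (including the failed open) are constructed, and the names parse_line and summarize are hypothetical.

```python
import re
from collections import Counter

# Constructed sample lines in the layout shown above (full_audit:prefix = %u|%I).
SAMPLE = """\
Jan 01 13:37:42 my_samba_server01 smbd_audit[3362]: share|13.37.42.69|chdir|ok|chdir|/data/myshare1/testdir1
Jan 01 13:37:42 my_samba_server01 smbd_audit[3362]: share|13.37.42.69|readdir|ok|
Jan 01 13:37:42 my_samba_server01 smbd_audit[3362]: share|13.37.42.69|unlink|ok|/data/myshare1/testdir1/testing/t1
Jan 01 13:37:42 my_samba_server01 smbd_audit[3362]: share|13.37.42.69|rmdir|ok|testing
Jan 01 13:37:42 my_samba_server01 smbd_audit[3362]: share|13.37.42.69|open|ok|w|/data/myshare1/testdir1/asdf
Jan 01 13:37:43 my_samba_server01 smbd_audit[3362]: share|13.37.42.69|open|fail (Permission denied)|r|/data/myshare1/secret
Jan 01 13:37:43 my_samba_server01 sshd[991]: unrelated line
"""

LINE_RE = re.compile(r"^(?P<time>\w{3} +\d+ [\d:]{8}) (?P<host>\S+) "
                     r"smbd_audit\[(?P<pid>\d+)\]: (?P<msg>.*)$")
DESTRUCTIVE = {"unlink", "rmdir", "rename"}

def parse_line(line):
    """Return one audit record as a dict, or None for non-audit lines."""
    m = LINE_RE.match(line)
    if not m or m["msg"].count("|") < 3:
        return None
    user, ip, op, result, *args = m["msg"].split("|")
    mode = None
    if op == "open" and len(args) >= 2:            # open carries r/w before the path
        mode, args = args[0], args[1:]
    elif op == "chdir" and args[:1] == ["chdir"]:  # chdir repeats its own name
        args = args[1:]
    return {"time": m["time"], "host": m["host"], "pid": int(m["pid"]),
            "user": user, "ip": ip, "op": op, "ok": result == "ok",
            "result": result, "mode": mode, "path": "|".join(args)}

def summarize(text):
    """Count successful destructive ops per (user, ip); collect failures."""
    deletes, failures = Counter(), []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if not rec["ok"]:
            failures.append(rec)
        elif rec["op"] in DESTRUCTIVE:
            deletes[(rec["user"], rec["ip"])] += 1
    return deletes, failures

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

If you change full_audit:prefix, the first two fields of the message change with it and the unpacking in parse_line has to be adjusted.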

Enable smb1

Add the following line to smb.conf; the parameter permits NTLMv1 authentication:

ntlm auth = ntlmv1-permitted

After you have done that, restart the samba service:

$ systemctl restart smbd.service