Docu review done: Mon 20 Feb 2023 11:04:03 CET
samba
Config test
To run a config syntax check you can execute testparm without any parameter and you will get something like this:
$ testparm
Registered MSG_REQ_POOL_USAGE
Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
Load smb config files from /etc/samba/smb.conf
Processing section "[myshare1]"
Processing section "[myshare2]"
Processing section "[myshare3]"
Processing section "[myshare4]"
.
.
.
Loaded services file OK.
Server role: ROLE_STANDALONE
Press enter to see a dump of your service definitions
[myshare1]
browseable = No
comment = my share 1
include = /etc/samba/include/myshare1.conf
path = /data/myshare1
read only = No
valid users = share
[myshare2]
browseable = No
comment = my share 2
include = /etc/samba/include/myshare2.conf
path = /data/myshare2
read only = No
valid users = share
.
.
.
vfs audit logging
vfs audit or vfs full_audit allows you to track down who is doing what on your shares in a very simple way.
To enable it on your share, make sure you have it installed, e.g. on Debian you will see the package samba-vfs-modules installed, and if you can execute man vfs_full_audit you are in a good position ;)
To enable it in samba, you have to create a small configuration inside the [global] section, which could look like this for example:
vfs objects = full_audit
full_audit:facility = local7
full_audit:priority = debug
full_audit:prefix = %u|%I
full_audit:success = chmod chown link lock open rename rmdir unlink write
full_audit:failure = chmod chown link lock open rename rmdir unlink write chdir fchmod fchown fsync ftruncate getlock kernel_flock readdir
What is the config above doing:
- objects: specifies the object of vfs; you can also use audit if you really need a very small set of information
- facility: specifies the log facility where to send the logs
- priority: as it says, the log priority
- prefix: it allows you to add some prefix to the original log (%u for user and %I for client IP); these variables can be looked up at man smb.conf
- success: filters to the given types of logs; it also allows !<type> to disable a specific one, and to log everything you can just define all
- failure: same as success, it is a filter for failed logs
After you have configured it based on your needs, you have to restart the samba service.
A reload on its own is not enough.
And don't forget to create the log configuration, e.g. in your rsyslog or syslog service. You can place a filter; the application/program name is smbd_audit.
When you have done all of that, you will get something like this:
Jan 01 13:37:42 my_samba_server01 smbd_audit[3362]: share|13.37.42.69|chdir|ok|chdir|testing/1
Jan 01 13:37:42 my_samba_server01 smbd_audit[3362]: share|13.37.42.69|chdir|ok|chdir|/data/myshare1/testdir1
Jan 01 13:37:42 my_samba_server01 smbd_audit[3362]: share|13.37.42.69|readdir|ok|
Jan 01 13:37:42 my_samba_server01 smbd_audit[3362]: share|13.37.42.69|readdir|ok|
Jan 01 13:37:42 my_samba_server01 smbd_audit[3362]: share|13.37.42.69|readdir|ok|
Jan 01 13:37:42 my_samba_server01 smbd_audit[3362]: share|13.37.42.69|rmdir|ok|testing/1
Jan 01 13:37:42 my_samba_server01 smbd_audit[3362]: share|13.37.42.69|unlink|ok|/data/myshare1/testdir1/testing/t1
Jan 01 13:37:42 my_samba_server01 smbd_audit[3362]: share|13.37.42.69|chdir|ok|chdir|testing
Jan 01 13:37:42 my_samba_server01 smbd_audit[3362]: share|13.37.42.69|open|ok|r|/data/myshare1/testdir1/testing
Jan 01 13:37:42 my_samba_server01 smbd_audit[3362]: share|13.37.42.69|chdir|ok|chdir|/data/myshare1/testdir1
Jan 01 13:37:42 my_samba_server01 smbd_audit[3362]: share|13.37.42.69|chdir|ok|chdir|testing
Jan 01 13:37:42 my_samba_server01 smbd_audit[3362]: share|13.37.42.69|chdir|ok|chdir|/data/myshare1/testdir1
Jan 01 13:37:42 my_samba_server01 smbd_audit[3362]: share|13.37.42.69|readdir|ok|
Jan 01 13:37:42 my_samba_server01 smbd_audit[3362]: share|13.37.42.69|readdir|ok|
Jan 01 13:37:42 my_samba_server01 smbd_audit[3362]: share|13.37.42.69|readdir|ok|
Jan 01 13:37:42 my_samba_server01 smbd_audit[3362]: share|13.37.42.69|rmdir|ok|testing
Jan 01 13:37:42 my_samba_server01 smbd_audit[3362]: share|13.37.42.69|readdir|ok|
Jan 01 13:37:42 my_samba_server01 smbd_audit[3362]: share|13.37.42.69|readdir|ok|
Jan 01 13:37:42 my_samba_server01 smbd_audit[3362]: share|13.37.42.69|readdir|ok|
Jan 01 13:37:42 my_samba_server01 smbd_audit[3362]: share|13.37.42.69|open|ok|w|/data/myshare1/testdir1/asdf
Jan 01 13:37:42 my_samba_server01 smbd_audit[3362]: share|13.37.42.69|kernel_flock|ok|/data/myshare1/testdir1/asdf
Jan 01 13:37:42 my_samba_server01 smbd_audit[3362]: share|13.37.42.69|kernel_flock|ok|/data/myshare1/testdir1/asdf
Let's have a look at the structure:
Date/Time | your share server | client samba pid | user | ip | action type | success/failure | [r/w] for files | destination |
---|---|---|---|---|---|---|---|---|
Jan 01 13:37:42 | my_samba_server01 | smbd_audit[3362]: | share | 13.37.42.69 | open | ok | w | /data/myshare1/testdir1/asdf |
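The structure above turned into a parser, as an added example that is not part of the original page: it splits smbd_audit lines into the fields from the table and summarises successful deletions and failed operations per user and client IP. It assumes the prefix %u|%I from the config above; the function names are hypothetical, the last sample line is constructed, and the "fail (...)" result text is an assumption.

```python
import re
from collections import Counter

# syslog header followed by the full_audit payload. With the page's prefix
# "%u|%I" the payload is: user|ip|operation|result|details...
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s(?P<host>\S+)\s"
    r"smbd_audit\[(?P<pid>\d+)\]:\s(?P<payload>.*)$"
)
DESTRUCTIVE = {"unlink", "rmdir", "rename"}

def parse_line(line):
    """Return a dict for one smbd_audit line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    parts = m.group("payload").split("|", 4)
    if len(parts) < 4:
        return None
    user, ip, op, result = parts[:4]
    return {
        "ts": m.group("ts"), "host": m.group("host"),
        "pid": int(m.group("pid")), "user": user, "ip": ip, "op": op,
        # Assumption: anything other than "ok" (e.g. "fail (...)") is a failure.
        "ok": result == "ok",
        # The remainder stays raw because a path may itself contain "|".
        "detail": parts[4] if len(parts) > 4 else "",
    }

def destructive_by_client(lines):
    """Count successful unlink/rmdir/rename operations per (user, ip)."""
    counts = Counter()
    for rec in filter(None, map(parse_line, lines)):
        if rec["ok"] and rec["op"] in DESTRUCTIVE:
            counts[(rec["user"], rec["ip"])] += 1
    return counts

def failures(lines):
    """Return the parsed records of all failed operations."""
    return [r for r in filter(None, map(parse_line, lines)) if not r["ok"]]

HDR = "Jan 01 13:37:42 my_samba_server01 smbd_audit[3362]: share|13.37.42.69|"
SAMPLE = [
    HDR + "open|ok|w|/data/myshare1/testdir1/asdf",         # from the page
    HDR + "rmdir|ok|testing/1",                             # from the page
    HDR + "unlink|ok|/data/myshare1/testdir1/testing/t1",   # from the page
    HDR + "readdir|ok|",                                    # from the page
    HDR + "unlink|fail (Permission denied)|/data/a|b",      # constructed
]
```

Feeding it the lines from the file your syslog filter writes gives a quick per-client view of deletions and denied operations.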
Enable smb1
Add the following line to the smb.conf; it makes the server accept NTLMv1 authentication in addition to NTLMv2:
ntlm auth = ntlmv1-permitted
After you have done that, restart the samba service:
$ systemctl restart smbd.service