```
# These users will run file ops as the super-user
admin users = pfowler

# Whether to allow wide linking even when unix extensions = yes
allow insecure wide links = no

# Allow trusted domains other than the one smbd is using
allow trusted domains = yes

# Order of auth to use, sam = local
auth methods = guest sam winbind

# Force a files group.
# Using a prepended + will set the group
# only if the user belongs to that group
force group = groupname

# If a bogus domain is given (like local workstation),
# then the domain name is changed to the smbd domain
map untrusted to domain = yes
```
```
smbclient -U username%password -W=domain //server/share

# Use a credentials file (keeps the password off the command line).
# The file contains:
#   username =
#   password =
#   domain =
smbclient -A=filename
```
Add this to the global section:
```
# Audit settings
full_audit:prefix = %u|%I|%S
full_audit:failure = connect
full_audit:success = connect disconnect opendir mkdir rmdir closedir open close read pread write pwrite sendfile rename unlink chmod fchmod chown fchown chdir ftruncate lock symlink readlink link mknod realpath
full_audit:facility = local5
full_audit:priority = notice
```
It is a good idea to restrict which events are logged; the list above will be very noisy. Try:
```
full_audit:success = connect mkdir rmdir write rename unlink pwrite read
```
Then in each share, add:
```
vfs object = full_audit
```
To set up syslog:

```
*.info;local5.none;mail.none;authpriv.none;cron.none    /var/log/messages
local5.notice                                           /var/log/samba/audit.log
```
Now create /etc/logrotate.d/samba.audit:

```
/var/log/samba/audit.log {
    weekly
    missingok
    rotate 7
    postrotate
        /etc/init.d/syslog reload > /dev/null 2>&1 || true
    endscript
    compress
    notifempty
}
```
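Once records arrive in /var/log/samba/audit.log, the `%u|%I|%S` prefix makes them easy to triage. The following is an added example, not part of the original page: it parses full_audit records, reports failed connects, and flags clients that delete or rename many files. The sample lines are constructed, and the syslog header layout, the `smbd_audit:` tag and the threshold are assumptions to adjust for your system.

```python
import re
from collections import Counter

# Constructed sample lines; the syslog header (timestamp, host, "smbd_audit:" tag)
# is an assumption and varies with the syslog daemon and Samba version.
SAMPLE = """\
Mar  3 09:14:01 fs1 smbd_audit: pfowler|192.0.2.10|projects|connect|ok|projects
Mar  3 09:14:07 fs1 smbd_audit: pfowler|192.0.2.10|projects|unlink|ok|reports/q1.xls
Mar  3 09:14:08 fs1 smbd_audit: pfowler|192.0.2.10|projects|unlink|ok|reports/q2.xls
Mar  3 09:14:09 fs1 smbd_audit: pfowler|192.0.2.10|projects|rename|ok|a.doc|b.doc
Mar  3 09:15:30 fs1 smbd_audit: nobody|198.51.100.7|finance|connect|fail (Permission denied)|finance
Mar  3 09:15:31 fs1 kernel: unrelated line that must be skipped
"""

# prefix "%u|%I|%S" -> user|client IP|share, then operation|result|arguments
RECORD = re.compile(
    r"smbd_audit: (?P<user>[^|]*)\|(?P<ip>[^|]*)\|(?P<share>[^|]*)\|"
    r"(?P<op>[^|]+)\|(?P<result>ok|fail \((?P<reason>[^)]*)\))(?:\|(?P<args>.*))?$"
)
DESTRUCTIVE = {"unlink", "rmdir", "rename"}

def parse(text):
    """Yield one dict per full_audit record, ignoring other syslog lines."""
    for line in text.splitlines():
        m = RECORD.search(line)
        if m:
            yield m.groupdict()

def summarize(text, threshold=3):
    """Return (failed connects, clients with >= threshold destructive ops)."""
    failed, destructive = [], Counter()
    for rec in parse(text):
        if rec["op"] == "connect" and rec["result"] != "ok":
            failed.append((rec["user"], rec["ip"], rec["share"], rec["reason"]))
        elif rec["op"] in DESTRUCTIVE and rec["result"] == "ok":
            destructive[(rec["user"], rec["ip"], rec["share"])] += 1
    noisy = {k: n for k, n in destructive.items() if n >= threshold}
    return failed, noisy

if __name__ == "__main__":
    failed, noisy = summarize(SAMPLE)
    print("failed connects:", failed)
    print("bulk delete/rename:", noisy)
```
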
| Substitution | Description |
|---|---|
| %U | session username (the username that the client wanted, not necessarily the same as the one they got). |
| %G | primary group name of %U. |
| %h | the Internet hostname that Samba is running on. |
| %m | the NetBIOS name of the client machine (very useful). |
| %M | the Internet name of the client machine. |
| %R | the selected protocol level after protocol negotiation. It can be one of CORE, COREPLUS, LANMAN1, LANMAN2 or NT1. |
| %d | the process id of the current server process. |
| %a | the architecture of the remote machine. |
| %I | the IP address of the client machine. |
| %i | the local IP address to which a client connected. |
| %T | the current date and time. |
| %D | name of the domain or workgroup of the current user. |
| %w | the winbind separator. |
| %$(envvar) | the value of the environment variable envvar. |
| %S | the name of the current service, if any. |
| %P | the root directory of the current service, if any. |
| %u | username of the current service, if any. |
| %g | primary group name of %u. |
| %H | the home directory of the user given by %u. |