# These users will run file ops as the super-user admin users = pfowler # Allow wide linking, even with unix extensions = yes allow insecure wide links = no # Allow trusted domains other then the one smbd is using allow trusted domains = yes # Order of auth to use, sam = local auth methods = guest sam winbind # Force a files group. # Using a prepended + will set the group # only if the user belongs to that group force group = groupname # If a bogus domain is given (like local workstation); # then the domain name is changed to the smbd domain map untrusted to domain = yes
smbclient -U username%password -W=domain //server/share # User a credentials file # username = # password = # domain = smbclient -A=filename
Add this section to the global
# Audit settings full_audit:prefix = %u|%I|%S full_audit:failure = connect full_audit:success = connect disconnect opendir mkdir rmdir closedir open close read pread write pwrite sendfile rename unlink chmod fchmod chown fchown chdir ftruncate lock symlink readlink link mknod realpath full_audit:facility = local5 full_audit:priority = notice
Would be a good idea to restrict what events are logged. The above will be very very noisy. Try:
full_audit:success = connect mkdir rmdir write rename unlink pwrite read
Then in each share, add:
vfs object = full_audit
To setup the syslog
*.info;local5.none;mail.none;authpriv.none;cron.none /var/log/messages local5.notice /var/log/samba/audit.log
Now create /etc/logrotate.d/samba.audit
/var/log/samba/audit.log { weekly missingok rotate 7 postrotate /etc/init.d/syslog reload > /dev/null 2>&1 || true endscript compress notifempty }
Sub | description |
---|---|
%U | session username (the username that the client wanted, not necessarily the same as the one they got). |
%G | primary group name of %U. |
%h | the Internet hostname that Samba is running on. |
%m | the NetBIOS name of the client machine (very useful). |
%M | the Internet name of the client machine. |
%R | the selected protocol level after protocol negotiation. It can be one of CORE, COREPLUS, LANMAN1, LANMAN2 or NT1. |
%d | the process id of the current server process. |
%a | The architecture of the remote machine. |
%I | the IP address of the client machine. |
%i | the local IP address to which a client connected. |
%T | the current date and time. |
%D | name of the domain or workgroup of the current user. |
%w | the winbind separator. |
%$(envvar) | the value of the environment variable envar. |
%S | the name of the current service, if any. |
%P | the root directory of the current service, if any. |
%u | username of the current service, if any. |
%g | primary group name of %u. |
%H | the home directory of the user given by %u. |