Spent the last 7 hours on this and I am almost blind with all the research. Seen it read it done it. Does not work. That means it has to be so simple that I am just overlooking it!
Truenas (started this process at 12.0-8.1 kept upgrading until I got to the latest 13-3.1 where I am now. Dell server 8 cores etc ... just a test box (mirrored SSD's).
I have a major project coming up that requires FULL auditing, if anything happens I have to be able to tell the FBI .... etc ... who/what/when ... and I am beginning to feel I have made the wrong choice for storage and getting ready to toss it and go back to Windows storage or call Netapp (theirs works).
Simple SMB setup, AD joined permissions set to domain users modify, Domain admins FC. - EVEYTHING WORKS PERFECT - until I enable vfs_object = full audit, then NOBDY gets in. I followed this post for logging:
www.truenas.com
And everything works perfectly, I get a detailed log of every time I try to access the share, but I can click all I want because the regular log says:
I tried the vfs objects = zfsacl to no avail, it just makes THAT error go away.
Here is my config:
[smbtest]
ea support = No
kernel share modes = No
path = /mnt/tank/smbtest
posix locking = No
read only = No
smbd max xattr size = 2097152
vfs objects = full_audit
full_audit:failure = connect
full_audit:success = renameat write pwrite unlinkat linkat
full_audit:prefix = %u|%I|%S
full_audit:priority = NOTICE
full_audit:facility = LOCAL5
nfs4:chown = true
shadow:include = fss-*
shadow:ignore_empty_snaps = false
I am brain wrecked.
Truenas (started this process at 12.0-8.1 kept upgrading until I got to the latest 13-3.1 where I am now. Dell server 8 cores etc ... just a test box (mirrored SSD's).
I have a major project coming up that requires FULL auditing, if anything happens I have to be able to tell the FBI .... etc ... who/what/when ... and I am beginning to feel I have made the wrong choice for storage and getting ready to toss it and go back to Windows storage or call Netapp (theirs works).
Simple SMB setup, AD joined permissions set to domain users modify, Domain admins FC. - EVEYTHING WORKS PERFECT - until I enable vfs_object = full audit, then NOBDY gets in. I followed this post for logging:
TrueNAS-12.0-U3.1 SMB full_audit
Hello there, I have migrated from FreeNAS 11.1-U7 to TrueNAS 12.0-U3.1 but smb full_auditing not working. I have applied these settings; 1. Edit the file "/conf/base/etc/local/syslog-ng.conf.freenas" and add: # # samba activity logs # # destination m_samba_audit {...
www.truenas.com
And everything works perfectly, I get a detailed log of every time I try to access the share, but I can click all I want because the regular log says:
Code:
Nov 23 14:59:50 ttest 1 2022-11-23T14:59:50.707156-06:00 ttest.*****.local smbd_audit 4186 - - smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_ACCESS_DENIED] || at ../../source3/smbd/smb2_create.c:337 Nov 23 14:59:50 ttest 1 2022-11-23T14:59:50.708908-06:00 ttest.*****.local smbd_audit 4186 - - [2022/11/23 14:59:50.708903, 1] ../../source3/modules/vfs_posixacl.c:192(smb_ace_to_internal) Nov 23 14:59:50 ttest 1 2022-11-23T14:59:50.708917-06:00 ttest.******.local smbd_audit 4186 - - ACL tag type ACL_EVERYONE. FreeBSD with ZFS? Use 'vfs objects = zfsacl'
I tried the vfs objects = zfsacl to no avail, it just makes THAT error go away.
Here is my config:
[smbtest]
ea support = No
kernel share modes = No
path = /mnt/tank/smbtest
posix locking = No
read only = No
smbd max xattr size = 2097152
vfs objects = full_audit
full_audit:failure = connect
full_audit:success = renameat write pwrite unlinkat linkat
full_audit:prefix = %u|%I|%S
full_audit:priority = NOTICE
full_audit:facility = LOCAL5
nfs4:chown = true
shadow:include = fss-*
shadow:ignore_empty_snaps = false
I am brain wrecked.
