Spent the last 7 hours on this and I am almost blind with all the research. Seen it, read it, done it. Does not work. That means it has to be so simple that I am just overlooking it!
TrueNAS (started this process at 12.0-8.1, kept upgrading until I got to the latest 13-3.1, where I am now). Dell server, 8 cores etc ... just a test box (mirrored SSDs).
I have a major project coming up that requires FULL auditing. If anything happens I have to be able to tell the FBI .... etc ... who/what/when ... and I am beginning to feel I have made the wrong choice for storage and getting ready to toss it and go back to Windows storage or call Netapp (theirs works).
Simple SMB setup, AD joined, permissions set to domain users modify, Domain admins FC. - EVERYTHING WORKS PERFECT - until I enable vfs_object = full audit, then NOBODY gets in. I followed this post for logging:
TrueNAS-12.0-U3.1 SMB full_audit
Hello there, I have migrated from FreeNAS 11.1-U7 to TrueNAS 12.0-U3.1 but smb full_auditing not working. I have applied these settings; 1. Edit the file "/conf/base/etc/local/syslog-ng.conf.freenas" and add: # # samba activity logs # # destination m_samba_audit {...

And everything works perfectly, I get a detailed log of every time I try to access the share, but I can click all I want because the regular log says:
Code:
Nov 23 14:59:50 ttest 1 2022-11-23T14:59:50.707156-06:00 ttest.*****.local smbd_audit 4186 - - smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_ACCESS_DENIED] || at ../../source3/smbd/smb2_create.c:337
Nov 23 14:59:50 ttest 1 2022-11-23T14:59:50.708908-06:00 ttest.*****.local smbd_audit 4186 - - [2022/11/23 14:59:50.708903, 1] ../../source3/modules/vfs_posixacl.c:192(smb_ace_to_internal)
Nov 23 14:59:50 ttest 1 2022-11-23T14:59:50.708917-06:00 ttest.******.local smbd_audit 4186 - - ACL tag type ACL_EVERYONE. FreeBSD with ZFS? Use 'vfs objects = zfsacl'
I tried the vfs objects = zfsacl to no avail, it just makes THAT error go away.
Here is my config:
[smbtest]
ea support = No
kernel share modes = No
path = /mnt/tank/smbtest
posix locking = No
read only = No
smbd max xattr size = 2097152
vfs objects = full_audit
full_audit:failure = connect
full_audit:success = renameat write pwrite unlinkat linkat
full_audit:prefix = %u|%I|%S
full_audit:priority = NOTICE
full_audit:facility = LOCAL5
nfs4:chown = true
shadow:include = fss-*
shadow:ignore_empty_snaps = false
I am brain wrecked.
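Added example, not part of the original post: a Python parser that turns full_audit records written with the `%u|%I|%S` prefix from the config above into who/what/when fields, and skips smbd debug lines that arrive under the same `smbd_audit` tag, as in the log excerpt. The sample lines, host name, users and addresses are constructed, and the layout of the arguments after the result field is an assumption.

```python
import re
from datetime import datetime

# Syslog wrapper as in the post's log: "<ISO time> <host> smbd_audit <pid> - - <msg>"
LINE_RE = re.compile(
    r"(?P<ts>\d{4}-\d{2}-\d{2}T\S+) (?P<host>\S+) smbd_audit (?P<pid>\d+) - - (?P<msg>.*)$"
)
RESULT_RE = re.compile(r"^(ok|fail \((?P<reason>.*)\))$")
PREFIX_FIELDS = ("user", "client_ip", "share")  # full_audit:prefix = %u|%I|%S


def parse_audit_line(line):
    """Return a dict for a full_audit record, or None for any other line."""
    m = LINE_RE.search(line)
    if not m:
        return None
    # Record layout: PREFIX|OPERATION|RESULT|arguments...
    parts = m.group("msg").split("|")
    if len(parts) < len(PREFIX_FIELDS) + 2 or not all(parts[:4]):
        return None
    result = RESULT_RE.match(parts[4])
    if not result:
        return None  # smbd debug output that shares the smbd_audit tag
    rec = dict(zip(PREFIX_FIELDS, parts[:3]))
    rec.update(
        when=datetime.fromisoformat(m.group("ts")),
        host=m.group("host"),
        operation=parts[3],
        ok=result.group(1) == "ok",
        reason=result.group("reason"),
        args=parts[5:],  # assumed: paths; a "|" inside a file name would split here
    )
    return rec


def failures(lines):
    """Records whose result field is 'fail (...)'."""
    return [r for r in map(parse_audit_line, lines) if r and not r["ok"]]


HDR = "Nov 23 15:02:11 nas 1 2022-11-23T15:02:11.120000-06:00 nas.example.local smbd_audit 4186 - - "
SAMPLE = [  # constructed lines; the first message mimics the debug output in the post
    HDR + "smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_ACCESS_DENIED] || at smb2_create.c:337",
    HDR + "EXAMPLE\\alice|10.0.0.5|smbtest|pwrite|ok|reports/q3.xlsx",
    HDR + "EXAMPLE\\bob|10.0.0.9|smbtest|renameat|ok|draft.txt|final.txt",
    HDR + "EXAMPLE\\carol|10.0.0.77|smbtest|connect|fail (Permission denied)|smbtest",
]

if __name__ == "__main__":
    for rec in filter(None, map(parse_audit_line, SAMPLE)):
        print(rec["when"].isoformat(), rec["user"], rec["client_ip"], rec["operation"], rec["ok"], rec["args"])
```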