Samba full audit not working

[ronc]

I’m setting up full auditing under TrueNAS-12.0-U6.1 on a SMB share and finding that I’m not able to enable multiple VFS modules without the share becoming inaccessible.

Currently what is working under share aux parameters,

vfs objects = zfsacl full_audit

full_audit:prefix = %u | %I | %m | %S

full_audit:failure = connect

full_audit:success = connect

full_audit:facility = LOCAL7

full_audit:priority = NOTICE

and this works,

vfs objects = zfsacl full_audit

full_audit:prefix = %u | %I | %m | %S

full_audit:failure = connect

full_audit:success = all

full_audit:facility = LOCAL7

full_audit:priority = NOTICE



However, auditsuccess = all is to much logging and only want the following for success below. Essentially looking to monitor Create files /write data Create folders /append data.

full_audit:success = create_file write renameat mkdirat unlinkat



This however doesn’t work and will cause the SMB share to become unavailable after restarting SMB service. I’m referencing Samba full audit settings from here so the above should be valid to use.

vfs_full_audit (samba.org)

 

[ronc]

I’m setting up full auditing under TrueNAS-12.0-U6.1 on a SMB share and finding that I’m not able to enable multiple VFS modules without the share becoming inaccessible.

Currently what is working under share aux parameters,

vfs objects = zfsacl full_audit

full_audit:prefix = %u | %I | %m | %S

full_audit:failure = connect

full_audit:success = connect

full_audit:facility = LOCAL7

full_audit:priority = NOTICE

and this works,

vfs objects = zfsacl full_audit

full_audit:prefix = %u | %I | %m | %S

full_audit:failure = connect

full_audit:success = all

full_audit:facility = LOCAL7

full_audit:priority = NOTICE



However, auditsuccess = all is to much logging and only want the following for success below. Essentially looking to monitor Create files /write data Create folders /append data.

full_audit:success = create_file write renameat mkdirat unlinkat



This however doesn’t work and will cause the SMB share to become unavailable after restarting SMB service. I’m referencing Samba full audit settings from here so the above should be valid to use.

vfs_full_audit (samba.org

I figured out my problem. for anyone experiencing this same issue, I found this error message in the log.smbd
Error log message INTERNAL ERROR: vfs_full_audit.c: name table not in sync with vfs_op_type enums
in pid 72640 (4.13.14)
and found that its a bug in version 12.0 u6.1. After installing update 12.0 u8 the problem is gone.
Bug report https://jira.ixsystems.com/browse/NAS-113336

 

[baron802]

I’m setting up full auditing under TrueNAS-12.0-U6.1 on a SMB share and finding that I’m not able to enable multiple VFS modules without the share becoming inaccessible.

Currently what is working under share aux parameters,

vfs objects = zfsacl full_audit

full_audit:prefix = %u | %I | %m | %S

full_audit:failure = connect

full_audit:success = connect

full_audit:facility = LOCAL7

full_audit:priority = NOTICE

and this works,

vfs objects = zfsacl full_audit

full_audit:prefix = %u | %I | %m | %S

full_audit:failure = connect

full_audit:success = all

full_audit:facility = LOCAL7

full_audit:priority = NOTICE



However, auditsuccess = all is to much logging and only want the following for success below. Essentially looking to monitor Create files /write data Create folders /append data.

full_audit:success = create_file write renameat mkdirat unlinkat



This however doesn’t work and will cause the SMB share to become unavailable after restarting SMB service. I’m referencing Samba full audit settings from here so the above should be valid to use.

vfs_full_audit (samba.org)

Thank you it work, I try to fix this issue hole day.