smb full_audit logs all instead of configured actions

[Henning Kessler]

Hello,

it looks like samba is logging all its operations instead of only the configured ones since I upgrade to TrueNAS 12.1-U1

these are the log entries:

Code:

Jan 18 23:02:27 nas 1 2021-01-18T23:02:27.973351+01:00 nas.int.DOMAIN.com smbd_audit 44924 - - DOMAIN\administrator|192.168.192.39|pkg|Archiv|chdir|ok|chdir|/mnt/tank01/shares/Archiv
Jan 18 23:02:27 nas 1 2021-01-18T23:02:27.973366+01:00 nas.int.DOMAIN.com smbd_audit 44924 - - DOMAIN\administrator|192.168.192.39|pkg|Archiv|stat|ok|/mnt/tank01/shares/Archiv/SOMEFILES
Jan 18 23:02:27 nas 1 2021-01-18T23:02:27.973377+01:00 nas.int.DOMAIN.com smbd_audit 44924 - - DOMAIN\administrator|192.168.192.39|pkg|Archiv|file_id_create|ok|15546827089506629248:4:0
Jan 18 23:02:27 nas 1 2021-01-18T23:02:27.973396+01:00 nas.int.DOMAIN.com smbd_audit 44924 - - DOMAIN\administrator|192.168.192.39|pkg|Archiv|stat|ok|/mnt/tank01/shares/Archiv
Jan 18 23:02:27 nas 1 2021-01-18T23:02:27.973411+01:00 nas.int.DOMAIN.com smbd_audit 44924 - - DOMAIN\administrator|192.168.192.39|pkg|Archiv|fstat|ok|/mnt/tank01/shares/Archiv/SOMEFILES
Jan 18 23:02:27 nas 1 2021-01-18T23:02:27.973438+01:00 nas.int.DOMAIN.com smbd_audit 44924 - - DOMAIN\administrator|192.168.192.39|pkg|Archiv|create_file|ok|0x100080|dir|open|/mnt/tank01/shares/Archiv/SOMEFILES
Jan 18 23:02:27 nas 1 2021-01-18T23:02:27.973451+01:00 nas.int.DOMAIN.com smbd_audit 44924 - - DOMAIN\administrator|192.168.192.39|pkg|Archiv|get_dos_attributes|ok|/mnt/tank01/shares/Archiv/SOMEFILES
Jan 18 23:02:27 nas 1 2021-01-18T23:02:27.973485+01:00 nas.int.DOMAIN.com smbd_audit 44924 - - DOMAIN\administrator|192.168.192.39|pkg|Archiv|get_nt_acl|ok|/mnt/tank01/shares/Archiv/SOMEFILES
Jan 18 23:02:27 nas 1 2021-01-18T23:02:27.973500+01:00 nas.int.DOMAIN.com smbd_audit 44924 - - DOMAIN\administrator|192.168.192.39|pkg|Archiv|get_alloc_size|ok|0
Jan 18 23:02:27 nas 1 2021-01-18T23:02:27.973521+01:00 nas.int.DOMAIN.com smbd_audit 44924 - - DOMAIN\administrator|192.168.192.39|pkg|Archiv|fstat|ok|/mnt/tank01/shares/Archiv/SOMEFILES
Jan 18 23:02:27 nas 1 2021-01-18T23:02:27.973533+01:00 nas.int.DOMAIN.com smbd_audit 44924 - - DOMAIN\administrator|192.168.192.39|pkg|Archiv|file_id_create|ok|15546827089506629248:16209467:0
Jan 18 23:02:27 nas 1 2021-01-18T23:02:27.973582+01:00 nas.int.DOMAIN.com smbd_audit 44924 - - DOMAIN\administrator|192.168.192.39|pkg|Archiv|get_dos_attributes|ok|/mnt/tank01/shares/Archiv/SOMEFILES
Jan 18 23:02:27 nas 1 2021-01-18T23:02:27.973599+01:00 nas.int.DOMAIN.com smbd_audit 44924 - - DOMAIN\administrator|192.168.192.39|pkg|Archiv|get_alloc_size|ok|0
Jan 18 23:02:27 nas 1 2021-01-18T23:02:27.973609+01:00 nas.int.DOMAIN.com smbd_audit 44924 - - DOMAIN\administrator|192.168.192.39|pkg|Archiv|fs_file_id|ok|16209467
Jan 18 23:02:27 nas 1 2021-01-18T23:02:27.973627+01:00 nas.int.DOMAIN.com smbd_audit 44924 - - KIOSQUEBERLIN\administrator|192.168.192.39|pkg|Archiv|stat|ok|/mnt/tank01/shares/Archiv/SOMEFILES

And these are the Auxiliary Parameters for the share:

Code:

full_audit:prefix = %u|%I|%m|%S
full_audit:failure = none
full_audit:success = rename unlink rmdir mkdir write pwrite link
full_audit:facility = LOCAL5
full_audit:priority = NOTICE
vfs objects = fruit full_audit ixnas streams_xattr zfs_space zfsacl

Any ideas?

 

[hikingpete]

I just ran into this after an upgrade. I eventually discovered on the Samba mailing lists that some of the vfs operations have changed names and "If a particular VFS operation no longer exists, then full_audit will default to logging _everything_, which isn't great.". The short of it is:

rename -> renameat
unlink -> unlinkat
rmdir ->
mkdir -> mkdirat
link -> linkat

For details, consult the samba documentation

[Samba] Samba "vfs_full_audit" Operations

vfs_full_audit

 

[anodos]

I just ran into this after an upgrade. I eventually discovered on the Samba mailing lists that some of the vfs operations have changed names and "If a particular VFS operation no longer exists, then full_audit will default to logging _everything_, which isn't great.". The short of it is:

rename -> renameat
unlink -> unlinkat
rmdir ->
mkdir -> mkdirat
link -> linkat

For details, consult the samba documentation

[Samba] Samba "vfs_full_audit" Operations

vfs_full_audit

Right. If you find thread on samba technical, you'll see the solution that's being adopted for TN 12.0-U3.

vfs_full_audit annoyances on major version upgrades

I still need to upstream the fix, but a few too many irons in the fire at the moment due to adding NFSv41 ACL support to SCALE.

 

[hikingpete]

I'm glad to see that. Thanks for the update.

 

[Rhazzit]

Thanks for the tip, i wasted a lot of time on it.
But now, i´ve facing another problem: the vfs operation create_file is generating too much garbage even without any files being created.

share auxiliary parameters:
vfs objects=full_audit
full_audit:facility=LOCAL5
full_audit:priority=NOTICE
full_audit:prefix=%u|%I
full_audit:success=linkat, mkdirat, renameat, unlinkat, create_file
full_audit:failure=none

log:
Nov 21 13:57:53 ... - - user|ip|create_file|ok|0x100080|dir|open|/mnt/z-perc6/ShareTest
Nov 21 13:57:56 ... - - user|ip|create_file|ok|0x100080|dir|open|//mnt/z-perc6/ShareTest
Nov 21 13:58:03 ... - - user|ip|create_file|ok|0x100080|dir|open|//mnt/z-perc6/ShareTest
Nov 21 13:58:04 ... - - user|ip|create_file|ok|0x100080|dir|open|//mnt/z-perc6/ShareTest
Nov 21 13:58:15 ... - - user|ip|create_file|ok|0x100080|dir|open|//mnt/z-perc6/ShareTest
Nov 21 13:58:16 ... - - user|ip|create_file|ok|0x100080|dir|open|//mnt/z-perc6/ShareTest
Nov 21 13:58:24 ... - - user|ip|create_file|ok|0x100080|dir|open|//mnt/z-perc6/ShareTest
Nov 21 13:58:25 ... - - user|ip|create_file|ok|0x100080|dir|open|//mnt/z-perc6/ShareTest
.
.
.

Anyone with same problem?