Problem
One of the users can't access files on the server after I added samba logging with full_audit. She would click on a file through Active Directory, and immediately be disconnected. After reverting my changes for the auditing, there was no problem.
My FreeNAS Version
When I type 'cat /etc/motd':
What I Changed for Full Audit
We have small group of users (8-9) that access the server through CIFS active directory, set up on computers with windows 7. Today I introduced logging to track user access to files following the suggestions shown here. I editted the /conf/base/etc/local/syslog-ng.conf.freenas and the /etc/local/syslog-ng.conf files with the following line:
The only difference between what I did and what was suggested in the link was the file path so that users could access the log through AD. I also changed the /conf/base/etc/newsyslog.conf file, with the same file path.
After making these changes, I restarted the syslog-ng service, and the logging started.
Troubleshooting
FYI, from my computer it works fine, I access a file, it logs the access. I tried accessing the same files from my PC and was successful.
This is what the /var/log/messages entries are at the time the user tried to access files:
Are these the disconnects I mentioned earlier? Is there any more information here that could pinpoint the source of this user's problem? These messages are then followed by smbd_audit messages of me successfully accessing the files.
What can I do on the client end to troubleshoot this?
This was an inherited setup, I have no prior experience with server maintenance, please forgive my ignorance. We want to track user activity because folders appear to be missing/deleted and would like to know who the last user to access the file was.
One of the users can't access files on the server after I added samba logging with full_audit. She would click on a file through Active Directory, and immediately be disconnected. After reverting my changes for the auditing, there was no problem.
My FreeNAS Version
When I type 'cat /etc/motd':
Code:
FreeBSD 10.3-STABLE (FreeNAS.amd64) #0 1a8180b(9.10-STABLE): Tue Jun 7 13:16:10 PDT 2016
What I Changed for Full Audit
We have small group of users (8-9) that access the server through CIFS active directory, set up on computers with windows 7. Today I introduced logging to track user access to files following the suggestions shown here. I editted the /conf/base/etc/local/syslog-ng.conf.freenas and the /etc/local/syslog-ng.conf files with the following line:
Code:
destination m_samba_audit { file("/mnt/Sigma/Omega/UserLogs/activity.log"); };
log { source(src); filter(f_local5);destination(m_samba_audit); flags(final); };The only difference between what I did and what was suggested in the link was the file path so that users could access the log through AD. I also changed the /conf/base/etc/newsyslog.conf file, with the same file path.
After making these changes, I restarted the syslog-ng service, and the logging started.
Troubleshooting
FYI, from my computer it works fine, I access a file, it logs the access. I tried accessing the same files from my PC and was successful.
This is what the /var/log/messages entries are at the time the user tried to access files:
Code:
Mar 13 15:11:20 Sigma kernel: pid 46182 (smbd), uid 0: exited on signal 6 (core dumped) Mar 13 15:11:20 Sigma kernel: pid 21437 (smbd), uid 0: exited on signal 6 (core dumped) Mar 13 15:11:55 Sigma kernel: pid 21451 (smbd), uid 0: exited on signal 6 (core dumped) Mar 13 15:11:55 Sigma kernel: pid 21481 (smbd), uid 0: exited on signal 6 (core dumped) Mar 13 15:14:25 Sigma kernel: pid 21625 (smbd), uid 0: exited on signal 6 (core dumped) Mar 13 15:14:25 Sigma kernel: pid 21676 (smbd), uid 0: exited on signal 6 (core dumped) Mar 13 15:17:45 Sigma kernel: pid 21763 (smbd), uid 0: exited on signal 6 (core dumped) Mar 13 15:17:45 Sigma kernel: pid 21900 (smbd), uid 0: exited on signal 6 (core dumped) Mar 13 15:32:23 Sigma kernel: pid 21914 (smbd), uid 0: exited on signal 6 (core dumped) Mar 13 15:32:23 Sigma kernel: pid 22828 (smbd), uid 0: exited on signal 6 (core dumped) Mar 13 15:46:05 Sigma kernel: pid 22905 (smbd), uid 0: exited on signal 6 (core dumped) Mar 13 15:46:06 Sigma kernel: pid 23697 (smbd), uid 0: exited on signal 6 (core dumped) Mar 13 15:48:00 Sigma kernel: pid 23771 (smbd), uid 0: exited on signal 6 (core dumped) Mar 13 15:48:00 Sigma kernel: pid 23831 (smbd), uid 0: exited on signal 6 (core dumped) Mar 13 15:48:00 Sigma kernel: pid 23848 (smbd), uid 0: exited on signal 6 (core dumped) Mar 13 15:48:00 Sigma kernel: pid 23861 (smbd), uid 0: exited on signal 6 (core dumped) Mar 13 15:48:22 Sigma kernel: pid 23876 (smbd), uid 0: exited on signal 6 (core dumped) Mar 13 15:48:22 Sigma kernel: pid 23904 (smbd), uid 0: exited on signal 6 (core dumped)
Are these the disconnects I mentioned earlier? Is there any more information here that could pinpoint the source of this user's problem? These messages are then followed by smbd_audit messages of me successfully accessing the files.
What can I do on the client end to troubleshoot this?
This was an inherited setup, I have no prior experience with server maintenance, please forgive my ignorance. We want to track user activity because folders appear to be missing/deleted and would like to know who the last user to access the file was.
