Topic: How to turn on samba auditing please?

[ntblade]

Hi,
How do I turn on samba auditing please?
A user told me he was working on a folder in an i-bay when the contents "dissappeared".  Is there a way to find out if the folder was deleted and who deleted it?

Noz

[kruhm]

Hi,
How do I turn on samba auditing please?
A user told me he was working on a folder in an i-bay when the contents "dissappeared".  Is there a way to find out if the folder was deleted and who deleted it?

Noz

The SME SERVER has a blank Samba loglevel by default. If you need to turn it on, you can customize the setting correctly with a template.

Of course, this won't help in getting the info back.

You can turn on RECYCLEBIN for an ibay (if something is deleted, an ADMIN can get it back).
-db accounts setprop ibayname RecycleBin enabled
-signal-event ibay-modify ibayname

I should probably add this to the WIKI...

Or you can retrieve info with a backup.

[ntblade]

Thanks for that.

The client wasn't too keen to spend much on backup hardware.  I managed to persuade him that he should do some sort of backup so I have an external drive on order.  However, the folder deletion happened AFTER I placed the order.  He understands the importance now!

N

[ntblade]

The SME SERVER has a blank Samba loglevel by default. If you need to turn it on, you can customize the setting correctly with a template.

Sorry, can't see that my smb.conf.  Looks like I should be doing something like this...
http://www.mail-archive.com/samba@lists.samba.org/msg86518.html

???
N

[kruhm]

"He understands the importance now!"
They usually come around after they have 1 or 2 bad episodes. Lucky for him it wasn't a worse case.

"Sorry, can't see that my smb.conf."
Why not?
-cat /etc/samba/smb.conf

[ntblade]

Why not?
-cat /etc/samba/smb.conf

Because I don't know what I'm looking for! ;¬)

After some reading it looks like the samba auditing is "stackable module"...

Code: [Select]

[root@nas samba]# ll /usr/lib/samba/vfs/
total 116
-rwxr-xr-x  1 root root  5780 May 14  2007 audit.so
-rwxr-xr-x  1 root root  8252 May 14  2007 cap.so
-rwxr-xr-x  1 root root  4024 May 14  2007 default_quota.so
-rwxr-xr-x  1 root root  6576 May 14  2007 expand_msdfs.so
-rwxr-xr-x  1 root root  9880 May 14  2007 extd_audit.so
-rwxr-xr-x  1 root root  3284 May 14  2007 fake_perms.so
-rwxr-xr-x  1 root root 19536 May 14  2007 full_audit.so
-rwxr-xr-x  1 root root  8068 May 14  2007 netatalk.so
-rwxr-xr-x  1 root root 15588 May 14  2007 readonly.so
-rwxr-xr-x  1 root root 14048 May 14  2007 recycle.so
-rwxr-xr-x  1 root root  6672 May 14  2007 shadow_copy.so

and from:http://samba.org/samba/docs/man/Samba-HOWTO-Collection/VFS.html
that we should maybe change the ibay section to...

Code: [Select]

[test]
comment = test ibay


path = /home/e-smith/files/ibays/test/files
read only = no
writable = yes
printable = no
inherit permissions = yes
create mode = 0660


vfs objects = audit recycle
  recycle:exclude_dir=/tmp|/temp|/cache
  recycle:repository=Recycle Bin
  recycle:versions=False
  recycle:keeptree=True
  recycle:touch=True
  recycle:exclude=*.tmp|*.temp|*.o|*.obj|~$*
Would be great if this were supported in the same manner as turning on the Recycle Bin.  (That part worked perfectly - thanks)

[thomasch]

Thanks for that.

The client wasn't too keen to spend much on backup hardware.  I managed to persuade him that he should do some sort of backup so I have an external drive on order.  However, the folder deletion happened AFTER I placed the order.  He understands the importance now!

N

In case you dont want to spend on backup hardware :

Do a daily backup to FreeNAS installed on top of vmware in the SME or do a daily backup to another partition/disk.
Save you some trouble if you don't have a hardware backup handy.

my 2 cents

[ntblade]

The Plan in this case is to backup to an External USB Drive.  Not Perfect but better than nothing.

For another client I'm going to use another SME Server with 2 x 500G Drives in RAID 1 acting as a NAS box...
http://forums.contribs.org/index.php?topic=39230.0

thanks for the reply

N