You could check in /etc/samba/smb.conf to make sure that the audit logging entries have been created.
I did this:
cp /etc/samba/smb.conf /etc/samba/smb.conf-
db accounts setprop Primary Audit enabled
signal-event ibay-modify Primary
diff -u /etc/samba/smb.conf /etc/samba/smb.conf-
The results looked like this (sorry - I 'diffed' them in the wrong order, so the new content is marked with a minus):
diff -u /etc/samba/smb.conf /etc/samba/smb.conf-
--- /etc/samba/smb.conf 2018-02-03 07:51:52.966527426 -0500
+++ /etc/samba/smb.conf- 2018-02-03 07:41:50.807661212 -0500
@@ -153,12 +153,6 @@
-vfs objects = full_audit
- full_audit:priority=notice
- full_audit:success=opendir mkdir rmdir open write rename unlink
- full_audit:failure=connect
- full_audit:facility=local5
- full_audit:prefix=%u|%I|%S
(with the new content in the section related to '[Primary]').
As soon as I accessed the Primary i-bay using samba from my macbook, the audit log was populated:
tail /var/log/samba/tail samba_audit
Feb 3 07:52:13 office smbd[27499]: mmccarn|192.168.200.110|Primary|opendir|ok|.
Feb 3 07:52:13 office smbd[27499]: mmccarn|192.168.200.110|Primary|opendir|ok|.
Feb 3 07:52:13 office smbd[27499]: mmccarn|192.168.200.110|Primary|opendir|ok|.
Feb 3 07:52:13 office smbd[27499]: mmccarn|192.168.200.110|Primary|opendir|ok|.
Feb 3 07:52:18 office smbd[27499]: mmccarn|192.168.200.110|Primary|opendir|ok|.
Feb 3 07:52:18 office smbd[27499]: mmccarn|192.168.200.110|Primary|opendir|ok|.
Feb 3 07:52:18 office smbd[27499]: mmccarn|192.168.200.110|Primary|opendir|ok|.
Feb 3 07:52:23 office smbd[27499]: mmccarn|192.168.200.110|Primary|opendir|ok|.
Feb 3 07:52:23 office smbd[27499]: mmccarn|192.168.200.110|Primary|opendir|ok|.
Feb 3 07:52:23 office smbd[27499]: mmccarn|192.168.200.110|Primary|opendir|ok|.
The same procedure didn't work on another "ibay" -- until I realized that the other ibay was actually a user account.
Adding the 'full_audit' directives shown above to the [homes] section of /etc/samba/smb.conf, then restarting smbd (sv t smbd) started generating samba_audit entries when I access my user folder. You'd need a custom copy of /etc/samba/smb.conf/50homes if you wanted to enable audit logging on user folders persistently.