Bug 272471 - net/samba416 vfs full_audit not logging as expected
Status: New
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: amd64 Any
: --- Affects Some People
Assignee: Timur I. Bakeyev
Reported: 2023-07-12 14:44 UTC by rob2g2
Modified: 2023-07-19 10:39 UTC

bugzilla: maintainer-feedback? (timur)


Description rob2g2 2023-07-12 14:44:35 UTC
the following config:

   vfs objects = full_audit
   full_audit: failure = open
   full_audit: success = all
   full_audit: prefix = %U|%I|%m|%S|%L|%R|%a|%T|%D
   full_audit: facility = local7
   full_audit: priority = NOTICE

creates the following log entries when creating a file:

Jul 12 16:05:44 testserver smbd_audit[19042]: myuser|192.168.1.12|testvm|IPC_|ZION|SMB3_11|OSX|2023/07/12 16:05:44|TESTSERVER|chdir|ok|chdir|/
Jul 12 16:05:44 testserver smbd_audit[19042]: myuser|192.168.1.12|testvm|IPC_|ZION|SMB3_11|OSX|2023/07/12 16:05:44|TESTSERVER|stat|ok|/tmp
Jul 12 16:05:44 testserver smbd_audit[19042]: myuser|192.168.1.12|testvm|IPC_|ZION|SMB3_11|OSX|2023/07/12 16:05:44|TESTSERVER|file_id_create|ok|14533708491458043592:34:0

this is also the case with 4.13

On Ubuntu 22.04 with Samba 4.15 and Debian with Samba 4.18, a log entry looks like the following (it provides more information, and the information I would need and expect):


2023-07-12T16:38:54.432092+02:00 deb12 smbd_audit: myuser|192.168.1.15|win10vm|testshare|DEB12|SMB3_11|Vista|2023/07/12 16:38:54|DEB12|openat|ok|r|/files/testshare/test - Copy.txt
2023-07-12T16:38:54.432399+02:00 deb12 smbd_audit: myuser|192.168.1.15|win10vm|testshare|DEB12|SMB3_11|Vista|2023/07/12 16:38:54|DEB12|fstat|ok|/files/testshare/test - Copy.txt
2023-07-12T16:38:54.432708+02:00 deb12 smbd_audit: myuser|192.168.1.15|win10vm|testshare|DEB12|SMB3_11|Vista|2023/07/12 16:38:54|DEB12|file_id_create|ok|65025:654084:0
2023-07-12T16:38:54.432992+02:00 deb12 smbd_audit: myuser|192.168.1.15|win10vm|testshare|DEB12|SMB3_11|Vista|2023/07/12 16:38:54|DEB12|fgetxattr|ok|/files/testshare/test - Copy.txt|user.DOSATTRIB
2023-07-12T16:38:54.433237+02:00 deb12 smbd_audit: myuser|192.168.1.15|win10vm|testshare|DEB12|SMB3_11|Vista|2023/07/12 16:38:54|DEB12|fget_dos_attributes|ok|/files/testshare/test - Copy.txt
2023-07-12T16:38:54.433498+02:00 deb12 smbd_audit: myuser|192.168.1.15|win10vm|testshare|DEB12|SMB3_11|Vista|2023/07/12 16:38:54|DEB12|file_id_create|ok|65025:654084:0
2023-07-12T16:38:54.433762+02:00 deb12 smbd_audit: myuser|192.168.1.15|win10vm|testshare|DEB12|SMB3_11|Vista|2023/07/12 16:38:54|DEB12|get_alloc_size|ok|4096
2023-07-12T16:38:54.434045+02:00 deb12 smbd_audit: myuser|192.168.1.15|win10vm|testshare|DEB12|SMB3_11|Vista|2023/07/12 16:38:54|DEB12|fs_file_id|ok|654084
2023-07-12T16:38:54.434295+02:00 deb12 smbd_audit: myuser|192.168.1.15|win10vm|testshare|DEB12|SMB3_11|Vista|2023/07/12 16:38:54|DEB12|flistxattr|ok|/files/testshare/test - Copy.txt
2023-07-12T16:38:54.434538+02:00 deb12 smbd_audit: myuser|192.168.1.15|win10vm|testshare|DEB12|SMB3_11|Vista|2023/07/12 16:38:54|DEB12|file_id_create|ok|65025:654084:0
2023-07-12T16:38:54.434813+02:00 deb12 smbd_audit: myuser|192.168.1.15|win10vm|testshare|DEB12|SMB3_11|Vista|2023/07/12 16:38:54|DEB12|close|ok|/files/testshare/test - Copy.txt


note, the file share name under FreeBSD is wrong and of course the file id should be the path of the file.
Comment 1 rob2g2 2023-07-14 12:03:41 UTC
further observation:
I had previously enabled "vfs objects = zfsacl" in the shares. Since I am currently investigating strange problems where a few users cannot edit files, I disabled that setting, and voila, the logs contain all the information I wanted.
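
Added example, not part of the original report and not Samba's own code: a small checker that parses smbd_audit syslog lines using the prefix from the configuration above and lists every (server, share) pair for which no file open was ever logged, which is the gap the FreeBSD output shows. The field names, the `OPEN_OPS` set and the function names are assumptions made for this sketch; the sample lines are copied from the logs in the description.

```python
import re
from collections import defaultdict

# Names for the prefix used on this page: %U|%I|%m|%S|%L|%R|%a|%T|%D
PREFIX_FIELDS = ["user", "client_ip", "client_name", "share", "server",
                 "protocol", "arch", "time", "domain"]
# Matches both syslog layouts shown above ("smbd_audit[pid]: " and "smbd_audit: ").
AUDIT_RE = re.compile(r"smbd_audit(?:\[\d+\])?: (.*)$")
# Assumption: seeing one of these operations proves file opens are being audited.
OPEN_OPS = {"open", "openat"}

SAMPLE = [  # copied from the logs quoted in the description
    "Jul 12 16:05:44 testserver smbd_audit[19042]: myuser|192.168.1.12|testvm|IPC_|ZION|SMB3_11|OSX|2023/07/12 16:05:44|TESTSERVER|chdir|ok|chdir|/",
    "Jul 12 16:05:44 testserver smbd_audit[19042]: myuser|192.168.1.12|testvm|IPC_|ZION|SMB3_11|OSX|2023/07/12 16:05:44|TESTSERVER|stat|ok|/tmp",
    "Jul 12 16:05:44 testserver smbd_audit[19042]: myuser|192.168.1.12|testvm|IPC_|ZION|SMB3_11|OSX|2023/07/12 16:05:44|TESTSERVER|file_id_create|ok|14533708491458043592:34:0",
    "2023-07-12T16:38:54.432092+02:00 deb12 smbd_audit: myuser|192.168.1.15|win10vm|testshare|DEB12|SMB3_11|Vista|2023/07/12 16:38:54|DEB12|openat|ok|r|/files/testshare/test - Copy.txt",
    "2023-07-12T16:38:54.434813+02:00 deb12 smbd_audit: myuser|192.168.1.15|win10vm|testshare|DEB12|SMB3_11|Vista|2023/07/12 16:38:54|DEB12|close|ok|/files/testshare/test - Copy.txt",
]

def parse_line(line):
    """Return a dict for one smbd_audit line, or None if it does not fit the prefix."""
    m = AUDIT_RE.search(line.rstrip("\n"))
    if not m:
        return None
    parts = m.group(1).split("|")
    n = len(PREFIX_FIELDS)
    if len(parts) < n + 2:          # prefix + operation + result are mandatory
        return None
    rec = dict(zip(PREFIX_FIELDS, parts[:n]))
    rec["op"], rec["result"] = parts[n], parts[n + 1]
    rec["args"] = parts[n + 2:]     # note: a path containing '|' is split here
    return rec

def shares_without_opens(lines):
    """List (server, share) pairs that logged activity but never a file open."""
    ops_by_share = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec:
            ops_by_share[(rec["server"], rec["share"])].add(rec["op"])
    return sorted(k for k, ops in ops_by_share.items() if not ops & OPEN_OPS)

if __name__ == "__main__":
    for server, share in shares_without_opens(SAMPLE):
        print(f"no open/openat audited for share {share!r} on {server}")
```

Run against a day's worth of audit log, a non-empty result means file access on that share is not producing a usable audit trail.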