the following config: vfs objects = full_audit full_audit: failure = open full_audit: success = all full_audit: prefix = %U|%I|%m|%S|%L|%R|%a|%T|%D full_audit: facility = local7 full_audit: priority = NOTICE creates the following log entries when creating a file: Jul 12 16:05:44 testserver smbd_audit[19042]: myuser|192.168.1.12|testvm|IPC_|ZION|SMB3_11|OSX|2023/07/12 16:05:44|TESTSERVER|chdir|ok|chdir|/ Jul 12 16:05:44 testserver smbd_audit[19042]: myuser|192.168.1.12|testvm|IPC_|ZION|SMB3_11|OSX|2023/07/12 16:05:44|TESTSERVER|stat|ok|/tmp Jul 12 16:05:44 testserver smbd_audit[19042]: myuser|192.168.1.12|testvm|IPC_|ZION|SMB3_11|OSX|2023/07/12 16:05:44|TESTSERVER|file_id_create|ok|14533708491458043592:34:0 this is also the case with 4.13 On Ubuntu 22.04 with Samba 4.15 and Debian with Samba 4.18, a log entry looks like the following (provides more information, and the information I would need expect): 2023-07-12T16:38:54.432092+02:00 deb12 smbd_audit: myuser|192.168.1.15|win10vm|testshare|DEB12|SMB3_11|Vista|2023/07/12 16:38:54|DEB12|openat|ok|r|/files/testshare/test - Copy.txt 2023-07-12T16:38:54.432399+02:00 deb12 smbd_audit: myuser|192.168.1.15|win10vm|testshare|DEB12|SMB3_11|Vista|2023/07/12 16:38:54|DEB12|fstat|ok|/files/testshare/test - Copy.txt 2023-07-12T16:38:54.432708+02:00 deb12 smbd_audit: myuser|192.168.1.15|win10vm|testshare|DEB12|SMB3_11|Vista|2023/07/12 16:38:54|DEB12|file_id_create|ok|65025:654084:0 2023-07-12T16:38:54.432992+02:00 deb12 smbd_audit: myuser|192.168.1.15|win10vm|testshare|DEB12|SMB3_11|Vista|2023/07/12 16:38:54|DEB12|fgetxattr|ok|/files/testshare/test - Copy.txt|user.DOSATTRIB 2023-07-12T16:38:54.433237+02:00 deb12 smbd_audit: myuser|192.168.1.15|win10vm|testshare|DEB12|SMB3_11|Vista|2023/07/12 16:38:54|DEB12|fget_dos_attributes|ok|/files/testshare/test - Copy.txt 2023-07-12T16:38:54.433498+02:00 deb12 smbd_audit: myuser|192.168.1.15|win10vm|testshare|DEB12|SMB3_11|Vista|2023/07/12 16:38:54|DEB12|file_id_create|ok|65025:654084:0 2023-07-12T16:38:54.433762+02:00 deb12 smbd_audit: myuser|192.168.1.15|win10vm|testshare|DEB12|SMB3_11|Vista|2023/07/12 16:38:54|DEB12|get_alloc_size|ok|4096 2023-07-12T16:38:54.434045+02:00 deb12 smbd_audit: myuser|192.168.1.15|win10vm|testshare|DEB12|SMB3_11|Vista|2023/07/12 16:38:54|DEB12|fs_file_id|ok|654084 2023-07-12T16:38:54.434295+02:00 deb12 smbd_audit: myuser|192.168.1.15|win10vm|testshare|DEB12|SMB3_11|Vista|2023/07/12 16:38:54|DEB12|flistxattr|ok|/files/testshare/test - Copy.txt 2023-07-12T16:38:54.434538+02:00 deb12 smbd_audit: myuser|192.168.1.15|win10vm|testshare|DEB12|SMB3_11|Vista|2023/07/12 16:38:54|DEB12|file_id_create|ok|65025:654084:0 2023-07-12T16:38:54.434813+02:00 deb12 smbd_audit: myuser|192.168.1.15|win10vm|testshare|DEB12|SMB3_11|Vista|2023/07/12 16:38:54|DEB12|close|ok|/files/testshare/test - Copy.txt note, the file share name under FreeBSD is wrong and of course the file id should be the path of the file.
further observation: I have enabled "vfs objects = zfsacl" previously in the shares. Since I am currently investigating strange problems where few users cannot edit files, I disabled that setting, and voila, the logs contain all the information I wanted.