I had implemented the vfs full_audit module on one of my shares. It was
working with Samba 3.0.x without any problems.
After migration to Samba 3.4.3 this function doesn't work anymore - when
it's enabled, the share isn't accessible to users (it's visible, but I
get an error when trying to connect to it).
Audit and extd_audit vfs's are working fine, but they don't meet my
requirements.
I've tried full_audit on shares with and without extended attributes
(ext3 with xattr), getting the same results.
In the samba debug:10 log I couldn't see anything strange, so I want first
to ask if there is anybody with a working vfs full_audit on samba 3.4.3?
My smb.conf:
# Global parameters
[global]
workgroup = OBRAM
netbios name = PASSAT
server string = OBRAM_PDC
security = user
interfaces = 192.168.0.13 10.0.0.113
smb ports = 139 445
time server = Yes
#
encrypt passwords = yes
enable privileges = yes
obey pam restrictions = No
username map = /etc/samba/smbusers
#
msdfs root = yes
#
log level = 1 vfs:1
#log level = 10
syslog = 3
log file = /var/log/samba/log.%m
max log size = 10000
#
mangling method = hash2
dos charset = 852
Unix charset = UTF-8
display charset = UTF-8
#
logon script = "%G.bat"
logon drive = H:
logon home =
logon path =
lanman auth = no
ntlm auth = no
client ntlmv2 auth = yes
#
nt acl support = yes
#
map hidden = no
map system = no
map archive = no
ea support = yes
map acl inherit = yes
store dos attributes = yes
#
domain logons = Yes
oslevel = 65
preferred master = Yes
domain master = Yes
wins support = Yes
local master = yes
#
passdb backend = ldapsam:"ldap://127.0.0.1 ldap://192.168.0.40"
#
ldapsam:trusted = yes
ldapsam:editposix = yes
#
ldap admin dn = cn=samba,ou=DSA,dc=obram
ldap suffix = dc=obram
ldap user suffix = ou=Users
ldap group suffix = ou=Groups
ldap machine suffix = ou=Computers
ldap idmap suffix = ou=Idmap
#ldap ssl = start tls
ldap ssl = no
ldap delete dn = Yes
ldap passwd sync = Yes
#
idmap uid = 111000-120000
idmap gid = 111000-120000
idmap backend = ldap:"ldap://127.0.0.1 ldap://192.168.0.40"
idmap alloc backend = ldap
idmap alloc config:ldap_base_dn = ou=Idmap,dc=obram
idmap alloc config:ldap_user_dn = cn=samba,ou=DSA,dc=obram
idmap alloc config:ldap_url = ldap://localhost
idmap alloc config:range = 111000-120000
#
template homedir = /home/samba/users/%U
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
#
create mask = 0640
directory mask = 0750
deadtime = 10
guest account = nobody
map to guest = Bad User
dont descend = /proc,/dev,/etc,/lib,/lost+found,/initrd
#
preserve case = yes
short preserve case = yes
case sensitive = auto
load printers = Yes
printing = cups
printcap name = cups
show add printer wizard = yes
#
kernel oplocks = no
#
veto oplock files = /*.mdb/*.MDB/*.pst/*.PST/
#
# NEW Samba 3.4
max open files = 10000
max stat cache size = 1024
registry shares = no
#and this unworking with full_audit share:
[temp]
comment = katalog kasowany co noc
path = /home/samba/temp/
browseable = Yes
guest ok = Yes
read only = No
directory mask = 0755
create mask = 0644
vfs objects = full_audit
full_audit:prefix = %u|%I
full_audit:success = mkdir rename rmdir write open
full_audit:failure = none
csc policy = disable
hide files = /desktop.ini/recycled/RECYCLER/autorun.inf/explorer.exe/
Best regards,
Tomasz Przewlucki
Well it broke everything for me too when I enabled it. I did not try
it before though so I have no idea that it used to work. I had to turn
it off right away. It sure seems like that full_audit is totally broken
at this time (well it logs lots of stuff, it just prevents users from
doing anything too).
--
Len Sorensen
With a freshly compiled v3-4-test (not very far away from
3.4.3, I'm not aware of significant VFS changes), I set up a
share tmp:
[tmp]
path = /tmp
read only = No
available = yes
vfs objects = full_audit
full_audit:prefix = %u|%I
full_audit:success = mkdir rename rmdir write open
full_audit:failure = none
I could connect just fine and do things. What is your exact
problem? Do you have logfiles, or a bit more exact
description of how to reproduce your failure?
Thanks,
Volker
I use posix acl's on ext3 filesystem. I get failures in the log about
getxattr calls. The user can't read any files, but they can browse
directories just fine. The unix permissions alone prevent access,
while the posix acl's are giving access to the users in this case.
The only thing needed to break it is adding 'vfs objects = full_audit'.
Without that, it works fine. It seems at least in my case that the
full_audit breaks posix acl support at least.
What kind of logs would be useful?
The error I see in the audit log is:
Dec 3 16:41:50 rceng01 smbd_audit: <username>|<userip>|getxattr|fail (Operation not supported)|<QA/Test-Procedures-Work/Proc-UCP/scripts/no-static-vlan.txt|user.SAMBA_PAI
A debug level 10 log of smbd both for the success and the
failure case and your smb.conf would definitely help. I've
tried to reproduce any kind of problem with the full_audit
module for several hours now, for me it just works as
expected.
Volker
This just means that your file system does not support
xattrs. You don't have it mounted with "user_xattr".
Volker
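Added example, not part of the thread or of Samba: a small Python parser for full_audit syslog lines in the format quoted above (prefix `%u|%I`, then operation, result and arguments) that counts xattr calls failing with "Operation not supported", the symptom attributed in the thread to a filesystem mounted without user_xattr. The sample log lines, host name and addresses are constructed, and the argument layout of operations other than getxattr is an assumption.

```python
import re
from collections import Counter

# Constructed sample lines in the format shown in the thread
# (full_audit:prefix = %u|%I, so the prefix contributes two fields).
SAMPLE_LOG = """\
Dec  3 16:41:50 fileserver smbd_audit: alice|192.0.2.10|open|ok|r|docs/plan.txt
Dec  3 16:41:50 fileserver smbd_audit: alice|192.0.2.10|getxattr|fail (Operation not supported)|docs/plan.txt|user.SAMBA_PAI
Dec  3 16:41:51 fileserver smbd_audit: bob|192.0.2.11|mkdir|ok|docs/new
Dec  3 16:41:52 fileserver smbd_audit: bob|192.0.2.11|getxattr|fail (Operation not supported)|docs/new|user.SAMBA_PAI
Dec  3 16:41:53 fileserver smbd_audit: bob|192.0.2.11|open|fail (Permission denied)|r|docs/secret.txt
Dec  3 16:41:54 fileserver sshd[812]: unrelated line
"""

# xattr operations whose last logged argument is the attribute name
XATTR_OPS = {"getxattr", "lgetxattr", "fgetxattr",
             "setxattr", "lsetxattr", "fsetxattr"}
RESULT_RE = re.compile(r"^(ok|fail)(?: \((.*)\))?$")

def parse_audit_line(line, prefix_fields=2):
    """Split one smbd_audit syslog line into a dict, or return None."""
    _, sep, payload = line.partition("smbd_audit: ")
    parts = payload.rstrip("\n").split("|")
    if not sep or len(parts) < prefix_fields + 2:
        return None
    m = RESULT_RE.match(parts[prefix_fields + 1])
    if not m:
        return None
    return {
        "prefix": parts[:prefix_fields],      # here: [user, client IP]
        "op": parts[prefix_fields],
        "ok": m.group(1) == "ok",
        "error": m.group(2),                  # strerror text, None on success
        "args": parts[prefix_fields + 2:],
    }

def xattr_unsupported(log_text, prefix_fields=2):
    """Count xattr calls that failed with ENOTSUP, keyed by attribute name."""
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse_audit_line(line, prefix_fields)
        if (rec and not rec["ok"] and rec["op"] in XATTR_OPS
                and rec["error"] == "Operation not supported" and rec["args"]):
            hits[rec["args"][-1]] += 1
    return hits

if __name__ == "__main__":
    for attr, n in xattr_unsupported(SAMPLE_LOG).items():
        print(f"{n} call(s) on {attr} failed: is the share mounted with user_xattr?")
```

If the share uses a different `full_audit:prefix`, pass the number of `|`-separated prefix fields as `prefix_fields`.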