[Pkg-samba-maint] Bug#1007835: samba: Full audit logs all activity instead of selected only -- error after upgrade from buster to bullseye

Leszek Dubiel leszek at dubiel.pl
Thu Mar 17 15:45:45 GMT 2022


Package: samba
Version: 2:4.13.13+dfsg-1~deb11u3
Severity: normal

After the upgrade from buster to bullseye, samba full audit started to log ALL activity
even though the options in /etc/samba/smb.conf stayed the same.

There are two options in /etc/samba/smb.conf

	vfs objects = full_audit
	full_audit:success = mkdir rmdir open rename unlink

Then I rename a file from "old" to "new" and the logs show:

Mar 17 16:40:27 wawel smbd_audit: leszek|192.168.18.35|renameat|ok|/home/leszek/Prywatny/aa/old|/home/leszek/Prywatny/aa/new
Mar 17 16:40:27 wawel smbd_audit: leszek|192.168.18.35|close|ok|/home/leszek/Prywatny/aa/new
Mar 17 16:40:27 wawel smbd_audit: leszek|192.168.18.35|stat|ok|/home/leszek/Prywatny/aa/new
Mar 17 16:40:27 wawel smbd_audit: leszek|192.168.18.35|getxattr|ok|/home/leszek/Prywatny/aa/new|user.DOSATTRIB
Mar 17 16:40:27 wawel smbd_audit: leszek|192.168.18.35|get_dos_attributes|ok|/home/leszek/Prywatny/aa/new
Mar 17 16:40:27 wawel smbd_audit: leszek|192.168.18.35|file_id_create|ok|26:54616484:0
Mar 17 16:40:27 wawel smbd_audit: leszek|192.168.18.35|stat|ok|/home/leszek/Prywatny/aa/new
Mar 17 16:40:27 wawel smbd_audit: leszek|192.168.18.35|sys_acl_get_file|ok|/home/leszek/Prywatny/aa/new
Mar 17 16:40:27 wawel smbd_audit: leszek|192.168.18.35|sys_acl_get_file|ok|/home/leszek/Prywatny/aa/new
Mar 17 16:40:27 wawel smbd_audit: leszek|192.168.18.35|get_nt_acl_at|ok|/home/leszek/Prywatny/aa/new
Mar 17 16:40:27 wawel smbd_audit: leszek|192.168.18.35|stat|ok|/home/leszek/Prywatny/aa/new
Mar 17 16:40:27 wawel smbd_audit: leszek|192.168.18.35|sys_acl_get_file|ok|/home/leszek/Prywatny/aa/new
Mar 17 16:40:27 wawel smbd_audit: leszek|192.168.18.35|sys_acl_get_file|ok|/home/leszek/Prywatny/aa/new
Mar 17 16:40:27 wawel smbd_audit: leszek|192.168.18.35|get_nt_acl_at|ok|/home/leszek/Prywatny/aa/new
Mar 17 16:40:27 wawel smbd_audit: leszek|192.168.18.35|file_id_create|ok|26:54616484:0
Mar 17 16:40:27 wawel smbd_audit: leszek|192.168.18.35|stat|ok|/home/leszek/Prywatny
Mar 17 16:40:27 wawel smbd_audit: leszek|192.168.18.35|file_id_create|ok|26:64129:0
Mar 17 16:40:27 wawel smbd_audit: leszek|192.168.18.35|stat|ok|/home/leszek/Prywatny
Mar 17 16:40:27 wawel smbd_audit: leszek|192.168.18.35|chdir|ok|chdir|/home/leszek/Prywatny/aa/new
Mar 17 16:40:27 wawel smbd_audit: leszek|192.168.18.35|stat|ok|/home/leszek/Prywatny
Mar 17 16:40:27 wawel smbd_audit: leszek|192.168.18.35|file_id_create|ok|26:54616484:0
Mar 17 16:40:27 wawel smbd_audit: leszek|192.168.18.35|getwd|ok|/home/leszek/Prywatny/aa/new
Mar 17 16:40:27 wawel smbd_audit: leszek|192.168.18.35|file_id_create|ok|26:54616484:0
Mar 17 16:40:27 wawel smbd_audit: leszek|192.168.18.35|realpath|ok|/home/leszek/Prywatny/aa/new
Mar 17 16:40:27 wawel smbd_audit: leszek|192.168.18.35|connectpath|ok|/home/leszek/Prywatny/aa/new
Mar 17 16:40:27 wawel smbd_audit: leszek|192.168.18.35|openat|ok|r|/home/leszek/Prywatny/aa/new
Mar 17 16:40:27 wawel smbd_audit: leszek|192.168.18.35|chdir|ok|chdir|/home/leszek/Prywatny
Mar 17 16:40:27 wawel smbd_audit: leszek|192.168.18.35|stat|ok|/home/leszek/Prywatny/aa/new
Mar 17 16:40:27 wawel smbd_audit: leszek|192.168.18.35|file_id_create|ok|26:64129:0
Mar 17 16:40:27 wawel smbd_audit: leszek|192.168.18.35|stat|ok|/home/leszek/Prywatny
Mar 17 16:40:27 wawel smbd_audit: leszek|192.168.18.35|fstat|ok|/home/leszek/Prywatny/aa/new
Mar 17 16:40:27 wawel smbd_audit: leszek|192.168.18.35|create_file|ok|0x80|file|open|/home/leszek/Prywatny/aa/new
Mar 17 16:40:27 wawel smbd_audit: leszek|192.168.18.35|getxattr|ok|/home/leszek/Prywatny/aa/new|user.DOSATTRIB
Mar 17 16:40:27 wawel smbd_audit: leszek|192.168.18.35|get_dos_attributes|ok|/home/leszek/Prywatny/aa/new
Mar 17 16:40:27 wawel smbd_audit: leszek|192.168.18.35|get_alloc_size|ok|0
Mar 17 16:40:27 wawel smbd_audit: leszek|192.168.18.35|fstat|ok|/home/leszek/Prywatny/aa/new
Mar 17 16:40:27 wawel smbd_audit: leszek|192.168.18.35|file_id_create|ok|26:54616484:0
Mar 17 16:40:27 wawel smbd_audit: leszek|192.168.18.35|getxattr|ok|/home/leszek/Prywatny/aa/new|user.DOSATTRIB
Mar 17 16:40:27 wawel smbd_audit: leszek|192.168.18.35|get_dos_attributes|ok|/home/leszek/Prywatny/aa/new
Mar 17 16:40:27 wawel smbd_audit: leszek|192.168.18.35|get_alloc_size|ok|0
Mar 17 16:40:27 wawel smbd_audit: leszek|192.168.18.35|fs_file_id|ok|10992394656229373408
Mar 17 16:40:27 wawel smbd_audit: leszek|192.168.18.35|flistxattr|ok|/home/leszek/Prywatny/aa/new
Mar 17 16:40:27 wawel smbd_audit: leszek|192.168.18.35|close|ok|/home/leszek/Prywatny/aa/new




-- Package-specific info:
* /etc/samba/smb.conf present, and attached
* /var/lib/samba/dhcp.conf present, and attached

-- System Information:
Debian Release: 11.2
   APT prefers stable-updates
   APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.0-12-amd64 (SMP w/8 CPU threads)
Locale: LANG=pl_PL.UTF-8, LC_CTYPE=pl_PL.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages samba depends on:
ii  adduser              3.118
ii  dpkg                 1.20.9
ii  init-system-helpers  1.60
ii  libbsd0              0.11.3-1
ii  libc6                2.31-13+deb11u2
ii  libgnutls30          3.7.1-5
ii  libldb2              2:2.2.3-2~deb11u1
ii  libpam-modules       1.4.0-9+deb11u1
ii  libpam-runtime       1.4.0-9+deb11u1
ii  libpopt0             1.18-2
ii  libpython3.9         3.9.2-1
ii  libtalloc2           2.3.1-2+b1
ii  libtasn1-6           4.16.0-2
ii  libtdb1              1.4.3-1+b1
ii  libtevent0           0.10.2-1
ii  libwbclient0         2:4.13.13+dfsg-1~deb11u3
ii  lsb-base             11.1.0
ii  procps               2:3.3.17-5
ii  python3              3.9.2-3
ii  python3-dnspython    2.0.0-1
ii  python3-samba        2:4.13.13+dfsg-1~deb11u3
ii  samba-common         2:4.13.13+dfsg-1~deb11u3
ii  samba-common-bin     2:4.13.13+dfsg-1~deb11u3
ii  samba-libs           2:4.13.13+dfsg-1~deb11u3
ii  tdb-tools            1.4.3-1+b1

Versions of packages samba recommends:
pn  attr                <none>
ii  logrotate           3.18.0-2
pn  python3-markdown    <none>
pn  samba-dsdb-modules  <none>
ii  samba-vfs-modules   2:4.13.13+dfsg-1~deb11u3

Versions of packages samba suggests:
ii  bind9                     1:9.16.22-1~deb11u1
ii  bind9-utils [bind9utils]  1:9.16.22-1~deb11u1
pn  ctdb                      <none>
pn  ldb-tools                 <none>
ii  ntp                       1:4.2.8p15+dfsg-1
pn  smbldap-tools             <none>
pn  ufw                       <none>
pn  winbind                   <none>

-- Configuration Files:
/etc/logrotate.d/samba changed:
/var/log/samba/log.smbd {
	daily
	missingok
	rotate 90
	postrotate
		[ ! -x /usr/bin/smbcontrol ] || [ ! -f /run/samba/smbd.pid ] || /usr/bin/smbcontrol smbd reload-config
	endscript
	compress
	delaycompress
	notifempty
}
/var/log/samba/log.nmbd {
	daily
	missingok
	rotate 90
	postrotate
		[ ! -x /usr/bin/smbcontrol ] || [ ! -f /run/samba/nmbd.pid ] || /usr/bin/smbcontrol nmbd reload-config
	endscript
	compress
	delaycompress
	notifempty
}
/var/log/samba/log.samba {
	daily
	missingok
	rotate 90
	postrotate
		if [ -d /run/systemd/system ] && command systemctl >/dev/null 2>&1 && systemctl is-active --quiet samba-ad-dc; then
			systemctl kill --kill-who all --signal=SIGHUP samba-ad-dc
		elif [ -f /run/samba/samba.pid ]; then
			# This only sends to main pid, See #803924
			kill -HUP `cat /run/samba/samba.pid`
		fi
	endscript
	compress
	delaycompress
	notifempty
}


-- debconf information:
* samba/tdbsam: true
   samba/nmbd_from_inetd:
   samba/generate_smbpasswd: false
* samba/log_files_moved:
   samba-common/title:
* samba/run_mode: daemons
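
Added example, not part of the original report and not Samba code: a small Python check that compares the operations found in smbd_audit lines with the full_audit:success list quoted in the report. The function names are hypothetical, the user|client-IP field layout is assumed from the report's log lines, and the "at"-suffix comparison is a heuristic prompted by renameat and openat in that excerpt, not a statement about Samba's behaviour.

```python
import re
from collections import Counter

# Value of full_audit:success from the report's smb.conf excerpt.
CONFIGURED_SUCCESS = "mkdir rmdir open rename unlink"
# Five lines copied from the report's log excerpt.
SAMPLE_LOG = """\
Mar 17 16:40:27 wawel smbd_audit: leszek|192.168.18.35|renameat|ok|/home/leszek/Prywatny/aa/old|/home/leszek/Prywatny/aa/new
Mar 17 16:40:27 wawel smbd_audit: leszek|192.168.18.35|close|ok|/home/leszek/Prywatny/aa/new
Mar 17 16:40:27 wawel smbd_audit: leszek|192.168.18.35|stat|ok|/home/leszek/Prywatny/aa/new
Mar 17 16:40:27 wawel smbd_audit: leszek|192.168.18.35|getxattr|ok|/home/leszek/Prywatny/aa/new|user.DOSATTRIB
Mar 17 16:40:27 wawel smbd_audit: leszek|192.168.18.35|openat|ok|r|/home/leszek/Prywatny/aa/new
"""
AUDIT_RE = re.compile(r"\bsmbd_audit: (.+)$")

def parse_audit_line(line):
    """Return (user, client, operation, result, args), or None if not an audit record."""
    # Assumed layout: user|client-IP|operation|result|args..., as in the report.
    match = AUDIT_RE.search(line.rstrip("\n"))
    if match is None:
        return None
    fields = match.group(1).split("|")
    if len(fields) < 4:
        return None
    return fields[0], fields[1], fields[2], fields[3], fields[4:]

def audit_scope_report(log_text, configured=CONFIGURED_SUCCESS):
    """Compare successfully logged operations with the configured list."""
    wanted = set(configured.split())
    logged = Counter()
    for line in log_text.splitlines():
        record = parse_audit_line(line)
        if record is not None and record[3] == "ok":
            logged[record[2]] += 1
    return {
        # Operations that were logged although they are not in the list.
        "outside_list": sorted(set(logged) - wanted),
        # Configured names that appear only with an "at" suffix (heuristic).
        "at_variants": {name: name + "at" for name in sorted(wanted)
                        if name not in logged and name + "at" in logged},
        "counts": dict(logged),
    }

if __name__ == "__main__":
    for key, value in audit_scope_report(SAMPLE_LOG).items():
        print(key, value)
```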
