From: Lennart Sorensen on
On Wed, Dec 09, 2009 at 05:47:18PM +0100, Tomasz Przewlucki wrote:
> I had implemented on one of my shares vfs full_audit module. It was
> working with Samba 3.0.x without any problems.
>
> After migration to Samba 3.4.3 this function doesn't work anymore - when
> it's enabled then share isn't accessible from users (it's visible but
> getting error when trying to connect to it).
> Audit and extd_audit vfs's are working fine, but they don't meet my
> requirements.
>
> I've tried full_audit on shares with and without extended attributes
> (ext3 with xattr), getting same results.

Well it broke everything for me too when I enabled it. I did not try
it before though so I have no idea that it used to work. I had to turn
it off right away. It sure seems like that full_audit is totally broken
at this time (well it logs lots of stuff, it just prevents users from
doing anything too).

> In samba debug:10 log I couldn't see anything strange, so I want first
> to ask if there is anybody with working vfs full_audit on samba 3.4.3 ?
>
> My smb.conf:
>
> # Global parameters
> [global]
> workgroup = OBRAM
> netbios name = PASSAT
> server string = OBRAM_PDC
> security = user
> interfaces = 192.168.0.13 10.0.0.113
> smb ports = 139 445
> time server = Yes
> #
> encrypt passwords = yes
> enable privileges = yes
> obey pam restrictions = No
> username map = /etc/samba/smbusers
> #
> msdfs root = yes
> #
> log level = 1 vfs:1
> #log level = 10
> syslog = 3
> log file = /var/log/samba/log.%m
> max log size = 10000
> #
> mangling method = hash2
> dos charset = 852
> Unix charset = UTF-8
> display charset = UTF-8
> #
> logon script = "%G.bat"
> logon drive = H:
> logon home =
> logon path =
> lanman auth = no
> ntlm auth = no
> client ntlmv2 auth = yes
> #
> nt acl support = yes
> #
> map hidden = no
> map system = no
> map archive = no
> ea support = yes
> map acl inherit = yes
> store dos attributes = yes
> #
> domain logons = Yes
> oslevel = 65
> preferred master = Yes
> domain master = Yes
> wins support = Yes
> local master = yes
> #
> passdb backend = ldapsam:"ldap://127.0.0.1 ldap://192.168.0.40"
> #
> ldapsam:trusted = yes
> ldapsam:editposix = yes
> #
> ldap admin dn = cn=samba,ou=DSA,dc=obram
> ldap suffix = dc=obram
> ldap user suffix = ou=Users
> ldap group suffix = ou=Groups
> ldap machine suffix = ou=Computers
> ldap idmap suffix = ou=Idmap
> #ldap ssl = start tls
> ldap ssl = no
> ldap delete dn = Yes
> ldap passwd sync = Yes
> #
> idmap uid = 111000-120000
> idmap gid = 111000-120000
> idmap backend = ldap:"ldap://127.0.0.1 ldap://192.168.0.40"
> idmap alloc backend = ldap
> idmap alloc config:ldap_base_dn = ou=Idmap,dc=obram
> idmap alloc config:ldap_user_dn = cn=samba,ou=DSA,dc=obram
> idmap alloc config:ldap_url = ldap://localhost
> idmap alloc config:range = 111000-120000
> #
> template homedir = /home/samba/users/%U
> winbind enum users = yes
> winbind enum groups = yes
> winbind use default domain = yes
> #
> create mask = 0640
> directory mask = 0750
> deadtime = 10
> guest account = nobody
> map to guest = Bad User
> dont descend = /proc,/dev,/etc,/lib,/lost+found,/initrd
> #
> preserve case = yes
> short preserve case = yes
> case sensitive = auto
> load printers = Yes
> printing = cups
> printcap name = cups
> show add printer wizard = yes
> #
> kernel oplocks = no
> #
> veto oplock files = /*.mdb/*.MDB/*.pst/*.PST/
> #
> # NEW Samba 3.4
> max open files = 10000
> max stat cache size = 1024
> registry shares = no
>
> #and this unworking with full_audit share:
> [temp]
> comment = katalog kasowany co noc
> path = /home/samba/temp/
> browseable = Yes
> guest ok = Yes
> read only = No
> directory mask = 0755
> create mask = 0644
> vfs objects = full_audit
> full_audit:prefix = %u|%I
> full_audit:success = mkdir rename rmdir write open
> full_audit:failure = none
> csc policy = disable
> hide files = /desktop.ini/recycled/RECYCLER/autorun.inf/explorer.exe/
>
> Best regards,
> Tomasz Przewlucki

--
Len Sorensen
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
From: Volker Lendecke on
On Wed, Dec 09, 2009 at 12:29:21PM -0500, Lennart Sorensen wrote:
> On Wed, Dec 09, 2009 at 05:47:18PM +0100, Tomasz Przewlucki wrote:
> > I had implemented on one of my shares vfs full_audit module. It was
> > working with Samba 3.0.x without any problems.
> >
> > After migration to Samba 3.4.3 this function doesn't work anymore - when
> > it's enabled then share isn't accessible from users (it's visible but
> > getting error when trying to connect to it).
> > Audit and extd_audit vfs's are working fine, but they don't meet my
> > requirements.
> >
> > I've tried full_audit on shares with and without extended attributes
> > (ext3 with xattr), getting same results.
>
> Well it broke everything for me too when I enabled it. I did not try
> it before though so I have no idea that it used to work. I had to turn
> it off right away. It sure seems like that full_audit is totally broken
> at this time (well it logs lots of stuff, it just prevents users from
> doing anything too).

With a freshly compiled v3-4-test (not very far away from
3.4.3, I'm not aware of significant VFS changes), I set up a
share tmp:

[tmp]
path = /tmp
read only = No
available = yes
vfs objects = full_audit
full_audit:prefix = %u|%I
full_audit:success = mkdir rename rmdir write open
full_audit:failure = none

I could connect just fine and do things. What is your exact
problem? Do you have logfiles, or a bit more exact
description how to reproduce your failure?

Thanks,

Volker
From: Lennart Sorensen on
On Wed, Dec 09, 2009 at 11:33:46PM +0100, Volker Lendecke wrote:
> On Wed, Dec 09, 2009 at 12:29:21PM -0500, Lennart Sorensen wrote:
> > On Wed, Dec 09, 2009 at 05:47:18PM +0100, Tomasz Przewlucki wrote:
> > > I had implemented on one of my shares vfs full_audit module. It was
> > > working with Samba 3.0.x without any problems.
> > >
> > > After migration to Samba 3.4.3 this function doesn't work anymore - when
> > > it's enabled then share isn't accessible from users (it's visible but
> > > getting error when trying to connect to it).
> > > Audit and extd_audit vfs's are working fine, but they don't meet my
> > > requirements.
> > >
> > > I've tried full_audit on shares with and without extended attributes
> > > (ext3 with xattr), getting same results.
> >
> > Well it broke everything for me too when I enabled it. I did not try
> > it before though so I have no idea that it used to work. I had to turn
> > it off right away. It sure seems like that full_audit is totally broken
> > at this time (well it logs lots of stuff, it just prevents users from
> > doing anything too).
>
> With a freshly compiled v3-4-test (not very far away from
> 3.4.3, I'm not aware of significant VFS changes), I set up a
> share tmp:
>
> [tmp]
> path = /tmp
> read only = No
> available = yes
> vfs objects = full_audit
> full_audit:prefix = %u|%I
> full_audit:success = mkdir rename rmdir write open
> full_audit:failure = none
>
> I could connect just fine and do things. What is your exact
> problem? Do you have logfiles, or a bit more exact
> description how to reproduce your failure?

I use posix acl's on ext3 filesystem. I get failures in the log about
getxattr calls. The user can't read any files, but they can browse
directories just fine. The unix permissions alone prevent access,
while the posix acl's are giving access to the users in this case.

The only thing needed to break it is adding 'vfs objects = full_audit'.
Without that, it works fine. It seems at least in my case that the
full_audit breaks posix acl support at least.

What kind of logs would be useful?

--
Len Sorensen
From: Volker Lendecke on
On Wed, Dec 09, 2009 at 06:14:57PM -0500, Lennart Sorensen wrote:
> The error I see in the audit log is:
>
> Dec 3 16:41:50 rceng01 smbd_audit:
> <username>|<userip>|getxattr|fail (Operation not
> supported)|<QA/Test-Procedures-Work/Proc-UCP/scripts/no-static-vlan.txt|user.SAMBA_PAI

This just means that your file system does not support
xattrs. You don't have it mounted with "user_xattr".

Volker
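
The reply above ties the `getxattr|fail (Operation not supported)` audit line to a filesystem mounted without `user_xattr`. As an added example (not part of the thread and not Samba code), this Python sketch pulls those failures out of full_audit syslog lines that use the thread's `%u|%I` prefix and checks a /proc/mounts-style table for the option; the log lines, mount table, user names, addresses and function names are all constructed for illustration.

```python
import re

# Constructed sample data: audit lines use the thread's "%u|%I" prefix,
# the mount table follows the /proc/mounts layout.
SAMPLE_LOG = """\
Dec  3 16:41:50 fileserver smbd_audit: alice|192.0.2.10|open|ok|r|docs/a.txt
Dec  3 16:41:50 fileserver smbd_audit: alice|192.0.2.10|getxattr|fail (Operation not supported)|docs/a.txt|user.SAMBA_PAI
Dec  3 16:41:51 fileserver smbd_audit: bob|192.0.2.11|getxattr|fail (No data available)|docs/b.txt|user.DOSATTRIB
"""
SAMPLE_MOUNTS = """\
/dev/sda1 / ext3 rw,errors=remount-ro 0 0
/dev/sdb1 /home/samba ext3 rw,acl 0 0
/dev/sdc1 /srv/data ext3 rw,acl,user_xattr 0 0
"""

# prefix (user|ip), operation, "ok" or "fail (strerror)", then the arguments
AUDIT_RE = re.compile(
    r"smbd_audit: (?P<user>[^|]*)\|(?P<ip>[^|]*)\|(?P<op>[^|]*)\|"
    r"(?P<result>ok|fail \((?P<err>[^)]*)\))\|(?P<args>.*)$")

def xattr_unsupported(log_text):
    """Return (user, ip, path, attr) for getxattr calls that failed with ENOTSUP."""
    hits = []
    for line in log_text.splitlines():
        m = AUDIT_RE.search(line)
        if not m or m["op"] != "getxattr" or m["err"] != "Operation not supported":
            continue
        path, _, attr = m["args"].rpartition("|")  # last field is the attribute name
        hits.append((m["user"], m["ip"], path, attr))
    return hits

def mount_for(path, mounts_text):
    """Return (mount_point, options) of the longest mount point containing path."""
    best = None
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        mnt, opts = fields[1], fields[3].split(",")
        if path == mnt or path.startswith(mnt.rstrip("/") + "/"):
            if best is None or len(mnt) > len(best[0]):
                best = (mnt, opts)
    return best

def has_user_xattr(path, mounts_text):
    """True if the filesystem holding path lists the user_xattr mount option."""
    found = mount_for(path, mounts_text)
    return found is not None and "user_xattr" in found[1]

if __name__ == "__main__":
    print(xattr_unsupported(SAMPLE_LOG), has_user_xattr("/home/samba/temp", SAMPLE_MOUNTS))
```

A missing `user_xattr` entry is a hint rather than proof, because a filesystem can have the option enabled through default mount options that the table does not list.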
From: Volker Lendecke on
On Wed, Dec 09, 2009 at 06:13:35PM -0500, Lennart Sorensen wrote:
> I use posix acl's on ext3 filesystem. I get failures in the log about
> getxattr calls. The user can't read any files, but they can browse
> directories just fine. The unix permissions alone prevent access,
> while the posix acl's are giving access to the users in this case.
>
> The only thing needed to break it is adding 'vfs objects = full_audit'.
> Without that, it works fine. It seems at least in my case that the
> full_audit breaks posix acl support at least.
>
> What kind of logs would be useful?

A debug level 10 log of smbd both for the success and the
failure case and your smb.conf would definitely help. I've
tried to reproduce any kind of problem with the full_audit
module for several hours now, for me it just works as
expected.

Volker