  1. Introduction
  2. Scripts
  3. Feedback

1. Introduction

You can set up Samba logging to make your life easier. Here's part of the global section for a production smb.conf file:

# Logging:
# %I = separate log for each IP address
#
# log level is an integer from 0 to 10, defaulting to 0.
# Higher value = more detail.  At level 0, only critical errors
# and serious warnings will be logged.  Level 1 is good for
# day-to-day operations; it generates a small amount of information
# about operations carried out.
log file = /var/log/samba/%I
log level = 2
log nt token command =
max log size = 0

I have /var/log/samba set up as a symlink that's rotated at 12:01 am every night, because Samba logs can be disk-hogs. Here's the code -- group "mis" is for the sysadmin folks only:

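#!/bin/sh
# Point /var/log/samba at a fresh dated directory; run nightly from cron.
symlink='/var/log/samba'
logdir=/lots/of/room
# Create the base directory once: setgid, group "mis", no access for others.
test -d "$logdir" || {
    mkdir -p "$logdir" && chmod 2770 "$logdir" && chgrp mis "$logdir"
}
newlog=$(date "+$logdir/%Y/%m%d")
mkdir -p "$newlog"
if test -d "$newlog"; then
    # Replace yesterday's link with one pointing at today's directory.
    test -L "$symlink" && rm "$symlink"
    ln -s "$newlog" "$symlink" || echo "ln -s failed" >&2
    test -L "$symlink" || echo "$symlink not a link" >&2
else
    echo "cannot mkdir $newlog" >&2
fi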

The Samba server has to be restarted for this to work. Let's assume user "edward" on 10.0.0.1 keeps his correspondence under the "twilight" share. His logfile (/lots/of/room/2012/0719/10.0.0.1) might look like:

[2012/07/19 04:02:19,  2] auth/auth.c:304(check_ntlm_password)
  check_ntlm_password:  authentication for user
  [edward] -> [edward] -> [edward] succeeded
[2012/07/19 04:02:19,  2] lib/access.c:406(check_access)
  Allowed connection from 10.0.0.1 (10.0.0.1)
[2012/07/19 04:02:19,  1] smbd/service.c:1070(make_connection_snum)
  deadguy (10.0.0.1) signed connect to service twilight initially as user
  edward (uid=20001, gid=20001) (pid 10506)
[2012/07/19 04:02:20,  2] smbd/open.c:631(open_file)
  edward opened file love-bella.pst read=Yes write=Yes (numopen=1)
[2012/07/19 04:02:20,  2] smbd/open.c:631(open_file)
  edward opened file ~love-bella.pst.tmp read=Yes write=Yes (numopen=2)
[2012/07/19 04:03:20,  2] smbd/close.c:656(close_normal_file)
  edward closed file ~love-bella.pst.tmp (numopen=1) NT_STATUS_OK

The "authentication for user" line tells you who tried to authenticate and whether they succeeded. The "signed connect to service" line tells you which share they tried to access, and "read=Yes write=Yes" shows which files they're trying to modify rather than just read.

Make the twilight share writable by group "twilight", and make edward a member of that group if he has any business messing with those files. Here's the smb.conf stanza for share access:

[twilight]
    comment = Vamp drive
    path = /path/to/twilight
    read list = +wolves
    write list = +twilight,+mis
    invalid users = +volturi
    force group = twilight
    read only = No
    writable = yes
    public = no
    force create mode = 0660
    force directory mode = 0775
    acl group control = Yes
    inherit owner = Yes
    # Fix stupid readonly file problem
    nt acl support = No
    posix locking = No
    map readonly = Permissions
    blocking locks = No

User "jacob" in group "wolves" can only read the files. User "jane" in group "volturi" won't be allowed to connect at all. A few days' worth of logfiles will show you who's doing what.
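
An added example (not from the original article): a Python parser for the level-2 log format shown above that reports failed logins, share connects, and files opened with write=Yes. The sample data is constructed, and the wording of the FAILED line and the names records/summarize are assumptions.

```python
import re
import sys

# Constructed sample in the format shown above; the FAILED wording is assumed.
SAMPLE = """\
[2012/07/19 04:02:19,  2] auth/auth.c:304(check_ntlm_password)
  check_ntlm_password:  authentication for user
  [edward] -> [edward] -> [edward] succeeded
[2012/07/19 04:02:19,  1] smbd/service.c:1070(make_connection_snum)
  deadguy (10.0.0.1) signed connect to service twilight initially as user
  edward (uid=20001, gid=20001) (pid 10506)
[2012/07/19 04:02:20,  2] smbd/open.c:631(open_file)
  edward opened file love-bella.pst read=Yes write=Yes (numopen=1)
[2012/07/19 04:05:00,  2] smbd/open.c:631(open_file)
  jacob opened file old letters.txt read=Yes write=No (numopen=1)
[2012/07/19 04:06:00,  2] auth/auth.c:304(check_ntlm_password)
  check_ntlm_password:  Authentication for user [jane] -> [jane] FAILED
"""

HEADER = re.compile(r"\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d)(?:\.\d+)?,\s*\d+\] ")
AUTH = re.compile(r"authentication for user \[([^\]]*)\].*?\b(succeeded|FAILED)\b", re.I)
CONNECT = re.compile(r"connect to service (\S+) initially as user (\S+)")
OPENED = re.compile(r"(\S+) opened file (.+) read=(Yes|No) write=(Yes|No)")

def records(text):
    """Yield (timestamp, message), joining indented continuation lines."""
    for chunk in re.split(r"(?m)^(?=\[\d{4}/\d\d/\d\d )", text):
        m = HEADER.match(chunk)
        if m:
            body = chunk.splitlines()[1:]
            yield m.group(1), " ".join(s.strip() for s in body if s.strip())

def summarize(text):
    """Collect failed logins, share connects, and files opened for writing."""
    out = {"auth_failed": [], "connects": [], "writes": []}
    for stamp, msg in records(text):
        if (m := AUTH.search(msg)):
            if m.group(2).lower() == "failed":
                out["auth_failed"].append((stamp, m.group(1)))
        elif (m := CONNECT.search(msg)):
            out["connects"].append((stamp, m.group(2), m.group(1)))
        elif (m := OPENED.match(msg)) and m.group(4) == "Yes":
            out["writes"].append((stamp, m.group(1), m.group(2)))
    return out

if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, errors="replace") as fh:
            print(path, summarize(fh.read()))
```

Run it with the per-client log files as arguments; because of "log file = /var/log/samba/%I", each file name is the client's IP address.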

2. Scripts

3. Feedback

Feel free to send comments.

