You can set up Samba logging to make your life easier. Here's part of the global section for a production smb.conf file:

    # Logging:
    #   %I = separate log for each IP address
    #
    # log level is an integer from 0 to 10, defaulting to 0.
    # Higher value = more detail.  At level 0, only critical errors
    # and serious warnings will be logged.  Level 1 is good for
    # day-to-day operations; it generates a small amount of information
    # about operations carried out.
    log file = /var/log/samba/%I
    log level = 2
    log nt token command =
    max log size = 0

I have /var/log/samba set up as a symlink that's rotated at 12:01 am every night, because Samba logs can be disk-hogs. Here's the code -- group "mis" is for the sysadmin folks only:

    symlink='/var/log/samba'
    logdir=/lots/of/room

    # Make sure the log root exists; setgid and group "mis" only.
    test -d "$logdir" || mkdir -p "$logdir" && chmod 2770 "$logdir" && chgrp mis "$logdir"

    # Today's directory, e.g. /lots/of/room/2012/0719
    newlog=$(date "+$logdir/%Y/%m%d")
    mkdir -p "$newlog"

    if test -d "$newlog"; then
        # Repoint the symlink at today's directory.
        test -L "$symlink" && rm "$symlink"
        ln -s "$newlog" "$symlink" || echo "ln -s failed" >&2
        test -L "$symlink" || echo "$symlink not a link" >&2
    else
        echo "cannot mkdir $newlog" >&2
    fi

The Samba server has to be restarted for this to work. Let's assume user "edward" on 10.0.0.1 keeps his correspondence under the "twilight" share. His logfile (/lots/of/room/2012/0719/10.0.0.1) might look like:

    [2012/07/19 04:02:19, 2] auth/auth.c:304(check_ntlm_password)
      check_ntlm_password: authentication for user [edward] -> [edward] -> [edward] succeeded
    [2012/07/19 04:02:19, 2] lib/access.c:406(check_access)
      Allowed connection from 10.0.0.1 (10.0.0.1)
    [2012/07/19 04:02:19, 1] smbd/service.c:1070(make_connection_snum)
      deadguy (10.0.0.1) signed connect to service twilight initially as user edward (uid=20001, gid=20001) (pid 10506)
    [2012/07/19 04:02:20, 2] smbd/open.c:631(open_file)
      edward opened file love-bella.pst read=Yes write=Yes (numopen=1)
    [2012/07/19 04:02:20, 2] smbd/open.c:631(open_file)
      edward opened file ~love-bella.pst.tmp read=Yes write=Yes (numopen=2)
    [2012/07/19 04:03:20, 2] smbd/close.c:656(close_normal_file)
      edward closed file ~love-bella.pst.tmp (numopen=1) NT_STATUS_OK

The "authentication for user" line tells you who tried to authenticate and whether they succeeded. The "signed connect to service" line tells you what share they tried to access, and "read=Yes write=Yes" shows what files they're trying to modify instead of just read.
Make the twilight share writable by group "twilight", and make edward a member of that group if he has any business messing with those files. Here's the smb.conf stanza for share access:

    [twilight]
        comment = Vamp drive
        path = /path/to/twilight
        read list = +wolves
        write list = +twilight,+mis
        invalid users = +volturi
        force group = twilight
        read only = No
        writable = yes
        public = no
        force create mode = 0660
        force directory mode = 0775
        acl group control = Yes
        inherit owner = Yes
        # Fix stupid readonly file problem
        nt acl support = No
        posix locking = No
        map readonly = Permissions
        blocking locks = No

User "jacob" in group "wolves" can only read the files. User "jane" in group "volturi" won't be allowed to connect at all. A few days' worth of logfiles will show you who's doing what.
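
To review several days of these per-IP logs, the sketch below (an added example, not part of the original post) joins each header line with its indented message and buckets authentication results, share connects, and read-only versus write opens. The sample text is constructed from the log format shown above; the jacob and jane entries and the wording of the FAILED line are assumptions.

```python
import re

# Constructed sample in the header-plus-indented-message layout of the log above.
# The FAILED line's wording is an assumption modelled on Samba 3.x output.
SAMPLE = """\
[2012/07/19 04:02:19, 2] auth/auth.c:304(check_ntlm_password)
  check_ntlm_password: authentication for user [edward] -> [edward] -> [edward] succeeded
[2012/07/19 04:02:19, 1] smbd/service.c:1070(make_connection_snum)
  deadguy (10.0.0.1) signed connect to service twilight initially as user edward (uid=20001, gid=20001) (pid 10506)
[2012/07/19 04:02:20, 2] smbd/open.c:631(open_file)
  edward opened file love-bella.pst read=Yes write=Yes (numopen=1)
[2012/07/19 04:05:41, 2] smbd/open.c:631(open_file)
  jacob opened file notes.txt read=Yes write=No (numopen=1)
[2012/07/19 04:06:02, 2] auth/auth.c:314(check_ntlm_password)
  check_ntlm_password:  Authentication for user [jane] -> [jane] FAILED with error NT_STATUS_WRONG_PASSWORD
"""

HEADER = re.compile(r"^\[(?P<ts>[\d/]+ [\d:]+),\s*\d+\] \S+\(\w+\)")
AUTH = re.compile(r"authentication for user \[(?P<user>[^\]]*)\].*?(?P<result>succeeded|FAILED)", re.I)
CONNECT = re.compile(r"\((?P<ip>[\d.]+)\) (?:signed )?connect to service (?P<share>\S+) initially as user (?P<user>\S+)")
# Greedy path: the last " read=.. write=.." on the line wins, so a file name
# that embeds fake fields cannot change the recorded access mode.
OPEN = re.compile(r"^(?P<user>\S+) opened file (?P<path>.+) read=(?:Yes|No) write=(?P<w>Yes|No)")

def entries(text):
    """Yield (timestamp, message), joining each header with its indented lines."""
    ts, msg = None, []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            if ts:
                yield ts, " ".join(msg)
            ts, msg = m["ts"], []
        elif ts and line.strip():
            msg.append(line.strip())
    if ts:
        yield ts, " ".join(msg)

def summarize(text):
    """Bucket entries into auth results, share connects, and read vs. write opens."""
    report = {k: [] for k in ("auth_ok", "auth_failed", "connects", "write_opens", "read_opens")}
    for ts, msg in entries(text):
        if m := AUTH.search(msg):
            key = "auth_ok" if m["result"].lower() == "succeeded" else "auth_failed"
            report[key].append((ts, m["user"]))
        elif m := CONNECT.search(msg):
            report["connects"].append((ts, m["ip"], m["share"], m["user"]))
        elif m := OPEN.match(msg):
            key = "write_opens" if m["w"] == "Yes" else "read_opens"
            report[key].append((ts, m["user"], m["path"]))
    return report
```

Feed `summarize()` the contents of one per-IP file such as /lots/of/room/2012/0719/10.0.0.1; the `auth_failed` and `write_opens` buckets are the ones to look at first.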