
cannot get "vfs objects = full_audit" to work


Hello,

I am trying to get the vfs objects full_audit to work with Unraid 7.0, but haven't had any success. Maybe some of you have experience with this and could help me.

My Samba extra settings which I am trying to get to work:

[global]
   log level = 1 auth_audit:3 full_audit:5
   vfs objects = full_audit
   full_audit:prefix = %u|%I|%S|%P|%f
   full_audit:priority = NOTICE
   full_audit:success = openat mkdirat renameat unlinkat pwrite
   full_audit:failure = openat

 

 

In the logfile I get:

[2025/02/21 08:59:35.181325,  1] ../../lib/param/loadparm.c:1912(lpcfg_do_global_parameter)
  lpcfg_do_global_parameter: WARNING: The "null passwords" option is deprecated
[2025/02/21 08:59:35.181340,  1] ../../lib/param/loadparm.c:1912(lpcfg_do_global_parameter)
  lpcfg_do_global_parameter: WARNING: The "syslog" option is deprecated
[2025/02/21 08:59:35.247047,  0] ../../source3/modules/vfs_full_audit.c:560(init_bitmap)
  init_bitmap: Could not find opname mkdir
[2025/02/21 08:59:35.247069,  0] ../../source3/modules/vfs_full_audit.c:749(smb_full_audit_connect)
  smb_full_audit_connect: Invalid success operations list. Failing connect

 

My guess is that the hook for the extra parameters is in the wrong place. In my case it should come afterwards.

        # hook for user-defined samba config
        include = /boot/config/smb-extra.conf

[global]
        # hook for unassigned devices shares
        include = /etc/samba/smb-unassigned.conf

        # auto-configured shares
        include = /etc/samba/smb-shares.conf

 

 

I guess the global is correct, but the local setting is overwriting it:

root@XXXXXXXXXX:/etc/samba# testparm -s | grep -i vfs
Load smb config files from /etc/samba/smb.conf
lpcfg_do_global_parameter: WARNING: The "null passwords" option is deprecated
lpcfg_do_global_parameter: WARNING: The "syslog" option is deprecated
Loaded services file OK.
Weak crypto is allowed by GnuTLS (e.g. NTLM as a compatibility fallback)

Server role: ROLE_STANDALONE

        vfs objects = full_audit
        vfs objects = recycle extd_audit
        vfs objects = recycle extd_audit
        vfs objects = recycle extd_audit
        vfs objects = recycle extd_audit
        vfs objects = recycle extd_audit
        vfs objects = recycle extd_audit
        vfs objects = recycle extd_audit

 

Is there a way to overwrite the auto-generated share settings?

Kind regards

I don't know what you are trying to do, but putting settings in the global section is not a good idea and will override any share settings.

9 minutes ago, blackchii said:

Is there a way to overwrite the auto-generated share settings?

No.

  • Author

Hello,

Is there another way to get this to work? vfs objects = full_audit

  • Author

I need to trace which user deletes which file.

Update from me:

I figured out that it really is the order:

If I add a second smb-extra.conf after the shares

        # hook for user-defined samba config
        include = /boot/config/smb-extra.conf

[global]
        # hook for unassigned devices shares
        include = /etc/samba/smb-unassigned.conf

        # auto-configured shares
        include = /etc/samba/smb-shares.conf

        # hook for user-defined samba config
        include = /boot/config/smb-extra.conf

 

 

and change the local vfs objects to full_audit

[Global]
     vfs objects = recycle full_audit
     full_audit:prefix = %U|%d|%u|%R|%I|%S
     full_audit:success = openat mkdirat renameat unlinkat pwrite
     full_audit:failure = openat
     full_audit:priority = DEBUG
     
     
[Software]
        path = /mnt/user/Software
        comment = Software
        browseable = yes
        writeable = no
        read list = 
        case sensitive = auto
        preserve case = yes
        short preserve case = yes
        vfs objects = recycle full_audit

 

After this, restart samba.

I get the full_audit in the syslog (not my preferred choice, but I can see that full_audit is working).

Are there better ways to prevent the vfs object from being defined locally?
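
Added example, not part of the original posts: a small Python parser that turns full_audit syslog lines written with the prefix `%U|%d|%u|%R|%I|%S` from the post above into "who deleted what" records. The sample log lines are constructed, and the layout of the operation arguments after the result field is an assumption that can differ between Samba versions.

```python
import re
from typing import NamedTuple, Optional

# Names for the fields of the prefix "%U|%d|%u|%R|%I|%S" (assumed to match smb.conf).
PREFIX_FIELDS = ("session_user", "pid", "service_user", "protocol", "client_ip", "share")
AUDIT_TAG = re.compile(r"smbd_audit(?:\[\d+\])?: ")  # syslog tag, with or without a PID

class AuditEvent(NamedTuple):
    prefix: dict   # prefix fields by name
    op: str        # VFS operation, e.g. unlinkat
    ok: bool       # True for "ok", False for "fail (...)"
    detail: str    # failure reason, empty on success
    args: str      # operation arguments, left unsplit (file names may contain "|")

def parse_line(line: str) -> Optional[AuditEvent]:
    """Parse one syslog line; return None if it is not a full_audit record."""
    m = AUDIT_TAG.search(line)
    if not m:
        return None
    n = len(PREFIX_FIELDS)
    parts = line[m.end():].rstrip("\n").split("|", n + 2)
    if len(parts) < n + 2:
        return None  # truncated record or a different prefix
    op, result = parts[n], parts[n + 1]
    ok = result == "ok"
    detail = "" if ok else result[len("fail"):].strip(" ()")
    args = parts[n + 2] if len(parts) > n + 2 else ""
    return AuditEvent(dict(zip(PREFIX_FIELDS, parts)), op, ok, detail, args)

def deletions(lines):
    """Return (user, client_ip, share, args) for every successful unlinkat."""
    found = []
    for line in lines:
        ev = parse_line(line)
        if ev and ev.op == "unlinkat" and ev.ok:
            p = ev.prefix
            found.append((p["session_user"], p["client_ip"], p["share"], ev.args))
    return found

# Constructed sample lines, not taken from a real server.
SAMPLE = [
    "Feb 22 10:01:07 tower smbd_audit: alice|4211|alice|SMB3_11|192.0.2.10|Software|openat|ok|r|setup/readme.txt",
    "Feb 22 10:01:09 tower smbd_audit: alice|4211|alice|SMB3_11|192.0.2.10|Software|unlinkat|ok|setup/old.iso",
    "Feb 22 10:02:30 tower smbd_audit: bob|4302|bob|SMB3_11|192.0.2.11|Software|openat|fail (Permission denied)|w|setup/new.iso",
    "Feb 22 10:02:31 tower smbd[4302]:   init_bitmap: Could not find opname mkdir",
]

if __name__ == "__main__":
    for user, ip, share, target in deletions(SAMPLE):
        print(f"{user} from {ip} deleted {target} on share {share}")
```

If the prefix in smb.conf changes, `PREFIX_FIELDS` has to be changed to match, otherwise the operation and result columns are read from the wrong positions.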

56 minutes ago, blackchii said:

Are there better ways to prevent the vfs object from being defined locally?

Yes.  Install the recycle bin plugin and set the "Recycle Bin Parameters" for what you want to show for a deleted file.  Click on the 'Help' icon in the upper right corner of the recycle bin page to see some options.

 

Currently the logging is not working reliably because of some samba changes, but I will have that fixed soon.

  • Author

Hello,

The recycle bin plugin is already installed. I need something similar to Synology, where you can trace which person opens which file or which person deletes a file. Is there a way to help you with the fix?

I ended up with a script which modifies the smb-shares.conf to the values I want and then restarts samba.

Will your version send the full_audit to a separate file?

There are two plugins that will partially do what you want.  You will want to use the plugins and not modify files on your own.  The two plugins are the Recycle Bin and File Activity plugins.  The Recycle Bin plugin can delete files and organize the files in the .Recycle.Bin by user using the %u parameter.  The File Activity plugin will track file activity, but does not track smb file activity separately by user.

 

On 2/22/2025 at 2:10 AM, blackchii said:

I ended up with a script which modifies the smb-shares.conf to the values I want and then restarts samba.

This is a really bad idea.  There are several routines that manage the config file, and anything you do will interfere with smb and cause you problems.

  • Author

Hello,

Partially yes.

The File Activity plugin would be the nearest. But I need the user and the option to save the log to a folder.

Does the tool update automatically?

I see you host this project, can you add this?

1 hour ago, blackchii said:

Hello,

Partially yes.

The File Activity plugin would be the nearest. But I need the user and the option to save the log to a folder.

Does the tool update automatically?

I see you host this project, can you add this?

There is nothing I can do to add user tracking to the file activity.  The user is not known to inotify.

  • Author

Hello,

Can you tell me where the plugin saves the log files?
