Good point.

One further, since we are on the discussion.

Whatever, mischief you say happened, requires for something to have been changed on the samba server if you have the audit trail turned on for your shares.

If you haven't done that already, I suggest you turn on the share auditing features.

But a login doesn't constitute much in the area of evidence other than circumstantial.

Furthermore, if the SAMBA server was used as a authentication point only, and the mischief took place on the local workstation, you won't see that obviously on any samba log.

Obvious perhaps to many here, but stated nonetheless, you should engage audits for your shares too.

For example:

[SG2TB]
        comment = SG2TB
        path = /mnt/sdcard
        read only = no
;       browseable = yes
        valid users = gcarter
        full_audit:failure = none
        full_audit:success = mkdir rename unlink rmdir open pwrite
        full_audit:prefix = %u|%I|%m|%S

-gc

On 03/07/2013 06:01 PM, Gregory Sloop wrote:
Pardon me for butting in, and probably you've already considered this,
but what the heck.

Do you even know that the user actually logged in during the time in
question? I suppose the logs will at least let you know *if* anyone
did login, but if the trouble-maker used an already logged in station
you get nada in the logs.

-Greg


--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Reply via email to