From 9cc195eb0e273802c3577c9ec5372db1ebba7cdc Mon Sep 17 00:00:00 2001
From: Ludwig Lehnert
Date: Wed, 18 Feb 2026 18:02:40 +0100
Subject: [PATCH] introduced logging
---
 README.md | 2 ++
 app/reconcile_shares.py | 5 +++++
 etc/samba/smb.conf | 11 +++++++++++
 3 files changed, 18 insertions(+)
diff --git a/README.md b/README.md
index c4d5557..6e4fe83 100644
--- a/README.md
+++ b/README.md
@@ -17,6 +17,7 @@ This repository provides a production-oriented Samba file server container that
 - NetBIOS name defaults to `ADSAMBAFSRV` and is clamped to 15 characters (`NETBIOS_NAME` override supported).
 - Setup prompts for well-known authorization groups by SID (`DOMAIN_USERS_SID`, `DOMAIN_ADMINS_SID`) to avoid localized group names.
 - Startup resolves those SIDs to NSS group names via winbind, then uses those resolved groups in Samba `valid users` rules.
+- Share operations are audited with Samba `full_audit` (connect, list, read, write, create, delete, rename) and written to Samba log files.
 - Reconciliation is executed:
 - once on startup
 - every 5 minutes via cron
@@ -157,6 +158,7 @@ docker compose logs -f samba
 docker compose exec samba python3 /app/reconcile_shares.py
 docker compose exec samba sqlite3 /state/shares.db 'SELECT * FROM shares;'
 docker compose exec samba testparm -s
+docker compose exec samba sh -lc 'tail -n 200 /var/log/samba/log.*'
 ```
 ## Troubleshooting
diff --git a/app/reconcile_shares.py b/app/reconcile_shares.py
index 608f860..d51447a 100755
--- a/app/reconcile_shares.py
+++ b/app/reconcile_shares.py
@@ -329,6 +329,11 @@ def render_dynamic_shares(conn: sqlite3.Connection) -> None:
 "read only = no",
 "browseable = yes",
 "guest ok = no",
+ "vfs objects = acl_xattr full_audit",
+ "full_audit:prefix = %T|%u|%I|%m|%S",
+ "full_audit:success = connect disconnect opendir readdir mkdir rmdir open close read pread write pwrite unlink rename",
+ "full_audit:failure = connect opendir readdir mkdir rmdir open read pread write pwrite unlink rename",
+ "full_audit:syslog = false",
 f"valid users = {valid_users}",
 "create mask = 0660",
 "directory mask = 2770",
diff --git a/etc/samba/smb.conf b/etc/samba/smb.conf
index f1e4f94..b8b68f0 100644
--- a/etc/samba/smb.conf
+++ b/etc/samba/smb.conf
@@ -34,6 +34,7 @@
 log file = /var/log/samba/log.%m
 max log size = 10000
 logging = file
+ log level = 1 auth:5 passdb:5 winbind:3
 include = /etc/samba/generated/shares.conf
@@ -42,6 +43,11 @@
 read only = no
 browseable = yes
 guest ok = no
+ vfs objects = acl_xattr full_audit
+ full_audit:prefix = %T|%u|%I|%m|%S
+ full_audit:success = connect disconnect opendir readdir mkdir rmdir open close read pread write pwrite unlink rename
+ full_audit:failure = connect opendir readdir mkdir rmdir open read pread write pwrite unlink rename
+ full_audit:syslog = false
 valid users = +"${DOMAIN_USERS_GROUP}"
 admin users = +"${DOMAIN_ADMINS_GROUP}"
 hide unreadable = yes
@@ -53,6 +59,11 @@
 read only = no
 browseable = yes
 guest ok = no
+ vfs objects = acl_xattr full_audit
+ full_audit:prefix = %T|%u|%I|%m|%S
+ full_audit:success = connect disconnect opendir readdir mkdir rmdir open close read pread write pwrite unlink rename
+ full_audit:failure = connect opendir readdir mkdir rmdir open read pread write pwrite unlink rename
+ full_audit:syslog = false
 valid users = +"${PUBLIC_GROUP}"
 force group = "${PUBLIC_GROUP}"
 create mask = 0660
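Review bot: The `full_audit:success` and `full_audit:failure` lists added here cover connect, directory and file I/O operations but no permission or ownership changes, so with `acl_xattr` stacked in the same `vfs objects` line an ACL rewrite on a generated share would leave no audit record. Consider appending the relevant operations to both lists, e.g. `fchmod fchown fset_nt_acl`, after checking the names against the `vfs_full_audit` man page for the Samba release in the image; the operation names the module recognises have changed between releases (newer ones use names such as `openat`, `unlinkat` and `renameat`), and these are parametric options that `testparm -s` is unlikely to validate. The same two lists are repeated in both share sections of `etc/samba/smb.conf` and should change together. `render_dynamic_shares` starts and ends outside this hunk.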
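Review bot: Audit retention is at risk in the `@@ -34,6 +34,7 @@` hunk of `etc/samba/smb.conf`: with `full_audit:syslog = false` set elsewhere in this commit, audit records go to the same `/var/log/samba/log.%m` files that `log level = 1 auth:5 passdb:5 winbind:3` now fills with authentication debug output, and `max log size = 10000` still caps them. Samba keeps only one `.old` generation when that cap is reached, so per-I/O audit entries plus level-5 auth logging may push older audit evidence out quickly. If the audit trail is meant to be retained, consider a separate sink, e.g. `full_audit:syslog = true` with `full_audit:facility = local5`, assuming a syslog collector is available to the container. Otherwise a comment next to the new line would help: `# auth:5 and passdb:5 are verbose and share the audit log file; lower them after troubleshooting`.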
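Review bot: The five `vfs objects` / `full_audit:*` lines in the `@@ -42,6 +43,11 @@` hunk are repeated verbatim in the next share section (the `@@ -53,6 +59,11 @@` hunk) and in `render_dynamic_shares` in `app/reconcile_shares.py`, so a share added later without them would silently go unaudited. Samba applies `[global]` values as share defaults, so setting the block once in `[global]` would cover static and generated shares and keep the operation lists from drifting; a share that sets its own `vfs objects` would still need to list `full_audit` itself. If the per-share copies are kept on purpose, a comment such as `# keep in sync with render_dynamic_shares() in app/reconcile_shares.py` above each block would make the coupling visible.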