lehnert.cloud/ad-ds-simple-file-server
1
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

introduced logging

Browse Source
This commit is contained in:
Ludwig Lehnert
2026-02-18 18:02:40 +01:00
parent 231fb8da8f
commit 9cc195eb0e
3 changed files with 18 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
README.md
View File

@@ -17,6 +17,7 @@ This repository provides a production-oriented Samba file server container that
- NetBIOS name defaults to `ADSAMBAFSRV` and is clamped to 15 characters (`NETBIOS_NAME` override supported). - NetBIOS name defaults to `ADSAMBAFSRV` and is clamped to 15 characters (`NETBIOS_NAME` override supported).
- Setup prompts for well-known authorization groups by SID (`DOMAIN_USERS_SID`, `DOMAIN_ADMINS_SID`) to avoid localized group names. - Setup prompts for well-known authorization groups by SID (`DOMAIN_USERS_SID`, `DOMAIN_ADMINS_SID`) to avoid localized group names.
- Startup resolves those SIDs to NSS group names via winbind, then uses those resolved groups in Samba `valid users` rules. - Startup resolves those SIDs to NSS group names via winbind, then uses those resolved groups in Samba `valid users` rules.
- Share operations are audited with Samba `full_audit` (connect, list, read, write, create, delete, rename) and written to Samba log files.
- Reconciliation is executed: - Reconciliation is executed:
- once on startup - once on startup
- every 5 minutes via cron - every 5 minutes via cron
@@ -157,6 +158,7 @@ docker compose logs -f samba
docker compose exec samba python3 /app/reconcile_shares.py docker compose exec samba python3 /app/reconcile_shares.py
docker compose exec samba sqlite3 /state/shares.db 'SELECT * FROM shares;' docker compose exec samba sqlite3 /state/shares.db 'SELECT * FROM shares;'
docker compose exec samba testparm -s docker compose exec samba testparm -s
docker compose exec samba sh -lc 'tail -n 200 /var/log/samba/log.*'
``` ```
## Troubleshooting ## Troubleshooting

5
app/reconcile_shares.py
View File

@@ -329,6 +329,11 @@ def render_dynamic_shares(conn: sqlite3.Connection) -> None:
"read only = no", "read only = no",
"browseable = yes", "browseable = yes",
"guest ok = no", "guest ok = no",
"vfs objects = acl_xattr full_audit",
"full_audit:prefix = %T|%u|%I|%m|%S",
"full_audit:success = connect disconnect opendir readdir mkdir rmdir open close read pread write pwrite unlink rename",
"full_audit:failure = connect opendir readdir mkdir rmdir open read pread write pwrite unlink rename",
"full_audit:syslog = false",
f"valid users = {valid_users}", f"valid users = {valid_users}",
"create mask = 0660", "create mask = 0660",
"directory mask = 2770", "directory mask = 2770",

11
etc/samba/smb.conf
View File

@@ -34,6 +34,7 @@
log file = /var/log/samba/log.%m log file = /var/log/samba/log.%m
max log size = 10000 max log size = 10000
logging = file logging = file
log level = 1 auth:5 passdb:5 winbind:3
include = /etc/samba/generated/shares.conf include = /etc/samba/generated/shares.conf
@@ -42,6 +43,11 @@
read only = no read only = no
browseable = yes browseable = yes
guest ok = no guest ok = no
vfs objects = acl_xattr full_audit
full_audit:prefix = %T|%u|%I|%m|%S
full_audit:success = connect disconnect opendir readdir mkdir rmdir open close read pread write pwrite unlink rename
full_audit:failure = connect opendir readdir mkdir rmdir open read pread write pwrite unlink rename
full_audit:syslog = false
valid users = +"${DOMAIN_USERS_GROUP}" valid users = +"${DOMAIN_USERS_GROUP}"
admin users = +"${DOMAIN_ADMINS_GROUP}" admin users = +"${DOMAIN_ADMINS_GROUP}"
hide unreadable = yes hide unreadable = yes
@@ -53,6 +59,11 @@
read only = no read only = no
browseable = yes browseable = yes
guest ok = no guest ok = no
vfs objects = acl_xattr full_audit
full_audit:prefix = %T|%u|%I|%m|%S
full_audit:success = connect disconnect opendir readdir mkdir rmdir open close read pread write pwrite unlink rename
full_audit:failure = connect opendir readdir mkdir rmdir open read pread write pwrite unlink rename
full_audit:syslog = false
valid users = +"${PUBLIC_GROUP}" valid users = +"${PUBLIC_GROUP}"
force group = "${PUBLIC_GROUP}" force group = "${PUBLIC_GROUP}"
create mask = 0660 create mask = 0660