Samba Logging for Audit Trails

Audit trails are a network security requirement for both Northrop Grumman and its customers. A small modification to Samba enabled the company's sysadmins to create the needed audit trails.

Users can be added to the domain by running the command smbpasswd -a username as root and setting the user password. The passwords are stored in the /etc/samba/private/smbpasswd file. Users also can be disabled with the command smbpasswd -d and enabled by running smbpasswd -e.

For more details on configuring Samba for Windows 2000 clients and understanding SMB protocols, O'Reilly's Using Samba, Second Edition, by Jay Ts, Robert Eckstein and David Collier-Brown, is an excellent reference.

Modifying Samba Source Code for Audit Trails

Once the network was configured and working properly, the next step was to record the required information for the audit trails in the log.smbd file. Initially, this was attempted by setting various logging levels in the smb.conf file, restarting the Samba dæmons by executing /etc/init.d/samba restart and then analyzing the output from the log files while performing various tasks on a Windows 2000 client. Unfortunately, regardless of the log level, none of the required information was being logged. At this point, it became obvious that modifications to the source code were necessary to generate the log entries.

The Samba source code is in the samba-2.2.8a/source directory and is the root directory for the filename in the log messages. The first entry in Listing 1 shows the file as smbd/server.c:main(791). By examining line 791 in the samba-2.2.8a/source/smbd/server.c file, you can see the DEBUG macro is used to generate the log message. The syntax for the DEBUG macro is:

DEBUG(log_level, "string", arguments);

The format for the second and third arguments is similar to the printf function. Examples of custom DEBUG statements are shown in Listings 2 through 4.