Bug 13436 - Not every facility works in vfs_*_audit modules...
Summary: Not every facility works in vfs_*_audit modules...
Status: NEW
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: VFS Modules
Version: 4.5.12
Hardware: All All
Importance: P5 minor
Target Milestone: ---
Assignee: Samba QA Contact
QA Contact: Samba QA Contact
Reported: 2018-05-14 13:21 UTC by Marco Gaiarin
Modified: 2018-07-02 03:51 UTC

Attachments
Recognize all valid syslog facilities (5.05 KB, patch)
2018-07-02 03:49 UTC, Timur Bakeyev

Description Marco Gaiarin 2018-05-14 13:21:07 UTC
Trying to test the vfs_full_audit modules, I've tried to use 'auth' as the facility, but it does not work; Samba complains about an invalid configuration file:
  [2018/05/08 17:34:42.388486,  0] ../source3/param/loadparm.c:1179(lp_enum)
   lp_enum(LOG_AUTH,enum): value is not in enum_list!

(I've tried 'auth' and 'LOG_AUTH', same result).

Seeking some feedback on the lists, it seems that only the USER and LOCAL* facilities can be used, and it seems that this choice is rather arbitrary and aged (done in commit 435295f1840aa8bd4c04f20a2348c6d701c6b7dc in 2005).
Comment 1 Volker Lendecke 2018-05-14 14:01:14 UTC
According to Posix, there is no "AUTH" log facility. Where do you find the relevant values?
Comment 2 Louis 2018-05-14 14:31:37 UTC
@volker 
 
man 3 syslog 

       vsyslog():
           Since glibc 2.19:
               _DEFAULT_SOURCE
           Glibc 2.19 and earlier:
               _BSD_SOURCE

   facility
       The facility argument is used to specify what type of program is logging the message.  This lets the configuration file specify that messages from different facilities will be handled differently.

       LOG_AUTH       security/authorization messages

       LOG_AUTHPRIV   security/authorization messages (private)

       LOG_CRON       clock daemon (cron and at)

       LOG_DAEMON     system daemons without separate facility value

       LOG_FTP        ftp daemon

       LOG_KERN       kernel messages (these can't be generated from user processes)

       LOG_LOCAL0 through LOG_LOCAL7
                      reserved for local use

       LOG_LPR        line printer subsystem

       LOG_MAIL       mail subsystem

       LOG_NEWS       USENET news subsystem

       LOG_SYSLOG     messages generated internally by syslogd(8)

       LOG_USER (default)
                      generic user-level messages

       LOG_UUCP       UUCP subsystem
Comment 3 Louis 2018-05-14 14:32:13 UTC
(In reply to Louis from comment #2)
A workaround can be found here.
http://linux-sys-adm.com/ubuntu-16.04-lts-how-to-configure-samba-full-audit/
Comment 4 Volker Lendecke 2018-05-14 14:39:14 UTC
Posix is unclear about these values. If you look at the definition of syslog.h in Posix, LOG_AUTH is listed. But LOG_AUTH is not listed as a valid argument to openlog(). So is this defined behaviour or is it not? Maybe only on GNU/Linux systems?
Comment 5 Timur Bakeyev 2018-05-14 14:51:39 UTC
(In reply to Volker Lendecke from comment #1)

Manpages for all 3 vfs_*audit modules state:

full_audit:facility = FACILITY
    Log messages to the named syslog(3) facility. 

There is no mention that the choice of facility is limited to LOG_USER and LOG_LOCAL*. Still, in the code of all those modules we have:
<pre>
        static const struct enum_list enum_log_facilities[] = {
                { LOG_USER, "USER" },
                { LOG_LOCAL0, "LOCAL0" },
                { LOG_LOCAL1, "LOCAL1" },
                { LOG_LOCAL2, "LOCAL2" },
                { LOG_LOCAL3, "LOCAL3" },
                { LOG_LOCAL4, "LOCAL4" },
                { LOG_LOCAL5, "LOCAL5" },
                { LOG_LOCAL6, "LOCAL6" },
                { LOG_LOCAL7, "LOCAL7" },
                { -1, NULL}
        };

        int facility;

        facility = lp_parm_enum(SNUM(handle->conn), "full_audit", "facility", enum_log_facilities, LOG_USER);
</pre>

I don't have access to the POSIX standard, so I can't say anything about it here, but syslog.h defines the following facilities on FreeBSD, and on Linux they are the same (not surprising, as syslog is a BSD invention):
<pre>
static const CODE facilitynames[] = {
        { "auth",       LOG_AUTH,       },
        { "authpriv",   LOG_AUTHPRIV,   },
        { "console",    LOG_CONSOLE,    },
        { "cron",       LOG_CRON,       },
        { "daemon",     LOG_DAEMON,     },
        { "ftp",        LOG_FTP,        },
        { "kern",       LOG_KERN,       },
        { "lpr",        LOG_LPR,        },
        { "mail",       LOG_MAIL,       },
        { "news",       LOG_NEWS,       },
        { "ntp",        LOG_NTP,        },
        { "security",   LOG_SECURITY,   },
        { "syslog",     LOG_SYSLOG,     },
        { "user",       LOG_USER,       },
        { "uucp",       LOG_UUCP,       },
        { "local0",     LOG_LOCAL0,     },
        { "local1",     LOG_LOCAL1,     },
        { "local2",     LOG_LOCAL2,     },
        { "local3",     LOG_LOCAL3,     },
        { "local4",     LOG_LOCAL4,     },
        { "local5",     LOG_LOCAL5,     },
        { "local6",     LOG_LOCAL6,     },
        { "local7",     LOG_LOCAL7,     },
        { NULL,         -1,             }
};
</pre>

So, in general, it should be possible to specify any of those facilities according to the manpage. Except that you can't.

I guess there isn't much sense in facilities like LPR, MAIL, UUCP, NEWS, NTP and FTP, as well as AUTHPRIV, for an audit log, but the rest do make sense and should be available for use. And, for completeness, the mentioned ones may also be present in the config.
Comment 6 Volker Lendecke 2018-05-14 14:55:47 UTC
So then there are two fixes: correct the manpage, or add configure checks for the other facilities. We can't protect against discrepancies between syslog(3) and syslog.h though, at least not easily from a configure script.
Comment 7 Timur Bakeyev 2018-05-14 15:04:57 UTC
(In reply to Volker Lendecke from comment #6)

#ifdef LOG_AUTH
{ LOG_AUTH, "AUTH" },
#endif

in the modules' code seems to be a good enough workaround for quite a lot of packages, so why not employ the same approach if you have doubts?

In general, as syslog(3) is coming from BSD* land as a 1:1 API, I didn't expect that POSIX would alter the reference implementation badly, and it's safe to assume that the standard BSD facilities are present if syslog(3) is there at all.
Comment 9 Timur Bakeyev 2018-07-02 03:49:59 UTC
Created attachment 14266
Recognize all valid syslog facilities
Comment 10 Timur Bakeyev 2018-07-02 03:51:35 UTC
I've sent this patch to the Samba ML.

It adds the missing syslog facilities and for the two BSD-specific ones - LOG_NTP and LOG_SECURITY - wraps options into #ifdef's.
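
The approach discussed in this thread (a name table with `#ifdef` guards around facilities that not every syslog.h defines), as an added example that is not the attached patch or Samba's code. The names `facility_entry`, `facility_table`, `name_equal` and `facility_from_name` are hypothetical; the lookup goes beyond the thread by matching case-insensitively and accepting an optional `LOG_` prefix, and it returns -1 for unknown names so a caller can reject the setting rather than send audit records to an unintended facility.

```c
#include <ctype.h>
#include <stddef.h>
#include <syslog.h>

/* Hypothetical table type for this example (not Samba's struct enum_list). */
struct facility_entry { int value; const char *name; };

static const struct facility_entry facility_table[] = {
	{ LOG_USER, "USER" }, { LOG_AUTH, "AUTH" },
	{ LOG_DAEMON, "DAEMON" }, { LOG_CRON, "CRON" },
#ifdef LOG_AUTHPRIV
	{ LOG_AUTHPRIV, "AUTHPRIV" },
#endif
#ifdef LOG_NTP          /* BSD-specific */
	{ LOG_NTP, "NTP" },
#endif
#ifdef LOG_SECURITY     /* BSD-specific */
	{ LOG_SECURITY, "SECURITY" },
#endif
	{ LOG_LOCAL0, "LOCAL0" }, { LOG_LOCAL1, "LOCAL1" },
	{ LOG_LOCAL2, "LOCAL2" }, { LOG_LOCAL3, "LOCAL3" },
	{ LOG_LOCAL4, "LOCAL4" }, { LOG_LOCAL5, "LOCAL5" },
	{ LOG_LOCAL6, "LOCAL6" }, { LOG_LOCAL7, "LOCAL7" },
	{ -1, NULL }
};

/* Case-insensitive string equality without relying on strcasecmp(). */
static int name_equal(const char *a, const char *b)
{
	while (*a != '\0' && *b != '\0' &&
	       toupper((unsigned char)*a) == toupper((unsigned char)*b)) {
		a++;
		b++;
	}
	return *a == '\0' && *b == '\0';
}

/* Returns the syslog facility value for a name, or -1 if it is unknown. */
int facility_from_name(const char *name)
{
	static const char prefix[] = "LOG_";
	size_t i = 0;
	if (name == NULL) return -1;
	while (i < 4 && toupper((unsigned char)name[i]) == prefix[i]) i++;
	if (i == 4) name += 4;   /* accept "LOG_AUTH" as well as "auth" */
	for (i = 0; facility_table[i].name != NULL; i++) {
		if (name_equal(name, facility_table[i].name)) return facility_table[i].value;
	}
	return -1;               /* unknown: caller should reject the setting */
}
```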