Short description
samba: chdir auditing does not record transitions into subdirectories

Steps to reproduce
Create a share, inside it create a folder called test_dir. Mount the share (for example, to /mnt/share/testshare/), then navigate to /mnt/share/testshare/test_dir.

Expected result
May 25 14:56:03 sudcm smbd_audit: user|10.0.2.0|chdir|ok|chdir|/srv/samba/share4
May 25 14:56:03 sudcm smbd_audit: user|10.0.2.0|chdir|ok|chdir|/srv/samba/share4/test_dir

Actual result
May 25 14:56:03 sudcm smbd_audit: user|10.0.2.0|chdir|ok|chdir|/srv/samba/share4
May 25 14:56:03 sudcm smbd_audit: user|10.0.2.0|chdir|ok|chdir|/srv/samba/share4

smb.conf:
[global]
    workgroup = WORKGROUP
    server string = %h server (Samba, Debian)
    security = user
    map to guest = Bad User
    server role = standalone server
    logging = syslog@1 file
    log level = 10
    log level vfs:10

[testshare]
    path = /srv/samba/testshare
    comment = testshare
    read only = no
    printable = no
    browseable = yes
    create mask = 0777
    guest ok = no
    guest only = no
    valid users = user1
    vfs objects = full_audit
    write list = @everybody
    full_audit:prefix = %u|%I
    full_audit:success = chdir #close flistxattr connectpath fstat openat
    full_audit:failure = chdir
    full_audit:facility = USER
    full_audit:priority = INFO
    full_audit:syslog = true
    full_audit:log_secdesc = false

During the refactoring and optimization of samba_vfs, certain operations disappeared. In newer versions, directory traversal is done by different mechanisms. Precisely because chdir is no longer called directly, we do not see directory transitions in the log. Avoiding frequent calls to chdir (the function to change the current directory) helps reduce overhead on updating the process’s current working directory, which is especially important when handling a large number of simultaneous client connections.
Here are the commits related to chdir call optimizations from version 4.13.13 to 4.17.10 (the interval in which logging disappeared):
https://gitlab.com/samba-team/samba/-/commit/84020efb1fed7561259504a3bb36989c58d9996e
https://gitlab.com/samba-team/samba/-/commit/6e6ced4b8cbddd9a04e69cb1865fa75ba7b4f8b7
https://gitlab.com/samba-team/samba/-/commit/688604a423bb4dbb36ea6bc86e629d6ab0c4082d
https://gitlab.com/samba-team/samba/-/commit/5ae2d4e4d0fa3403bd571dbbbbf01cf84ddfa8f2

Please bring back logging of subdirectory changes, thank you!
(In reply to Aleksandr from comment #0) I want to add to the previous message:

Expected result (verified on Samba 4.13.13, 4.12.5)
May 25 14:56:03 sudcm smbd_audit: user|10.0.2.0|chdir|ok|chdir|/srv/samba/share4
May 25 14:56:03 sudcm smbd_audit: user|10.0.2.0|chdir|ok|chdir|/srv/samba/share4/test_dir

Actual result (verified on Samba 4.19.6, 4.17.12)
May 25 14:56:03 sudcm smbd_audit: user|10.0.2.0|chdir|ok|chdir|/srv/samba/share4
May 25 14:56:03 sudcm smbd_audit: user|10.0.2.0|chdir|ok|chdir|/srv/samba/share4

Effectively, there has been a degradation in audit logging. The “chdir” parameter still exists, but it no longer logs as intended—essentially, it no longer works.
If you don't see subdirectory changes, there are simply no subdirectory changes taking place. You can verify this with strace. Newer Samba versions use openat2() with RESOLVE_BENEATH, hence avoiding chdir() calls.
I think the bug is that we in fact don't do the chdir-calls anymore. I don't know if I am willing to put them back in response to this bug report though, this would be a pretty fundamental change.
(In reply to Volker Lendecke from comment #3) We should just document that chdir no longer logs an audit message and move on. Or just close this one as "WONTFIX". chdir was only used when we didn't have modern open semantics and I'm *really* glad to see the end of it :-).
(In reply to Jeremy Allison from comment #4) Yes, I understand that during optimization and the change in semantics, chdir calls simply stopped being invoked. But how then can we track transitions to internal directories? Aside from indirect methods like the create_file parameter. Samba 4.19.6
I think I can take something from Samba 4.21 and bring it into 4.19... if it can log transitions into nested directories in the audit. I just need to know what exactly =)
What is your real requirement?
I want the transitions into subdirectories of the mounted folder to be recorded in the audit. I showed an example of how it should look earlier. It doesn't necessarily have to be chdir.
(In reply to Aleksandr from comment #8) That's still the case. So if you don't see any corresponding audit messages, there are just no such transitions. See my earlier post for an explanation of this.
(In reply to Aleksandr from comment #0) Also note that changing into a subdirectory on the *client* doesn't translate into a chdir on the server.
(In reply to Ralph Böhme from comment #10) I understand how it works and that chdir calls are not being made, which is why there are no logs. I don't need to call chdir; I need complete logs in the audit. =)
(In reply to Aleksandr from comment #11) You have all events in the audit log.
If what you need to audit is a client-side chdir, then as Ralph said in comment 10: You won't get it. There is no "Current Working Directory" concept in SMB, and the client is free to do it in any number of ways.
(In reply to Volker Lendecke from comment #13) This is what I wanted to hear. Then the issue is finally resolved, thank you
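Added example, not part of the thread and not Samba code: since chdir records no longer show which subdirectories a client touched, this sketch derives that from path-bearing full_audit records, using the "%u|%I" prefix from the reported smb.conf. It assumes create_file has been added to full_audit:success and full_audit:failure, and that such records end in an absolute path after a "dir" or "file" type field; the create_file sample lines are constructed.

```python
import posixpath
import re

# Layout taken from the report: <syslog header> smbd_audit: user|ip|op|result|args
LINE = re.compile(r"smbd_audit: (?P<user>[^|]*)\|(?P<ip>[^|]*)\|"
                  r"(?P<op>[^|]*)\|(?P<result>[^|]*)\|(?P<args>.*)$")

# First two lines are the "actual result" from the report; the create_file
# lines are constructed samples (field layout is an assumption).
SAMPLE = """\
May 25 14:56:03 sudcm smbd_audit: user|10.0.2.0|chdir|ok|chdir|/srv/samba/share4
May 25 14:56:03 sudcm smbd_audit: user|10.0.2.0|chdir|ok|chdir|/srv/samba/share4
May 25 14:56:05 sudcm smbd_audit: user|10.0.2.0|create_file|ok|0x100081|dir|open|/srv/samba/share4/test_dir
May 25 14:56:07 sudcm smbd_audit: user|10.0.2.0|create_file|ok|0x120089|file|open|/srv/samba/share4/test_dir/report.txt
May 25 14:56:09 sudcm smbd_audit: user|10.0.2.0|create_file|fail (Permission denied)|0x100081|dir|open|/srv/samba/share4/private
"""

def directories_touched(log_text, share_root, ops=("chdir", "create_file")):
    """Map (user, ip) -> ordered list of (directory, succeeded) under share_root."""
    root = posixpath.normpath(share_root)
    seen = {}
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m or m["op"] not in ops:
            continue
        fields = m["args"].split("|")
        path = posixpath.normpath(fields[-1])  # assumption: path is the last field
        # chdir records and records typed "dir" name a directory; any other
        # record names a file, so the directory accessed is its parent.
        is_dir = m["op"] == "chdir" or "dir" in fields[:-1]
        directory = path if is_dir else posixpath.dirname(path)
        if directory != root and not directory.startswith(root + "/"):
            continue  # relative or outside the share: not attributable
        entry = (directory, m["result"] == "ok")
        bucket = seen.setdefault((m["user"], m["ip"]), [])
        if entry not in bucket:
            bucket.append(entry)
    return seen

if __name__ == "__main__":
    for who, dirs in directories_touched(SAMPLE, "/srv/samba/share4").items():
        print(who, dirs)
```

Restricting ops to ("chdir",) reproduces the view from the report: only the share root appears. A file name containing "|" would be split incorrectly by this parser.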