I configured a Solaris 10u10 machine on a VMware host with BSM auditing, which worked fine and produced the correct messages in the corresponding files. After configuring smb, winbind etc. and joining our domain, only the login/logoff events are recorded, even though I've instructed BSM to also audit ex events.

/etc/security/audit_control

    dir:/var/audit
    flags:lo,ex
    minfree:10
    naflags:lo,ex
    plugin: name=audit_syslog.so; p_flags=all

/etc/security/audit_user

    root:lo,ex:no

/etc/samba/smb.conf

    [global]
    log level = 1
    socket options = IPTOS_LOWDELAY TCP_NODELAY
    netbios name = server
    server string = %h - Solaris 10u10 x86-64 (Samba %v)
    unix extensions = yes
    workgroup = DOMAIN
    printing = cups
    printcap name = cups
    printcap cache time = 750
    cups options = raw
    map to guest = Bad User
    logon path = \\%L\profiles\.msprofile
    logon home = \\%L\%U\.9xprofile
    logon drive = P:
    usershare allow guests = yes
    idmap uid = 16777216-33554431
    idmap gid = 16777216-33554431
    idmap backend = idmap_rid:DOMAIN=16777216-33554431
    kerberos method = system keytab
    realm = DOMAIN.DE
    security = ADS
    local master = No
    domain master = No
    encrypt passwords = yes
    username level = 5
    password server = *
    name resolve order = host wins bcast
    template homedir = /export/home/%U
    template shell = /usr/bin/bash
    winbind refresh tickets = yes
    winbind enum users = yes
    winbind enum groups = yes
    winbind use default domain = yes
    winbind nested groups = yes
    winbind cache time = 60
    winbind offline logon = yes
    # ACL support only works with UFS / ZFS / NFSv4!
    nt acl support = yes
    inherit acls = yes
    map acl inherit = yes
    map archive = yes
    map hidden = yes
    map read only = yes
    map system = yes
    store dos attributes = yes
    inherit permissions = yes
    create mask = 755
    directory mask = 755

    [homes]
    comment = Home Directories
    browseable = no
    writable = yes

/etc/pam.conf

    login auth requisite pam_authtok_get.so.1
    login auth required pam_dhkeys.so.1
    login auth required pam_unix_cred.so.1
    login auth required pam_unix_auth.so.1
    login auth required pam_dial_auth.so.1
    rlogin auth sufficient pam_rhosts_auth.so.1
    rlogin auth requisite pam_authtok_get.so.1
    rlogin auth required pam_dhkeys.so.1
    rlogin auth required pam_unix_cred.so.1
    rlogin auth required pam_unix_auth.so.1
    krlogin auth required pam_unix_cred.so.1
    krlogin auth binding pam_krb5.so.1
    krlogin auth required pam_unix_auth.so.1
    rsh auth sufficient pam_rhosts_auth.so.1
    rsh auth required pam_unix_cred.so.1
    krsh auth required pam_unix_cred.so.1
    krsh auth binding pam_krb5.so.1
    krsh auth required pam_unix_auth.so.1
    ktelnet auth required pam_unix_cred.so.1
    ktelnet auth binding pam_krb5.so.1
    ktelnet auth required pam_unix_auth.so.1
    ppp auth requisite pam_authtok_get.so.1
    ppp auth required pam_dhkeys.so.1
    ppp auth required pam_unix_cred.so.1
    ppp auth required pam_unix_auth.so.1
    ppp auth required pam_dial_auth.so.1
    other auth requisite pam_authtok_get.so.1
    other auth sufficient pam_winbind.so try_first_pass cached_login
    other auth required pam_dhkeys.so.1
    other auth required pam_unix_cred.so.1
    other auth required pam_unix_auth.so.1
    passwd auth required pam_passwd_auth.so.1
    cron account required pam_unix_account.so.1
    other account requisite pam_roles.so.1
    other account sufficient pam_unix_account.so.1
    other account required pam_winbind.so try_first_pass cached_login
    other session sufficient pam_winbind.so mkhomedir
    other session required pam_unix_session.so.1
    other password required pam_dhkeys.so.1
    other password requisite pam_authtok_get.so.1
    other password requisite pam_authtok_check.so.1
    other password required pam_authtok_store.so.1

/etc/nsswitch.conf

    passwd: files winbind
    group: files winbind
    hosts: files dns
    ipnodes: files dns
    networks: files
    protocols: files
    rpc: files
    ethers: files
    netmasks: files
    bootparams: files
    publickey: files
    netgroup: files
    automount: files
    aliases: files
    services: files
    printers: user files
    auth_attr: files
    prof_attr: files
    project: files
    tnrhtp: files
    tnrhdb: files

If I revert these settings and reboot, the auditing works as expected.
I can't see where samba does something wrong here.