listing open files from shared folders

















I have a Filer Server running Debian Jessie 8.7 on my network, with Samba 4.2.14.



Until now, I just have one shared folder configured for the entire network and I would like to watch if there are open files on this share.





  • When running smbstatus -L, it doesn't show any information about any open files or locked files.



    $ smbstatus -L
    Registered MSG_REQ_POOL_USAGE
    Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
    No locked files



  • Using lsof, it only gives me the information about what process is using the shared folder, on the local filesystem of the server.



    $ lsof | grep backup
    smbd 1432 root cwd DIR 8,9 4096 2 /backup/local



  • Also using fuser, it doesn't give any information about open files or locked files. It just shows the PID which is using the shared folder on the local filesystem of the server.



    $ fuser /backup/local
    /backup/local: 1432c



There are some other options to track open files like:



  • With a Shellscript, list all files with extensions like .doc, .docx, .xls, .xlsx, and so on, and make an if [ -f ".~lock.new_document.docx#" ] ; then in order to define if a Microsoft Office file is opened or not, but this kind of workaround is not what I'm looking for.


  • Using VFS Modules for auditing operations for any file inside the shared folder could be a source for a Shellscript, but that is not practical.



Is there anyone who knows of any tools that could list open/locked files from Samba shared folders, since smbstatus -L doesn't seem to be an option for this problem?










      samba4 microsoft-office vfs







      edited May 30 '17 at 19:50







      ivanleoncz

















      asked May 30 '17 at 15:59









      ivanleoncz




















          1 Answer














          According to my findings, thanks to VFS Modules, Samba does not keep File Descriptors for the files which are being shared and used, no matter what kind of normal file it is, with just one exception.



          The only situation I found in which open files are visible via lsof or smbstatus -L is when you have open files from Microsoft Office 2010 onward.



              $ lsof | grep bkp
              bash 1272 root cwd DIR 8,9 4096 651521 /bkp/local/John
              smbd 2492 root cwd DIR 8,9 4096 2 /bkp/local
              smbd 6127 root cwd DIR 8,9 4096 2 /bkp/local
              smbd 6127 root 35r DIR 8,9 4096 651521 /bkp/local/John
              smbd 6127 root 36r DIR 8,9 4096 2 /bkp/local
              smbd 6127 root 37r DIR 8,9 4096 2 /bkp/local
              smbd 6127 root 38r DIR 8,9 4096 2 /bkp/local
              smbd 6127 root 41r DIR 8,9 4096 2 /bkp/local
              smbd 6127 root 42r DIR 8,9 4096 651521 /bkp/local/John
              smbd 6127 root 44uR REG 8,9 0 651529 /bkp/local/John/word_john.docx
              lsof 6345 root cwd DIR 8,9 4096 651521 /bkp/local/John
              grep 6346 root cwd DIR 8,9 4096 651521 /bkp/local/John
              lsof 6347 root cwd DIR 8,9 4096 651521 /bkp/local/John





              $ smbstatus -L
              Registered MSG_REQ_POOL_USAGE
              Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
              Locked files:

              Pid Uid DenyMode Access R/W Oplock SharePath Name Time

              6127 1001 DENY_NONE 0x100081 RDONLY NONE /respaldo/segeco_local . Tue May 30 14:10:14 2017
              6127 1001 DENY_NONE 0x100081 RDONLY NONE /respaldo/segeco_local . Tue May 30 14:10:14 2017
              6127 1001 DENY_NONE 0x100081 RDONLY NONE /respaldo/segeco_local . Tue May 30 14:10:14 2017
              6127 1001 DENY_WRITE 0x12019f RDWR LEVEL_II /respaldo/segeco_local Susana/word_susana.docx Tue May 30 14:10:38 2017
              6127 1001 DENY_NONE 0x100081 RDONLY NONE /respaldo/segeco_local Susana Tue May 30 14:14:25 2017
              6127 1001 DENY_NONE 0x100081 RDONLY NONE /respaldo/segeco_local Susana Tue May 30 14:14:25 2017


          The same does not happen when you have, for example, a .docx file opened via Microsoft Office 2007 or LibreOffice 4.




          What usually happens (forgetting the situation above about the files from Microsoft Office 2010 onward): once a Client Machine opens a file from a shared folder maintained by Samba, this file is cached on the file system of the Client Machine, and closed on the file system of the Server.



          Below, I describe some observations which I noticed during my experiments with VFS Modules for Samba.



          The configuration for this functionality, which allows auditing operations performed on every shared folder, is described at the end of my answer.




          For Text Documents, Images, PDFs, Media Files, the Client Machine:



          • opens the file

          • caches the data

          • closes the file on the local file system of the Server

          • when saving modifications, Samba creates a temporary file on the Server

          • when closing the file, Samba removes the original file and renames the tmp file to the name of the original file.

          opening file on Client



              May 30 11:13:02 server001 smbd_audit: normal.user|192.168.1.67|win7pc|serversharedfolder|open|ok|r|Expedientes.txt
              May 30 11:13:02 server001 smbd_audit: normal.user|192.168.1.67|win7pc|serversharedfolder|close|ok|John/Expedientes.txt


          saving file



              May 30 11:16:52 server001 smbd_audit: normal.user|192.168.1.67|win7pc|serversharedfolder|open|ok|w|~gvfPvwn.tmp
              May 30 11:16:52 server001 smbd_audit: normal.user|192.168.1.67|win7pc|serversharedfolder|pwrite|ok|John/~gvfPvwn.tmp
              May 30 11:16:52 server001 smbd_audit: normal.user|192.168.1.67|win7pc|serversharedfolder|close|ok|John/~gvfPvwn.tmp
              May 30 11:16:52 server001 smbd_audit: normal.user|192.168.1.67|win7pc|serversharedfolder|unlink|ok|John/Expedientes.txt
              May 30 11:16:52 server001 smbd_audit: normal.user|192.168.1.67|win7pc|serversharedfolder|rename|ok|John/~gvfPvwn.tmp|John/Expedientes.txt


          closing files




          Samba does not record operations for files that are closed on the Client Machines.





          For Microsoft Office files (.docx, .doc, .xls, .xlsx, etc.), the Client Machine:



          • opens the file

          • caches the data

          • closes the file on the local file system of the Server

          • opens a tmp/lock file (.~lock.my_word_document.docx#) and closes it

          • every byte inserted on the Client Machine, generates open/close ops on the original file

          • when saving the file, the Client Machine writes the modifications into the file

          • when closing the file, Samba removes the tmp/lock file

          opening file on Client



              May 30 11:22:14 server001 smbd_audit: normal.user|192.168.1.67|win7pc|serversharedfolder|open|ok|w|Desktop Word John.docx
              May 30 11:22:14 server001 smbd_audit: normal.user|192.168.1.67|win7pc|serversharedfolder|close|ok|John/Desktop Word John.docx
              May 30 11:22:14 server001 smbd_audit: normal.user|192.168.1.67|win7pc|serversharedfolder|open|ok|r|Desktop Word John.docx
              May 30 11:22:14 server001 smbd_audit: normal.user|192.168.1.67|win7pc|serversharedfolder|open|ok|w|.~lock.Desktop Word John.docx#
              May 30 11:22:14 server001 smbd_audit: normal.user|192.168.1.67|win7pc|serversharedfolder|close|ok|John/.~lock.Desktop Word John.docx#


          writing data into the file (every written byte, generates OPEN/CLOSE ops)



              May 30 11:22:44 server001 smbd_audit: normal.user|192.168.1.67|win7pc|serversharedfolder|open|ok|r|Desktop Word John.docx
              May 30 11:22:44 server001 smbd_audit: normal.user|192.168.1.67|win7pc|serversharedfolder|close|ok|John/Desktop Word John.docx
              May 30 11:22:44 server001 smbd_audit: normal.user|192.168.1.67|win7pc|serversharedfolder|open|ok|r|Desktop Word John.docx
              May 30 11:22:44 server001 smbd_audit: normal.user|192.168.1.67|win7pc|serversharedfolder|close|ok|John/Desktop Word John.docx
              May 30 11:22:45 server001 smbd_audit: normal.user|192.168.1.67|win7pc|serversharedfolder|open|ok|r|Desktop Word John.docx
              May 30 11:22:45 server001 smbd_audit: normal.user|192.168.1.67|win7pc|serversharedfolder|close|ok|John/Desktop Word John.docx


          saving file



              May 30 11:26:33 server001 smbd_audit: normal.user|192.168.1.67|win7pc|serversharedfolder|open|ok|w|.~lock.Desktop Word John.docx#
              May 30 11:26:33 server001 smbd_audit: normal.user|192.168.1.67|win7pc|serversharedfolder|pwrite|ok|John/.~lock.Desktop Word John.docx#
              May 30 11:26:33 server001 smbd_audit: normal.user|192.168.1.67|win7pc|serversharedfolder|close|ok|John/.~lock.Desktop Word John.docx#
              May 30 11:26:33 server001 smbd_audit: normal.user|192.168.1.67|win7pc|serversharedfolder|open|ok|r|Desktop Word John.docx
              May 30 11:26:33 server001 smbd_audit: normal.user|192.168.1.67|win7pc|serversharedfolder|close|ok|John/Desktop Word John.docx
              May 30 11:26:33 server001 smbd_audit: normal.user|192.168.1.67|win7pc|serversharedfolder|open|ok|w|Desktop Word John.docx


          closing file



              May 30 11:37:39 server001 smbd_audit: normal.user|192.168.1.67|win7pc|serversharedfolder|open|ok|r|.~lock.Desktop Word John.docx#
              May 30 11:37:39 server001 smbd_audit: normal.user|192.168.1.67|win7pc|serversharedfolder|close|ok|John/.~lock.Desktop Word John.docx#
              May 30 11:37:39 server001 smbd_audit: normal.user|192.168.1.67|win7pc|serversharedfolder|unlink|ok|John/.~lock.Desktop Word John.docx#



          If you are planning to implement the VFS Modules for Samba, here are some links which can guide you through the setup (don't forget to install the package samba-vfs-modules):



          • https://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/VFS.html

          • https://www.samba.org/samba/docs/man/manpages-3/vfs_full_audit.8.html

          Here is an excerpt from smb.conf, showing the setup of the feature for a specific shared folder:



              ...
              [fileserver]
              path = /bkp/local
              valid users = john, jane, martin, carl
              force group = sambashare
              create mode = 0660
              directory mode = 0770
              available = yes
              read only = no
              writable = yes
              browsable = yes
              hide files = /lost+found/
              # load the auditing VFS module for this share
              vfs objects = full_audit
              # log prefix: user | client IP | client machine name | share name
              full_audit:prefix = %u|%I|%m|%S
              # operations to log, both when they succeed and when they fail
              full_audit:success = mkdir rename rmdir pwrite write unlink open close
              full_audit:failure = mkdir rename rmdir pwrite write unlink open close
              # syslog facility and priority used for the audit records
              full_audit:facility = local7
              full_audit:priority = warning
              ...


          Don't forget to add a statement to rsyslog in order to write the data from the shared folder into a log file:



              $ grep local7 /etc/rsyslog.conf
              local7.* /var/log/samba/audit.log





          • What Office suite do you use? On Office2010 and Office2013 and Samba 3.6 (from a CentOS 6 x86-64), I see a very different behavior: the client keeps the file open, as clearly shown by lsof. Moreover, saving the edited file will not overwrite the original file, rather the new one is saved with a temp name and renamed.

            – shodanshok
            May 30 '17 at 18:56












          • Good one! I'm using Microsoft Office 2007 and I also tried with LibreOffice. I'll verify with another Office suite. Sounds interesting. Thank you!

            – ivanleoncz
            May 30 '17 at 19:02







          • I suggest you monitor your filesystem activity using inotifywait

            – shodanshok
            May 30 '17 at 19:05











          • Yeap. I know the tool and it's very useful. I'll make an update on my answer. Thanks @shodanshok!

            – ivanleoncz
            May 30 '17 at 19:16
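
Added example (not part of the original answer or its comments): one way to turn the full_audit log shown in the answer into a list of documents that are currently open, by tracking the `.~lock.<name>#` files from creation to unlink. It assumes the answer's `%u|%I|%m|%S` prefix and that the lock file exists for as long as the document is open; the function names and the sample lines for jane and carl are constructed for illustration.

```python
import posixpath
import re

# Syslog header, the smbd_audit tag, then the '|'-separated full_audit payload.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s\S+\ssmbd_audit(?:\[\d+\])?:\s(?P<payload>.*)$"
)
# Lock-file naming seen in the answer's logs: ".~lock.<document name>#".
LOCK_RE = re.compile(r"^\.~lock\.(?P<doc>.+)#$")

# Constructed sample in the answer's log format (prefix %u|%I|%m|%S).
# The users jane and carl, their hosts and the "fail" line are made up.
SAMPLE_LOG = """\
May 30 11:22:14 server001 smbd_audit: normal.user|192.168.1.67|win7pc|serversharedfolder|open|ok|w|.~lock.Desktop Word John.docx#
May 30 11:22:14 server001 smbd_audit: normal.user|192.168.1.67|win7pc|serversharedfolder|close|ok|John/.~lock.Desktop Word John.docx#
May 30 11:25:02 server001 smbd_audit: jane|192.168.1.68|win7pc2|serversharedfolder|open|ok|w|.~lock.Budget.xlsx#
May 30 11:25:02 server001 smbd_audit: jane|192.168.1.68|win7pc2|serversharedfolder|close|ok|Jane/.~lock.Budget.xlsx#
May 30 11:26:33 server001 smbd_audit: normal.user|192.168.1.67|win7pc|serversharedfolder|open|ok|w|.~lock.Desktop Word John.docx#
May 30 11:26:33 server001 smbd_audit: normal.user|192.168.1.67|win7pc|serversharedfolder|pwrite|ok|John/.~lock.Desktop Word John.docx#
May 30 11:30:10 server001 smbd_audit: carl|192.168.1.69|win7pc3|serversharedfolder|open|fail (Permission denied)|w|.~lock.Budget.xlsx#
May 30 11:37:39 server001 smbd_audit: normal.user|192.168.1.67|win7pc|serversharedfolder|open|ok|r|.~lock.Desktop Word John.docx#
May 30 11:37:39 server001 smbd_audit: normal.user|192.168.1.67|win7pc|serversharedfolder|close|ok|John/.~lock.Desktop Word John.docx#
May 30 11:37:39 server001 smbd_audit: normal.user|192.168.1.67|win7pc|serversharedfolder|unlink|ok|John/.~lock.Desktop Word John.docx#
"""


def parse_audit_line(line):
    """Split one smbd_audit line into fields; return None for any other line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    # Note: a file name that itself contains '|' would be split here.
    fields = m.group("payload").split("|")
    if len(fields) < 7:
        return None
    user, ip, machine, share, op, status = fields[:6]
    args = fields[6:]
    mode = None
    if op == "open":
        # open logs an r/w flag before the path: open|ok|w|<path>
        if len(args) < 2:
            return None
        mode, args = args[0], args[1:]
    return {"ts": m.group("ts"), "user": user, "ip": ip, "machine": machine,
            "share": share, "op": op, "status": status, "mode": mode,
            "paths": args}


def open_documents(lines):
    """Return {(user, ip, share, document): {"since", "path"}} for held locks.

    In the answer's logs "open" records only the base name while "close" and
    "unlink" record the directory too, so events are matched on the base name
    and the directory is filled in once a later event reveals it.
    """
    held = {}
    for line in lines:
        ev = parse_audit_line(line)
        if ev is None or ev["status"] != "ok":
            continue  # not an audit line, or the operation failed
        path = ev["paths"][0]
        lock = LOCK_RE.match(posixpath.basename(path))
        if not lock:
            continue  # only lock-file events carry open/closed state
        doc = lock.group("doc")
        key = (ev["user"], ev["ip"], ev["share"], doc)
        if ev["op"] == "unlink":
            held.pop(key, None)  # lock removed: document was closed
            continue
        if ev["op"] == "open" and ev["mode"] == "w":
            # first write-open creates the lock; later ones (on save) are no-ops
            held.setdefault(key, {"since": ev["ts"], "path": None})
        folder = posixpath.dirname(path)
        if key in held and folder:
            held[key]["path"] = posixpath.join(folder, doc)
    return held


if __name__ == "__main__":
    for (user, ip, share, doc), info in open_documents(SAMPLE_LOG.splitlines()).items():
        print(f"{user}@{ip} [{share}] {info['path'] or doc} (since {info['since']})")
```

Because matching is on the base name, two documents with the same name opened by the same user from different folders are counted once, and a lock file left behind by a crashed client stays listed until it is removed.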













          Your Answer








          StackExchange.ready(function()
          var channelOptions =
          tags: "".split(" "),
          id: "2"
          ;
          initTagRenderer("".split(" "), "".split(" "), channelOptions);

          StackExchange.using("externalEditor", function()
          // Have to fire editor after snippets, if snippets enabled
          if (StackExchange.settings.snippets.snippetsEnabled)
          StackExchange.using("snippets", function()
          createEditor();
          );

          else
          createEditor();

          );

          function createEditor()
          StackExchange.prepareEditor(
          heartbeatType: 'answer',
          autoActivateHeartbeat: false,
          convertImagesToLinks: true,
          noModals: true,
          showLowRepImageUploadWarning: true,
          reputationToPostImages: 10,
          bindNavPrevention: true,
          postfix: "",
          imageUploader:
          brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
          contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
          allowUrls: true
          ,
          onDemand: true,
          discardSelector: ".discard-answer"
          ,immediatelyShowMarkdownHelp:true
          );



          );













          draft saved

          draft discarded


















          StackExchange.ready(
          function ()
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f853056%2flisting-open-files-from-shared-folders%23new-answer', 'question_page');

          );

          Post as a guest















          Required, but never shown

























          1 Answer
          1






          active

          oldest

          votes








          1 Answer
          1






          active

          oldest

          votes









          active

          oldest

          votes






          active

          oldest

          votes









          0














          According to my findings, thanks to VFS Modules, Samba does not keep File Descriptors for the files which are being shared and used, no matter what kind of normal file it is, with just one exception.



          The only situation which I found that open files are visible via lsof or smbstatus -L, is when you have open files from Microsoft Office 2010 onward.



          $ lsof | grep bkp
          bash 1272 root cwd DIR 8,9 4096 651521 /bkp/local/John
          smbd 2492 root cwd DIR 8,9 4096 2 /bkp/local
          smbd 6127 root cwd DIR 8,9 4096 2 /bkp/local
          smbd 6127 root 35r DIR 8,9 4096 651521 /bkp/local/John
          smbd 6127 root 36r DIR 8,9 4096 2 /bkp/local
          smbd 6127 root 37r DIR 8,9 4096 2 /bkp/local
          smbd 6127 root 38r DIR 8,9 4096 2 /bkp/local
          smbd 6127 root 41r DIR 8,9 4096 2 /bkp/local
          smbd 6127 root 42r DIR 8,9 4096 651521 /bkp/local/John
          smbd 6127 root 44uR REG 8,9 0 651529 /bkp/local/John/word_john.docx
          lsof 6345 root cwd DIR 8,9 4096 651521 /bkp/local/John
          grep 6346 root cwd DIR 8,9 4096 651521 /bkp/local/John
          lsof 6347 root cwd DIR 8,9 4096 651521 /bkp/local/John





          $ smbstatus -L
          Registered MSG_REQ_POOL_USAGE
          Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
          Locked files:

          Pid Uid DenyMode Access R/W Oplock SharePath Name Time

          6127 1001 DENY_NONE 0x100081 RDONLY NONE /respaldo/segeco_local . Tue May 30 14:10:14 2017
          6127 1001 DENY_NONE 0x100081 RDONLY NONE /respaldo/segeco_local . Tue May 30 14:10:14 2017
          6127 1001 DENY_NONE 0x100081 RDONLY NONE /respaldo/segeco_local . Tue May 30 14:10:14 2017
          6127 1001 DENY_WRITE 0x12019f RDWR LEVEL_II /respaldo/segeco_local Susana/word_susana.docx Tue May 30 14:10:38
          2017
          6127 1001 DENY_NONE 0x100081 RDONLY NONE /respaldo/segeco_local Susana Tue May 30 14:14:25 2017
          6127 1001 DENY_NONE 0x100081 RDONLY NONE /respaldo/segeco_local Susana Tue May 30 14:14:25 2017


          The same does not happen when you have, for example, a .docx file opened via Microsoft Office 2007 or LibreOffice 4.




          What usually happens (forgetting the situation above about the files from Microsoft Office 2010 onward: once a Client Machine, opens a file from a shared folder maintained by Samba, this file is cached on the file system of the Client Machine, an closed on the file system of Server.



          Below, I described some observations which I have noticed during my experiments with VFS Modules for Samba.



          The configuration for this functionality which allows to audit operations performed on every shared folder, is described at the end of my answer.




          For Text Documents, Images, PDFs, Media Files, the Client Machine:



          • opens the file

          • caches the data

          • closes the file on the local file system of the Server

          • when saving modifications, Samba creates a temporary file on the Server

          • when closing the file, Samba removes the original file and renames the tmp file to the name of the original file.

          opening file on Client



          May 30 11:13:02 server001 smbd_audit: normal.user|192.168.1.67|win7pc|serversharedfolder|open|ok|r|Expedientes.txt
          May 30 11:13:02 server001 smbd_audit: normal.user|192.168.1.67|win7pc|serversharedfolder|close|ok|John/Expedientes.txt


          saving file



          May 30 11:16:52 server001 smbd_audit: normal.user|192.168.1.67|win7pc|serversharedfolder|open|ok|w|~gvfPvwn.tmp
          May 30 11:16:52 server001 smbd_audit: normal.user|192.168.1.67|win7pc|serversharedfolder|pwrite|ok|John/~gvfPvwn.tmp
          May 30 11:16:52 server001 smbd_audit: normal.user|192.168.1.67|win7pc|serversharedfolder|close|ok|John/~gvfPvwn.tmp
          May 30 11:16:52 server001 smbd_audit: normal.user|192.168.1.67|win7pc|serversharedfolder|unlink|ok|John/Expedientes.txt
          May 30 11:16:52 server001 smbd_audit: normal.user|192.168.1.67|win7pc|serversharedfolder|rename|ok|John/~gvfPvwn.tmp|John/Expedientes.txt


          closing files




          Samba does not record operations for files that are closed on the Client Machines.





          For Microsoft Office files (.docx, .doc, .xls, .xlsx, etc.), the Client Machine:



          • opens the file

          • caches the data

          • closes the file on the local file system of the Server

          • opens a tmp/lock file (.~lock.my_word_document.docx#) and closes it

          • every byte inserted on the Client Machine, generates open/close ops on the original file

          • when saving the file, the Client Machine writes the modifications into the file

          • when closing the file, Samba removes the tmp/lock file

          opening file on Client



          May 30 11:22:14 server001 smbd_audit: normal.user|192.168.1.67|win7pc|serversharedfolder|open|ok|w|Desktop Word John.docx
          May 30 11:22:14 server001 smbd_audit: normal.user|192.168.1.67|win7pc|serversharedfolder|close|ok|John/Desktop Word John.docx
          May 30 11:22:14 server001 smbd_audit: normal.user|192.168.1.67|win7pc|serversharedfolder|open|ok|r|Desktop Word John.docx
          May 30 11:22:14 server001 smbd_audit: normal.user|192.168.1.67|win7pc|serversharedfolder|open|ok|w|.~lock.Desktop Word John.docx#
          May 30 11:22:14 server001 smbd_audit: normal.user|192.168.1.67|win7pc|serversharedfolder|close|ok|John/.~lock.Desktop Word John.docx#


          writing data into the file (every written byte, generates OPEN/CLOSE ops)



          May 30 11:22:44 server001 smbd_audit: normal.user|192.168.1.67|win7pc|serversharedfolder|open|ok|r|Desktop Word John.docx
          May 30 11:22:44 server001 smbd_audit: normal.user|192.168.1.67|win7pc|serversharedfolder|close|ok|John/Desktop Word John.docx
          May 30 11:22:44 server001 smbd_audit: normal.user|192.168.1.67|win7pc|serversharedfolder|open|ok|r|Desktop Word John.docx
          May 30 11:22:44 server001 smbd_audit: normal.user|192.168.1.67|win7pc|serversharedfolder|close|ok|John/Desktop Word John.docx
          May 30 11:22:45 server001 smbd_audit: normal.user|192.168.1.67|win7pc|serversharedfolder|open|ok|r|Desktop Word John.docx
          May 30 11:22:45 server001 smbd_audit: normal.user|192.168.1.67|win7pc|serversharedfolder|close|ok|John/Desktop Word John.docx


          saving file



          May 30 11:26:33 server001 smbd_audit: normal.user|192.168.1.67|win7pc|serversharedfolder|open|ok|w|.~lock.Desktop Word John.docx#
          May 30 11:26:33 server001 smbd_audit: normal.user|192.168.1.67|win7pc|serversharedfolder|pwrite|ok|John/.~lock.Desktop Word John.docx#
          May 30 11:26:33 server001 smbd_audit: normal.user|192.168.1.67|win7pc|serversharedfolder|close|ok|John/.~lock.Desktop Word John.docx#
          May 30 11:26:33 server001 smbd_audit: normal.user|192.168.1.67|win7pc|serversharedfolder|open|ok|r|Desktop Word John.docx
          May 30 11:26:33 server001 smbd_audit: normal.user|192.168.1.67|win7pc|serversharedfolder|close|ok|John/Desktop Word John.docx
          May 30 11:26:33 server001 smbd_audit: normal.user|192.168.1.67|win7pc|serversharedfolder|open|ok|w|Desktop Word John.docx


          closing file



          May 30 11:37:39 server001 smbd_audit: normal.user|192.168.1.67|win7pc|serversharedfolder|open|ok|r|.~lock.Desktop Word John.docx#
          According to my findings, thanks to VFS Modules, Samba does not keep File Descriptors for the files which are being shared and used, no matter what kind of normal file it is, with just one exception.



          The only situation I found in which open files are visible via lsof or smbstatus -L is when you have open files from Microsoft Office 2010 onward.



          $ lsof | grep bkp
          bash 1272 root cwd DIR 8,9 4096 651521 /bkp/local/John
          smbd 2492 root cwd DIR 8,9 4096 2 /bkp/local
          smbd 6127 root cwd DIR 8,9 4096 2 /bkp/local
          smbd 6127 root 35r DIR 8,9 4096 651521 /bkp/local/John
          smbd 6127 root 36r DIR 8,9 4096 2 /bkp/local
          smbd 6127 root 37r DIR 8,9 4096 2 /bkp/local
          smbd 6127 root 38r DIR 8,9 4096 2 /bkp/local
          smbd 6127 root 41r DIR 8,9 4096 2 /bkp/local
          smbd 6127 root 42r DIR 8,9 4096 651521 /bkp/local/John
          smbd 6127 root 44uR REG 8,9 0 651529 /bkp/local/John/word_john.docx
          lsof 6345 root cwd DIR 8,9 4096 651521 /bkp/local/John
          grep 6346 root cwd DIR 8,9 4096 651521 /bkp/local/John
          lsof 6347 root cwd DIR 8,9 4096 651521 /bkp/local/John





          $ smbstatus -L
          Registered MSG_REQ_POOL_USAGE
          Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
          Locked files:

          Pid Uid DenyMode Access R/W Oplock SharePath Name Time

          6127 1001 DENY_NONE 0x100081 RDONLY NONE /respaldo/segeco_local . Tue May 30 14:10:14 2017
          6127 1001 DENY_NONE 0x100081 RDONLY NONE /respaldo/segeco_local . Tue May 30 14:10:14 2017
          6127 1001 DENY_NONE 0x100081 RDONLY NONE /respaldo/segeco_local . Tue May 30 14:10:14 2017
          6127 1001 DENY_WRITE 0x12019f RDWR LEVEL_II /respaldo/segeco_local Susana/word_susana.docx Tue May 30 14:10:38 2017
          6127 1001 DENY_NONE 0x100081 RDONLY NONE /respaldo/segeco_local Susana Tue May 30 14:14:25 2017
          6127 1001 DENY_NONE 0x100081 RDONLY NONE /respaldo/segeco_local Susana Tue May 30 14:14:25 2017


          The same does not happen when you have, for example, a .docx file opened via Microsoft Office 2007 or LibreOffice 4.




          What usually happens (forgetting the situation above about the files from Microsoft Office 2010 onward): once a Client Machine opens a file from a shared folder maintained by Samba, this file is cached on the file system of the Client Machine and closed on the file system of the Server.

          Below, I describe some observations that I noticed during my experiments with VFS Modules for Samba.

          The configuration for this functionality, which allows auditing operations performed on every shared folder, is described at the end of my answer.




          For Text Documents, Images, PDFs, Media Files, the Client Machine:



          • opens the file

          • caches the data

          • closes the file on the local file system of the Server

          • when saving modifications, Samba creates a temporary file on the Server

          • when closing the file, Samba removes the original file and renames the tmp file to the name of the original file.

          opening file on Client



          May 30 11:13:02 server001 smbd_audit: normal.user|192.168.1.67|win7pc|serversharedfolder|open|ok|r|Expedientes.txt
          May 30 11:13:02 server001 smbd_audit: normal.user|192.168.1.67|win7pc|serversharedfolder|close|ok|John/Expedientes.txt


          saving file



          May 30 11:16:52 server001 smbd_audit: normal.user|192.168.1.67|win7pc|serversharedfolder|open|ok|w|~gvfPvwn.tmp
          May 30 11:16:52 server001 smbd_audit: normal.user|192.168.1.67|win7pc|serversharedfolder|pwrite|ok|John/~gvfPvwn.tmp
          May 30 11:16:52 server001 smbd_audit: normal.user|192.168.1.67|win7pc|serversharedfolder|close|ok|John/~gvfPvwn.tmp
          May 30 11:16:52 server001 smbd_audit: normal.user|192.168.1.67|win7pc|serversharedfolder|unlink|ok|John/Expedientes.txt
          May 30 11:16:52 server001 smbd_audit: normal.user|192.168.1.67|win7pc|serversharedfolder|rename|ok|John/~gvfPvwn.tmp|John/Expedientes.txt


          closing files




          Samba does not record operations for files that are closed on the Client Machines.





          For Microsoft Office files (.docx, .doc, .xls, .xlsx, etc.), the Client Machine:



          • opens the file

          • caches the data

          • closes the file on the local file system of the Server

          • opens a tmp/lock file (.~lock.my_word_document.docx#) and closes it

          • every byte inserted on the Client Machine generates open/close ops on the original file

          • when saving the file, the Client Machine writes the modifications into the file

          • when closing the file, Samba removes the tmp/lock file

          opening file on Client



          May 30 11:22:14 server001 smbd_audit: normal.user|192.168.1.67|win7pc|serversharedfolder|open|ok|w|Desktop Word John.docx
          May 30 11:22:14 server001 smbd_audit: normal.user|192.168.1.67|win7pc|serversharedfolder|close|ok|John/Desktop Word John.docx
          May 30 11:22:14 server001 smbd_audit: normal.user|192.168.1.67|win7pc|serversharedfolder|open|ok|r|Desktop Word John.docx
          May 30 11:22:14 server001 smbd_audit: normal.user|192.168.1.67|win7pc|serversharedfolder|open|ok|w|.~lock.Desktop Word John.docx#
          May 30 11:22:14 server001 smbd_audit: normal.user|192.168.1.67|win7pc|serversharedfolder|close|ok|John/.~lock.Desktop Word John.docx#


          writing data into the file (every written byte generates OPEN/CLOSE ops)



          May 30 11:22:44 server001 smbd_audit: normal.user|192.168.1.67|win7pc|serversharedfolder|open|ok|r|Desktop Word John.docx
          May 30 11:22:44 server001 smbd_audit: normal.user|192.168.1.67|win7pc|serversharedfolder|close|ok|John/Desktop Word John.docx
          May 30 11:22:44 server001 smbd_audit: normal.user|192.168.1.67|win7pc|serversharedfolder|open|ok|r|Desktop Word John.docx
          May 30 11:22:44 server001 smbd_audit: normal.user|192.168.1.67|win7pc|serversharedfolder|close|ok|John/Desktop Word John.docx
          May 30 11:22:45 server001 smbd_audit: normal.user|192.168.1.67|win7pc|serversharedfolder|open|ok|r|Desktop Word John.docx
          May 30 11:22:45 server001 smbd_audit: normal.user|192.168.1.67|win7pc|serversharedfolder|close|ok|John/Desktop Word John.docx


          saving file



          May 30 11:26:33 server001 smbd_audit: normal.user|192.168.1.67|win7pc|serversharedfolder|open|ok|w|.~lock.Desktop Word John.docx#
          May 30 11:26:33 server001 smbd_audit: normal.user|192.168.1.67|win7pc|serversharedfolder|pwrite|ok|John/.~lock.Desktop Word John.docx#
          May 30 11:26:33 server001 smbd_audit: normal.user|192.168.1.67|win7pc|serversharedfolder|close|ok|John/.~lock.Desktop Word John.docx#
          May 30 11:26:33 server001 smbd_audit: normal.user|192.168.1.67|win7pc|serversharedfolder|open|ok|r|Desktop Word John.docx
          May 30 11:26:33 server001 smbd_audit: normal.user|192.168.1.67|win7pc|serversharedfolder|close|ok|John/Desktop Word John.docx
          May 30 11:26:33 server001 smbd_audit: normal.user|192.168.1.67|win7pc|serversharedfolder|open|ok|w|Desktop Word John.docx


          closing file



          May 30 11:37:39 server001 smbd_audit: normal.user|192.168.1.67|win7pc|serversharedfolder|open|ok|r|.~lock.Desktop Word John.docx#
          May 30 11:37:39 server001 smbd_audit: normal.user|192.168.1.67|win7pc|serversharedfolder|close|ok|John/.~lock.Desktop Word John.docx#
          May 30 11:37:39 server001 smbd_audit: normal.user|192.168.1.67|win7pc|serversharedfolder|unlink|ok|John/.~lock.Desktop Word John.docx#



          If you are planning to implement the VFS Modules for Samba, here are some links which can guide you through the setup (don't forget to install the package samba-vfs-modules):



          • https://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/VFS.html

          • https://www.samba.org/samba/docs/man/manpages-3/vfs_full_audit.8.html

          Here is an excerpt from smb.conf, showing the setup of the feature for a specific shared folder:



          ...
          [fileserver]
          path = /bkp/local
          valid users = john, jane, martin, carl
          force group = sambashare
          create mode = 0660
          directory mode = 0770
          available = yes
          read only = no
          writable = yes
          browsable = yes
          hide files = /lost+found/
          vfs objects = full_audit
          full_audit:prefix = %u|%I|%m|%S
          full_audit:success = mkdir rename rmdir pwrite write unlink open close
          full_audit:failure = mkdir rename rmdir pwrite write unlink open close
          full_audit:facility = local7
          full_audit:priority = warning
          ...


          Don't forget to add a statement to rsyslog in order to write the audit data from the shared folder into a log file:



          $ grep local7 /etc/rsyslog.conf 
          local7.* /var/log/samba/audit.log














          edited May 30 '17 at 19:39

























          answered May 30 '17 at 18:52









          ivanleoncz







          • 1





            What Office suite do you use? On Office2010 and Office2013 and Samba 3.6 (from a CentOS 6 x86-64), I see a very different behavior: the client keeps the file open, as clearly shown by lsof. Moreover, saving the edited file will not overwrite the original file, rather the new one is saved with a temp name and renamed.

            – shodanshok
            May 30 '17 at 18:56












          • Good one! I'm using Microsoft Office 2007 and I also tried with LibreOffice. I'll verify with another Office suite. Sounds interesting. Thank you!

            – ivanleoncz
            May 30 '17 at 19:02







          • 1





            I suggest you monitor your filesystem activity using inotifywait

            – shodanshok
            May 30 '17 at 19:05











          • Yeap. I know the tool and it's very useful. I'll make an update on my answer. Thanks @shodanshok!

            – ivanleoncz
            May 30 '17 at 19:16
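
          An added example (not part of the original answer or of Samba): a parser for smbd_audit lines in the answer's %u|%I|%m|%S prefix format that labels each unlink as a save-by-rename replacement, a lock-file cleanup, a real deletion, or a failed attempt, so the audit trail is not misread as a series of deletions. The function names, the 2-second window, the "fail (...)" result text and the last two sample lines are assumptions constructed for illustration.

```python
import re
from collections import namedtuple

# Syslog header written by rsyslog in front of the full_audit payload.
HEADER = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s(?P<host>\S+)\ssmbd_audit:\s(?P<body>.*)$"
)

Event = namedtuple("Event", "ts user ip machine share op ok args")

# First eight lines are copied from the answer's excerpts; the last two are
# constructed (a plain deletion and a denied one; failure text is assumed).
SAMPLE_LOG = """
May 30 11:16:52 server001 smbd_audit: normal.user|192.168.1.67|win7pc|serversharedfolder|open|ok|w|~gvfPvwn.tmp
May 30 11:16:52 server001 smbd_audit: normal.user|192.168.1.67|win7pc|serversharedfolder|pwrite|ok|John/~gvfPvwn.tmp
May 30 11:16:52 server001 smbd_audit: normal.user|192.168.1.67|win7pc|serversharedfolder|close|ok|John/~gvfPvwn.tmp
May 30 11:16:52 server001 smbd_audit: normal.user|192.168.1.67|win7pc|serversharedfolder|unlink|ok|John/Expedientes.txt
May 30 11:16:52 server001 smbd_audit: normal.user|192.168.1.67|win7pc|serversharedfolder|rename|ok|John/~gvfPvwn.tmp|John/Expedientes.txt
May 30 11:37:39 server001 smbd_audit: normal.user|192.168.1.67|win7pc|serversharedfolder|open|ok|r|.~lock.Desktop Word John.docx#
May 30 11:37:39 server001 smbd_audit: normal.user|192.168.1.67|win7pc|serversharedfolder|close|ok|John/.~lock.Desktop Word John.docx#
May 30 11:37:39 server001 smbd_audit: normal.user|192.168.1.67|win7pc|serversharedfolder|unlink|ok|John/.~lock.Desktop Word John.docx#
May 30 12:01:10 server001 smbd_audit: normal.user|192.168.1.67|win7pc|serversharedfolder|unlink|ok|John/old_report.txt
May 30 12:03:41 server001 smbd_audit: normal.user|192.168.1.67|win7pc|serversharedfolder|unlink|fail (Permission denied)|John/contract.pdf
"""


def parse_line(line):
    """Split one audit line into the four prefix fields, op, result and args."""
    m = HEADER.match(line.strip())
    if not m:
        return None
    parts = m.group("body").split("|")
    if len(parts) < 7:          # prefix(4) + op + result + at least one argument
        return None
    user, ip, machine, share, op, result = parts[:6]
    return Event(m.group("ts"), user, ip, machine, share, op,
                 result == "ok", tuple(parts[6:]))


def load(text):
    """Parse a block of log text, skipping lines that are not audit records."""
    return [ev for ev in map(parse_line, text.splitlines()) if ev]


def _clock(ts):
    """Return ((month, day), seconds since midnight); syslog omits the year."""
    mon, day, hms = ts.split()
    h, m, s = (int(x) for x in hms.split(":"))
    return (mon, day), h * 3600 + m * 60 + s


def _close_in_time(first, second, window):
    (day_a, sec_a), (day_b, sec_b) = _clock(first), _clock(second)
    return day_a == day_b and 0 <= sec_b - sec_a <= window


def classify_unlinks(events, window=2):
    """Label every unlink: replaced, lockfile, deleted or failed."""
    results = []    # one dict per unlink, in log order
    pending = {}    # (user, ip, share, path) -> index of an unlink awaiting a rename
    for ev in events:
        session = (ev.user, ev.ip, ev.share)
        if ev.op == "unlink" and ev.args:
            path = ev.args[0]
            name = path.rsplit("/", 1)[-1]
            if not ev.ok:
                verdict = "failed"
            elif name.startswith(".~lock.") and name.endswith("#"):
                verdict = "lockfile"
            else:
                verdict = "deleted"          # provisional until a rename lands on it
                pending[session + (path,)] = len(results)
            results.append({"ts": ev.ts, "user": ev.user, "ip": ev.ip,
                            "path": path, "verdict": verdict,
                            "replaced_from": None})
        elif ev.op == "rename" and ev.ok and len(ev.args) == 2:
            src, dst = ev.args
            idx = pending.pop(session + (dst,), None)
            if idx is not None and _close_in_time(results[idx]["ts"], ev.ts, window):
                results[idx]["verdict"] = "replaced"
                results[idx]["replaced_from"] = src
    return results


if __name__ == "__main__":
    for row in classify_unlinks(load(SAMPLE_LOG)):
        print(row["ts"], row["user"], row["ip"], row["verdict"], row["path"])
```

          Only entries labelled "deleted" or "failed" need a reviewer's attention; the window does not span midnight, so a save that straddles 00:00:00 stays "deleted".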




























