debuglevel The value of the parameter (a string) allows the debug level (logging level) to be specified in the smb.conf file. This parameter has been extended since the 2.2.x series, now it allows one to specify the debug level for multiple debug classes and distinct logfiles for debug classes. This is to give greater flexibility in the configuration of the system. The following debug classes are currently implemented: all tdb printdrivers lanman smb rpc_parse rpc_srv rpc_cli passdb sam auth winbind vfs idmap quota acls locking msdfs dmapi registry scavenger dns ldb tevent auth_audit auth_json_audit kerberos drs_repl smb2 smb2_credits dsdb_audit dsdb_json_audit dsdb_password_audit dsdb_password_json_audit dsdb_transaction_audit dsdb_transaction_json_audit dsdb_group_audit dsdb_group_json_audit Various modules register dynamic debug classes at first usage: catia dfs_samba4 extd_audit fileid fruit full_audit media_harmony preopen recycle shadow_copy shadow_copy unityed_media virusfilter To configure the logging for specific classes to go into a different file then , you can append @PATH to the class, eg log level = 1 full_audit:1@/var/log/audit.log. Authentication and authorization audit information is logged under the auth_audit, and if Samba was not compiled with --without-json, a JSON representation is logged under auth_json_audit. Support is comprehensive for all authentication and authorisation of user accounts in the Samba Active Directory Domain Controller, as well as the implicit authentication in password changes. In the file server, NTLM authentication, SMB and RPC authorization is covered. Log levels for auth_audit and auth_audit_json are: 2: Authentication Failure 3: Authentication Success 4: Authorization Success 5: Anonymous Authentication and Authorization Success Changes to the AD DC sam.ldb database are logged under the dsdb_audit and a JSON representation is logged under dsdb_json_audit. Group membership changes to the AD DC sam.ldb database are logged under the dsdb_group_audit and a JSON representation is logged under dsdb_group_json_audit. Log levels for dsdb_audit, dsdb_json_audit, dsdb_group_audit, dsdb_group_json_audit and dsdb_json_audit are: 5: Database modifications 5: Replicated updates from another DC Password changes and Password resets in the AD DC are logged under dsdb_password_audit and a JSON representation is logged under the dsdb_password_json_audit. Password changes will also appears as authentication events via auth_audit and auth_audit_json. Log levels for dsdb_password_audit and dsdb_password_json_audit are: 5: Successful password changes and resets Transaction rollbacks and prepare commit failures are logged under the dsdb_transaction_audit and a JSON representation is logged under the dsdb_transaction_json_audit. Log levels for dsdb_transaction_audit and dsdb_transaction_json are: 5: Transaction failure (rollback) 10: Transaction success (commit) Transaction roll-backs are possible in Samba, and whilst they rarely reflect anything more than the failure of an individual operation (say due to the add of a conflicting record), they are possible. Audit logs are already generated and sent to the system logs before the transaction is complete. Logging the transaction details allows the identification of password and sam.ldb operations that have been rolled back, and so have not actually persisted. Changes to sam.ldb made locally by the root user with direct access to the database are not logged to the system logs, but to the administrator's own console. While less than ideal, any user able to make such modifications could disable the audit logging in any case. 0 3 passdb:5 auth:10 winbind:2 1 full_audit:1@/var/log/audit.log winbind:2