listing open files from shared folders

Question

I have a Filer Server running Debian Jessie 8.7 on my network, with Samba 4.2.14.

Until now, I just have one shared folder configured for the entire network and I would like to watch if there are open files on this share.

When running smbstatus -L, it doesn't point any information about any open files or locked files.

$  smbstatus -L
Registered MSG_REQ_POOL_USAGE
Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
No locked files

Using lsof, it only gives me the information about what process is using the shared on folder, on the local filesytem of the server.
```
$ lsof | grep backup
smbd      1432      root  cwd    DIR     8,9     4096       2 /backup/local
```
Also using fuser, it doesn't give any information about open files or locked files. It just show the sPID which is using the shared folder on the local filesytem of the server.
```
$ fuser /backup/local
/backup/local:  1432c
```

There are some other options to track open files like:

With a Shellscript, list all files with extensions like .doc,.docx,.xls,.xlsx, and so on, and make a if [ -f ".~lock.new_document.docx#" ] ; then in order to define if a Microsoft Office file is opened or not, but this of workaround, is not what I'm looking for.
Using VFS Modules for auditing operations for any file inside the shared folder could be a source for a Shellscript, but that its not practical.

Is there anyone that could possibly know any tools that could list open/locked files from Samba shared folders, since that smbstatus -L doesn't seem to be an option for this problem?

ivanleoncz · Accepted Answer · 2017-05-30T19:39:31.440

According to my findings, thanks to VFS Modules, Samba does not keep File Descriptors for the files which are being shared and used, no matter what kind of normal file it is, with just one exception.

The only situation which I found that open files are visible via lsof or smbstatus -L, is when you have open files from Microsoft Office 2010 onward.

$ lsof | grep bkp
bash      1272      root  cwd       DIR      8,9         4096     651521 /bkp/local/John
smbd      2492      root  cwd       DIR      8,9         4096          2 /bkp/local
smbd      6127      root  cwd       DIR      8,9         4096          2 /bkp/local
smbd      6127      root   35r      DIR      8,9         4096     651521 /bkp/local/John
smbd      6127      root   36r      DIR      8,9         4096          2 /bkp/local
smbd      6127      root   37r      DIR      8,9         4096          2 /bkp/local
smbd      6127      root   38r      DIR      8,9         4096          2 /bkp/local
smbd      6127      root   41r      DIR      8,9         4096          2 /bkp/local
smbd      6127      root   42r      DIR      8,9         4096     651521 /bkp/local/John
smbd      6127      root   44uR     REG      8,9            0     651529 /bkp/local/John/word_john.docx
lsof      6345      root  cwd       DIR      8,9         4096     651521 /bkp/local/John
grep      6346      root  cwd       DIR      8,9         4096     651521 /bkp/local/John
lsof      6347      root  cwd       DIR      8,9         4096     651521 /bkp/local/John

$ smbstatus -L
Registered MSG_REQ_POOL_USAGE
Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
Locked files:

Pid    Uid    DenyMode  Access      R/W      Oplock     SharePath     Name                     Time

6127         1001       DENY_NONE  0x100081    RDONLY     NONE        /respaldo/segeco_local   .   Tue May 30 14:10:14 2017
6127         1001       DENY_NONE  0x100081    RDONLY     NONE        /respaldo/segeco_local   .   Tue May 30 14:10:14 2017
6127         1001       DENY_NONE  0x100081    RDONLY     NONE        /respaldo/segeco_local   .   Tue May 30 14:10:14 2017
6127         1001       DENY_WRITE 0x12019f    RDWR       LEVEL_II    /respaldo/segeco_local   Susana/word_susana.docx   Tue May 30 14:10:38 
2017
6127         1001       DENY_NONE  0x100081    RDONLY     NONE        /respaldo/segeco_local   Susana   Tue May 30 14:14:25 2017
6127         1001       DENY_NONE  0x100081    RDONLY     NONE        /respaldo/segeco_local   Susana   Tue May 30 14:14:25 2017

The same does not happen when you have, for example, a .docx file opened via Microsoft Office 2007 or LibreOffice 4.

What usually happens (forgetting the situation above about the files from Microsoft Office 2010 onward: once a Client Machine, opens a file from a shared folder maintained by Samba, this file is cached on the file system of the Client Machine, an closed on the file system of Server.

Below, I described some observations which I have noticed during my experiments with VFS Modules for Samba.

The configuration for this functionality which allows to audit operations performed on every shared folder, is described at the end of my answer.

For Text Documents, Images, PDFs, Media Files, the Client Machine:

opens the file
caches the data
closes the file on the local file system of the Server
when saving modifications, Samba creates a temporary file on the Server
when closing the file, Samba removes the original file and renames the tmp file to the name of the original file.

opening file on Client

May 30 11:13:02 server001 smbd_audit: normal.user|192.168.1.67|win7pc|serversharedfolder|open|ok|r|Expedientes.txt
May 30 11:13:02 server001 smbd_audit: normal.user|192.168.1.67|win7pc|serversharedfolder|close|ok|John/Expedientes.txt

saving file

May 30 11:16:52 server001 smbd_audit: normal.user|192.168.1.67|win7pc|serversharedfolder|open|ok|w|~gvfPvwn.tmp
May 30 11:16:52 server001 smbd_audit: normal.user|192.168.1.67|win7pc|serversharedfolder|pwrite|ok|John/~gvfPvwn.tmp
May 30 11:16:52 server001 smbd_audit: normal.user|192.168.1.67|win7pc|serversharedfolder|close|ok|John/~gvfPvwn.tmp
May 30 11:16:52 server001 smbd_audit: normal.user|192.168.1.67|win7pc|serversharedfolder|unlink|ok|John/Expedientes.txt
May 30 11:16:52 server001 smbd_audit: normal.user|192.168.1.67|win7pc|serversharedfolder|rename|ok|John/~gvfPvwn.tmp|John/Expedientes.txt

closing files

Samba does not record operations for files that are closed on the Client Machines.

For Microsoft Office files (.docx, .doc, .xls, .xlsx, etc.), the Client Machine:

opens the file
caches the data
closes the file on the local file system of the Server
opens a tmp/lock file (.~lock.my_word_document.docx#) and closes it
every byte inserted on the Client Machine, generates open/close ops on the original file
when saving the file, the Client Machine writes the modifications into the file
when closing the file, Samba removes the tmp/lock file

opening file on Client

May 30 11:22:14 server001 smbd_audit: normal.user|192.168.1.67|win7pc|serversharedfolder|open|ok|w|Desktop Word John.docx
May 30 11:22:14 server001 smbd_audit: normal.user|192.168.1.67|win7pc|serversharedfolder|close|ok|John/Desktop Word John.docx
May 30 11:22:14 server001 smbd_audit: normal.user|192.168.1.67|win7pc|serversharedfolder|open|ok|r|Desktop Word John.docx
May 30 11:22:14 server001 smbd_audit: normal.user|192.168.1.67|win7pc|serversharedfolder|open|ok|w|.~lock.Desktop Word John.docx#
May 30 11:22:14 server001 smbd_audit: normal.user|192.168.1.67|win7pc|serversharedfolder|close|ok|John/.~lock.Desktop Word John.docx#

writing data into the file (every written byte, generates OPEN/CLOSE ops)

May 30 11:22:44 server001 smbd_audit: normal.user|192.168.1.67|win7pc|serversharedfolder|open|ok|r|Desktop Word John.docx
May 30 11:22:44 server001 smbd_audit: normal.user|192.168.1.67|win7pc|serversharedfolder|close|ok|John/Desktop Word John.docx
May 30 11:22:44 server001 smbd_audit: normal.user|192.168.1.67|win7pc|serversharedfolder|open|ok|r|Desktop Word John.docx
May 30 11:22:44 server001 smbd_audit: normal.user|192.168.1.67|win7pc|serversharedfolder|close|ok|John/Desktop Word John.docx
May 30 11:22:45 server001 smbd_audit: normal.user|192.168.1.67|win7pc|serversharedfolder|open|ok|r|Desktop Word John.docx
May 30 11:22:45 server001 smbd_audit: normal.user|192.168.1.67|win7pc|serversharedfolder|close|ok|John/Desktop Word John.docx

saving file

May 30 11:26:33 server001 smbd_audit: normal.user|192.168.1.67|win7pc|serversharedfolder|open|ok|w|.~lock.Desktop Word John.docx#
May 30 11:26:33 server001 smbd_audit: normal.user|192.168.1.67|win7pc|serversharedfolder|pwrite|ok|John/.~lock.Desktop Word John.docx#
May 30 11:26:33 server001 smbd_audit: normal.user|192.168.1.67|win7pc|serversharedfolder|close|ok|John/.~lock.Desktop Word John.docx#
May 30 11:26:33 server001 smbd_audit: normal.user|192.168.1.67|win7pc|serversharedfolder|open|ok|r|Desktop Word John.docx
May 30 11:26:33 server001 smbd_audit: normal.user|192.168.1.67|win7pc|serversharedfolder|close|ok|John/Desktop Word John.docx
May 30 11:26:33 server001 smbd_audit: normal.user|192.168.1.67|win7pc|serversharedfolder|open|ok|w|Desktop Word John.docx

closing file

May 30 11:37:39 server001 smbd_audit: normal.user|192.168.1.67|win7pc|serversharedfolder|open|ok|r|.~lock.Desktop Word John.docx#
May 30 11:37:39 server001 smbd_audit: normal.user|192.168.1.67|win7pc|serversharedfolder|close|ok|John/.~lock.Desktop Word John.docx#
May 30 11:37:39 server001 smbd_audit: normal.user|192.168.1.67|win7pc|serversharedfolder|unlink|ok|John/.~lock.Desktop Word John.docx#

If you are planning to implement the VFS Modules for Samba, here are some links which can guide you through the setup (don't forget to install the package samba-vfs-modules):

Here is an excerpt from smb.conf, showing the setup of the feature for an specific shared folder:

...
[fileserver]
path = /bkp/local
valid users = john, jane, martin, carl
force group = sambashare
create mode = 0660
directory mode = 0770
available = yes
read only = no
writable = yes
browsable = yes
hide files = /lost+found/ 
vfs objects = full_audit
full_audit:prefix = %u|%I|%m|%S
full_audit:success = mkdir rename rmdir pwrite write unlink open close
full_audit:failure = mkdir rename rmdir pwrite write unlink open close
full_audit:facility = local7
full_audit:priority = warning
...

Don't forget to add an statement on rsyslog in order to generate data from the shared folder into a log file:

$ grep local7 /etc/rsyslog.conf 
local7.*            /var/log/samba/audit.log

What Office suite do you use? On Office2010 and Office2013 and Samba 3.6 (from a CentOS 6 x86-64), I see a very different behavior: the client keeps the file open, as clearly shown by `lsof`. Moreover, saving the edited file will *not* overwrite the original file, rather the new one is saved with a temp name and renamed. — shodanshok, May 30 '17 at 18:56
Good one! I'm using Microsoft Office 2007 and I also tried with LibreOffice. I'll verify with another Office suite. Sounds interesting. Thank you! — ivanleoncz, May 30 '17 at 19:02
I suggest you to monitor your filesystem activity using `inotifywait` — shodanshok, May 30 '17 at 19:05
Yeap. I know the tool and it's very useful. I'll make an update on my answer. Thanks @shodanshok! — ivanleoncz, May 30 '17 at 19:16

listing open files from shared folders

1 Answers1