[CentOS] tracking samba changes

Fri Mar 5 15:39:54 UTC 2021
Simon Matter <simon.matter at invoca.ch>

> Good morning everyone.  This morning when I came in my boss said that he
> doesn't have access to the R: drive, which is a samba share to a folder
> called RP.  I looked in /etc/group and his username was not in there. 
> He's had access to this group for years, since before I was at the
> company.  Yesterday I added a new employee to two other groups, saved
> the change and exited, and I took an old username out of a few
> groups but I did not touch my boss's username at all. Is there any kind
> of trace log that shows changes to a group or to /etc/group that tracks
> / logs all individual changes that I can trace back to what might have
> happened that's turned on in the system, to show changes to /etc/group,
> or does that only get captured through an outside backup?
>
> Chris

Hi Chris,

You didn't tell us how you've managed the users/groups. Usually this is
tracked in /var/log/secure like so:

Mar  2 09:57:42 dhcp-157 groupadd[23761]: group added to /etc/group: name=apache, GID=48
Mar  2 09:57:42 dhcp-157 groupadd[23761]: group added to /etc/gshadow: name=apache
Mar  2 09:57:42 dhcp-157 groupadd[23761]: new group: name=apache, GID=48
Mar  2 09:57:42 dhcp-157 useradd[23769]: new user: name=apache, UID=48, GID=48, home=/usr/share/httpd, shell=/sbin/nologin

Regards,
Simon
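
Added example, not part of Simon's message: a small parser that pulls account-management entries like the ones quoted above out of /var/log/secure and optionally narrows them to one user or group name. The function and variable names are hypothetical; the sample input is the four lines from the reply plus one constructed sshd line to show that unrelated entries are skipped.

```python
import re

# shadow-utils tools that record account changes in the auth log.
TOOLS = {"groupadd", "groupmod", "groupdel", "gpasswd",
         "useradd", "usermod", "userdel"}

# "Mar  2 09:57:42 host prog[pid]: message"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s(?P<host>\S+)\s"
    r"(?P<prog>[\w.-]+)\[(?P<pid>\d+)\]:\s(?P<msg>.*)$"
)
FIELD_RE = re.compile(r"(\w+)=([^,\s]+)")  # key=value pairs in the message

# Sample input: first four lines are from the post, the sshd line is constructed.
SAMPLE = """\
Mar  2 09:57:42 dhcp-157 groupadd[23761]: group added to /etc/group: name=apache, GID=48
Mar  2 09:57:42 dhcp-157 groupadd[23761]: group added to /etc/gshadow: name=apache
Mar  2 09:57:42 dhcp-157 groupadd[23761]: new group: name=apache, GID=48
Mar  2 09:57:42 dhcp-157 useradd[23769]: new user: name=apache, UID=48, GID=48, home=/usr/share/httpd, shell=/sbin/nologin
Mar  2 09:58:01 dhcp-157 sshd[23800]: Accepted publickey for root from 192.0.2.10 port 50022 ssh2
""".splitlines()


def parse_events(lines, name=None):
    """Return account-change events; if name is given, keep only lines mentioning it."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.rstrip("\n"))
        if not m or m["prog"] not in TOOLS:
            continue  # not a user/group management entry
        msg = m["msg"]
        if name and not re.search(rf"\b{re.escape(name)}\b", msg):
            continue  # whole-word match so "rp" does not hit "rpc"
        action, sep, rest = msg.partition(": ")
        events.append({
            "time": m["ts"], "host": m["host"],
            "prog": m["prog"], "pid": int(m["pid"]),
            "action": action,
            "fields": dict(FIELD_RE.findall(rest)) if sep else {},
        })
    return events


if __name__ == "__main__":
    # On a real host, pass open("/var/log/secure") and its rotated copies instead.
    for ev in parse_events(SAMPLE, name="apache"):
        print(ev["time"], ev["prog"], ev["action"], ev["fields"])
```

A change made by editing /etc/group directly in a text editor does not go through these tools, so it leaves no entries of this kind to find.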