FSRVP samba configuration problems

David Disseldorp ddiss at suse.de
Fri Mar 8 04:31:43 MST 2013


Hi Dennis,

On Fri, 8 Mar 2013 17:59:36 +0800
Teng-Feng Yang <shinrairis at gmail.com> wrote:

> Hi,
> 
> I watched the video of a nice talk given by David Disseldorp about the
> remote snapshot (FSRVP) implementation on Samba recently, and I want to
> give this new feature a whirl.
> I checked out the head "async_rpc_copy_chunk_fsrvp_snapper_demo_wip"
> from gitweb.samba.org/ddiss/samba.git and successfully compiled and
> installed it on my Ubuntu system.

Thanks for your interest. As implied by the branch name, this code is
currently work-in-progress and should not be used on production systems.

> I make a btrfs volume and mount it under my own home directory and
> create the root account with smbpasswd.
> Then I type "rpcclient -U root 127.0.0.1" to connect to the rpc_server locally.
> However, when I try to take a snapshot with "fss_create_expose backup
> ro {share_name}", it returns NT_STATUS_UNSUCCESSFUL with error code
> 0x80070005 (ACCESS DENIED).
> It looks like my root account does not have the right to perform
> backup operations.

There are a number of permissions barriers when handling FSRVP
operations. Some are Samba's responsibility, others are Snapper's.

The Samba FSRVP server attempts to follow MS-FSRVP section 3.1.4, in
checking:
- Whether the authenticated user is a member of the Administrators
  built-in group.
- Whether the authenticated user is a member of the Backup Operators
  built-in group.
- Whether the user has been granted SeBackupPrivilege.
FSRVP requests are handled if any of the above checks are confirmed.

SeBackupPrivilege can be granted to local users using the
"net rpc rights grant" command.

Samba issues requests to Snapper as the authenticated user, using the
dbus interface provided in recent Snapper releases. Currently the base
share path must directly correspond to a snapper configuration.

Snapper only handles snapshot creation and manipulation requests issued
by the root user, or users permitted via ALLOW_USERS / ALLOW_GROUPS
entries in /etc/snapper/configs/$config_name.

Finally, for users to access snapshot data they must be permitted to
traverse (execute) through the $share_path/.snapshots/ directory.

> Should I use domain-level authentication to get it done?

Domain-level authentication is not required.

Cheers, David
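
The Snapper-side barriers listed in the message above, as an added example that is not part of the original message and is not Samba or Snapper code. The helper names, the sample config and the reading of "corresponds to a snapper configuration" as SUBVOLUME equal to the share path are assumptions.

```shell
#!/bin/sh
# Added example: Snapper-side checks from the message above. Helper names are
# hypothetical; the sample config and paths are constructed for the demo.

# Read KEY="value" from a config file without sourcing (executing) it.
cfg_get() {  # cfg_get <file> <KEY>
    sed -n "s/^[[:space:]]*$2=\"\{0,1\}\([^\"]*\)\"\{0,1\}[[:space:]]*\$/\1/p" "$1" | tail -n 1
}

# True if <word> is one of the space-separated entries in <list>.
in_list() {  # in_list <word> <list>
    [ -n "$1" ] || return 1
    case " $2 " in *" $1 "*) return 0 ;; esac
    return 1
}

# snapper_barriers <config> <share_path> <user> "<user's groups>"
# Prints each failed check; returns 0 only when all pass.
snapper_barriers() {
    cfg=$1; share=$2; user=$3; ugroups=$4; rc=0
    # Assumption: "corresponds to a snapper configuration" means SUBVOLUME == share path.
    if [ "$(cfg_get "$cfg" SUBVOLUME)" != "$share" ]; then
        echo "FAIL: SUBVOLUME in $cfg is not $share"; rc=1
    fi
    # Snapper accepts root, or users/groups named in ALLOW_USERS / ALLOW_GROUPS.
    ok=no
    if [ "$user" = root ] || in_list "$user" "$(cfg_get "$cfg" ALLOW_USERS)"; then ok=yes; fi
    for g in $ugroups; do
        if in_list "$g" "$(cfg_get "$cfg" ALLOW_GROUPS)"; then ok=yes; fi
    done
    if [ "$ok" = no ]; then echo "FAIL: $user not permitted by $cfg"; rc=1; fi
    # Traverse check applies to the user running this script.
    if [ ! -x "$share/.snapshots" ]; then
        echo "FAIL: cannot traverse $share/.snapshots"; rc=1
    fi
    return "$rc"
}

# Constructed sample: a temp "share" with a config that allows alice and group backup.
make_sample() {
    d=$(mktemp -d) && mkdir "$d/.snapshots" &&
    printf 'SUBVOLUME="%s"\nALLOW_USERS="alice"\nALLOW_GROUPS="backup"\n' "$d" > "$d/config" &&
    echo "$d"
}
```

Run it as the user whose access is in question, since the `.snapshots` traverse test reflects the calling user's permissions; the Samba-side group and SeBackupPrivilege checks are not covered here.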

