FSRVP samba configuration problems

Teng-Feng Yang shinrairis at gmail.com
Mon Mar 11 05:35:56 MDT 2013


Hi David,

Thanks for your quick reply.
I tried granting my user SeBackupPrivilege as you recommended, and
everything works like a charm. :)
Since I have a server running Windows Server 2012 at hand, I also tried
to use the diskshadow utility to take a remote snapshot with the FSRVP
server on Linux.
I created mirror accounts and passwords on both the Windows client and
the FSRVP server.
When I enter "add volume \\<IP Address of FSRVP Server>\<share name>",
it keeps telling me that this share does not support shadow copy.
I checked the full debug logs of Samba and fssd, and it turns out that
fssd never received any request.
Should I put both the client and the server in the same AD domain to
make this work?

Also, is there any time schedule for this great feature to be
officially released?
Thanks for your patience.

Any help would be appreciated.

Best Regards,

Dennis

2013/3/8 David Disseldorp <ddiss at suse.de>:
> Hi Dennis,
>
> On Fri, 8 Mar 2013 17:59:36 +0800
> Teng-Feng Yang <shinrairis at gmail.com> wrote:
>
>> Hi,
>>
>> I watched the video of a nice talk given by David Disseldorp about the
>> remote snapshot (FSRVP) implementation in Samba recently, and I want to
>> give this new feature a whirl.
>> I checked out the head "async_rpc_copy_chunk_fsrvp_snapper_demo_wip"
>> from gitweb.samba.org/ddiss/samba.git and successfully compiled and
>> installed it on my Ubuntu system.
>
> Thanks for your interest. As implied by the branch name, this code is
> currently work-in-progress and should not be used on production systems.
>
>> I made a btrfs volume, mounted it under my own home directory and
>> created the root account with smbpasswd.
>> Then I typed "rpcclient -U root 127.0.0.1" to connect to the rpc_server locally.
>> However, when I tried to take a snapshot with "fss_create_expose backup
>> ro {share_name}", it returned NT_STATUS_UNSUCCESSFUL with error code
>> 0x80070005 (ACCESS DENIED).
>> It looks like my root account does not have the right to perform
>> backup operations.
>
> There are a number of permissions barriers when handling FSRVP
> operations. Some are Samba's responsibility, others are Snapper's.
>
> The Samba FSRVP server attempts to follow MS-FSRVP section 3.1.4, in
> checking:
> - Whether the authenticated user is a member of the Administrators
>   built-in group.
> - Whether the authenticated user is a member of the Backup Operators
>   built-in group.
> - Whether the user has been granted SeBackupPrivilege.
> FSRVP requests are handled if any of the above checks are confirmed.
>
> SeBackupPrivilege can be granted to local users using the
> "net rpc rights grant" command.
>
> Samba issues requests to Snapper as the authenticated user, using the
> dbus interface provided in recent Snapper releases. Currently the base
> share path must directly correspond to a snapper configuration.
>
> Snapper only handles snapshot creation and manipulation requests issued
> by the root user, or users permitted via ALLOW_USERS / ALLOW_GROUPS
> entries in /etc/snapper/configs/$config_name.
>
> Finally, for users to access snapshot data they must be permitted to
> traverse (execute) through the $share_path/.snapshots/ directory.
>
>> Should I use domain-level authentication to get it done?
>
> Domain-level authentication is not required.
>
> Cheers, David



-- 
Teng Feng Yang
Research Assistant of Director. P.C. Yew
Parallel Processing Laboratory
Institute of Information Science
Academia Sinica, Taiwan
Tel: 886-2-27883799#1676
E-mail:shinrairis at iis.sinica.edu.tw
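
The Snapper-side barriers listed in the quoted reply (the share path must correspond to a snapper configuration, the user must be root or covered by ALLOW_USERS / ALLOW_GROUPS, and $share_path/.snapshots must be traversable) can be checked locally. The script below is an added example, not part of the original messages and not Samba or Snapper code; the function names and the demo's users and paths are constructed, and it assumes the config file holds KEY="value" lines for SUBVOLUME, ALLOW_USERS and ALLOW_GROUPS.

```shell
#!/bin/sh
# Added example: usage is  script <snapper-config-file> <share-path> <user> [groups...]

# Print the value of KEY ($2) from a snapper config file ($1) of KEY="value" lines.
cfg_get() {
    sed -n "s/^$2=\"\{0,1\}\([^\"]*\)\"\{0,1\}[[:space:]]*\$/\1/p" "$1" | tail -n 1
}

# 0 if USER is root, is listed in ALLOW_USERS, or has a group in ALLOW_GROUPS.
snapper_allows() {
    cfg=$1; user=$2; shift 2
    if [ -z "$user" ]; then return 1; fi
    if [ "$user" = root ]; then return 0; fi
    case " $(cfg_get "$cfg" ALLOW_USERS) " in *" $user "*) return 0 ;; esac
    allowed=" $(cfg_get "$cfg" ALLOW_GROUPS) "
    for grp in "$@"; do
        case "$allowed" in *" $grp "*) return 0 ;; esac
    done
    return 1
}

# 0 if the share path is exactly the SUBVOLUME of this snapper config.
share_matches_config() { [ "$(cfg_get "$1" SUBVOLUME)" = "${2%/}" ]; }

# 0 if the calling user can traverse (execute) $share_path/.snapshots.
snapshots_traversable() { [ -d "$1/.snapshots" ] && [ -x "$1/.snapshots" ]; }

# Report each barrier; the return value is the number of failed checks.
check_share() {
    cfg=$1; share=$2; shift 2; fails=0
    if ! share_matches_config "$cfg" "$share"; then
        echo "FAIL: $share is not this config's SUBVOLUME"; fails=$((fails + 1))
    fi
    if ! snapper_allows "$cfg" "$@"; then
        echo "FAIL: $1 is not root or in ALLOW_USERS/ALLOW_GROUPS"; fails=$((fails + 1))
    fi
    if ! snapshots_traversable "$share"; then
        echo "FAIL: cannot traverse $share/.snapshots"; fails=$((fails + 1))
    fi
    return "$fails"
}

demo() {  # constructed config and users, used when no arguments are given
    d=$(mktemp -d); mkdir -p "$d/share/.snapshots"
    printf 'SUBVOLUME="%s"\nALLOW_USERS="dennis"\nALLOW_GROUPS=""\n' "$d/share" > "$d/cfg"
    check_share "$d/cfg" "$d/share" dennis && echo "dennis: OK"
    check_share "$d/cfg" "$d/share" guest || echo "guest: blocked"
    rm -rf "$d"
}
if [ "$#" -ge 3 ]; then check_share "$@"; else demo; fi
```

The traverse check applies to whoever runs the script, so run it as the user who will read the snapshot data. It does not cover the Samba-side checks (Administrators, Backup Operators, SeBackupPrivilege).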


More information about the samba-technical mailing list