[Samba] Permissions required for Snapshots/Previous Versions

Nick Couchman nick.e.couchman at gmail.com
Tue Jun 15 14:13:22 UTC 2021 

> On Jun 14, 2021, at 11:47, Rowland penny <rpenny at samba.org> wrote:
>
> On 14/06/2021 15:07, Nick Couchman via samba wrote:
>> Hello, everyone,
>> I've run into another challenge with Samba rights/permissions. The
>> community responded so quickly to my last question that I'm hoping this one
>> is as simple :-).
>>
>> I'm using ZFS with Samba, and have enabled the ZFS snapshot integration
>> using the shadow2 VFS module. I have automatic snapshots set up for ZFS,
>> and I'm able to see the "Previous Versions" tab in Windows and access the
>> snapshots. This works great with one exception - the only users that can
>> see them are users listed in the "admin users" section for the share or
>> users mapped to the local Administrators group.
>>
>> My question is, is there any other way to make this Previous Versions
>> functionality available to either other groups of users or, potentially,
>> all users, without adding them to "admin users" or mapping them ot local
>> Administrators?
>>
>> Thanks!
>> -Nick
>
>
> What OS ?

I currently run on CentOS 7, CentOS 8, and AWS Linux 2. Samba versions
are 4.10.16 (AWS Linux 2 and CentOS 7) and 4.12.3 (CentOS 8)

>
> How are you running Samba ?

Not entirely sure what you mean, but:
* I'm using distribution-provide Samba packages - nothing extra or
special beyond those.
* Samba is set up in an Active Directory forest as a member server (not a DC).

>
> Please post your smb.conf

Here's a sanitized version of it:

==smb.conf==
[global]
        workgroup = DOMAIN
        security = ads
        passdb backend = tdbsam
        printing = cups
        printcap name = cups
        load printers = yes
        cups options = raw
        kerberos method = system keytab
        template homedir = /home/%U@%D
        password server = ad1.domain.local ad2.domain.local
        template shell = /bin/bash
        realm = DOMAIN.LOCAL
        idmap backend = tdb
        idmap gid = 10000-2000000
        idmap uid = 10000-2000000
        winbind use default domain = no
        winbind refresh tickets = yes
        winbind offline logon = yes
        winbind enum groups = no
        winbind enum users = no

[department]
        path = /groups/depart
        comment = Department Share
        msdfs root = yes
        admin users = @DOMAIN\File_Server_Admins
        valid users = @DOMAIN\File_Server_Admins @DOMAIN\File_Server_Users
        read only = no
        vfs objects = acl_xattr recycle shadow_copy2
        recycle:repository = /groups/recycle
        recycle:keeptree = yes
        recycle:versions = yes
        shadow:snapdir = .zfs/snapshot
        shadow:sort = desc
        shadow:format = -%Y-%m-%d-%H%M
        shadow:snapprefix =
^zfs-auto-snap_\(frequent\)\{0,1\}\(hourly\)\{0,1\}\(daily\)\{0,1\}\(monthly\)\{0,1\}
        shadow:delimiter = -20
==end smb.conf==

In the above config, on the "department" share, users who are members
of the DOMAIN\File_Server_Admins group can see the snapshots in the
"Previous Versions" tab and can access those versions. Users not in
that group cannot see or access the Previous Versions. In fact, the
"Previous Versions" tab doesn't even show up. However, if I go to the
share and then manually put in the ".zfs\snapshot" directory, I can
see all of the snapshots.

>
> When you say 'ZFS', do you mean ZFS on something like Freebsd or openZFS on Linux ?

openZFS on Linux (zfsonlinux.org), currently in the 0.8 release series
(0.8.5, 0.8.6).

-Nick

More information about the samba mailing list