[Samba] Permissions required for Snapshots/Previous Versions
Nick Couchman
nick.e.couchman at gmail.com
Tue Jun 15 14:13:22 UTC 2021
> On Jun 14, 2021, at 11:47, Rowland penny <rpenny at samba.org> wrote:
>
> On 14/06/2021 15:07, Nick Couchman via samba wrote:
>> Hello, everyone,
>> I've run into another challenge with Samba rights/permissions. The
>> community responded so quickly to my last question that I'm hoping this one
>> is as simple :-).
>>
>> I'm using ZFS with Samba, and have enabled the ZFS snapshot integration
>> using the shadow2 VFS module. I have automatic snapshots set up for ZFS,
>> and I'm able to see the "Previous Versions" tab in Windows and access the
>> snapshots. This works great with one exception - the only users that can
>> see them are users listed in the "admin users" section for the share or
>> users mapped to the local Administrators group.
>>
>> My question is, is there any other way to make this Previous Versions
>> functionality available to either other groups of users or, potentially,
>> all users, without adding them to "admin users" or mapping them to local
>> Administrators?
>>
>> Thanks!
>> -Nick
>
>
> What OS ?
I currently run on CentOS 7, CentOS 8, and AWS Linux 2. Samba versions
are 4.10.16 (AWS Linux 2 and CentOS 7) and 4.12.3 (CentOS 8).
>
> How are you running Samba ?
Not entirely sure what you mean, but:
* I'm using distribution-provided Samba packages - nothing extra or
special beyond those.
* Samba is set up in an Active Directory forest as a member server (not a DC).
>
> Please post your smb.conf
Here's a sanitized version of it:
==smb.conf==
[global]
workgroup = DOMAIN
security = ads
passdb backend = tdbsam
printing = cups
printcap name = cups
load printers = yes
cups options = raw
kerberos method = system keytab
template homedir = /home/%U@%D
password server = ad1.domain.local ad2.domain.local
template shell = /bin/bash
realm = DOMAIN.LOCAL
idmap backend = tdb
idmap gid = 10000-2000000
idmap uid = 10000-2000000
winbind use default domain = no
winbind refresh tickets = yes
winbind offline logon = yes
winbind enum groups = no
winbind enum users = no
[department]
path = /groups/depart
comment = Department Share
msdfs root = yes
admin users = @DOMAIN\File_Server_Admins
valid users = @DOMAIN\File_Server_Admins @DOMAIN\File_Server_Users
read only = no
vfs objects = acl_xattr recycle shadow_copy2
recycle:repository = /groups/recycle
recycle:keeptree = yes
recycle:versions = yes
shadow:snapdir = .zfs/snapshot
shadow:sort = desc
shadow:format = -%Y-%m-%d-%H%M
shadow:snapprefix = ^zfs-auto-snap_\(frequent\)\{0,1\}\(hourly\)\{0,1\}\(daily\)\{0,1\}\(monthly\)\{0,1\}
shadow:delimiter = -20
==end smb.conf==
In the above config, on the "department" share, users who are members
of the DOMAIN\File_Server_Admins group can see the snapshots in the
"Previous Versions" tab and can access those versions. Users not in
that group cannot see or access the Previous Versions. In fact, the
"Previous Versions" tab doesn't even show up. However, if I go to the
share and then manually put in the ".zfs\snapshot" directory, I can
see all of the snapshots.
>
> When you say 'ZFS', do you mean ZFS on something like Freebsd or openZFS on Linux ?
openZFS on Linux (zfsonlinux.org), currently in the 0.8 release series
(0.8.5, 0.8.6).
-Nick