[Samba] Permissions required for Snapshots/Previous Versions

Rowland penny rpenny at samba.org
Tue Jun 15 14:44:04 UTC 2021


On 15/06/2021 15:13, Nick Couchman wrote:
>> On Jun 14, 2021, at 11:47, Rowland penny <rpenny at samba.org> wrote:
>>
>> On 14/06/2021 15:07, Nick Couchman via samba wrote:
>>> Hello, everyone,
>>> I've run into another challenge with Samba rights/permissions. The
>>> community responded so quickly to my last question that I'm hoping this one
>>> is as simple :-).
>>>
>>> I'm using ZFS with Samba, and have enabled the ZFS snapshot integration
>>> using the shadow2 VFS module. I have automatic snapshots set up for ZFS,
>>> and I'm able to see the "Previous Versions" tab in Windows and access the
>>> snapshots. This works great with one exception - the only users that can
>>> see them are users listed in the "admin users" section for the share or
>>> users mapped to the local Administrators group.
>>>
>>> My question is, is there any other way to make this Previous Versions
>>> functionality available to either other groups of users or, potentially,
>>> all users, without adding them to "admin users" or mapping them to local
>>> Administrators?
>>>
>>> Thanks!
>>> -Nick

Okay, try this smb.conf:

[global]
         workgroup = DOMAIN
         realm = DOMAIN.LOCAL
         security = ads

         dedicated keytab file = /etc/krb5.keytab
         kerberos method = secrets and keytab

         idmap config * : backend = tdb
         idmap config * : range = 3000-7999
         idmap config DOMAIN : backend = rid
         idmap config DOMAIN : range = 10000-2000000
         template homedir = /home/%U@%D
         template shell = /bin/bash
         winbind refresh tickets = yes
         winbind offline logon = yes

         username map = /etc/samba/user.map

         printing = cups
         printcap name = cups
         load printers = yes
         cups options = raw
         vfs objects = acl_xattr recycle shadow_copy2
         map acl inherit = Yes

[department]
         path = /groups/depart
         comment = Department Share
         msdfs root = yes
         admin users = @DOMAIN\File_Server_Admins
         valid users = @DOMAIN\File_Server_Admins @DOMAIN\File_Server_Users
         read only = no
         recycle:repository = /groups/recycle
         recycle:keeptree = yes
         recycle:versions = yes
         shadow:snapdir = .zfs/snapshot
         shadow:sort = desc
         shadow:format = -%Y-%m-%d-%H%M
         shadow:snapprefix = ^zfs-auto-snap_\(frequent\)\{0,1\}\(hourly\)\{0,1\}\(daily\)\{0,1\}\(monthly\)\{0,1\}
         shadow:delimiter = -20


Create /etc/samba/user.map containing this:

!root = DOMAIN\Administrator

You are using 'admin users' and 'valid users', a better way would be to 
set the permissions from Windows, see here:

https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs

That way will make it easier to set the required permissions on the data.

Rowland
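
Added example, not part of the original message and not Samba project code: 'admin users' makes Samba perform all file operations on the share as root for the listed principals, so this Python audit reports, per share, who is forced to root and who is still subject to filesystem ACLs. The sample config is constructed from the [department] share above; the [public] share and all function names are hypothetical.

```python
import re

# Constructed sample: the [department] share from the message above (trimmed)
# plus a hypothetical [public] share that has no 'admin users' line.
SAMPLE_SMB_CONF = r"""
[global]
        security = ads
[department]
        path = /groups/depart
        admin users = @DOMAIN\File_Server_Admins
        valid users = @DOMAIN\File_Server_Admins @DOMAIN\File_Server_Users
[public]
        path = /groups/public
"""

def parse_smb_conf(text):
    """Return {section: {parameter: value}}; smb.conf ignores case and
    whitespace inside parameter names, so they are normalised here."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = sections.setdefault(header.group(1).strip().lower(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current["".join(key.split()).lower()] = value.strip()
    return sections

def principals(value):
    """Split a user list on spaces/commas, keeping "quoted names" whole."""
    return [m.strip('"') for m in re.findall(r'"[^"]+"|[^\s,]+', value)]

def audit_admin_users(text):
    """Per share: who is forced to root, and who stays under filesystem ACLs."""
    sections = parse_smb_conf(text)
    defaults = sections.pop("global", {})   # [global] supplies share defaults
    report = {}
    for share, params in sections.items():
        merged = {**defaults, **params}
        as_root = principals(merged.get("adminusers", ""))
        valid = principals(merged.get("validusers", ""))
        report[share] = {"as_root": as_root,
                         "acl_checked": [u for u in valid if u not in as_root]}
    return report

if __name__ == "__main__":
    print(audit_admin_users(SAMPLE_SMB_CONF))
```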




