[Samba] Permissions required for Snapshots/Previous Versions
Rowland penny
rpenny at samba.org
Tue Jun 15 14:44:04 UTC 2021
On 15/06/2021 15:13, Nick Couchman wrote:
>> On Jun 14, 2021, at 11:47, Rowland penny <rpenny at samba.org> wrote:
>>
>> On 14/06/2021 15:07, Nick Couchman via samba wrote:
>>> Hello, everyone,
>>> I've run into another challenge with Samba rights/permissions. The
>>> community responded so quickly to my last question that I'm hoping this one
>>> is as simple :-).
>>>
>>> I'm using ZFS with Samba, and have enabled the ZFS snapshot integration
>>> using the shadow2 VFS module. I have automatic snapshots set up for ZFS,
>>> and I'm able to see the "Previous Versions" tab in Windows and access the
>>> snapshots. This works great with one exception - the only users that can
>>> see them are users listed in the "admin users" section for the share or
>>> users mapped to the local Administrators group.
>>>
>>> My question is, is there any other way to make this Previous Versions
>>> functionality available to either other groups of users or, potentially,
>>> all users, without adding them to "admin users" or mapping them ot local
>>> Administrators?
>>>
>>> Thanks!
>>> -Nick
Okay, try this smb.conf:
[global]
workgroup = DOMAIN
realm = DOMAIN.LOCAL
security = ads
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config DOMAIN : backend = rid
idmap config DOMAIN : range = 10000-2000000
template homedir = /home/%U@%D
template shell = /bin/bash
winbind refresh tickets = yes
winbind offline logon = yes
username map = /etc/samba/user.map
printing = cups
printcap name = cups
load printers = yes
cups options = raw
vfs objects = acl_xattr recycle shadow_copy2
map acl inherit = Yes
[department]
path = /groups/depart
comment = Department Share
msdfs root = yes
admin users = @DOMAIN\File_Server_Admins
valid users = @DOMAIN\File_Server_Admins @DOMAIN\File_Server_Users
read only = no
recycle:repository = /groups/recycle
recycle:keeptree = yes
recycle:versions = yes
shadow:snapdir = .zfs/snapshot
shadow:sort = desc
shadow:format = -%Y-%m-%d-%H%M
shadow:snapprefix =
^zfs-auto-snap_\(frequent\)\{0,1\}\(hourly\)\{0,1\}\(daily\)\{0,1\}\(monthly\)\{0,1\}
shadow:delimiter = -20
Create /etc/samba/user.map containing this:
!root = DOMAIN\Administrator
You are using 'admin users' and 'valid users', a better way would be to
set the permissions from Windows, see here:
https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
That way will make it easier to set the required permissions on the data.
Rowland
More information about the samba
mailing list