[Samba] Permissions required for Snapshots/Previous Versions
Andrew Walker
walker.aj325 at gmail.com
Tue Jun 15 14:51:57 UTC 2021
On Tue, Jun 15, 2021 at 10:44 AM Rowland penny via samba <samba at lists.samba.org> wrote:
> On 15/06/2021 15:13, Nick Couchman wrote:
> >> On Jun 14, 2021, at 11:47, Rowland penny <rpenny at samba.org> wrote:
> >>
> >> On 14/06/2021 15:07, Nick Couchman via samba wrote:
> >>> Hello, everyone,
> >>> I've run into another challenge with Samba rights/permissions. The
> >>> community responded so quickly to my last question that I'm hoping this one
> >>> is as simple :-).
> >>>
> >>> I'm using ZFS with Samba, and have enabled the ZFS snapshot integration
> >>> using the shadow2 VFS module. I have automatic snapshots set up for ZFS,
> >>> and I'm able to see the "Previous Versions" tab in Windows and access the
> >>> snapshots. This works great with one exception - the only users that can
> >>> see them are users listed in the "admin users" section for the share or
> >>> users mapped to the local Administrators group.
> >>>
> >>> My question is, is there any other way to make this Previous Versions
> >>> functionality available to either other groups of users or, potentially,
> >>> all users, without adding them to "admin users" or mapping them to local
> >>> Administrators?
> >>>
> >>> Thanks!
> >>> -Nick
>
> Okay, try this smb.conf:
>
> [global]
> workgroup = DOMAIN
> realm = DOMAIN.LOCAL
> security = ads
>
> dedicated keytab file = /etc/krb5.keytab
> kerberos method = secrets and keytab
>
> idmap config * : backend = tdb
> idmap config * : range = 3000-7999
> idmap config DOMAIN : backend = rid
> idmap config DOMAIN : range = 10000-2000000
> template homedir = /home/%U@%D
> template shell = /bin/bash
> winbind refresh tickets = yes
> winbind offline logon = yes
>
> username map = /etc/samba/user.map
>
> printing = cups
> printcap name = cups
> load printers = yes
> cups options = raw
> vfs objects = acl_xattr recycle shadow_copy2
> map acl inherit = Yes
>
> [department]
> path = /groups/depart
> comment = Department Share
> msdfs root = yes
> admin users = @DOMAIN\File_Server_Admins
> valid users = @DOMAIN\File_Server_Admins @DOMAIN\File_Server_Users
> read only = no
> recycle:repository = /groups/recycle
> recycle:keeptree = yes
> recycle:versions = yes
> shadow:snapdir = .zfs/snapshot
> shadow:sort = desc
> shadow:format = -%Y-%m-%d-%H%M
> shadow:snapprefix = ^zfs-auto-snap_\(frequent\)\{0,1\}\(hourly\)\{0,1\}\(daily\)\{0,1\}\(monthly\)\{0,1\}
> shadow:delimiter = -20
>
>
> Create /etc/samba/user.map containing this:
>
> !root = DOMAIN\Administrator
>
> You are using 'admin users' and 'valid users', a better way would be to
> set the permissions from Windows, see here:
>
> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
>
> That way will make it easier to set the required permissions on the data.
>
> Rowland
> vfs objects = acl_xattr recycle shadow_copy2

Order of VFS objects is significant. You'll want to throw shadow_copy2 at the
front of the list, IIRC. In those versions of Samba, the shadow copy module will
convert the `@GMT`-prefixed path name to one relative to the ZFS dataset
snapdir ".zfs/snapshot". You need this translation to happen before Samba
gets the NT ACL for the file via acl_xattr (at least for get_nt_acl).
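The following is an added example, not part of the thread above and not code from the Samba project: a POSIX sh script that finds every "vfs objects" line in an smb.conf, reports whether shadow_copy2 is listed first, and prints the reordered list where it is not. The smb.conf fragment it runs on by default is constructed from the [global] line quoted above plus a share line that is already in the right order; the function names are the script's own.

```shell
#!/bin/sh
# Added example (not from the thread and not Samba project code): check that every
# "vfs objects" line in an smb.conf lists shadow_copy2 first, so the @GMT path
# translation runs before modules such as acl_xattr that read the path's xattrs,
# and print the corrected list for any line that needs it.
# Matches the literal spelling "vfs objects" only (not the "vfs object" synonym).

# Constructed sample smb.conf fragment: the [global] line from the thread, which
# is misordered, and a share line that is already correct.
SAMPLE_CONF='[global]
   workgroup = DOMAIN
   vfs objects = acl_xattr recycle shadow_copy2

[department]
   path = /groups/depart
   vfs objects = shadow_copy2 acl_xattr recycle'

# vfs_modules LINE: print the module list from a "vfs objects = ..." line with
# whitespace normalised; prints an empty line for any other kind of line.
vfs_modules() {
    v=$(printf '%s\n' "$1" | sed -n 's/^[[:space:]]*vfs objects[[:space:]]*=[[:space:]]*//p')
    set -- $v
    echo "$*"
}

# position MODULE LIST: 1-based index of MODULE in the space-separated LIST, 0 if absent
position() {
    i=0
    for m in $2; do
        i=$((i + 1))
        if [ "$m" = "$1" ]; then
            echo "$i"
            return 0
        fi
    done
    echo 0
}

# vfs_order_ok LIST: exit 0 if shadow_copy2 is the first module,
# 1 if it is present but not first, 2 if it is not loaded at all
vfs_order_ok() {
    sc=$(position shadow_copy2 "$1")
    if [ "$sc" -eq 0 ]; then
        return 2
    elif [ "$sc" -eq 1 ]; then
        return 0
    fi
    return 1
}

# fixed_order LIST: the same modules with shadow_copy2 moved to the front
fixed_order() {
    rest=""
    for m in $1; do
        [ "$m" = shadow_copy2 ] || rest="$rest $m"
    done
    printf 'shadow_copy2%s\n' "$rest"
}

# vfs_order_report FILE: report every "vfs objects" line in FILE; exit 1 if any
# line loads shadow_copy2 somewhere other than first
vfs_order_report() {
    bad=0
    while IFS= read -r line; do
        mods=$(vfs_modules "$line")
        [ -n "$mods" ] || continue
        rc=0
        vfs_order_ok "$mods" || rc=$?
        case $rc in
            0) echo "ok:       vfs objects = $mods" ;;
            1) echo "reorder:  vfs objects = $mods  ->  vfs objects = $(fixed_order "$mods")"
               bad=1 ;;
            *) echo "no-snap:  vfs objects = $mods  (shadow_copy2 not loaded here)" ;;
        esac
    done < "$1"
    return $bad
}

# Stand-alone run: check the file given as $1, or the constructed sample
if [ -n "${1:-}" ]; then
    vfs_order_report "$1"
else
    tmp=$(mktemp)
    printf '%s\n' "$SAMPLE_CONF" > "$tmp"
    vfs_order_report "$tmp" || echo "at least one 'vfs objects' line needs reordering"
    rm -f "$tmp"
fi
```

The script is line-based and does not follow "include =" lines or work out which list a given share actually ends up with (a share-level "vfs objects" replaces the global one). For the effective value Samba will use, ask testparm directly, e.g. `testparm -s --section-name=department --parameter-name='vfs objects'`, and then run the check on that output.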