[Samba] Permissions required for Snapshots/Previous Versions

Andrew Walker walker.aj325 at gmail.com
Tue Jun 15 14:51:57 UTC 2021


On Tue, Jun 15, 2021 at 10:44 AM Rowland penny via samba <
samba at lists.samba.org> wrote:

> On 15/06/2021 15:13, Nick Couchman wrote:
> >> On Jun 14, 2021, at 11:47, Rowland penny <rpenny at samba.org> wrote:
> >>
> >> On 14/06/2021 15:07, Nick Couchman via samba wrote:
> >>> Hello, everyone,
> >>> I've run into another challenge with Samba rights/permissions. The
> >>> community responded so quickly to my last question that I'm hoping
> this one
> >>> is as simple :-).
> >>>
> >>> I'm using ZFS with Samba, and have enabled the ZFS snapshot integration
> >>> using the shadow2 VFS module. I have automatic snapshots set up for
> ZFS,
> >>> and I'm able to see the "Previous Versions" tab in Windows and access
> the
> >>> snapshots. This works great with one exception - the only users that
> can
> >>> see them are users listed in the "admin users" section for the share or
> >>> users mapped to the local Administrators group.
> >>>
> >>> My question is, is there any other way to make this Previous Versions
> >>> functionality available to either other groups of users or,
> potentially,
> >>> all users, without adding them to "admin users" or mapping them to
> local
> >>> Administrators?
> >>>
> >>> Thanks!
> >>> -Nick
>
> Okay, try this smb.conf:
>
> [global]
>          workgroup = DOMAIN
>          realm = DOMAIN.LOCAL
>          security = ads
>
>          dedicated keytab file = /etc/krb5.keytab
>          kerberos method = secrets and keytab
>
>          idmap config * : backend = tdb
>          idmap config * : range = 3000-7999
>          idmap config DOMAIN : backend = rid
>          idmap config DOMAIN : range = 10000-2000000
>          template homedir = /home/%U@%D
>          template shell = /bin/bash
>          winbind refresh tickets = yes
>          winbind offline logon = yes
>
>          username map = /etc/samba/user.map
>
>          printing = cups
>          printcap name = cups
>          load printers = yes
>          cups options = raw
>          vfs objects = acl_xattr recycle shadow_copy2
>          map acl inherit = Yes
>
> [department]
>          path = /groups/depart
>          comment = Department Share
>          msdfs root = yes
>          admin users = @DOMAIN\File_Server_Admins
>          valid users = @DOMAIN\File_Server_Admins @DOMAIN\File_Server_Users
>          read only = no
>          recycle:repository = /groups/recycle
>          recycle:keeptree = yes
>          recycle:versions = yes
>          shadow:snapdir = .zfs/snapshot
>          shadow:sort = desc
>          shadow:format = -%Y-%m-%d-%H%M
>          shadow:snapprefix = ^zfs-auto-snap_\(frequent\)\{0,1\}\(hourly\)\{0,1\}\(daily\)\{0,1\}\(monthly\)\{0,1\}
>          shadow:delimiter = -20
>
>
> Create /etc/samba/user.map containing this:
>
> !root = DOMAIN\Administrator
>
> You are using 'admin users' and 'valid users', a better way would be to
> set the permissions from Windows, see here:
>
> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
>
> That way will make it easier to set the required permissions on the data.
>
> Rowland
>


         vfs objects = acl_xattr recycle shadow_copy2

Order of VFS objects is significant. You'll want to throw shadow_copy2 at the
front of the list IIRC. In those versions of samba, the shadow copy module will
convert the `@GMT` prefixed path name to one relative to the ZFS dataset
snapdir ".zfs/snapshot". You need this translation to happen before samba
gets the NT ACL for the file via acl_xattr (at least for get_nt_acl).
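As an added illustration of that ordering point (my own check, not code from this thread or from Samba), the snippet below parses a constructed excerpt of the posted smb.conf and flags any share whose effective `vfs objects` stack runs acl_xattr before shadow_copy2. It assumes the usual smb.conf rule that a share-level `vfs objects` replaces the [global] list, and it does not follow `include =` directives.

```python
# Added check: flag shares whose "vfs objects" stack runs acl_xattr before
# shadow_copy2 (assumes a share-level list replaces the [global] one).

# Constructed excerpt of the config posted in the thread, order as posted.
SMB_CONF_AS_POSTED = """
[global]
        vfs objects = acl_xattr recycle shadow_copy2

[department]
        path = /groups/depart
        shadow:snapdir = .zfs/snapshot
"""

# Same config with shadow_copy2 moved to the front, as the reply suggests.
SMB_CONF_FIXED = SMB_CONF_AS_POSTED.replace(
    "acl_xattr recycle shadow_copy2", "shadow_copy2 acl_xattr recycle")


def parse_smb_conf(text):
    """Return {section: {param: value}}; keys lower-cased like Samba does."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue                      # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections[current] = {}
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][key.strip().lower()] = value.strip()
    return sections


def effective_vfs_objects(sections):
    """Per-share module stack: the share's own list, else the [global] one."""
    default = sections.get("global", {}).get("vfs objects", "").split()
    return {name: params.get("vfs objects", " ".join(default)).split()
            for name, params in sections.items() if name != "global"}


def check_vfs_order(text):
    """Names of shares where acl_xattr would see the untranslated @GMT path."""
    bad = []
    for share, mods in effective_vfs_objects(parse_smb_conf(text)).items():
        if "shadow_copy2" in mods and "acl_xattr" in mods \
                and mods.index("shadow_copy2") > mods.index("acl_xattr"):
            bad.append(share)
    return bad
```

Running `check_vfs_order(SMB_CONF_AS_POSTED)` names "department", while the reordered config comes back clean.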

