[Samba] Permissions required for Snapshots/Previous Versions
Nick Couchman
nick.e.couchman at gmail.com
Wed Jun 16 12:47:54 UTC 2021
>>>>>
>>>>> My question is, is there any other way to make this Previous Versions
>>>>> functionality available to either other groups of users or, potentially,
>>>>> all users, without adding them to "admin users" or mapping them to local
>>>>> Administrators?
>>>>>
>>>>> Thanks!
>>>>> -Nick
>>
>> Okay, try this smb.conf:
>>
>> [global]
>> workgroup = DOMAIN
>> realm = DOMAIN.LOCAL
>> security = ads
>>
>> dedicated keytab file = /etc/krb5.keytab
>> kerberos method = secrets and keytab
>>
>> idmap config * : backend = tdb
>> idmap config * : range = 3000-7999
>> idmap config DOMAIN : backend = rid
>> idmap config DOMAIN : range = 10000-2000000
>> template homedir = /home/%U@%D
>> template shell = /bin/bash
>> winbind refresh tickets = yes
>> winbind offline logon = yes
>>
>> username map = /etc/samba/user.map
>>
>> printing = cups
>> printcap name = cups
>> load printers = yes
>> cups options = raw
>> vfs objects = acl_xattr recycle shadow_copy2
>> map acl inherit = Yes
>>
>> [department]
>> path = /groups/depart
>> comment = Department Share
>> msdfs root = yes
>> admin users = @DOMAIN\File_Server_Admins
>> valid users = @DOMAIN\File_Server_Admins @DOMAIN\File_Server_Users
>> read only = no
>> recycle:repository = /groups/recycle
>> recycle:keeptree = yes
>> recycle:versions = yes
>> shadow:snapdir = .zfs/snapshot
>> shadow:sort = desc
>> shadow:format = -%Y-%m-%d-%H%M
>> shadow:snapprefix = ^zfs-auto-snap_\(frequent\)\{0,1\}\(hourly\)\{0,1\}\(daily\)\{0,1\}\(monthly\)\{0,1\}
>> shadow:delimiter = -20
>>
>>
>> Create /etc/samba/user.map containing this:
>>
>> !root = DOMAIN\Administrator
>>
Rowland,
Thanks for the response - really appreciate it. What is it about the
above smb.conf that would resolve the issue I'm seeing? As far as I
can tell, all this does is map DOMAIN\Administrator to the root
account, correct? Is there some other change I missed, or some reason
that would allow non-Administrator users to see the snapshots/Previous
Version? As I mentioned before, anybody with Administrator privileges
can already see the Previous Versions correctly - it's the non-Admin
users that I'd like to correct. Is there some reason that doing a user
mapping like this for Administrator would fix that?
>> You are using 'admin users' and 'valid users', a better way would be to
>> set the permissions from Windows, see here:
>>
>> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
>>
>> That way will make it easier to set the required permissions on the data.
>>
I actually use both - and I have legitimate reasons for doing both. In
general I do use ACLs - that's why the acl_xattr VFS module is loaded
- but there's a specific reason/use-case I have that I need to
actually limit access to the share itself regardless of what ACLs are
present. Has to do with selling/splitting off part of your company and
all the fun times that come with that.
>> Rowland
>>
>
>
> vfs objects = acl_xattr recycle shadow_copy2
>
> Order of VFS objects is significant. You'll want to throw shadow_copy2 at the
> front of the list IIRC. In those versions of samba, the shadow copy module will
> convert the `@GMT` prefixed path name to one relative to the ZFS dataset
> snapdir ".zfs/snapshot". You need this translation to happen before samba
> gets the NT ACL for the file via acl_xattr (at least for get_nt_acl).
>
Thanks, Andrew - I'll swap the order around and give that a try. Now
that you mention it, I recall running into that issue in a completely
separate situation (don't recall what it is at the moment) and it
seems like the order mattered. I'll see if that helps at all.
-Nick
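The two points raised in this thread (that shadow_copy2 must come before acl_xattr in "vfs objects", and that shadow:snapprefix / shadow:format / shadow:delimiter must agree with the actual ZFS snapshot names) are the kind of thing worth checking before a reload. The script below is an added example written for this page; it is not code from the thread or from the Samba project. It parses an smb.conf with Python's configparser (assuming "=" as the only delimiter so that "shadow:snapprefix" is read as one key and share sections fall back to [global] values), flags shares where shadow_copy2 is listed after acl_xattr, and runs a sample snapshot name through a simplified model of how shadow_copy2 splits a name on shadow:delimiter into a prefix (matched against the BRE in shadow:snapprefix) and a strftime part (matched against shadow:format). The BRE-to-Python translation only covers the `\(`, `\)`, `\{`, `\}` escapes used in the quoted config, and the splitting rule is an assumption meant for sanity checking, not a reimplementation of the module. The sample config and snapshot names are constructed for the example.

```python
import configparser
import re
from datetime import datetime

# Constructed sample in the shape of the smb.conf quoted in the thread,
# keeping only the keys the checks below look at.
SAMPLE_SMB_CONF = r"""
[global]
workgroup = DOMAIN
vfs objects = acl_xattr recycle shadow_copy2
map acl inherit = Yes

[department]
path = /groups/depart
shadow:snapdir = .zfs/snapshot
shadow:sort = desc
shadow:format = -%Y-%m-%d-%H%M
shadow:snapprefix = ^zfs-auto-snap_\(frequent\)\{0,1\}\(hourly\)\{0,1\}\(daily\)\{0,1\}\(monthly\)\{0,1\}
shadow:delimiter = -20
"""


def load_smb_conf(text):
    # "=" only: smb.conf keys such as "shadow:snapprefix" contain a colon,
    # and interpolation is off because shadow:format holds "%Y" style tokens.
    cfg = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cfg.read_string(text)
    return cfg


def effective(cfg, section, key):
    # Samba share sections inherit parameters from [global] (assumed model).
    if cfg.has_option(section, key):
        return cfg.get(section, key)
    if cfg.has_option("global", key):
        return cfg.get("global", key)
    return None


def vfs_order_problems(cfg):
    """Return the sections whose effective 'vfs objects' puts shadow_copy2 after acl_xattr."""
    problems = []
    for section in cfg.sections():
        objs = effective(cfg, section, "vfs objects")
        if objs is None:
            continue
        mods = objs.split()
        if "shadow_copy2" in mods and "acl_xattr" in mods:
            if mods.index("shadow_copy2") > mods.index("acl_xattr"):
                problems.append(section)
    return problems


def bre_to_python(pattern):
    # Partial POSIX BRE -> Python re translation: in BRE, \( \) \{ \} are the
    # grouping/interval operators and bare ( ) { } are literals; swap them.
    return re.sub(
        r"\\([(){}])|([(){}])",
        lambda m: m.group(1) if m.group(1) else "\\" + m.group(2),
        pattern,
    )


def parse_snapshot_name(cfg, share, name):
    """Simplified model of the snapprefix/delimiter/format split (assumption).

    Returns the snapshot timestamp as a datetime, or None if the name would not
    be recognised under the share's shadow:* settings.
    """
    prefix_re = effective(cfg, share, "shadow:snapprefix")
    fmt = effective(cfg, share, "shadow:format")
    delim = effective(cfg, share, "shadow:delimiter")
    if not (prefix_re and fmt and delim):
        return None
    idx = name.find(delim)
    if idx < 0:
        return None
    prefix, stamp = name[:idx], name[idx:]
    if re.fullmatch(bre_to_python(prefix_re), prefix) is None:
        return None
    try:
        return datetime.strptime(stamp, fmt)
    except ValueError:
        return None


if __name__ == "__main__":
    cfg = load_smb_conf(SAMPLE_SMB_CONF)
    for section in vfs_order_problems(cfg):
        print(f"[{section}] shadow_copy2 is loaded after acl_xattr; move it to the front")
    # Constructed snapshot directory names, as they would appear under .zfs/snapshot
    for snap in ("zfs-auto-snap_hourly-2021-06-16-1200", "zfs-auto-snap_weekly-2021-06-16-1200", "manual-backup"):
        print(snap, "->", parse_snapshot_name(cfg, "department", snap))
```

Run against the quoted config, both [global] and [department] are reported because the share inherits the global "vfs objects" line; the hourly snapshot name parses, while a "weekly" name and an unrelated manual snapshot are rejected, which is the behaviour to expect from the snapprefix regex before wondering why a snapshot does not show up in Previous Versions.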