[Samba] Permissions required for Snapshots/Previous Versions

Rowland penny rpenny at samba.org
Wed Jun 16 13:04:21 UTC 2021


On 16/06/2021 13:47, Nick Couchman wrote:
>>>>>> My question is, is there any other way to make this Previous Versions
>>>>>> functionality available to either other groups of users or, potentially,
>>>>>> all users, without adding them to "admin users" or mapping them to local
>>>>>> Administrators?
>>>>>>
>>>>>> Thanks!
>>>>>> -Nick
>>> Okay, try this smb.conf:
>>>
>>> [global]
>>>          workgroup = DOMAIN
>>>          realm = DOMAIN.LOCAL
>>>          security = ads
>>>
>>>          dedicated keytab file = /etc/krb5.keytab
>>>          kerberos method = secrets and keytab
>>>
>>>          idmap config * : backend = tdb
>>>          idmap config * : range = 3000-7999
>>>          idmap config DOMAIN : backend = rid
>>>          idmap config DOMAIN : range = 10000-2000000
>>>          template homedir = /home/%U@%D
>>>          template shell = /bin/bash
>>>          winbind refresh tickets = yes
>>>          winbind offline logon = yes
>>>
>>>          username map = /etc/samba/user.map
>>>
>>>          printing = cups
>>>          printcap name = cups
>>>          load printers = yes
>>>          cups options = raw
>>>          vfs objects = acl_xattr recycle shadow_copy2
>>>          map acl inherit = Yes
>>>
>>> [department]
>>>          path = /groups/depart
>>>          comment = Department Share
>>>          msdfs root = yes
>>>          admin users = @DOMAIN\File_Server_Admins
>>>          valid users = @DOMAIN\File_Server_Admins @DOMAIN\File_Server_Users
>>>          read only = no
>>>          recycle:repository = /groups/recycle
>>>          recycle:keeptree = yes
>>>          recycle:versions = yes
>>>          shadow:snapdir = .zfs/snapshot
>>>          shadow:sort = desc
>>>          shadow:format = -%Y-%m-%d-%H%M
>>>          shadow:snapprefix = ^zfs-auto-snap_\(frequent\)\{0,1\}\(hourly\)\{0,1\}\(daily\)\{0,1\}\(monthly\)\{0,1\}
>>>          shadow:delimiter = -20
>>>
>>>
>>> Create /etc/samba/user.map containing this:
>>>
>>> !root = DOMAIN\Administrator
>>>
> Rowland,
> Thanks for the response - really appreciate it. What is it about the
> above smb.conf that would resolve the issue I'm seeing? As far as I
> can tell, all this does is map DOMAIN\Administrator to the root
> account, correct? Is there some other change I missed, or some reason
> that would allow non-Administrator users to see the snapshots/Previous
> Version? As I mentioned before, anybody with Administrator privileges
> can already see the Previous Versions correctly - it's the non-Admin
> users that I'd like to correct. Is there some reason that doing a user
> mapping like this for Administrator would fix that?


If you set the permissions from Windows, you will be able to set finer 
permissions; for instance, you will be able to deny members of Domain 
Users, then allow members of another group the permissions you set. 
Remember that Unix only has 'ugo' and 'rwx'.

>
>>> You are using 'admin users' and 'valid users', a better way would be to
>>> set the permissions from Windows, see here:
>>>
>>> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
>>>
>>> That way will make it easier to set the required permissions on the data.
>>>
> I actually use both -


You actually shouldn't

>   and I have legitimate reasons for doing both.


Sorry, but, in my opinion, there are no legitimate reasons for using 
both, use just one, preferably set them from Windows.

>   In
> general I do use ACLs - that's why the acl_xattr VFS module is loaded
> - but there's a specific reason/use-case I have that I need to
> actually limit access to the share itself regardless of what ACLs are
> present. Has to do with selling/splitting off part of your company and
> all the fun times that come with that.


If you must do this, then use setfacl and not the 'valid users' etc.

Rowland
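The smb.conf quoted above relies on three shadow_copy2 settings (shadow:snapprefix, shadow:delimiter and shadow:format) agreeing with the names under .zfs/snapshot; if they do not, Previous Versions is simply empty, which is easy to confuse with a permissions problem. The following is an added example, not Samba code and not something from the thread. It models my reading of how shadow_copy2 matches a snapshot name: the name is split at the first occurrence of shadow:delimiter, the part before it must match the shadow:snapprefix regex, and shadow:format is parsed with strptime from the delimiter onward, then rendered as the @GMT-... token Windows sees. Verify that reading against your Samba version. The snapprefix is the one from the config, rewritten from POSIX BRE into Python regex syntax, and the snapshot listing is constructed for the example. It says nothing about the ACL question in the thread: the snapshot directories carry their own ownership and ACLs, which this check does not model.

```python
"""
Check which snapshot directory names the shadow_copy2 settings from the
quoted smb.conf would expose as Previous Versions.

Added example; assumption about shadow_copy2 behaviour: split at the first
shadow:delimiter, regex-match the part before it against shadow:snapprefix,
strptime(shadow:format) from the delimiter onward.
"""
import re
from datetime import datetime, timezone

# shadow:snapprefix from the smb.conf, converted from POSIX BRE
# (\( \) and \{0,1\}) into Python regex syntax.  It is anchored only at the
# start, so any "zfs-auto-snap_..." prefix matches, including kinds the
# optional groups do not list, such as "weekly".
SNAPPREFIX = re.compile(r"^zfs-auto-snap_(frequent)?(hourly)?(daily)?(monthly)?")
DELIMITER = "-20"                       # shadow:delimiter
FORMAT = "-%Y-%m-%d-%H%M"               # shadow:format
GMT_LABEL = "@GMT-%Y.%m.%d-%H.%M.%S"    # token format Samba hands to clients


def snapshot_to_gmt(name):
    """Return the @GMT-... label for a snapshot name, or None if the module
    would ignore the directory."""
    pos = name.find(DELIMITER)          # strstr(): first occurrence
    if pos < 0:
        return None                     # no delimiter at all
    prefix, rest = name[:pos], name[pos:]
    if SNAPPREFIX.match(prefix) is None:
        return None                     # prefix fails the snapprefix regex
    try:
        # C strptime tolerates trailing characters; datetime.strptime does
        # not, so this check is slightly stricter than the real module.
        ts = datetime.strptime(rest, FORMAT)
    except ValueError:
        return None
    # shadow:localtime defaults to no, so the parsed time is treated as UTC.
    return ts.replace(tzinfo=timezone.utc).strftime(GMT_LABEL)


def previous_versions(names):
    """(label, name) pairs for accepted snapshots, newest first, as
    shadow:sort = desc orders them."""
    kept = [(snapshot_to_gmt(n), n) for n in names]
    kept = [(g, n) for g, n in kept if g is not None]
    kept.sort(reverse=True)
    return kept


def rejected(names):
    """Names the module would silently skip; worth eyeballing after a change
    to the snapshot naming scheme."""
    return [n for n in names if snapshot_to_gmt(n) is None]


# Constructed sample listing of .zfs/snapshot (not taken from the thread).
SAMPLE_SNAPSHOTS = [
    "zfs-auto-snap_hourly-2021-06-16-1300",
    "zfs-auto-snap_daily-2021-06-16-0000",
    "zfs-auto-snap_frequent-2021-06-16-1315",
    "zfs-auto-snap_weekly-2021-06-13-0000",  # accepted: regex not end-anchored
    "zfs-auto-snap_daily-2021-06-15",         # rejected: no %H%M part
    "manual-2021-06-16-1200",                 # rejected: prefix fails regex
    "before-upgrade",                         # rejected: no delimiter
]

if __name__ == "__main__":
    for gmt, name in previous_versions(SAMPLE_SNAPSHOTS):
        print(f"{gmt}  <-  {name}")
    for name in rejected(SAMPLE_SNAPSHOTS):
        print(f"ignored: {name}")
```

To run it against a real share, replace SAMPLE_SNAPSHOTS with `os.listdir` of the share's .zfs/snapshot directory and compare the accepted list with what the Windows client shows; a name in the rejected list is a naming or format mismatch, not a permissions issue.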