[Samba] Permissions required for Snapshots/Previous Versions

Nick Couchman nick.e.couchman at gmail.com
Thu Jun 17 12:47:17 UTC 2021

On Wed, Jun 16, 2021 at 8:47 AM Nick Couchman <nick.e.couchman at gmail.com>

> >>>>>
> >>>>> My question is, is there any other way to make this Previous Versions
> >>>>> functionality available to either other groups of users or,
> >> potentially,
> >>>>> all users, without adding them to "admin users" or mapping them ot
> >> local
> >>>>> Administrators?
> >>>>>
> >>>>> Thanks!
> >>>>> -Nick
> >>
> >> Okay, try this smb.conf:
> >> Rowland
> >>
> >
> >
> >         vfs objects = acl_xattr recycle shadow_copy2
> >
> > Order of VFS objects is significant. You'll want to throw shadow_copy2 at
> > front of list IIRC. In those versions of samba, the shadow copy module
> will
> > convert the `@GMT` prefixed path name to one relative to the ZFS dataset
> > snapdir ".zfs/snapshot". You need this translation to happen before samba
> > gets the NT ACL for the file via acl_xattr (at least for get_nt_acl).
> >
> Thanks, Andrew - I'll swap the order around and give that a try. Now
> that you mention it, I recall running into that issue in a completely
> separate situation (don't recall what it is at the moment) and it
> seems like the order mattered. I'll see if that helps at all.
> -Nick

Well, after trying both of these things - removing admin/valid users and
relying solely on ACLs, and re-arranging the VFS modules - the issue
persists. I'm not sure how much debugging the shadow_copy2 VFS module has
built in, but I'm trying to get some better log messages that might
indicate where things are falling down. I've verified at the Linux level,
if I "su" to any of the non-Admin accounts, that I can see the
".zfs/snapshot" directory and the snapshots under that directory, so it
isn't an issue with access to the files.

if anyone has any other ideas, I'm open to them.


More information about the samba mailing list