[Samba] Permissions required for Snapshots/Previous Versions

[Nick Couchman]

On Wed, Jun 16, 2021 at 8:47 AM Nick Couchman <nick.e.couchman at gmail.com>
wrote:

> >>>>>
> >>>>> My question is, is there any other way to make this Previous Versions
> >>>>> functionality available to either other groups of users or,
> >> potentially,
> >>>>> all users, without adding them to "admin users" or mapping them ot
> >> local
> >>>>> Administrators?
> >>>>>
> >>>>> Thanks!
> >>>>> -Nick
> >>
> >> Okay, try this smb.conf:
> >> Rowland
> >>
> >
> >
> >         vfs objects = acl_xattr recycle shadow_copy2
> >
> > Order of VFS objects is significant. You'll want to throw shadow_copy2 at
> > front of list IIRC. In those versions of samba, the shadow copy module
> will
> > convert the `@GMT` prefixed path name to one relative to the ZFS dataset
> > snapdir ".zfs/snapshot". You need this translation to happen before samba
> > gets the NT ACL for the file via acl_xattr (at least for get_nt_acl).
> >
>
> Thanks, Andrew - I'll swap the order around and give that a try. Now
> that you mention it, I recall running into that issue in a completely
> separate situation (don't recall what it is at the moment) and it
> seems like the order mattered. I'll see if that helps at all.
>
> -Nick
>


Well, after trying both of these things - removing admin/valid users and
relying solely on ACLs, and re-arranging the VFS modules - the issue
persists. I'm not sure how much debugging the shadow_copy2 VFS module has
built in, but I'm trying to get some better log messages that might
indicate where things are falling down. I've verified at the Linux level,
if I "su" to any of the non-Admin accounts, that I can see the
".zfs/snapshot" directory and the snapshots under that directory, so it
isn't an issue with access to the files.

if anyone has any other ideas, I'm open to them.

-Nick