[Samba] vfs_snapper

Rowland Penny rpenny at samba.org
Mon Jun 17 14:06:54 UTC 2024

On Mon, 17 Jun 2024 15:40:42 +0200
"Stefan G. Weichinger via samba" <samba at lists.samba.org> wrote:
> I don't fully understand.
> man-page says
> "This directory must permit traversal for any users wishing to access 
> snapshots via the Windows Explorer previous versions dialog. By
> default, traversal is forbidden for all non-root users. Additionally,
> users must be granted permission to list snapshots managed by
> snapper, via snapper's ALLOW_USERS or ALLOW_GROUPS options. Snapper
> can grant these users and groups .snapshots traversal access
> automatically via the SYNC_ACL option."
> how do I allow traversal?

By setting the 'x' on 'rwx'.
'r' = read
'w' = write
'x' = enter or traverse on a directory, execute on a file.

> I have set ALLOW_GROUPS and SYNC_ACL, and the admin there tells me he 
> only sees the top level directories in the snapshots but nothing
> below.
> These look like this in linux:
> /mnt/pool1/samba/data/.snapshots# ls -l
> total 156
> drwxr-xr-x 1 root root 32 Jun 11 17:06 1
> drwxr-xr-x 1 root root 32 Jun 16 00:00 105
> drwxr-xr-x 1 root root 32 Jun 16 08:00 113
> drwxr-xr-x 1 root root 32 Jun 16 09:00 114

From those permissions, 'root' has full permissions, members of the
'root' group have read and traverse on the directory, 'others' also
have read and traverse on the directory.

> so I assume the windows user browsing the "previous versions" has to
> be mapped to be member of the group "root", right?

Not necessarily.
> The user is member of "domain admins", isn't that enough?

No, because they would be classed as 'others'.

> Or does "SYNC_ACL" not yet work OK, because we miss the steps in
> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
> which is what I assume (I have to wait for their admin to walk him 
> through these steps)

Oh yes, once done correctly, you will be able to give Domain Admins the
required permissions (provided you are not using the 'ad' idmap


More information about the samba mailing list