[Samba] vfs_snapper

Rowland Penny rpenny at samba.org
Mon Jun 17 14:06:54 UTC 2024


On Mon, 17 Jun 2024 15:40:42 +0200
"Stefan G. Weichinger via samba" <samba at lists.samba.org> wrote:
> 
> I don't fully understand.
> 
> man-page says
> 
> "This directory must permit traversal for any users wishing to access 
> snapshots via the Windows Explorer previous versions dialog. By
> default, traversal is forbidden for all non-root users. Additionally,
> users must be granted permission to list snapshots managed by
> snapper, via snapper's ALLOW_USERS or ALLOW_GROUPS options. Snapper
> can grant these users and groups .snapshots traversal access
> automatically via the SYNC_ACL option."
> 
> how do I allow traversal?

By setting the 'x' on 'rwx'.
'r' = read
'w' = write
'x' = enter or traverse on a directory, execute on a file.

> 
> I have set ALLOW_GROUPS and SYNC_ACL, and the admin there tells me he 
> only sees the top level directories in the snapshots but nothing
> below.
> 
> These look like this in Linux:
> 
> /mnt/pool1/samba/data/.snapshots# ls -l
> total 156
> drwxr-xr-x 1 root root 32 Jun 11 17:06 1
> drwxr-xr-x 1 root root 32 Jun 16 00:00 105
> drwxr-xr-x 1 root root 32 Jun 16 08:00 113
> drwxr-xr-x 1 root root 32 Jun 16 09:00 114

From those permissions, 'root' has full permissions, members of the
'root' group have read and traverse on the directory, 'others' also
have read and traverse on the directory.

> 
> so I assume the Windows user browsing the "previous versions" has to
> be mapped to be member of the group "root", right?

Not necessarily.
 
> 
> The user is member of "domain admins", isn't that enough?

No, because they would be classed as 'others'.

> 
> Or does "SYNC_ACL" not yet work OK, because we miss the steps in
> 
> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
> 
> which is what I assume (I have to wait for their admin to walk him 
> through these steps)

Oh yes, once done correctly, you will be able to give Domain Admins the
required permissions (provided you are not using the 'ad' idmap
backend).

Rowland
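
The owner/group/others classification discussed in this thread, as an added example that is not part of the original message or of Samba or snapper: it walks a path and reports the first directory a given numeric uid and set of gids cannot traverse. The function names are hypothetical, and it assumes plain mode bits only; POSIX ACL entries, such as those written by snapper's SYNC_ACL, are not evaluated (inspect those with `getfacl`).

```python
import os
import stat

X_BIT = {"owner": stat.S_IXUSR, "group": stat.S_IXGRP, "other": stat.S_IXOTH}

def perm_class(st, uid, gids):
    """Pick the one mode-bit class the kernel applies to this user.

    The first match wins: an owner without 'x' is refused even if the
    group or 'other' bits would allow entry.
    """
    if st.st_uid == uid:
        return "owner"
    if st.st_gid in gids:
        return "group"
    return "other"

def may_traverse(st, uid, gids):
    """True if the applicable class has 'x' (search) on the directory."""
    if uid == 0:
        return True  # root is not restricted by directory mode bits
    return bool(st.st_mode & X_BIT[perm_class(st, uid, gids)])

def first_blocked(path, uid, gids, start=os.sep):
    """Return the first directory from start down to path that the user
    cannot enter, or None if every component is traversable."""
    start, path = os.path.realpath(start), os.path.realpath(path)
    current = start
    parts = [p for p in os.path.relpath(path, start).split(os.sep) if p != "."]
    for part in [None] + parts:
        if part is not None:
            current = os.path.join(current, part)
        st = os.stat(current)
        if stat.S_ISDIR(st.st_mode) and not may_traverse(st, uid, gids):
            return current
    return None

if __name__ == "__main__":
    import sys
    # usage: script.py PATH UID GID[,GID...]  (numeric ids, e.g. from `id user`)
    target, uid = sys.argv[1], int(sys.argv[2])
    gids = {int(g) for g in sys.argv[3].split(",")}
    blocked = first_blocked(target, uid, gids)
    print(f"blocked at {blocked}" if blocked else "traversable by mode bits")
```

Run it as root on the file server so that every component can be stat'ed, passing the Unix ids the Windows user is mapped to.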






