[Samba] vfs_snapper

Rowland Penny rpenny at samba.org
Wed Jun 19 10:36:31 UTC 2024 

On Wed, 19 Jun 2024 11:59:41 +0200
"Stefan G. Weichinger via samba" <samba at lists.samba.org> wrote:

> Am 19.06.24 um 11:35 schrieb Stefan G. Weichinger via samba:
> > Am 17.06.24 um 16:06 schrieb Rowland Penny via samba:
> > 
> >>> The user is member of "domain admins", isn't that enough?
> >>
> >> No, because they would be classed as 'others'.
> >>
> >>>
> >>> Or does "SYNC_ACL" not yet work OK, because we miss the steps in
> >>>
> >>> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
> >>>
> >>> which is what I assume (I have to wait for their admin to walk him
> >>> through these steps)
> >>
> >> Oh yes, once done correctly, you will be able to give Domain
> >> Admins the required permissions (provided you are not using the
> >> 'ad' idmap backend).
> > 
> > thanks so far
> > 
> > I am a bit lost right now.
> > 
> > I currently prepare the migration from old to new server
> > 
> > I rsync the data from old server "main" to new server "main2":
> > 
> > /usr/bin/rsync -avXx main:/mnt/daten/ /mnt/pool1/samba/daten 
> > --exclude=".snapshots"  --delete
> > 
> > additional fact:
> > 
> > old server fs: ext4
> > 
> > new server fs: btrfs
> > 
> > The ACLs ("getfacl" ?) aren't synced over ...
> > 
> > Unfortunately we have a bit more complex ACLs than in the
> > Samba-Howto, and we would like to have that synced/copied over if
> > possible.
> > 
> > How can I achieve that?
> 
> Addition:
> 
> the user sees snapshots, but no files in them.
> 
> on the fs itself:
> 
> # ls -la .snapshots/189
> total 8
> drwxr-xr-x  1 root   root          32 Jun 19 11:00 .
> drwxr-x--x+ 1 root   root         208 Jun 19 11:00 ..
> -rw-------  1 root   root         187 Jun 19 11:00 info.xml
> drwxrwx---  1 nobody domain users 478 Apr 15 08:01 snapshot
> 
> so a member should be allowed to traverse
> 
> in snapper
> 
> ALLOW_USERS="user1 sgw"
> ALLOW_GROUPS="domain\ admins"
               ^^^^^^^^^^^^^^^^
               Where are you getting this from ?

If I run this in a terminal:

ALLOW_GROUPS="domain\ admins" ; echo "$ALLOW_GROUPS"

I get this:

domain\ admins

Note that the '\' has become part of the group name.

Now this may be correct, I do not use vfs_snapper, but a quick glance
at snappers documentation shows this:

ALLOW_GROUPS=groups
The group-names must be separated by spaces. Spaces in group-names can
be escaped with a "\".

To myself, this reads as you should be using:
ALLOW_GROUPS=domain\ admins

Rowland

More information about the samba mailing list