Am 17.06.24 um 14:21 schrieb Stefan G. Weichinger via samba:> > is this module still maintained and working? > > https://www.samba.org/samba/docs/current/man-html/vfs_snapper.8.html > > starting to set up the pieces, I have snapshots in btrfs with snapper > itself but so far nothing visible on the windows explorer side. > > As always I rtfm all over ;-) > > I assume I have to do some extra magic to allow the winbind users/groups > in ... > > in the related snapper-config I already have: > > ALLOW_GROUPS="domain\ admins" > SYNC_ACL="yes" > > Maybe we miss the correct setup for Windows ACLs, I have to wait for > their admin to check that also > > thanks for any real world examples or so > > greetings, Stefan >I don't fully understand. man-page says "This directory must permit traversal for any users wishing to access snapshots via the Windows Explorer previous versions dialog. By default, traversal is forbidden for all non-root users. Additionally, users must be granted permission to list snapshots managed by snapper, via snapper's ALLOW_USERS or ALLOW_GROUPS options. Snapper can grant these users and groups .snapshots traversal access automatically via the SYNC_ACL option." how do I allow traversal? I have set ALLOW_GROUPS and SYNC_ACL, and the admin there tells me he only sees the top level directories in the snapshots but nothing below. These look like this in linux: /mnt/pool1/samba/data/.snapshots# ls -l total 156 drwxr-xr-x 1 root root 32 Jun 11 17:06 1 drwxr-xr-x 1 root root 32 Jun 16 00:00 105 drwxr-xr-x 1 root root 32 Jun 16 08:00 113 drwxr-xr-x 1 root root 32 Jun 16 09:00 114 so I assume the windows user browsing the "previous versions" has to be mapped to be member of the group "root", right? The user is member of "domain admins", isn't that enough? Or does "SYNC_ACL" not yet work OK, because we miss the steps in https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs which is what I assume (I have to wait for their admin to walk him through these steps)
On Mon, 17 Jun 2024 15:40:42 +0200 "Stefan G. Weichinger via samba" <samba at lists.samba.org> wrote:> > I don't fully understand. > > man-page says > > "This directory must permit traversal for any users wishing to access > snapshots via the Windows Explorer previous versions dialog. By > default, traversal is forbidden for all non-root users. Additionally, > users must be granted permission to list snapshots managed by > snapper, via snapper's ALLOW_USERS or ALLOW_GROUPS options. Snapper > can grant these users and groups .snapshots traversal access > automatically via the SYNC_ACL option." > > how do I allow traversal?By setting the 'x' on 'rwx'. 'r' = read 'w' = write 'x' = enter or traverse on a directory, execute on a file.> > I have set ALLOW_GROUPS and SYNC_ACL, and the admin there tells me he > only sees the top level directories in the snapshots but nothing > below. > > These look like this in linux: > > /mnt/pool1/samba/data/.snapshots# ls -l > total 156 > drwxr-xr-x 1 root root 32 Jun 11 17:06 1 > drwxr-xr-x 1 root root 32 Jun 16 00:00 105 > drwxr-xr-x 1 root root 32 Jun 16 08:00 113 > drwxr-xr-x 1 root root 32 Jun 16 09:00 114From those permissions, 'root' has full permissions, members of the 'root' group have read and traverse on the directory, 'others' also have read and traverse on the directory.> > so I assume the windows user browsing the "previous versions" has to > be mapped to be member of the group "root", right?Not necessarily.> > The user is member of "domain admins", isn't that enough?No, because they would be classed as 'others'.> > Or does "SYNC_ACL" not yet work OK, because we miss the steps in > > https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs > > which is what I assume (I have to wait for their admin to walk him > through these steps)Oh yes, once done correctly, you will be able to give Domain Admins the required permissions (provided you are not using the 'ad' idmap backend). Rowland