On Mon, 17 Jun 2024 15:40:42 +0200
"Stefan G. Weichinger via samba" <samba at lists.samba.org>
wrote:>
> I don't fully understand.
>
> man-page says
>
> "This directory must permit traversal for any users wishing to access
> snapshots via the Windows Explorer previous versions dialog. By
> default, traversal is forbidden for all non-root users. Additionally,
> users must be granted permission to list snapshots managed by
> snapper, via snapper's ALLOW_USERS or ALLOW_GROUPS options. Snapper
> can grant these users and groups .snapshots traversal access
> automatically via the SYNC_ACL option."
>
> how do I allow traversal?
By setting the 'x' on 'rwx'.
'r' = read
'w' = write
'x' = enter or traverse on a directory, execute on a file.
>
> I have set ALLOW_GROUPS and SYNC_ACL, and the admin there tells me he
> only sees the top level directories in the snapshots but nothing
> below.
>
> These look like this in linux:
>
> /mnt/pool1/samba/data/.snapshots# ls -l
> total 156
> drwxr-xr-x 1 root root 32 Jun 11 17:06 1
> drwxr-xr-x 1 root root 32 Jun 16 00:00 105
> drwxr-xr-x 1 root root 32 Jun 16 08:00 113
> drwxr-xr-x 1 root root 32 Jun 16 09:00 114
From those permissions, 'root' has full permissions, members of the
'root' group have read and traverse on the directory, 'others'
also
have read and traverse on the directory.
>
> so I assume the windows user browsing the "previous versions" has
to
> be mapped to be member of the group "root", right?
Not necessarily.
>
> The user is member of "domain admins", isn't that enough?
No, because they would be classed as 'others'.
>
> Or does "SYNC_ACL" not yet work OK, because we miss the steps in
>
> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
>
> which is what I assume (I have to wait for their admin to walk him
> through these steps)
Oh yes, once done correctly, you will be able to give Domain Admins the
required permissions (provided you are not using the 'ad' idmap
backend).
Rowland