On 17.06.24 at 16:06, Rowland Penny via samba wrote:
>> The user is member of "domain admins", isn't that enough?
>
> No, because they would be classed as 'others'.
>
>>
>> Or does "SYNC_ACL" not yet work OK, because we miss the steps in
>>
>> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
>>
>> which is what I assume (I have to wait for their admin to walk him
>> through these steps)
>
> Oh yes, once done correctly, you will be able to give Domain Admins the
> required permissions (provided you are not using the 'ad' idmap
> backend).

thanks so far

I am a bit lost right now.

I currently prepare the migration from old to new server

I rsync the data from old server "main" to new server "main2":

/usr/bin/rsync -avXx main:/mnt/daten/ /mnt/pool1/samba/daten --exclude=".snapshots" --delete

additional fact:

old server fs: ext4

new server fs: btrfs

The ACLs ("getfacl" ?) aren't synced over ...

Unfortunately we have a bit more complex ACLs than in the Samba-Howto, and we would like to have that synced/copied over if possible.

How can I achieve that?

On 19/06/2024 11:35, Stefan G. Weichinger via samba wrote:
> On 17.06.24 at 16:06, Rowland Penny via samba wrote:
>
>>> The user is member of "domain admins", isn't that enough?
>>
>> No, because they would be classed as 'others'.
>>
>>>
>>> Or does "SYNC_ACL" not yet work OK, because we miss the steps in
>>>
>>> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
>>>
>>> which is what I assume (I have to wait for their admin to walk him
>>> through these steps)
>>
>> Oh yes, once done correctly, you will be able to give Domain Admins the
>> required permissions (provided you are not using the 'ad' idmap
>> backend).
>
> thanks so far
>
> I am a bit lost right now.
>
> I currently prepare the migration from old to new server
>
> I rsync the data from old server "main" to new server "main2":
>
> /usr/bin/rsync -avXx main:/mnt/daten/ /mnt/pool1/samba/daten
> --exclude=".snapshots" --delete
>
> additional fact:
>
> old server fs: ext4
>
> new server fs: btrfs
>
> The ACLs ("getfacl" ?) aren't synced over ...
>
> Unfortunately we have a bit more complex ACLs than in the Samba-Howto,
> and we would like to have that synced/copied over if possible.
>
> How can I achieve that?
>
>

In the past I had issues with fileserver migration and ACLs, so to work around it I saved the ACLs to a file on the source server and then restored them after synchronization (with rsync) on the destination server.

I did the same in subsequent transfers. The only unforeseen events that could occur during the restore are if files or users are deleted between the 2 operations or if there are local users in the ACLs that are missing on the new server, which would cause the restore to fail, in which case further manual operations are necessary.

getfacl -R folder_to_transfert/ > /path/permissions.acl (before rsync, on the source server)

setfacl --restore=/path/permissions.acl (after the rsync, on the destination server and inside the folder transferred)

I hope this can help if you don't find a better way.

If someone knows a better way, I would be grateful if they would let me know.

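The failure cases named in the message above (files or users removed between the dump and the restore, local users in the ACLs that are missing on the new server) can be checked against the dump before `setfacl --restore` is run. The following is an added example, not part of the original thread; the function names and the sample dump are constructed for illustration.

```shell
#!/bin/sh
# Added example (hypothetical function names): pre-flight check for
# "setfacl --restore" that reports what would make the restore fail.

# List every named principal in a getfacl dump as user:NAME or group:NAME.
# getfacl writes a space in a name as \040; only that escape is decoded here.
acl_principals() {
    awk -F: '
        /^# owner: / { print "user:"  substr($0, 10); next }
        /^# group: / { print "group:" substr($0, 10); next }
        /^#/ || /^$/ { next }
        { i = ($1 == "default") ? 2 : 1
          if (($i == "user" || $i == "group") && $(i + 1) != "") print $i ":" $(i + 1) }
    ' "$1" | sed 's/\\040/ /g' | LC_ALL=C sort -u
}

# Principals from the dump that do not resolve on this host (via getent).
acl_unresolved() {
    acl_principals "$1" | while IFS=: read -r kind name; do
        if [ "$kind" = user ]; then db=passwd; else db=group; fi
        getent "$db" "$name" >/dev/null 2>&1 || printf '%s:%s\n' "$kind" "$name"
    done
}

# Paths named in the dump that no longer exist below directory $2.
acl_missing_paths() {
    sed -n 's/^# file: //p' "$1" | sed 's/\\040/ /g' | while IFS= read -r p; do
        [ -e "$2/$p" ] || [ -L "$2/$p" ] || printf '%s\n' "$p"
    done
}

# Constructed sample dump in getfacl -R format (names are made up).
sample_dump() {
    cat <<'EOF'
# file: daten/projekt
# owner: user1
# group: domain\040users
user::rwx
user:localbackup:r-x
group:domain\040admins:rwx
default:user:sgw:rwx
other::---
EOF
}
```

On the destination server, inside the transferred folder, `acl_unresolved /path/permissions.acl` and `acl_missing_paths /path/permissions.acl .` should both print nothing before the restore is attempted.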
On 19.06.24 at 11:35, Stefan G. Weichinger via samba wrote:
> On 17.06.24 at 16:06, Rowland Penny via samba wrote:
>
>>> The user is member of "domain admins", isn't that enough?
>>
>> No, because they would be classed as 'others'.
>>
>>>
>>> Or does "SYNC_ACL" not yet work OK, because we miss the steps in
>>>
>>> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
>>>
>>> which is what I assume (I have to wait for their admin to walk him
>>> through these steps)
>>
>> Oh yes, once done correctly, you will be able to give Domain Admins the
>> required permissions (provided you are not using the 'ad' idmap
>> backend).
>
> thanks so far
>
> I am a bit lost right now.
>
> I currently prepare the migration from old to new server
>
> I rsync the data from old server "main" to new server "main2":
>
> /usr/bin/rsync -avXx main:/mnt/daten/ /mnt/pool1/samba/daten
> --exclude=".snapshots" --delete
>
> additional fact:
>
> old server fs: ext4
>
> new server fs: btrfs
>
> The ACLs ("getfacl" ?) aren't synced over ...
>
> Unfortunately we have a bit more complex ACLs than in the Samba-Howto,
> and we would like to have that synced/copied over if possible.
>
> How can I achieve that?

Addition: the user sees snapshots, but no files in them.

on the fs itself:

# ls -la .snapshots/189
total 8
drwxr-xr-x  1 root   root          32 Jun 19 11:00 .
drwxr-x--x+ 1 root   root         208 Jun 19 11:00 ..
-rw-------  1 root   root         187 Jun 19 11:00 info.xml
drwxrwx---  1 nobody domain users 478 Apr 15 08:01 snapshot

so a member should be allowed to traverse

in snapper

ALLOW_USERS="user1 sgw"
ALLOW_GROUPS="domain\ admins"
SYNC_ACL="yes"

but this seems not to be applied to the snapshots, right?

I currently don't see on which layer I should act at first.

Does "previous versions" in Windows access as the actual AD user or as somebody else?