samba - Dec 2024 - shadow_copy2

Hello,

I'm lost :-(

I got a share:
------------------------
[global]
         workgroup = example
         netbios name = cluster
         security = ads
         realm = EXAMPLE.NET
         idmap config *:range = 10000-19999
         idmap config example:backend = rid
         idmap config example:range = 1000000-1999999
         map acl inherit = yes
         winbind use default domain = yes
         winbind refresh tickets = yes
         winbind expand groups = 1
         template shell = /bin/bash

[admin-share]
         path = /glusterfs/admin-share
         vfs objects = acl_xattr glusterfs_fuse
         comment = admin share auf dem Cluster
         guest ok = no
         read only = no
         browseable = yes

[daten1]
         comment = Mit glusterfs_fuse
         guest ok = no
         read only = no
         vfs objects = acl_xattr shadow_copy2 glusterfs_fuse
         path = /glusterfs/admin-share/daten1
         shadow:snapdir = /glusterfs/admin-share/daten1/.snaps
         shadow:basedir = /glusterfs/admin-share/daten1
         shadow:sort = desc
         shadow:snapprefix = ^s[A-Za-z0-9]*p1$
         shadow:format = _GMT-%Y.%m.%d-%H.%M.%S

------------------------

The daten1-share is configured with shadow_copy2. I'm using Samba 4.21.2 
  on Debian 12 the and the backports as repository for samba. The System 
is running a CTDB-Cluster with three nodes. I can write, set permission 
everything is working fine.

I got a gluster-cluster with Gluster 10
-----------------------
root at cluster01:~# gluster v info

Volume Name: gv1
Type: Replicate
Volume ID: 050280a3-1c52-4bcd-bd3a-746f741ebf2a
Status: Started
Snapshot Count: 2
Number of Bricks: 1 x 3 = 3
Transport-type: tcp
Bricks:
Brick1: c01:/gluster/brick
Brick2: c02:/gluster/brick
Brick3: c03:/gluster/brick
Options Reconfigured:
features.barrier: disable
features.show-snapshot-directory: on
features.uss: enable
cluster.granular-entry-heal: on
storage.fips-mode-rchecksum: on
transport.address-family: inet
nfs.disable: on
performance.client-io-threads: off
performance.read-ahead: on
performance.write-behind-window-size: 4MB
performance.cache-max-file-size: 10
cluster.force-migration: on
cluster.entry-self-heal: on
cluster.metadata-self-heal: on
cluster.data-self-heal: on
cluster.self-heal-daemon: enable
features.cache-invalidation: on
features.cache-invalidation-timeout: 600
performance.cache-samba-metadata: on
performance.stat-prefetch: on
performance.md-cache-timeout: 600
network.inode-lru-limit: 200000
performance.nl-cache: on
performance.nl-cache-timeout: 600
performance.readdir-ahead: on
performance.parallel-readdir: on
client.event-threads: 4
server.event-threads: 4
performance.cache-invalidation: on
performance.write-behind: off
network.ping-timeout: 10
performance.cache-size: 512MB

-----------------------
As you can see, the two options:
features.uss: enable
features.show-snapshot-directory: on
are set, along with the needed Samba-Options

The snapshot is activ
------------
root at cluster01:~# gluster snapshot info snap1_GMT-2024.12.18-09.31.59
Snapshot                  : snap1_GMT-2024.12.18-09.31.59
Snap UUID                 : 6b3c2315-a42e-4cef-92f5-99ae9253c7df
Created                   : 2024-12-18 09:31:59 +0000
Snap Volumes:

         Snap Volume Name          : 8bb07e4a757b4ce1b14d304da9372061
         Origin Volume name        : gv1
         Snaps taken for gv1      : 2
         Snaps available for gv1  : 254
         Status                    : Started
  ------------

Looking directly on one of the CTDB-nodes, as root, I see:
------------
drwxrwx---+ 3 administrator domain users 20 18. Dez 10:29 
/glusterfs/admin-share/daten1/
root at cluster01:~# getfacl /glusterfs/admin-share/daten1/

getfacl: Entferne f?hrende '/' von absoluten Pfadnamen
# file: glusterfs/admin-share/daten1/
# owner: administrator
# group: domain\040users
user::rwx
user:administrator:rwx
user:domain\040admins:rwx
user:domain\040users:rwx
group::rwx
group:domain\040admins:rwx
group:domain\040users:rwx
mask::rwx
other::---
default:user::rwx
default:user:administrator:rwx
default:user:domain\040admins:rwx
default:user:domain\040users:rwx
default:group::---
default:group:domain\040admins:rwx
default:group:domain\040users:rwx
default:mask::rwx
default:other::---

root at cluster01:~# ls -ld /glusterfs/admin-share/daten1/.snaps
drwxr-xr-x 2 root root 4096  1. Jan 1970 
/glusterfs/admin-share/daten1/.snaps

root at cluster01:~# ls -l /glusterfs/admin-share/daten1/.snaps
insgesamt 1
drwxrwx---+ 3 administrator domain users 20 18. Dez 10:29 
snap1_GMT-2024.12.18-09.31.59
drwxrwx---+ 3 administrator domain users 20 18. Dez 10:29 
snap1_GMT-2024.12.18-10.20.29

root at cluster01:~# getfacl 
/glusterfs/admin-share/daten1/.snaps/snap1_GMT-2024.12.18-09.31.59/
getfacl: Entferne f?hrende '/' von absoluten Pfadnamen
# file: glusterfs/admin-share/daten1/.snaps/snap1_GMT-2024.12.18-09.31.59/
# owner: administrator
# group: domain\040users
user::rwx
user:administrator:rwx
user:domain\040admins:rwx
user:domain\040users:rwx
group::rwx
group:domain\040admins:rwx
group:domain\040users:rwx
mask::rwx
other::---
default:user::rwx
default:user:administrator:rwx
default:user:domain\040admins:rwx
default:user:domain\040users:rwx
default:group::---
default:group:domain\040admins:rwx
default:group:domain\040users:rwx
default:mask::rwx
default:other::---
------------------------
As you can see, the snapshot is mounted and 'domain user' having 
permission to read

root at cluster01:~# ls -l 
/glusterfs/admin-share/daten1/.snaps/snap1_GMT-2024.12.18-09.31.59/
insgesamt 1
drwxrwx---+ 2 skania domain users 38 18. Dez 10:30 skania

root at cluster01:~# ls -l 
/glusterfs/admin-share/daten1/.snaps/snap1_GMT-2024.12.18-09.31.59/skania/
insgesamt 1
-rwxrwx---+ 1 skania domain users  5 18. Dez 10:30 dat1.txt
-rwxrwx---+ 1 skania domain users 22 18. Dez 10:30 dat2.txt

The user skania has permission to the files he created

BUT I only can see the directories and files if I work as root If I do 
the same as user stkania I'm getting:
  ------------------------
skania at cluster01:~$ ls -ld /glusterfs/admin-share/daten1/.snaps
drwxr-xr-x 2 root root 4096  1. Jan 1970 
/glusterfs/admin-share/daten1/.snaps

skania at cluster01:~$ cd /glusterfs/admin-share/daten1/.snaps
-bash: cd: /glusterfs/admin-share/daten1/.snaps: Permission denied

-------------------------
But others has r-x as permission

Because of the missing permission the snapshots can't be used on my 
Windows-systems. But I don't know what I'm missing :-(

Stefan


-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature.asc
Type: application/pgp-signature
Size: 236 bytes
Desc: OpenPGP digital signature
URL:
<http://lists.samba.org/pipermail/samba/attachments/20241218/8b531c03/OpenPGP_signature.sig>

Hi Stefan

On 12/18/24 5:40 PM, Stefan Kania via samba wrote:
> skania at cluster01:~$ ls -ld /glusterfs/admin-share/daten1/.snaps
> drwxr-xr-x 2 root root 4096? 1. Jan 1970 /glusterfs/admin-share/ 
> daten1/.snaps
what are the permissions of *each* path component

# ls -ld /
# ls -ld /glusterfs
# ls -ld /glusterfs/admin-share/
# ls -ld /glusterfs/admin-share/daten1/

-- 
SerNet Samba Team Lead https://sernet.de/
Samba Team Member      https://samba.org/
SAMBA+ packages       https://samba.plus/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature.asc
Type: application/pgp-signature
Size: 840 bytes
Desc: OpenPGP digital signature
URL:
<http://lists.samba.org/pipermail/samba/attachments/20241218/12429a2f/OpenPGP_signature.sig>