samba - Jul 2020 - vfs_shadow_copy2: permission denied - SMB_VFS_NEXT_OPENDIR() failed for '/snapshots'

Hello. I am trying to get the windows "previous versions" / shadow
copies
to work with our setup (samba+winbind over objectivefs).

I have setup a test where I manually mounted two objectivefs snapshots in
the /snapshots/ directory. Objectivefs filesystem is mounted on /ofs. When
I try and look at the "previous version" in windows I get the error
"there
are no previous versions available"

information:

--------------------------------------------

smb --version
Version 4.11.2

/etc/*-release
NAME="Red Hat Enterprise Linux"
VERSION="8.2 (Ootpa)"
ID="rhel"
ID_LIKE="fedora"
VERSION_ID="8.2"
PLATFORM_ID="platform:el8"
PRETTY_NAME="Red Hat Enterprise Linux 8.2 (Ootpa)"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:redhat:enterprise_linux:8.2:GA"
HOME_URL="https://www.redhat.com/"
BUG_REPORT_URL="https://bugzilla.redhat.com/"

REDHAT_BUGZILLA_PRODUCT="Red Hat Enterprise Linux 8"
REDHAT_BUGZILLA_PRODUCT_VERSION=8.2
REDHAT_SUPPORT_PRODUCT="Red Hat Enterprise Linux"
REDHAT_SUPPORT_PRODUCT_VERSION="8.2"
Red Hat Enterprise Linux release 8.2 (Ootpa)
Red Hat Enterprise Linux release 8.2 (Ootpa)

/etc/samba/smb.conf
[global]
netbios name = SMB-OFS-TMOLI42
realm = SAMDOM.LOCAL
workgroup = SAMDOM

security = ads

log level = 5

idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config SAMDOM : backend = rid
idmap config SAMDOM : range = 10000-999999

map acl inherit = yes

# uncomment for debugging purposes only; should not be used in production
# winbind enum users = yes
# winbind enum groups = yes
winbind refresh tickets = yes

# disables printing:
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes

#============================ Share Definitions
=============================[ofs]
path = /ofs
writeable = yes
browsable = yes
fileid:algorithm = fsname
vfs objects = fileid acl_xattr shadow_copy2
acl_xattr:ignore system acls = yes
shadow:snapdir = /snapshots
shadow:format = "%Y-%m-%dT%H:%M:%S"

/var/log/samba/log.smbd
...
[2020/07/23 21:33:47.672671,  2] ../../source3/smbd/open.c:1456(open_file)
  SAMDOM\user.name opened file foo.txt read=Yes write=No (numopen=6)
[2020/07/23 21:33:47.672697,  5]
../../lib/dbwrap/dbwrap.c:130(dbwrap_lock_order_lock)
  dbwrap_lock_order_lock: check lock order 1 for
/var/lib/samba/lock/locking.tdb
[2020/07/23 21:33:47.672773,  5]
../../lib/dbwrap/dbwrap.c:159(dbwrap_lock_order_unlock)
  dbwrap_lock_order_unlock: release lock order 1 for
/var/lib/samba/lock/locking.tdb
[2020/07/23 21:33:47.672845,  5]
../../source3/smbd/dosmode.c:72(dos_mode_debug_print)
  dos_mode_debug_print: parse_dos_attribute_blob returning (0x20): "a"
[2020/07/23 21:33:47.672872,  5]
../../source3/smbd/dosmode.c:72(dos_mode_debug_print)
  dos_mode_debug_print: dos_mode returning (0x20): "a"
[2020/07/23 21:33:47.672887,  4]
../../source3/smbd/sec_ctx.c:216(push_sec_ctx)
  push_sec_ctx(11117, 10513) : sec_ctx_stack_ndx = 1
[2020/07/23 21:33:47.672910,  4] ../../source3/smbd/uid.c:576(push_conn_ctx)
  push_conn_ctx(3015844062) : conn_ctx_stack_ndx = 0
[2020/07/23 21:33:47.672928,  4]
../../source3/smbd/sec_ctx.c:320(set_sec_ctx_internal)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2020/07/23 21:33:47.672943,  5]
../../libcli/security/security_token.c:53(security_token_debug)
  Security token: (NULL)
[2020/07/23 21:33:47.672956,  5]
../../source3/auth/token_util.c:874(debug_unix_user_token)
  UNIX token of user 0
  Primary group is 0 and contains 0 supplementary groups
[2020/07/23 21:33:47.673030,  4]
../../source3/smbd/sec_ctx.c:438(pop_sec_ctx)
  pop_sec_ctx (11117, 10513) - sec_ctx_stack_ndx = 0
[2020/07/23 21:33:47.673070,  5]
../../lib/dbwrap/dbwrap.c:130(dbwrap_lock_order_lock)
  dbwrap_lock_order_lock: check lock order 1 for
/var/lib/samba/lock/smbXsrv_open_global.tdb
[2020/07/23 21:33:47.673096,  5]
../../lib/dbwrap/dbwrap.c:159(dbwrap_lock_order_unlock)
  dbwrap_lock_order_unlock: release lock order 1 for
/var/lib/samba/lock/smbXsrv_open_global.tdb
[2020/07/23 21:33:47.673777,  5]
../../source3/smbd/uid.c:326(change_to_user_impersonate)
  change_to_user_impersonate: Skipping user change - already user
[2020/07/23 21:33:47.673825,  5]
../../source3/smbd/uid.c:300(print_impersonation_info)
  print_impersonation_info: Impersonated user: uid=(11117,11117),
gid=(0,10513), cwd=[/ofs]
[2020/07/23 21:33:47.673858,  4]
../../source3/smbd/sec_ctx.c:216(push_sec_ctx)
  push_sec_ctx(11117, 10513) : sec_ctx_stack_ndx = 1
[2020/07/23 21:33:47.673878,  4] ../../source3/smbd/uid.c:576(push_conn_ctx)
  push_conn_ctx(3015844062) : conn_ctx_stack_ndx = 0
[2020/07/23 21:33:47.673889,  4]
../../source3/smbd/sec_ctx.c:320(set_sec_ctx_internal)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2020/07/23 21:33:47.673898,  5]
../../libcli/security/security_token.c:53(security_token_debug)
  Security token: (NULL)
[2020/07/23 21:33:47.673907,  5]
../../source3/auth/token_util.c:874(debug_unix_user_token)
  UNIX token of user 0
  Primary group is 0 and contains 0 supplementary groups
[2020/07/23 21:33:47.673943,  4]
../../source3/smbd/sec_ctx.c:438(pop_sec_ctx)
  pop_sec_ctx (11117, 10513) - sec_ctx_stack_ndx = 0
[2020/07/23 21:33:47.673987,  2]
../../source3/modules/vfs_shadow_copy2.c:2178(shadow_copy2_get_shadow_copy_data)
  shadow_copy2: SMB_VFS_NEXT_OPENDIR() failed for '/snapshots' -
Permission
denied
[2020/07/23 21:33:47.674018,  5]
../../source3/modules/vfs_default.c:1284(vfswrap_fsctl)
  FSCTL_GET_SHADOW_COPY_DATA: connectpath /ofs, failed -
NT_STATUS_NOT_SUPPORTED.
[2020/07/23 21:33:47.674034,  3]
../../source3/smbd/smb2_server.c:3266(smbd_smb2_request_error_ex)
  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1]
status[NT_STATUS_INVALID_DEVICE_REQUEST] || at
../../source3/smbd/smb2_ioctl.c:312
[2020/07/23 21:33:58.271434,  5]
../../source3/smbd/uid.c:326(change_to_user_impersonate)
  change_to_user_impersonate: Skipping user change - already user
[2020/07/23 21:33:58.380559,  5]
../../source3/smbd/uid.c:300(print_impersonation_info)
  print_impersonation_info: Impersonated user: uid=(11117,11117),
gid=(0,10513), cwd=[/ofs]
[2020/07/23 21:33:58.380606,  5]
../../lib/dbwrap/dbwrap.c:130(dbwrap_lock_order_lock)
  dbwrap_lock_order_lock: check lock order 1 for
/var/lib/samba/lock/locking.tdb
[2020/07/23 21:33:58.380674,  5]
../../lib/dbwrap/dbwrap.c:159(dbwrap_lock_order_unlock)
  dbwrap_lock_order_unlock: release lock order 1 for
/var/lib/samba/lock/locking.tdb
[2020/07/23 21:33:58.380723,  2]
../../source3/smbd/close.c:813(close_normal_file)
  SAMDOM\user.name closed file foo.txt (numopen=5) NT_STATUS_OK
...


wbinfo --gid-info 10513
SAMDOM\domain users:x:10513:

wbinfo --uid-info 11117
SAMDOM\user.name:*:11117:10513::/home/SOMDEV/user.name:/bin/false

stat /snapshots/
  File: /snapshots/
  Size: 60              Blocks: 0          IO Block: 4096   directory
Device: ca02h/51714d    Inode: 25249202    Links: 4
Access: (0777/drwxrwxrwx)  Uid: (11117/SAMDOM\user.name)   Gid:
(10513/SOMDEV\domain users)
Context: unconfined_u:object_r:default_t:s0
Access: 2020-07-23 21:28:52.423473925 +0000
Modify: 2020-07-23 17:30:42.754694526 +0000
Change: 2020-07-23 21:33:26.326257000 +0000
 Birth: -

-------------------------------------------------------

let me know if there is any other information you might need.

Thanks,
 - isaac stone

On Thu, Jul 23, 2020 at 7:01 PM Isaac Stone via samba <samba at
lists.samba.org>
wrote:
>
> vfs objects = fileid acl_xattr shadow_copy2
>
> Try putting shadow_copy2 before acl_xattr in the list.

No luck, still have the same error

On Thu, Jul 23, 2020 at 6:14 PM Andrew Walker <walker.aj325 at gmail.com>
wrote:
>
>
> On Thu, Jul 23, 2020 at 7:01 PM Isaac Stone via samba <
> samba at lists.samba.org> wrote:
>
>>
>> vfs objects = fileid acl_xattr shadow_copy2
>>
>> Try putting shadow_copy2 before acl_xattr in the list.
>