Nick Couchman
2021-Jun-15 14:13 UTC
[Samba] Permissions required for Snapshots/Previous Versions
> On Jun 14, 2021, at 11:47, Rowland penny <rpenny at samba.org> wrote:
>
> On 14/06/2021 15:07, Nick Couchman via samba wrote:
>> Hello, everyone,
>> I've run into another challenge with Samba rights/permissions. The
>> community responded so quickly to my last question that I'm hoping this one
>> is as simple :-).
>>
>> I'm using ZFS with Samba, and have enabled the ZFS snapshot integration
>> using the shadow2 VFS module. I have automatic snapshots set up for ZFS,
>> and I'm able to see the "Previous Versions" tab in Windows and access the
>> snapshots. This works great with one exception - the only users that can
>> see them are users listed in the "admin users" section for the share or
>> users mapped to the local Administrators group.
>>
>> My question is, is there any other way to make this Previous Versions
>> functionality available to either other groups of users or, potentially,
>> all users, without adding them to "admin users" or mapping them to local
>> Administrators?
>>
>> Thanks!
>> -Nick
>
>
> What OS ?

I currently run on CentOS 7, CentOS 8, and AWS Linux 2. Samba versions are 4.10.16 (AWS Linux 2 and CentOS 7) and 4.12.3 (CentOS 8).

> How are you running Samba ?

Not entirely sure what you mean, but:

* I'm using distribution-provided Samba packages - nothing extra or special beyond those.
* Samba is set up in an Active Directory forest as a member server (not a DC).

> Please post your smb.conf

Here's a sanitized version of it:

==smb.conf=
[global]
        workgroup = DOMAIN
        security = ads
        passdb backend = tdbsam
        printing = cups
        printcap name = cups
        load printers = yes
        cups options = raw
        kerberos method = system keytab
        template homedir = /home/%U@%D
        password server = ad1.domain.local ad2.domain.local
        template shell = /bin/bash
        realm = DOMAIN.LOCAL
        idmap backend = tdb
        idmap gid = 10000-2000000
        idmap uid = 10000-2000000
        winbind use default domain = no
        winbind refresh tickets = yes
        winbind offline logon = yes
        winbind enum groups = no
        winbind enum users = no

[department]
        path = /groups/depart
        comment = Department Share
        msdfs root = yes
        admin users = @DOMAIN\File_Server_Admins
        valid users = @DOMAIN\File_Server_Admins @DOMAIN\File_Server_Users
        read only = no
        vfs objects = acl_xattr recycle shadow_copy2
        recycle:repository = /groups/recycle
        recycle:keeptree = yes
        recycle:versions = yes
        shadow:snapdir = .zfs/snapshot
        shadow:sort = desc
        shadow:format = -%Y-%m-%d-%H%M
        shadow:snapprefix = ^zfs-auto-snap_\(frequent\)\{0,1\}\(hourly\)\{0,1\}\(daily\)\{0,1\}\(monthly\)\{0,1\}
        shadow:delimiter = -20
==end smb.conf=

In the above config, on the "department" share, users who are members of the DOMAIN\File_Server_Admins group can see the snapshots in the "Previous Versions" tab and can access those versions. Users not in that group cannot see or access the Previous Versions. In fact, the "Previous Versions" tab doesn't even show up. However, if I go to the share and then manually put in the ".zfs\snapshot" directory, I can see all of the snapshots.

> When you say 'ZFS', do you mean ZFS on something like Freebsd or openZFS on Linux ?

openZFS on Linux (zfsonlinux.org), currently in the 0.8 release series (0.8.5, 0.8.6).

-Nick
Rowland penny
2021-Jun-15 14:44 UTC
[Samba] Permissions required for Snapshots/Previous Versions
On 15/06/2021 15:13, Nick Couchman wrote:
>> On Jun 14, 2021, at 11:47, Rowland penny <rpenny at samba.org> wrote:
>>
>> On 14/06/2021 15:07, Nick Couchman via samba wrote:
>>> Hello, everyone,
>>> I've run into another challenge with Samba rights/permissions. The
>>> community responded so quickly to my last question that I'm hoping this one
>>> is as simple :-).
>>>
>>> I'm using ZFS with Samba, and have enabled the ZFS snapshot integration
>>> using the shadow2 VFS module. I have automatic snapshots set up for ZFS,
>>> and I'm able to see the "Previous Versions" tab in Windows and access the
>>> snapshots. This works great with one exception - the only users that can
>>> see them are users listed in the "admin users" section for the share or
>>> users mapped to the local Administrators group.
>>>
>>> My question is, is there any other way to make this Previous Versions
>>> functionality available to either other groups of users or, potentially,
>>> all users, without adding them to "admin users" or mapping them to local
>>> Administrators?
>>>
>>> Thanks!
>>> -Nick

Okay, try this smb.conf:

[global]
        workgroup = DOMAIN
        realm = DOMAIN.LOCAL
        security = ads
        dedicated keytab file = /etc/krb5.keytab
        kerberos method = secrets and keytab
        idmap config * : backend = tdb
        idmap config * : range = 3000-7999
        idmap config DOMAIN : backend = rid
        idmap config DOMAIN : range = 10000-2000000
        template homedir = /home/%U@%D
        template shell = /bin/bash
        winbind refresh tickets = yes
        winbind offline logon = yes
        username map = /etc/samba/user.map
        printing = cups
        printcap name = cups
        load printers = yes
        cups options = raw
        vfs objects = acl_xattr recycle shadow_copy2
        map acl inherit = Yes

[department]
        path = /groups/depart
        comment = Department Share
        msdfs root = yes
        admin users = @DOMAIN\File_Server_Admins
        valid users = @DOMAIN\File_Server_Admins @DOMAIN\File_Server_Users
        read only = no
        recycle:repository = /groups/recycle
        recycle:keeptree = yes
        recycle:versions = yes
        shadow:snapdir = .zfs/snapshot
        shadow:sort = desc
        shadow:format = -%Y-%m-%d-%H%M
        shadow:snapprefix = ^zfs-auto-snap_\(frequent\)\{0,1\}\(hourly\)\{0,1\}\(daily\)\{0,1\}\(monthly\)\{0,1\}
        shadow:delimiter = -20

Create /etc/samba/user.map containing this:

!root = DOMAIN\Administrator

You are using 'admin users' and 'valid users', a better way would be to set the permissions from Windows, see here:

https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs

That way will make it easier to set the required permissions on the data.

Rowland
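As an added illustration (my own code, not from this thread or from Samba), here is the snapshot-name matching that the shadow:snapprefix, shadow:delimiter and shadow:format settings in both smb.conf versions above drive, reimplemented in Python against a constructed listing of the .zfs/snapshot directory. The prefix regex is hand-translated from smb.conf's basic-regex syntax to Python's, and the prefix/delimiter/strptime steps approximate what shadow_copy2 does rather than copying its code; both are assumptions of this example.

```python
import re
from datetime import datetime

# Values taken from the [department] share in the thread.  smb.conf's
# \(x\)\{0,1\} is basic-regex syntax; Python spells it (x)? (assumed translation).
SNAPPREFIX = re.compile(r"^zfs-auto-snap_(frequent)?(hourly)?(daily)?(monthly)?")
DELIMITER = "-20"
FORMAT = "-%Y-%m-%d-%H%M"


def snapshot_to_time(name):
    """Return the datetime encoded in a snapshot directory name, or None when
    the name does not satisfy prefix, delimiter and format (approximation of
    shadow_copy2's matching, written for this example)."""
    if not SNAPPREFIX.match(name):
        return None                      # not an auto-snapshot at all
    pos = name.find(DELIMITER)           # delimiter marks where the timestamp starts
    if pos < 0:
        return None
    try:
        return datetime.strptime(name[pos:], FORMAT)
    except ValueError:
        return None                      # timestamp truncated or malformed


def list_snapshots(entries, sort="desc"):
    """Keep only usable snapshots and order them as shadow:sort would
    (newest first for 'desc', oldest first otherwise)."""
    found = []
    for name in entries:
        when = snapshot_to_time(name)
        if when is not None:
            found.append((when, name))
    found.sort(key=lambda tn: tn[0], reverse=(sort == "desc"))
    return [name for _, name in found]


# Constructed sample listing of /groups/depart/.zfs/snapshot for this example.
SAMPLE_ENTRIES = [
    "zfs-auto-snap_hourly-2021-06-15-1400",
    "zfs-auto-snap_daily-2021-06-14-0000",
    "zfs-auto-snap_frequent-2021-06-15-1415",
    "manual-before-upgrade",             # prefix does not match: ignored
    "zfs-auto-snap_hourly-2021-06-15",   # timestamp incomplete: ignored
]

if __name__ == "__main__":
    for name in list_snapshots(SAMPLE_ENTRIES):
        print(name, snapshot_to_time(name).isoformat())
```

Names that end up in the returned list are the ones Windows can offer under Previous Versions; the two rejected entries show why a snapshot that exists on disk can still be absent from that tab even when access is not the problem.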