samba - Jun 2021 - Permissions required for Snapshots/Previous Versions

>>>>>
>>>>> My question is, is there any other way to make this
Previous Versions
>>>>> functionality available to either other groups of users or,
>> potentially,
>>>>> all users, without adding them to "admin users"
or mapping them ot
>> local
>>>>> Administrators?
>>>>>
>>>>> Thanks!
>>>>> -Nick
>>
>> Okay, try this smb.conf:
>>
>> [global]
>>         workgroup = DOMAIN
>>         realm = DOMAIN.LOCAL
>>         security = ads
>>
>>         dedicated keytab file = /etc/krb5.keytab
>>         kerberos method = secrets and keytab
>>
>>         idmap config * : backend = tdb
>>         idmap config * : range = 3000-7999
>>         idmap config DOMAIN : backend = rid
>>         idmap config DOMAIN : range = 10000-2000000
>>         template homedir = /home/%U@%D
>>         template shell = /bin/bash
>>         winbind refresh tickets = yes
>>         winbind offline logon = yes
>>
>>         username map = /etc/samba/user.map
>>
>>         printing = cups
>>         printcap name = cups
>>         load printers = yes
>>         cups options = raw
>>         vfs objects = acl_xattr recycle shadow_copy2
>>         map acl inherit = Yes
>>
>> [department]
>>         path = /groups/depart
>>         comment = Department Share
>>         msdfs root = yes
>>         admin users = @DOMAIN\File_Server_Admins
>>         valid users = @DOMAIN\File_Server_Admins
@DOMAIN\File_Server_Users
>>         read only = no
>>         recycle:repository = /groups/recycle
>>         recycle:keeptree = yes
>>         recycle:versions = yes
>>         shadow:snapdir = .zfs/snapshot
>>         shadow:sort = desc
>>         shadow:format = -%Y-%m-%d-%H%M
>>         shadow:snapprefix >>
>>
^zfs-auto-snap_\(frequent\)\{0,1\}\(hourly\)\{0,1\}\(daily\)\{0,1\}\(monthly\)\{0,1\}
>>         shadow:delimiter = -20
>>
>>
>> Create /etc/samba/user.map containing this:
>>
>> !root = DOMAIN\Administrator
>>
Rowland,
Thanks for the response - really appreciate it. What is it about the
above smb.conf that would resolve the issue I'm seeing? As far as I
can tell, all this does is map DOMAIN\Administrator to the root
account, correct? Is there some other change I missed, or some reason
that would allow non-Administrator users to see the snapshots/Previous
Version? As I mentioned before, anybody with Administrator privileges
can already see the Previous Versions correctly - it's the non-Admin
users that I'd like to correct. Is there some reason that doing a user
mapping like this for Administrator would fix that?
>> You are using 'admin users' and 'valid users', a better
way would be to
>> set the permissions from Windows, see here:
>>
>> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
>>
>> That way will make it easier to set the required permissions on the
data.
>>
I actually use both - and I have legitimate reasons for doing both. In
general I do use ACLs - that's why the acl_xattr VFS module is loaded
- but there's a specific reason/use-case I have that I need to
actually limit access to the share itself regardless of what ACLs are
present. Has to do with selling/splitting off part of your company and
all the fun times that come with that.
>> Rowland
>>
>
>
>         vfs objects = acl_xattr recycle shadow_copy2
>
> Order of VFS objects is significant. You'll want to throw shadow_copy2
at
> front of list IIRC. In those versions of samba, the shadow copy module will
> convert the `@GMT` prefixed path name to one relative to the ZFS dataset
> snapdir ".zfs/snapshot". You need this translation to happen
before samba
> gets the NT ACL for the file via acl_xattr (at least for get_nt_acl).
>
Thanks, Andrew - I'll swap the order around and give that a try. Now
that you mention it, I recall running into that issue in a completely
separate situation (don't recall what it is at the moment) and it
seems like the order mattered. I'll see if that helps at all.

-Nick

On 16/06/2021 13:47, Nick Couchman wrote:
>>>>>> My question is, is there any other way to make this
Previous Versions
>>>>>> functionality available to either other groups of users
or,
>>> potentially,
>>>>>> all users, without adding them to "admin
users" or mapping them ot
>>> local
>>>>>> Administrators?
>>>>>>
>>>>>> Thanks!
>>>>>> -Nick
>>> Okay, try this smb.conf:
>>>
>>> [global]
>>>          workgroup = DOMAIN
>>>          realm = DOMAIN.LOCAL
>>>          security = ads
>>>
>>>          dedicated keytab file = /etc/krb5.keytab
>>>          kerberos method = secrets and keytab
>>>
>>>          idmap config * : backend = tdb
>>>          idmap config * : range = 3000-7999
>>>          idmap config DOMAIN : backend = rid
>>>          idmap config DOMAIN : range = 10000-2000000
>>>          template homedir = /home/%U@%D
>>>          template shell = /bin/bash
>>>          winbind refresh tickets = yes
>>>          winbind offline logon = yes
>>>
>>>          username map = /etc/samba/user.map
>>>
>>>          printing = cups
>>>          printcap name = cups
>>>          load printers = yes
>>>          cups options = raw
>>>          vfs objects = acl_xattr recycle shadow_copy2
>>>          map acl inherit = Yes
>>>
>>> [department]
>>>          path = /groups/depart
>>>          comment = Department Share
>>>          msdfs root = yes
>>>          admin users = @DOMAIN\File_Server_Admins
>>>          valid users = @DOMAIN\File_Server_Admins
@DOMAIN\File_Server_Users
>>>          read only = no
>>>          recycle:repository = /groups/recycle
>>>          recycle:keeptree = yes
>>>          recycle:versions = yes
>>>          shadow:snapdir = .zfs/snapshot
>>>          shadow:sort = desc
>>>          shadow:format = -%Y-%m-%d-%H%M
>>>          shadow:snapprefix >>>
>>>
^zfs-auto-snap_\(frequent\)\{0,1\}\(hourly\)\{0,1\}\(daily\)\{0,1\}\(monthly\)\{0,1\}
>>>          shadow:delimiter = -20
>>>
>>>
>>> Create /etc/samba/user.map containing this:
>>>
>>> !root = DOMAIN\Administrator
>>>
> Rowland,
> Thanks for the response - really appreciate it. What is it about the
> above smb.conf that would resolve the issue I'm seeing? As far as I
> can tell, all this does is map DOMAIN\Administrator to the root
> account, correct? Is there some other change I missed, or some reason
> that would allow non-Administrator users to see the snapshots/Previous
> Version? As I mentioned before, anybody with Administrator privileges
> can already see the Previous Versions correctly - it's the non-Admin
> users that I'd like to correct. Is there some reason that doing a user
> mapping like this for Administrator would fix that?

If you set the permissions from Windows, you will be able to set finer 
permissions, for instance you will be able to deny members of Domain 
Users, then allow members of another group the permissions you set. 
Remember that Unix only has 'ugo' and 'rwx'
>
>>> You are using 'admin users' and 'valid users', a
better way would be to
>>> set the permissions from Windows, see here:
>>>
>>>
https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
>>>
>>> That way will make it easier to set the required permissions on the
data.
>>>
> I actually use both -

You actually shouldn't
>   and I have legitimate reasons for doing both.

Sorry, but, in my opinion, there are no legitimate reasons for using 
both, use just one, preferably set them from Windows.
>   In
> general I do use ACLs - that's why the acl_xattr VFS module is loaded
> - but there's a specific reason/use-case I have that I need to
> actually limit access to the share itself regardless of what ACLs are
> present. Has to do with selling/splitting off part of your company and
> all the fun times that come with that.

If you must do this, then use setfacl and not the 'valid users' etc.

Rowland

On Wed, Jun 16, 2021 at 8:47 AM Nick Couchman <nick.e.couchman at
gmail.com>
wrote:
> >>>>>
> >>>>> My question is, is there any other way to make this
Previous Versions
> >>>>> functionality available to either other groups of
users or,
> >> potentially,
> >>>>> all users, without adding them to "admin
users" or mapping them ot
> >> local
> >>>>> Administrators?
> >>>>>
> >>>>> Thanks!
> >>>>> -Nick
> >>
> >> Okay, try this smb.conf:
> >> Rowland
> >>
> >
> >
> >         vfs objects = acl_xattr recycle shadow_copy2
> >
> > Order of VFS objects is significant. You'll want to throw
shadow_copy2 at
> > front of list IIRC. In those versions of samba, the shadow copy module
> will
> > convert the `@GMT` prefixed path name to one relative to the ZFS
dataset
> > snapdir ".zfs/snapshot". You need this translation to happen
before samba
> > gets the NT ACL for the file via acl_xattr (at least for get_nt_acl).
> >
>
> Thanks, Andrew - I'll swap the order around and give that a try. Now
> that you mention it, I recall running into that issue in a completely
> separate situation (don't recall what it is at the moment) and it
> seems like the order mattered. I'll see if that helps at all.
>
> -Nick
>

Well, after trying both of these things - removing admin/valid users and
relying solely on ACLs, and re-arranging the VFS modules - the issue
persists. I'm not sure how much debugging the shadow_copy2 VFS module has
built in, but I'm trying to get some better log messages that might
indicate where things are falling down. I've verified at the Linux level,
if I "su" to any of the non-Admin accounts, that I can see the
".zfs/snapshot" directory and the snapshots under that directory, so
it
isn't an issue with access to the files.

if anyone has any other ideas, I'm open to them.

-Nick