On Wed, 19 Jun 2024 11:59:41 +0200
"Stefan G. Weichinger via samba" <samba at lists.samba.org>
wrote:
> On 19.06.24 at 11:35, Stefan G. Weichinger via samba wrote:
> > On 17.06.24 at 16:06, Rowland Penny via samba wrote:
> >
> >>> The user is member of "domain admins", isn't that enough?
> >>
> >> No, because they would be classed as 'others'.
> >>
> >>>
> >>> Or does "SYNC_ACL" not yet work OK, because we miss the steps in
> >>>
> >>> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
> >>>
> >>> which is what I assume (I have to wait for their admin to walk him
> >>> through these steps)
> >>
> >> Oh yes, once done correctly, you will be able to give Domain
> >> Admins the required permissions (provided you are not using the
> >> 'ad' idmap backend).
> >
> > thanks so far
> >
> > I am a bit lost right now.
> >
> > I currently prepare the migration from old to new server
> >
> > I rsync the data from old server "main" to new server "main2":
> >
> > /usr/bin/rsync -avXx main:/mnt/daten/ /mnt/pool1/samba/daten
> > --exclude=".snapshots" --delete
> >
> > additional fact:
> >
> > old server fs: ext4
> >
> > new server fs: btrfs
> >
> > The ACLs ("getfacl" ?) aren't synced over ...
> >
> > Unfortunately we have a bit more complex ACLs than in the
> > Samba-Howto, and we would like to have that synced/copied over if
> > possible.
> >
> > How can I achieve that?
>
> Addition:
>
> the user sees snapshots, but no files in them.
>
> on the fs itself:
>
> # ls -la .snapshots/189
> total 8
> drwxr-xr-x 1 root root 32 Jun 19 11:00 .
> drwxr-x--x+ 1 root root 208 Jun 19 11:00 ..
> -rw------- 1 root root 187 Jun 19 11:00 info.xml
> drwxrwx--- 1 nobody domain users 478 Apr 15 08:01 snapshot
>
> so a member should be allowed to traverse
>
> in snapper
>
> ALLOW_USERS="user1 sgw"
> ALLOW_GROUPS="domain\ admins"
^^^^^^^^^^^^^^^^
Where are you getting this from ?
If I run this in a terminal:
ALLOW_GROUPS="domain\ admins" ; echo "$ALLOW_GROUPS"
I get this:
domain\ admins
Note that the '\' has become part of the group name.
Now this may be correct, I do not use vfs_snapper, but a quick glance
at snapper's documentation shows this:
ALLOW_GROUPS=groups
The group-names must be separated by spaces. Spaces in group-names can
be escaped with a "\".
To myself, this reads as you should be using:
ALLOW_GROUPS=domain\ admins
Rowland
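
An added example (not from the thread or from snapper): a shell function that applies the splitting rule quoted from the documentation above to the string each assignment form produces when typed into a shell. `split_groups` and `count_groups` are hypothetical helpers; how snapper itself reads its configuration file is not shown on this page and is not modelled here. Since ALLOW_GROUPS is an access list, the string that reaches the splitter decides which group names are matched.

```shell
#!/bin/sh
# Added example. Rule implemented (from the documentation text quoted in
# the thread): names are separated by spaces; "\" escapes a space.
# split_groups and count_groups are hypothetical helpers, not snapper code.
split_groups() {
    rest=$1
    cur=''
    while [ -n "$rest" ]; do
        c=${rest%"${rest#?}"}            # first character of $rest
        rest=${rest#?}
        case $c in
            '\')
                if [ -n "$rest" ]; then  # escaped: take next char literally
                    cur=$cur${rest%"${rest#?}"}
                    rest=${rest#?}
                else
                    cur=$cur$c           # trailing backslash stays literal
                fi ;;
            ' ')
                [ -n "$cur" ] && printf '%s\n' "$cur"
                cur='' ;;
            *)
                cur=$cur$c ;;
        esac
    done
    [ -n "$cur" ] && printf '%s\n' "$cur"
    return 0
}

count_groups() { split_groups "$1" | wc -l | tr -d ' '; }

# Constructed values: the two assignment forms from the thread, as a
# shell stores them.
quoted="domain\ admins"   # double quotes keep the backslash
unquoted=domain\ admins   # the shell consumes the backslash

for v in "$quoted" "$unquoted"; do
    printf 'value=[%s] -> %s name(s)\n' "$v" "$(count_groups "$v")"
    split_groups "$v" | sed 's/^/  name: /'
done
```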