CIFS Snapshots available as Previous Versions to group but not user


adx442

Dabbler
Joined
Feb 4, 2015
Messages
10
At least, I think that's what's going on.

We're using FreeNAS 9.3 (updated to the Sept. 2 patch level), and I give each user a personal folder share using CIFS. They are the owner of the folder, with full permissions. The user list and credentials are provided by Active Directory. Each user folder has a snapshot taken once per hour during business hours, and I'd like for them to be able to "self-service" on any recovery they'd like for their own folder.

However, I, as a member of the AD admins group, can see their folder snapshots through Previous Versions without any issues. The user that actually owns the folder can't see any available. Is there something simple I've missed, or something I can add to the SAMBA config to change this behavior?

Thanks for your time!
 

adx442
None. It's been this way since April; at least, that's when I noticed it for the users. My system is stock, and I haven't made any changes to the Samba configuration or any services.
 

adx442
Code:
[root@freenas] /usr/local/etc# cat smb4.conf
[global]
    server max protocol = SMB3
    encrypt passwords = yes
    dns proxy = no
    strict locking = no
    oplocks = yes
    deadtime = 15
    max log size = 51200
    max open files = 469910
    load printers = no
    printing = bsd
    printcap name = /dev/null
    disable spoolss = yes
    getwd cache = yes
    guest account = nobody
    map to guest = Bad User
    obey pam restrictions = yes
    directory name cache size = 0
    kernel change notify = no
    panic action = /usr/local/libexec/samba/samba-backtrace
    nsupdate command = /usr/local/bin/samba-nsupdate -g
    server string = FreeNAS Server
    ea support = yes
    store dos attributes = yes
    lm announce = yes
    hostname lookups = yes
    acl allow execute always = true
    acl check permissions = true
    dos filemode = yes
    multicast dns register = yes
    domain logons = yes
    idmap config *: backend = tdb
    idmap config *: range = 10000-100000000
    server role = member server
    netbios name = FREENAS
    workgroup = OURDOMAIN
    realm = AD.OURDOMAIN.COM
    security = ADS
    client use spnego = yes
    cache directory = /var/tmp/.cache/.samba
    local master = no
    domain master = no
    preferred master = no
    winbind cache time = 7200
    winbind offline logon = yes
    winbind enum users = yes
    winbind enum groups = yes
    winbind nested groups = yes
    winbind use default domain = no
    winbind refresh tickets = yes
    idmap config OURDOMAIN: backend = rid
    idmap config OURDOMAIN: range = 10000-1000000
    allow trusted domains = no
    client ldap sasl wrapping = plain
    template shell = /bin/sh
    template homedir = /home/%D/%U
    pid directory = /var/run/samba
    create mask = 0666
    directory mask = 0777
    client ntlmv2 auth = yes
    dos charset = CP437
    unix charset = UTF-8
    log level = 1


[Backups]
    path = /mnt/tank/backups
    printable = no
    veto files = /.snapshot/.windows/.mac/.zfs/
    writeable = yes
    browseable = yes
    shadow:snapdir = .zfs/snapshot
    shadow:sort = desc
    shadow:localtime = yes
    shadow:format = auto-%Y%m%d.%H%M-1m
    shadow:snapdirseverywhere = yes
    vfs objects = shadow_copy2 zfs_space zfsacl
    hide dot files = yes
    guest ok = no
    nfs4:mode = special
    nfs4:acedup = merge
    nfs4:chown = true
    zfsacl:acesort = dontcare


[Production Folders]
    path = /mnt/tank/ProductionFolders
    printable = no
    veto files = /.snapshot/.windows/.mac/.zfs/
    writeable = yes
    browseable = yes
    shadow:snapdir = .zfs/snapshot
    shadow:sort = desc
    shadow:localtime = yes
    shadow:format = auto-%Y%m%d.%H%M-2m
    shadow:snapdirseverywhere = yes
    vfs objects = shadow_copy2 zfs_space zfsacl
    hide dot files = yes
    guest ok = no
    nfs4:mode = special
    nfs4:acedup = merge
    nfs4:chown = true
    zfsacl:acesort = dontcare


[iqms]
    path = /mnt/tank/iqms
    comment = IQMS libraries
    printable = no
    veto files = /.snapshot/.windows/.mac/.zfs/
    writeable = yes
    browseable = no
    shadow:snapdir = .zfs/snapshot
    shadow:sort = desc
    shadow:localtime = yes
    shadow:format = auto-%Y%m%d.%H%M-2m
    shadow:snapdirseverywhere = yes
    vfs objects = shadow_copy2 zfs_space zfsacl
    hide dot files = yes
    guest ok = no
    nfs4:mode = special
    nfs4:acedup = merge
    nfs4:chown = true
    zfsacl:acesort = dontcare


[users]
    path = /mnt/tank/usershares
    printable = no
    veto files = /.snapshot/.windows/.mac/.zfs/
    writeable = yes
    browseable = yes
    shadow:snapdir = .zfs/snapshot
    shadow:sort = desc
    shadow:localtime = yes
    shadow:format = auto-%Y%m%d.%H%M-6m
    shadow:snapdirseverywhere = yes
    vfs objects = shadow_copy2 zfs_space zfsacl
    hide dot files = yes
    guest ok = no
    nfs4:mode = special
    nfs4:acedup = merge
    nfs4:chown = true
    zfsacl:acesort = dontcare
[root@freenas] /usr/local/etc#


Thanks for any help or hints you can provide! The users section is the share that's causing me issues.
 

adx442
[root@freenas] ~# getfacl /mnt/tank/usershares
# file: /mnt/tank/usershares
# owner: OurDomain\administrator
# group: OurDomain\admins
group@:rwxpDdaARWcCo-:fd----:allow
group:OurDomain\administrator:rwxpDdaARWcCo-:fd----:allow
group:90000006:r-x---a-R-c---:fd----:allow


[root@freenas] ~# getfacl /mnt/tank/usershares/some.user
# file: /mnt/tank/usershares/some.user
# owner: OurDomain\some.user
# group: OurDomain\admins
group:OurDomain\some.user:rwxpDdaARWcCo-:fd----:allow
group@:rwxpDdaARWcCo-:fd----:allow
group:OurDomain\administrator:rwxpDdaARWcCo-:fd----:allow
 

adx442
None (not expressly denied, just not included in the ACL) ... I was trying to keep them segregated from being able to read each other's folder contents. Do they need higher level folder permissions for the snapshots to work on their lower level folder?

Edit: Tried giving some.user read/list/execute access to the usershares top level folder, and it made no difference. Also, some.user can read snapshots from a completely different dataset (Production Folders) that they have access to, and the permissions appear to be identical.
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
None (not expressly denied, just not included in the ACL) ... I was trying to keep them segregated from being able to read each other's folder contents. Do they need higher level folder permissions for the snapshots to work on their lower level folder?

Edit: Tried giving some.user read/list/execute access to the usershares top level folder, and it made no difference.

Try giving a test user "modify" privileges. (just to exclude this possibility - normally 'previous versions' only requires read privileges)


It may be related to some peculiarity of how nfsv4:mode = special works. Perhaps create a test dataset \ share and do the following (for instance /mnt/tank/test):
  • Set ownership (in webgui volume manager) as follows:
owner -user : root
owner -group : domain\admins

  • Create a test usershare (for instance /mnt/tank/test/some.user)
  • Set permissions for /mnt/tank/test as follows:
root - full control
domain\admins - full control
everyone - read-only (this folder only)

  • Remove "everyone" ace from /mnt/tank/test/some.user
  • From CLI, chown some.user /mnt/tank/test/some.user
  • Perform manual snapshot on test dataset
See if some.user can access the snapshot.
 
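The getfacl output and the test procedure above both come down to one question: can the user's token traverse every directory on the path that shadow_copy2 walks, `<share>/.zfs/snapshot/<snap>/<user folder>`? The following Python is an added example for this thread, not FreeNAS or Samba code. It parses FreeBSD getfacl output into NFSv4 ACEs, evaluates them with first-match semantics for a given user and group set, reports whether the snapshot root can be descended into and the user folder listed, and turns a snapshot name matching the `[users]` share's `shadow:format` into the `@GMT-` label Windows shows under Previous Versions. The ACL text is constructed from the output posted earlier in the thread; the group memberships, the local time zone and the snapshot names are assumptions. One ZFS property worth remembering when running such a check: a snapshot's root directory keeps the ACL the dataset root had when the snapshot was taken, so an ACL change on the live dataset does not change what older snapshots grant.

```python
"""Evaluate NFSv4 ACLs (FreeBSD getfacl output) along the path that Samba's
shadow_copy2 walks to a user's folder inside a ZFS snapshot.

Added example for this thread, not FreeNAS or Samba code.  The ACL text is
constructed from the getfacl output posted in the thread; group memberships,
time zone and snapshot names are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Set


@dataclass
class Ace:
    tag: str              # owner@, group@, everyone@, user or group
    who: Optional[str]    # principal name for user/group tags, else None
    perms: Set[str]       # letters present in the 14-char permission string
    kind: str             # allow or deny


@dataclass
class Acl:
    path: str
    owner: str
    group: str
    aces: List[Ace]


def parse_getfacl(text: str) -> Acl:
    """Parse one getfacl block: '# key: value' headers followed by ACE lines."""
    meta, aces = {}, []
    for raw in text.strip().splitlines():
        line = raw.strip()
        if line.startswith("#"):
            key, _, val = line[1:].partition(":")
            meta[key.strip()] = val.strip()
        elif line:
            parts = line.split(":")
            if len(parts) == 4:                      # owner@ / group@ / everyone@
                tag, who, perms, kind = parts[0], None, parts[1], parts[3]
            else:                                    # user:NAME / group:NAME
                tag, who, perms, kind = parts[0], parts[1], parts[2], parts[4]
            aces.append(Ace(tag, who, {c for c in perms if c != "-"}, kind))
    return Acl(meta["file"], meta["owner"], meta["group"], aces)


def ace_applies(ace: Ace, acl: Acl, user: str, groups: Set[str]) -> bool:
    """NFSv4 matching: which principal an ACE names, relative to the owner."""
    if ace.tag == "everyone@":
        return True
    if ace.tag == "owner@":
        return user == acl.owner
    if ace.tag == "group@":
        return acl.group in groups
    if ace.tag == "user":
        return ace.who == user
    if ace.tag == "group":
        return ace.who in groups
    return False


def effective_perms(acl: Acl, user: str, groups: Set[str]) -> Set[str]:
    """First matching ACE decides each bit; bits no ACE mentions stay denied."""
    decided = {}
    for ace in acl.aces:
        if ace_applies(ace, acl, user, groups):
            for bit in ace.perms:
                decided.setdefault(bit, ace.kind == "allow")
    return {bit for bit, allowed in decided.items() if allowed}


def snapshot_path_check(snapshot_root_acl: str, user_dir_acl: str,
                        user: str, groups: Set[str]):
    """Return (can descend into snapshot root, can list user folder).
    The snapshot root carries the ACL the dataset root had at snapshot time,
    so pass that ACL here, not necessarily the live one."""
    root = effective_perms(parse_getfacl(snapshot_root_acl), user, groups)
    sub = effective_perms(parse_getfacl(user_dir_acl), user, groups)
    return "x" in root, "r" in sub


def snapshot_label(name: str, fmt: str, local_tz: timezone) -> Optional[str]:
    """Map a snapshot directory name to the @GMT token shadow_copy2 presents.
    shadow:localtime = yes means the name carries local time; names that do
    not match shadow:format are ignored by shadow_copy2, so return None."""
    try:
        stamp = datetime.strptime(name, fmt)
    except ValueError:
        return None
    return (stamp.replace(tzinfo=local_tz).astimezone(timezone.utc)
            .strftime("@GMT-%Y.%m.%d-%H.%M.%S"))


# Constructed from the thread's getfacl output (raw strings keep backslashes).
USERSHARES_ACL = r"""
# file: /mnt/tank/usershares
# owner: OurDomain\administrator
# group: OurDomain\admins
group@:rwxpDdaARWcCo-:fd----:allow
group:OurDomain\administrator:rwxpDdaARWcCo-:fd----:allow
group:90000006:r-x---a-R-c---:fd----:allow
"""
SOME_USER_ACL = r"""
# file: /mnt/tank/usershares/some.user
# owner: OurDomain\some.user
# group: OurDomain\admins
group:OurDomain\some.user:rwxpDdaARWcCo-:fd----:allow
group@:rwxpDdaARWcCo-:fd----:allow
group:OurDomain\administrator:rwxpDdaARWcCo-:fd----:allow
"""
# Assumed memberships: the thread's ACL names the user as a group entry.
SOME_USER_GROUPS = {r"OurDomain\some.user", r"OurDomain\Domain Users"}
ADMIN_GROUPS = {r"OurDomain\admins", r"OurDomain\Domain Users"}
FMT = "auto-%Y%m%d.%H%M-6m"                 # shadow:format of the [users] share
LOCAL_TZ = timezone(timedelta(hours=-4))    # assumed offset for shadow:localtime

if __name__ == "__main__":
    for who, groups in ((r"OurDomain\some.user", SOME_USER_GROUPS),
                        (r"OurDomain\administrator", ADMIN_GROUPS)):
        print(who, snapshot_path_check(USERSHARES_ACL, SOME_USER_ACL, who, groups))
    print(snapshot_label("auto-20150902.1400-6m", FMT, LOCAL_TZ))
```

With the posted ACLs, some.user holds full rights on their own folder but no ACE on `/mnt/tank/usershares` grants them execute, so the check reports that they cannot descend into a snapshot root that carries that ACL, while a member of `OurDomain\admins` passes via `group@`. To test a live ACL change against old snapshots, feed the script the getfacl output of `.zfs/snapshot/<snap>` itself rather than of the dataset root.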

adx442
An update for posterity. I never did find a solution to this, but it is working now. Once I nuked all the snapshots for that share, created a new periodic snapshot, added the association to the CIFS share, and restarted the CIFS service, it behaved normally and as expected for the end users (Windows shows their individual folder snapshots in Previous Versions, allowing them to self-service for their own backups). I say it wasn't a solution because I had to blow away 5 months worth of snapshots to get it working, but moving forward, it's in good shape.

I still have no idea what caused the issue in the problem, or why recreating everything made any difference, but it's working now.

Thanks for everyone's time on this one.
 