Permissions and snapshots

[tannebil]

I'm struggling a bit with the process of recovering old versions of files from snapshots with SMB shares. As I understand it, I should set "Snapshot Settings" to "Visible" in the dataset setting and then snapshots should be visible in the client as "versions" for a file in Windows or under a hidden directory with macOS. However, I don't see versions in Windows and, while I can make the hidden directory visible in Finder, it's empty.

I was able to see a specific snapshot if I cloned it, changed the security settings on the clone to give my user account access, and created a share pointing to the clone. Which makes me wonder if my underlying problem is that the snapshots are not inheriting the ACL settings when they get created.

Is there a setting somewhere that I need to change so that the snapshots inherit ACLs? Is there a way to change the security on snapshots directly so that I can browse them without cloning them? I'm running 23.10.0.1. Thanks!

 

[ABain]

Is there a way to change the security on snapshots directly so that I can browse them without cloning them?

You should be able to access the snapshots on your windows client, they are stored in the root of the dataset in the .zfs folder, you must ensure the folder option is set to show hidden folders.

Managing Snapshots

Provides instructions on managing ZFS snapshots in TrueNAS Scale.

www.truenas.com

Note that permissions or ACLs set on files within that snapshot might limit access to the files. Snapshots are read-only, so users do not have permission to modify a snapshot or its files, even if they had write permissions when creating the snapshot.

 

[ABain]

Is there a setting somewhere that I need to change so that the snapshots inherit ACLs

Are you talking about share ACL or the filesystem ACL?

 

[tannebil]

Are you talking about share ACL or the filesystem ACL?

The file system ACL. I have not done anything with the share ACL as the default works fine as long as the user has an ACL un the underlying dataset.

The clone created from the snapshot looks to have a system default ACL on it and, after creating a share to it, I couldn't access it until I changed the ACL on the file system.

 

[tannebil]

You should be able to access the snapshots on your windows client, they are stored in the root of the dataset in the .zfs folder, you must ensure the folder option is set to show hidden folders.

Managing Snapshots

Provides instructions on managing ZFS snapshots in TrueNAS Scale.

www.truenas.com

Note that permissions or ACLs set on files within that snapshot might limit access to the files. Snapshots are read-only, so users do not have permission to modify a snapshot or its files, even if they had write permissions when creating the snapshot.
View attachment 73217

I can see the .zfs folder in Windows Explorer but Windows returns an error if I try to open it. I can CD into it in a command prompt but a DIR returns "file not found".

 

[Johnny Fartpants]

From your windows client right click a folder on your network share and select properties then previous versions. If snapshots are present and the share configured correctly they should appear there.

 

[ABain]

I can see the .zfs folder in Windows Explorer but Windows returns an error if I try to open it. I can CD into it in a command prompt but a DIR returns "file not found".

As the zfs folder is on the root dataset, I assume you have the smb share set on this dataset? If so have you checked the permissions on the share ACL to allow access?

 

[tannebil]

As the zfs folder is on the root dataset, I assume you have the smb share set on this dataset? If so have you checked the permissions on the share ACL to allow access?

I've never needed to change the default share ACL to browse the dataset but I added an ACL for my user id granting me explicit access to the share but it didn't change anything.

Is there a way to share anything other than the dataset? The dataset is not at the root of the pool. It's at data-1/backups/<my-data-set>.

Could encryption have any bearing on the issue? The dataset is inheriting encryption from the pool. Encryption has been a bit of a PITA but mostly with Truenas replication to a different server and not being able to create unencrypted datasets in an encrypted pool.

I never got it working under Cobia either. I'd made a couple of SMB auxiliary parameter changes per the documentation under the prior version of Scale so I suppose it's possible I'd screwed them up and they followed me forward into Cobia.

I'll spin up a virgin Truenas VM and see if I get the same behavior. It doesn't sound like I've missed anything obvious.

 

[ABain]

It's possible, if you remain unable to access I would suggest raising a bug report from the above, you will be provided a link to a private upload for a debug, this will help us understand you configuration better to investigate.

 

[winnielinnie]

I can see the .zfs folder in Windows Explorer but Windows returns an error if I try to open it.

Ignoring that, what happens if you manually type in Z:\.zfs\snapshot in the File Explorer address bar?

* Not just Z:\.zfs