SOLVED SMB permission on .zfs folder

ifko · Oct 22, 2018

Hi, this is my first post here.
I have a FreeNAS 11.1-U6 and I use an ActiveDirectory for managing users and groups.
I can manage pretty easily the right on the differents folders but it's more complicated for .zfs. On my SMB share I have enable the option "zfsacl:expose_snapdir = true"
So I can see and read trough the .zfs folder. I can do this action because I'm the owner of the share but how can I choose who can see and browse it and who can't ?
In our company we don't use shadow copies, because we don't want users to restore files by themselves. Only admin could and we want to do it with .zfs/snapshot.

It's impossible to change permission on .zfs folder because root/wheel is still owner of this directory.

I hope you understand, I'm french and my english isn't perfect

ifko · Oct 23, 2018

Does anyone have a solution ? Because I'm out of ideas...

artlessknave · Oct 23, 2018

what purpose requires smb access to .zfs? that sounds like a great way to break your pool.
shadow copies on freenas is just your snapshots.
why do you not just ....make a new smb share that only your admins can access and give it a snapshot schedule to display as shadow copies?
what is the purpose of micromanaging your users so they can't restore their own files? seems needlessly draconion

ifko · Oct 23, 2018

At the moment they work with a NetAPP solution and they access snapshot with a /snapshot folder. They want the same behavior with FreeNAS.
There is around 1500 employees, most of users are not comfortable with IT so this is why we want only admins to be able to restore data.

I thought of create a SMB share that only admins can access but I want to be as close as their current backup solution(NetAPP).

anodos · Oct 23, 2018

artlessknave said:
what purpose requires smb access to .zfs? that sounds like a great way to break your pool.
shadow copies on freenas is just your snapshots.
why do you not just ....make a new smb share that only your admins can access and give it a snapshot schedule to display as shadow copies?
what is the purpose of micromanaging your users so they can't restore their own files? seems needlessly draconion

Accessing .zfs over smb won't break the pool.

anodos · Oct 23, 2018

The permissions on files inside of .zfs are determined by the ACL of the file at time time the snapshot was taken. Users will have no more or no less permissions than they had at that point in time. You can turn off snapdir visibility, which somewhat restricts access to them (you have to know the path).

ifko · Oct 23, 2018

Anodos, Being able to control the visibility of the snapdir is exactly what I want. But if i do "zfs set snapdir=hidden" nobody will be able to see the snapdir. I think what I want is possible without touching the ACL.

EDIT : I went to NetAPP website and found this :
https://kb.netapp.com/app/answers/a...ow-to-control-access-to-a-snapshot-directory-
And they show how to do :"Snapshots should be controlled by access rights and should be hidden and inaccessible to users. Only the admin can restore files." But they use ONTAP, so the commands only belongs to NetAPP

anodos · Oct 23, 2018

ifko said:
Anodos, Being able to control the visibility of the snapdir is exactly what I want. But if i do "zfs set snapdir=hidden" nobody will be able to see the snapdir. I think what I want is possible without touching the ACL.

EDIT : I went to NetAPP website and found this :
https://kb.netapp.com/app/answers/a...ow-to-control-access-to-a-snapshot-directory-
And they show how to do :"Snapshots should be controlled by access rights and should be hidden and inaccessible to users. Only the admin can restore files." But they use ONTAP, so the commands only belongs to NetAPP

If you zfs set snapdir=hidden <pool>/<dataset>, which is the default, then the snapdir will be hidden but accessible by navigating directly to the snapshot directory in File Explorer. i.e. \\server\share\.zfs\snapshot, but ".zfs" will not appear in the directory listing for \\server\share

ifko · Oct 23, 2018

Yes indeed, but in this case everybody can access the .zfs folder

anodos · Oct 23, 2018

ifko said:
Yes indeed, but in this case everybody can access the .zfs folder

Yes, but once again, they have no access other than what they would have via normal FS operations at the time that the snapshot was taken or that they would have via shadow_copy2.

I could possibly rewrite this feature, but you should make a feature request first and realize it may be a while before I get to it.

kdragon75 · Oct 23, 2018

@ifko, just remind them it may be slightly different but they're saving $20,000. If they complain, tell the you can fix it for $20,000. If their IT cant change from a hidden snap folder to a separate share, they should all be fired for gross incompetence.

ifko · Oct 24, 2018

Yesterday, I was talking with my chief and I show him all the issues it provokes. So I decided to create a share directly on the .zfs/snapshot of my dataset. But it's not possible to manage permission on windows because the owner of this folder is root/wheel. But in the smb share creation there is a line named Auxiliary Parameters. On this line I define different valid users and it worked !
It's a bit tricky but in the end it works fine so I guess we can put this thread into Solved

Important Announcement for The TrueNAS Community.

SOLVED SMB permission on .zfs folder

ifko

Cadet

Attachments

ifko

Cadet

artlessknave

Wizard

ifko

Cadet

anodos

Sambassador

anodos

Sambassador

ifko

Cadet

anodos

Sambassador

ifko

Cadet

anodos

Sambassador

kdragon75

Wizard

ifko

Cadet

Similar threads