Linux

Cannot browse subdirectories of a Samba share using Linux ACLs

  • November 23, 2017

The basic problem is that I have a domain-joined QNAP and want to publish RSnapshot snapshots via Samba so that users can restore their own files from the backups. (As per the original RSnapshot HowTo: http://rsnapshot.org/rsnapshot/docs/docbook/rest.html#restoreing-backups)

However, unless I set a default ACL that new snapshots will inherit (setfacl -mg:MYDOM\Domain\Users:rx), I cannot browse the contents of the shared snapshots at all.

RSnapshot overview

It creates hourly/daily/weekly/monthly snapshots and correctly preserves standard and extended Linux ACLs. The snapshots are stored in the following directory:

/share/CACHEDEV1_DATA/Local Backups

To prevent permission changes from happening, I have cleared the default ACL on that directory and simply set default permissions. The permissions are:

# ls -al
drwxrwxrwx    4 admin    administ      4096 Nov 22 17:00 Local Backups/

# getfacl Local\ Backups/
# file: Local Backups/
# owner: admin
# group: administrators
user::rwx
user:admin:rwx
user:guest:---
group::rwx
group:MYDOM\domain\040users:r-x
mask::rwx
other::rwx
default:user::rwx
default:group::rwx
default:mask::rwx
default:other::rwx

This means the default permissions on the snapshot subdirectories (hourly.0, hourly.1, etc.) look like this:

# cd hourly.0

# ls -al
drwxrwxrwx    3 admin    administ      4096 Nov 22 16:02 ./

# getfacl .
# file: .
# owner: admin
# group: administrators
user::rwx
group::rwx
mask::rwx
other::rwx
default:user::rwx
default:group::rwx
default:mask::rwx
default:other::rwx

At this point RSnapshot has been fully tested and works as expected. (The permissions are very permissive, in case FS permissions or Samba were the problem.)

Samba overview

I created a share called LocalBackups via the WebGUI and looked at the smb.conf file, which I expected to work without modification. While I can access the LocalBackups directory fine, every time I try to access a backup, i.e. hourly.0, hourly.1, etc., I get the error message "You do not have permission to access \\192.168.1.20\LocalBackups\hourly.0".

From smb.conf, the [global] section is:

[global]
# Add this, apparently Windows 7 Bug.
# acl allow execute always = yes
log level = 3
passdb backend = smbpasswd
workgroup = MYDOM
security = ADS
server string =
encrypt passwords = Yes
username level = 0
#map to guest = Bad User
null passwords = yes
max log size = 10
socket options = TCP_NODELAY SO_KEEPALIVE
os level = 20
preferred master = no
dns proxy = No
smb passwd file=/etc/config/smbpasswd
username map = /etc/config/smbusers
guest account = guest
directory mask = 0777
create mask = 0777
oplocks = yes
locking = yes
disable spoolss = no
load printers = yes
veto files = /.AppleDB/.AppleDouble/.AppleDesktop/:2eDS_Store/Network Trash Folder/Temporary Items/TheVolumeSettingsFolder/.@__thumb/.@__desc/:2e*/.@__qini/.Qsync/.@upload_cache/.qsync/.qsync_sn/.@qsys/.streams/.digest/
delete veto files = yes
map archive = no
map system = no
map hidden = no
map read only = no
deadtime = 10
server role = auto
use sendfile = yes
unix extensions = no
store dos attributes = yes
client ntlmv2 auth = yes
dos filetime resolution = no
wide links = yes
#force unknown acl user = yes
force unknown acl user = yes
template homedir = /share/homes/DOMAIN=%D/%U
inherit acls = yes
domain logons = no
min receivefile size = 256
case sensitive = auto
domain master = auto
local master = no
enhance acl v1 = yes
remove everyone = yes
conn log = no
kernel oplocks = no
max protocol = SMB2_10
smb2 leases = yes
durable handles = yes
kernel share modes = no
posix locking = no
lock directory = /share/CACHEDEV1_DATA/.samba/lock
state directory = /share/CACHEDEV1_DATA/.samba/state
cache directory = /share/CACHEDEV1_DATA/.samba/cache
printcap cache time = 0
acl allow execute always = yes
server signing = disabled
aio read size = 1
aio write size = 0
streams_depot:delete_lost = yes
streams_depot:check_valid = no
fruit:nfs_aces = no
fruit:veto_appledouble = no
winbind expand groups = 1
pid directory = /var/lock
printcap name = /etc/printcap
printing = cups
show add printer wizard = no
realm = mydom.local
ldap timeout = 5
password server = mydc001.mydom.local
pam password change = yes
winbind enum users = Yes
winbind enum groups = Yes
winbind cache time = 3600
idmap config * : backend = tdb
idmap config * : range = 400001-500000
idmap config MYDOM : backend = rid
idmap config MYDOM : range = 10000001-20000000
host msdfs = yes
vfs objects =  shadow_copy2 acl_xattr catia fruit qnap_macea streams_depot aio_pthread

The [LocalBackups] section is:

[LocalBackups]
comment =
path = /share/CACHEDEV1_DATA/Local Backups
browsable = yes
oplocks = yes
ftp write only = no
recycle bin = no
recycle bin administrators only = no
qbox = no
public = yes
#invalid users = "guest"
#read list = @"MYDOM\Domain Users"
#write list = "admin"
#valid users = "root","admin",@"MYDOM\Domain Users"
guest ok = yes
read only = yes
inherit permissions = no
shadow:snapdir = /share/CACHEDEV1_DATA/_.share/LocalBackups/.snapshot
shadow:basedir = /share/CACHEDEV1_DATA/Local Backups
shadow:sort = desc
shadow:format = @GMT-%Y.%m.%d-%H:%M:%S
smb encrypt = disabled
strict allocate = yes
streams_depot:check_valid = yes
mangled names = yes
admin users =
admin only = "admin"
#nt acl support = no

With this configuration I can enter the LocalBackups directory, but I cannot enter any of the snapshot subdirectories, i.e. hourly.0, hourly.1, etc.

The commented-out lines are things I tried to see whether they made any difference, but the behaviour was the same with those lines commented out or not.

If I change the ACL on one of the snapshot directories (i.e. hourly.0) to include MYDOM\Domain Users, then I can enter that directory (i.e. hourly.0) via Samba. The permissions on the directory are then:

# cd hourly.0

# ls -al
drwxrwxrwx    3 admin    administ      4096 Nov 22 18:00 ./

# getfacl .
# file: .
# owner: admin
# group: administrators
user::rwx
group::rwx
group:MYDOM\domain\040users:rwx
mask::rwx
other::rwx
default:user::rwx
default:group::rwx
default:mask::rwx
default:other::rwx

At this point I cannot work out how to enable proper logging on the QNAP. From the basic WebUI log information I can see the SMB connection request coming through with my username etc. I am leaning towards the Samba configuration being more restrictive than the FS permissions, but I am guessing.

At this stage I am not sure whether it is my understanding of ACLs, Samba, or both that is letting me down. Any ideas?

Rather than trying to solve this via Samba, I reset the samba configuration to the default configuration that QNAP creates (i.e. removing the commented-out lines. In the long run this also seems safer, because the Web GUI may overwrite a tweaked smb.conf if I or another admin creates a new share, etc.)

I then changed the filesystem permissions to add an extended ACL for the MYDOM\Domain Users group with read r+x on the directories:

/share
/share/CACHEDEV1_DATA
/share/CACHEDEV1_DATA/homes

This way, domain users can navigate all the way to the homes directory when files are backed up. However, because there is no default ACL inherited from the snapshot directory (/share/CACHEDEV1_DATA/Local Backups) and the users' home directories were not changed, only the original user can access their own home directory.

RSnapshot changes

I thought the extended ACLs were being preserved. They were not; it only looked right because the standard ACLs on the home directories are set using the domain users and groups. So the standard ACLs were preserved but the extended ACLs were not. To fix this I edited the rsnapshot script and added the -A flag to rsync by changing:

my $default_rsync_short_args = '-a';

to

my $default_rsync_short_args = '-aA';

To fix access to the snapshot directories (i.e. hourly.0, etc.) I also added a permission change at the bottom of the create_backup_point_dir function:

system("setfacl -m g:MYDOM\\\\Domain\\ Users:rx \"$destpath\"");

It now works as expected and users can restore their own private files from the backups. :)

Once I have done more testing I will try to roll this into a patch for rsnapshot.

Quoted from: https://unix.stackexchange.com/questions/406227