Cannot browse subdirectories in a Samba share using Linux ACLs
The basic problem is that I have a domain-joined QNAP and want to publish RSnapshot snapshots via Samba so that users can restore their own files from the backups. (As per the original RSnapshot HowTo: http://rsnapshot.org/rsnapshot/docs/docbook/rest.html#restoreing-backups )
However, unless I set a default ACL that new snapshots will inherit (setfacl -mg:MYDOM\Domain\Users:rx), I cannot browse the contents of the shared snapshots at all.
RSnapshot overview
It creates hourly/daily/weekly/monthly snapshots and correctly preserves standard and extended Linux ACLs. The snapshots are stored in the following directory:
/share/CACHEDEV1_DATA/Local Backups
To prevent permission changes from happening, I have cleared the default ACL on that directory and simply set the default permissions. The permissions are:
```
# ls -al
drwxrwxrwx 4 admin administ 4096 Nov 22 17:00 Local Backups/
# getfacl Local\ Backups/
# file: Local Backups/
# owner: admin
# group: administrators
user::rwx
user:admin:rwx
user:guest:---
group::rwx
group:MYDOM\domain\040users:r-x
mask::rwx
other::rwx
default:user::rwx
default:group::rwx
default:mask::rwx
default:other::rwx
```
This means the default permissions on the snapshot subdirectories (hourly.0, hourly.1, etc.) look like this:
```
# cd hourly.0
# ls -al
drwxrwxrwx 3 admin administ 4096 Nov 22 16:02 ./
# getfacl .
# file: .
# owner: admin
# group: administrators
user::rwx
group::rwx
mask::rwx
other::rwx
default:user::rwx
default:group::rwx
default:mask::rwx
default:other::rwx
```
At this point RSnapshot has been fully tested and works as expected. (The permissions are very permissive in case FS permissions or Samba turn out to be the problem.)
Samba overview
I created a share named LocalBackups via the WebGUI and looked at the smb.conf file, which I expected to work without modification. While I can access the LocalBackups directory fine, every time I try to access a backup, i.e. hourly.0, hourly.1, etc., I get the error message "You do not have permission to access \\192.168.1.20\LocalBackups\hourly.0".
From smb.conf, the [global] section is:
```
[global]
# Add this, apparently Windows 7 Bug.
# acl allow execute always = yes
log level = 3
passdb backend = smbpasswd
workgroup = MYDOM
security = ADS
server string =
encrypt passwords = Yes
username level = 0
#map to guest = Bad User
null passwords = yes
max log size = 10
socket options = TCP_NODELAY SO_KEEPALIVE
os level = 20
preferred master = no
dns proxy = No
smb passwd file=/etc/config/smbpasswd
username map = /etc/config/smbusers
guest account = guest
directory mask = 0777
create mask = 0777
oplocks = yes
locking = yes
disable spoolss = no
load printers = yes
veto files = /.AppleDB/.AppleDouble/.AppleDesktop/:2eDS_Store/Network Trash Folder/Temporary Items/TheVolumeSettingsFolder/.@__thumb/.@__desc/:2e*/.@__qini/.Qsync/.@upload_cache/.qsync/.qsync_sn/.@qsys/.streams/.digest/
delete veto files = yes
map archive = no
map system = no
map hidden = no
map read only = no
deadtime = 10
server role = auto
use sendfile = yes
unix extensions = no
store dos attributes = yes
client ntlmv2 auth = yes
dos filetime resolution = no
wide links = yes
#force unknown acl user = yes
force unknown acl user = yes
template homedir = /share/homes/DOMAIN=%D/%U
inherit acls = yes
domain logons = no
min receivefile size = 256
case sensitive = auto
domain master = auto
local master = no
enhance acl v1 = yes
remove everyone = yes
conn log = no
kernel oplocks = no
max protocol = SMB2_10
smb2 leases = yes
durable handles = yes
kernel share modes = no
posix locking = no
lock directory = /share/CACHEDEV1_DATA/.samba/lock
state directory = /share/CACHEDEV1_DATA/.samba/state
cache directory = /share/CACHEDEV1_DATA/.samba/cache
printcap cache time = 0
acl allow execute always = yes
server signing = disabled
aio read size = 1
aio write size = 0
streams_depot:delete_lost = yes
streams_depot:check_valid = no
fruit:nfs_aces = no
fruit:veto_appledouble = no
winbind expand groups = 1
pid directory = /var/lock
printcap name = /etc/printcap
printing = cups
show add printer wizard = no
realm = mydom.local
ldap timeout = 5
password server = mydc001.mydom.local
pam password change = yes
winbind enum users = Yes
winbind enum groups = Yes
winbind cache time = 3600
idmap config * : backend = tdb
idmap config * : range = 400001-500000
idmap config MYDOM : backend = rid
idmap config MYDOM : range = 10000001-20000000
host msdfs = yes
vfs objects = shadow_copy2 acl_xattr catia fruit qnap_macea streams_depot aio_pthread
```
The [LocalBackups] section is:
```
[LocalBackups]
comment =
path = /share/CACHEDEV1_DATA/Local Backups
browsable = yes
oplocks = yes
ftp write only = no
recycle bin = no
recycle bin administrators only = no
qbox = no
public = yes
#invalid users = "guest"
#read list = @"MYDOM\Domain Users"
#write list = "admin"
#valid users = "root","admin",@"MYDOM\Domain Users"
guest ok = yes
read only = yes
inherit permissions = no
shadow:snapdir = /share/CACHEDEV1_DATA/_.share/LocalBackups/.snapshot
shadow:basedir = /share/CACHEDEV1_DATA/Local Backups
shadow:sort = desc
shadow:format = @GMT-%Y.%m.%d-%H:%M:%S
smb encrypt = disabled
strict allocate = yes
streams_depot:check_valid = yes
mangled names = yes
admin users = admin only = "admin"
#nt acl support = no
```
With this configuration I can get into the LocalBackups directory, but not into any of the snapshot subdirectories, i.e. hourly.0, hourly.1, etc.
The commented-out lines are things I tried to see whether they made any difference, but the behaviour is the same whether those lines are commented out or not.
If I change the ACL on one of the snapshot directories (i.e. hourly.0) to include MYDOM\Domain Users, I can get into that directory (i.e. hourly.0) via Samba. The directory permissions are then:
```
# cd hourly.0
# ls -al
drwxrwxrwx 3 admin administ 4096 Nov 22 18:00 ./
# getfacl .
# file: .
# owner: admin
# group: administrators
user::rwx
group::rwx
group:MYDOM\domain\040users:rwx
mask::rwx
other::rwx
default:user::rwx
default:group::rwx
default:mask::rwx
default:other::rwx
```
At this point I cannot work out how to enable proper logging on the QNAP. From the basic WebUI log information I can see the SMB connection request coming through with my username etc. I am leaning towards the Samba configuration being more restrictive than the FS permissions, but I am guessing.
At this stage I am not sure whether it is my understanding of ACLs, Samba, or both that is letting me down. Any ideas?
Rather than trying to solve this via Samba, I reset the samba configuration to the default one that QNAP creates (i.e. un-commented the lines that had been commented out. In the long run this also seems safer, since the Web GUI may overwrite an adjusted smb.conf if I or another admin creates a new share, etc.) I then changed the filesystem permissions, adding an extended ACL for the MYDOM\Domain Users group with r+x on the directories:
```
/share
/share/CACHEDEV1_DATA
/share/CACHEDEV1_DATA/homes
```
This way, when files are backed up, domain users can navigate all the way down to the homes directory. However, since there is no default ACL inherited from the snapshot directory (/share/CACHEDEV1_DATA/Local Backups) and the users' home directories were not changed, only the original user can access their own home directory.
RSnapshot changes
I thought the extended ACLs were being preserved. They are not; it only looked correct because the standard ACL on the home directories is set using the domain user and group. So the standard ACL was preserved, but the extended ACL was not. To fix this, I edited the rsnapshot script and added the -A flag to rsync by changing:
```
my $default_rsync_short_args = '-a';
```
to
```
my $default_rsync_short_args = '-aA';
```
To fix access to the snapshot directories (i.e. hourly.0 etc.), I also added a permission change at the bottom of the create_backup_point_dir function:
```
system("setfacl -m g:MYDOM\\\\Domain\\ Users:rx \"$destpath\"");
```
It now works as expected and users can restore their own private files from the backups. :)
Once I have done some more testing I will try to roll this into a patch for rsnapshot.
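As an added example (my own code, not from the question, the answer, or rsnapshot), the following script checks the condition the question is chasing and the end state the answer's setfacl call produces: it parses getfacl output for the base directory and for each hourly.N snapshot directory, applies the mask:: entry the way POSIX ACLs do, and reports where the MYDOM\Domain Users group lacks an effective r-x entry and whether the base directory carries a default: entry for that group to inherit. The sample listings are the ones shown in the question, embedded as constructed data; the check deliberately looks only for the named-group entry the poster found necessary and does not model the other:: class, since the listings show other::rwx did not translate into access through Samba.

```python
"""Audit getfacl output for an rsnapshot snapshot tree (added example, not
rsnapshot code). Group names compare case-insensitively because winbind may
print 'domain users' for 'Domain Users', and getfacl's \\NNN octal escapes
(e.g. \\040 for a space) are decoded before comparing."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class AclEntry:
    default: bool       # True for a "default:" (inheritable) entry
    tag: str            # user, group, mask or other
    qualifier: str      # named user/group; '' for owner, owning group, mask, other
    perms: str          # three characters, e.g. 'r-x'


def _decode(name: str) -> str:
    """getfacl prints spaces and non-printable bytes as \\NNN octal escapes."""
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), name)


def parse_getfacl(text: str) -> List[AclEntry]:
    """Parse one getfacl listing (header comments included) into entries."""
    entries: List[AclEntry] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):      # '# file:', '# owner:', '# group:'
            continue
        default = line.startswith("default:")
        if default:
            line = line[len("default:"):]
        body = line.split("#", 1)[0].strip()      # drop trailing '#effective:...'
        parts = body.split(":")
        if len(parts) != 3:
            continue                              # not an ACL entry we understand
        tag, qualifier, perms = parts
        entries.append(AclEntry(default, tag, _decode(qualifier), perms))
    return entries


def effective_group_perms(entries: List[AclEntry], group: str,
                          default: bool = False) -> Optional[str]:
    """Rights the named group actually gets: its entry ANDed with mask::.
    Returns None when the group has no entry in the access (or default) ACL."""
    scope = [e for e in entries if e.default == default]
    mask = next((e.perms for e in scope if e.tag == "mask"), None)
    entry = next((e for e in scope
                  if e.tag == "group" and e.qualifier.lower() == group.lower()), None)
    if entry is None:
        return None
    if mask is None:
        return entry.perms
    return "".join(p if p != "-" and m != "-" else "-"
                   for p, m in zip(entry.perms, mask))


def has_rx(perms: Optional[str]) -> bool:
    """r-x is what is needed to list and traverse a directory."""
    return perms is not None and "r" in perms and "x" in perms


def audit_snapshots(base_acl: str, snapshot_acls: Dict[str, str],
                    group: str) -> List[str]:
    """One finding per snapshot directory the group cannot browse, plus one for
    the base directory if new snapshots would not inherit access."""
    findings: List[str] = []
    if not has_rx(effective_group_perms(parse_getfacl(base_acl), group, default=True)):
        findings.append(f"base: no default ACL granting r-x to {group}; "
                        "new snapshot directories will not inherit access")
    for name, text in snapshot_acls.items():
        if not has_rx(effective_group_perms(parse_getfacl(text), group)):
            findings.append(f"{name}: {group} has no effective r-x entry")
    return findings


# Constructed sample data, copied from the getfacl listings in the question.
LOCAL_BACKUPS_ACL = r"""
# file: Local Backups/
# owner: admin
# group: administrators
user::rwx
user:admin:rwx
user:guest:---
group::rwx
group:MYDOM\domain\040users:r-x
mask::rwx
other::rwx
default:user::rwx
default:group::rwx
default:mask::rwx
default:other::rwx
"""
HOURLY0_BEFORE_ACL = "user::rwx\ngroup::rwx\nmask::rwx\nother::rwx\n"
HOURLY0_AFTER_ACL = ("user::rwx\ngroup::rwx\ngroup:MYDOM\\domain\\040users:rwx\n"
                     "mask::rwx\nother::rwx\n")

if __name__ == "__main__":
    for finding in audit_snapshots(LOCAL_BACKUPS_ACL,
                                   {"hourly.0": HOURLY0_BEFORE_ACL,
                                    "hourly.0 after setfacl": HOURLY0_AFTER_ACL},
                                   r"MYDOM\Domain Users"):
        print(finding)
```

Run against real data by piping `getfacl` output for the base directory and each snapshot directory into the two parameters of audit_snapshots; an empty findings list means every listed snapshot directory carries an effective r-x entry for the group and the base directory's default ACL will hand it to the next hourly.0 rsnapshot creates.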