无法使用 Linux ACL 探索 Samba 共享中的子目录

无法使用 Linux ACL 探索 Samba 共享中的子目录

基本问题是我有一个域连接的 QNAP,并希望通过 Samba 发布 RSnapshot 快照,以便用户可以从备份中恢复自己的文件。 (根据原始 RSnapshot HowTo:http://rsnapshot.org/rsnapshot/docs/docbook/rest.html#restoring-backups

但是,除非我设置新快照将继承的默认 ACL (setfacl -mg:MYDOM\Domain\ Users:rx),否则我根本无法浏览共享快照的内容。

RSnapshot 概述

它创建每小时/每天/每周/每月快照,并正确保留标准和扩展 Linux ACL。快照存储在以下目录中:

/share/CACHEDEV1_DATA/Local Backups

为了防止权限发生更改,我清除了该目录的默认 ACL,并简单地设置了默认权限。权限是:

# ls -al
drwxrwxrwx    4 admin    administ      4096 Nov 22 17:00 Local Backups/

# getfacl Local\ Backups/
# file: Local Backups/
# owner: admin
# group: administrators
user::rwx
user:admin:rwx
user:guest:---
group::rwx
group:MYDOM\domain\040users:r-x
mask::rwx
other::rwx
default:user::rwx
default:group::rwx
default:mask::rwx
default:other::rwx

这意味着快照子目录(hourly.0、hourly.1 等)的默认权限如下所示:

# cd hourly.0

# ls -al
drwxrwxrwx    3 admin    administ      4096 Nov 22 16:02 ./

# getfacl .
# file: .
# owner: admin
# group: administrators
user::rwx
group::rwx
mask::rwx
other::rwx
default:user::rwx
default:group::rwx
default:mask::rwx
default:other::rwx

至此,RSnapshot 已完全测试并按预期工作。 (如果 FS 权限或 Samba 是问题所在,那么权限相当自由。)

桑巴概述

我通过 WebGUI 创建了一个名为 LocalBackups 的共享,并查看了 smb.conf 文件,我希望它无需修改即可工作。虽然我可以很好地访问 LocalBackups 目录,但每次我尝试访问备份(即 hour.0、hourly.1 等)时,我都会收到错误消息“您无权访问 \192.168.1.20\LocalBackups\每小时.0。

在 smb.conf 中,[global] 部分是:

[global]
# Add this, apparently Windows 7 Bug.
# acl allow execute always = yes
log level = 3
passdb backend = smbpasswd
workgroup = MYDOM
security = ADS
server string =
encrypt passwords = Yes
username level = 0
#map to guest = Bad User
null passwords = yes
max log size = 10
socket options = TCP_NODELAY SO_KEEPALIVE
os level = 20
preferred master = no
dns proxy = No
smb passwd file=/etc/config/smbpasswd
username map = /etc/config/smbusers
guest account = guest
directory mask = 0777
create mask = 0777
oplocks = yes
locking = yes
disable spoolss = no
load printers = yes
veto files = /.AppleDB/.AppleDouble/.AppleDesktop/:2eDS_Store/Network Trash Folder/Temporary Items/TheVolumeSettingsFolder/.@__thumb/.@__desc/:2e*/.@__qini/.Qsync/.@upload_cache/.qsync/.qsync_sn/.@qsys/.streams/.digest/
delete veto files = yes
map archive = no
map system = no
map hidden = no
map read only = no
deadtime = 10
server role = auto
use sendfile = yes
unix extensions = no
store dos attributes = yes
client ntlmv2 auth = yes
dos filetime resolution = no
wide links = yes
#force unknown acl user = yes
force unknown acl user = yes
template homedir = /share/homes/DOMAIN=%D/%U
inherit acls = yes
domain logons = no
min receivefile size = 256
case sensitive = auto
domain master = auto
local master = no
enhance acl v1 = yes
remove everyone = yes
conn log = no
kernel oplocks = no
max protocol = SMB2_10
smb2 leases = yes
durable handles = yes
kernel share modes = no
posix locking = no
lock directory = /share/CACHEDEV1_DATA/.samba/lock
state directory = /share/CACHEDEV1_DATA/.samba/state
cache directory = /share/CACHEDEV1_DATA/.samba/cache
printcap cache time = 0
acl allow execute always = yes
server signing = disabled
aio read size = 1
aio write size = 0
streams_depot:delete_lost = yes
streams_depot:check_valid = no
fruit:nfs_aces = no
fruit:veto_appledouble = no
winbind expand groups = 1
pid directory = /var/lock
printcap name = /etc/printcap
printing = cups
show add printer wizard = no
realm = mydom.local
ldap timeout = 5
password server = mydc001.mydom.local
pam password change = yes
winbind enum users = Yes
winbind enum groups = Yes
winbind cache time = 3600
idmap config * : backend = tdb
idmap config * : range = 400001-500000
idmap config MYDOM : backend = rid
idmap config MYDOM : range = 10000001-20000000
host msdfs = yes
vfs objects =  shadow_copy2 acl_xattr catia fruit qnap_macea streams_depot aio_pthread

[LocalBackups] 部分是:

[LocalBackups]
comment =
path = /share/CACHEDEV1_DATA/Local Backups
browsable = yes
oplocks = yes
ftp write only = no
recycle bin = no
recycle bin administrators only = no
qbox = no
public = yes
#invalid users = "guest"
#read list = @"MYDOM\Domain Users"
#write list = "admin"
#valid users = "root","admin",@"MYDOM\Domain Users"
guest ok = yes
read only = yes
inherit permissions = no
shadow:snapdir = /share/CACHEDEV1_DATA/_.share/LocalBackups/.snapshot
shadow:basedir = /share/CACHEDEV1_DATA/Local Backups
shadow:sort = desc
shadow:format = @GMT-%Y.%m.%d-%H:%M:%S
smb encrypt = disabled
strict allocate = yes
streams_depot:check_valid = yes
mangled names = yes
admin users =
admin only = "admin"
#nt acl support = no

使用此配置,我可以进入LocalBackupds目录,但无法进入任何快照子目录,即hourly.0、hourly.1等。

注释掉的行是我试图查看是否有区别的东西,但行为与注释掉的行一致或没有注释掉的行一致。

如果我更改快照目录之一(即 hourly.0)上的 ACL 以包含 MYDOM\Domain Users,我就可以通过 Samba 进入该目录(即 hourly.0)。那么该目录的权限是:

# cd hourly.0

# ls -al
drwxrwxrwx    3 admin    administ      4096 Nov 22 18:00 ./

# getfacl .
# file: .
# owner: admin
# group: administrators
user::rwx
group::rwx
group:MYDOM\domain\040users:rwx
mask::rwx
other::rwx
default:user::rwx
default:group::rwx
default:mask::rwx
default:other::rwx

目前我还无法弄清楚如何在 QNAP 上启用正确的日志记录。从基本的 WebUI 日志信息中,我可以看到 SMB 连接请求与我的用户名等一起传递。我倾向于 Samba 配置比 FS 权限更严格,但我猜测。

在这个阶段,我不确定我对 ACL、Samba 或两者的了解是否让我失望。有任何想法吗?

答案1

我没有尝试通过 Samba 解决此问题,而是将 samba 配置重置为 QNAP 创建的默认值。 (即取消注释掉注释掉的行。从长远来看,这似乎也更安全,因为smb.conf如果我自己或其他管理员创建新共享等,Web GUI 可能会覆盖调整后的文件。)

然后,我更改文件系统权限,为组添加扩展 ACL,MYDOM\Domain Users并读取r+x目录:

/share
/share/CACHEDEV1_DATA
/share/CACHEDEV1_DATA/homes

这样,当文件备份时,域用户可以一直导航到该homes目录。然而,由于没有从快照目录 ( /share/CACHEDEV1_DATA/Local Backups) 继承的默认 ACL,并且用户的主目录也没有更改,因此只有原始用户可以访问自己的主目录。

R快照更改

我认为扩展 ACL 被保留了。事实并非如此,它只是看起来正确,因为主目录的标准 ACL 是使用域用户和组设置的。因此标准 ACL 被保留,但扩展的 ACL 未被保留。为了解决这个问题,我编辑了 rsnapshot 脚本,并-A通过更改以下内容将标志添加到 rsync:

my $default_rsync_short_args = '-a';

my $default_rsync_short_args = '-aA';

create_backup_point_dir为了修复对快照目录(即 hourly.0 等)的访问,我还通过在函数底部添加以下内容来对函数进行权限更改:

system("setfacl -m g:MYDOM\\\\Domain\\ Users:rx \"$destpath\"");

现在它可以按预期工作,用户可以从备份中恢复自己的私人文件。 :)

完成更多测试后,我将尝试将其纳入 rsnapshot 补丁中。

相关内容