The basic problem is that I have a domain-joined QNAP and want to publish RSnapshot snapshots via Samba so that users can restore their own files from the backups. (As per the original RSnapshot HowTo: http://rsnapshot.org/rsnapshot/docs/docbook/rest.html#restoring-backups)
However, unless I set a default ACL that new snapshots will inherit (setfacl -mg:MYDOM\Domain\ Users:rx), I cannot browse the contents of the shared snapshots at all.
RSnapshot overview
It creates hourly/daily/weekly/monthly snapshots and correctly preserves standard and extended Linux ACLs. The snapshots are stored in the directory:
/share/CACHEDEV1_DATA/Local Backups
To stop the permissions from changing, I cleared the default ACL on this directory and simply set default permissions. The permissions are:
# ls -al
drwxrwxrwx 4 admin administ 4096 Nov 22 17:00 Local Backups/
# getfacl Local\ Backups/
# file: Local Backups/
# owner: admin
# group: administrators
user::rwx
user:admin:rwx
user:guest:---
group::rwx
group:MYDOM\domain\040users:r-x
mask::rwx
other::rwx
default:user::rwx
default:group::rwx
default:mask::rwx
default:other::rwx
This means the default permissions of the snapshot subdirectories (hourly.0, hourly.1, etc.) look like this:
# cd hourly.0
# ls -al
drwxrwxrwx 3 admin administ 4096 Nov 22 16:02 ./
# getfacl .
# file: .
# owner: admin
# group: administrators
user::rwx
group::rwx
mask::rwx
other::rwx
default:user::rwx
default:group::rwx
default:mask::rwx
default:other::rwx
At this point RSnapshot is fully tested and works as expected. (The permissions are fairly liberal, in case FS permissions or Samba turn out to be the problem.)
Samba overview
I created a share named LocalBackups via the WebGUI and looked at the smb.conf file, which I expected to work without modification. While I can access the LocalBackups directory fine, every time I try to access a backup (i.e. hourly.0, hourly.1, etc.) I get the error "You do not have permission to access \\192.168.1.20\LocalBackups\hourly.0".
In smb.conf, the [global] section is:
[global]
# Add this, apparently Windows 7 Bug.
# acl allow execute always = yes
log level = 3
passdb backend = smbpasswd
workgroup = MYDOM
security = ADS
server string =
encrypt passwords = Yes
username level = 0
#map to guest = Bad User
null passwords = yes
max log size = 10
socket options = TCP_NODELAY SO_KEEPALIVE
os level = 20
preferred master = no
dns proxy = No
smb passwd file=/etc/config/smbpasswd
username map = /etc/config/smbusers
guest account = guest
directory mask = 0777
create mask = 0777
oplocks = yes
locking = yes
disable spoolss = no
load printers = yes
veto files = /.AppleDB/.AppleDouble/.AppleDesktop/:2eDS_Store/Network Trash Folder/Temporary Items/TheVolumeSettingsFolder/.@__thumb/.@__desc/:2e*/.@__qini/.Qsync/.@upload_cache/.qsync/.qsync_sn/.@qsys/.streams/.digest/
delete veto files = yes
map archive = no
map system = no
map hidden = no
map read only = no
deadtime = 10
server role = auto
use sendfile = yes
unix extensions = no
store dos attributes = yes
client ntlmv2 auth = yes
dos filetime resolution = no
wide links = yes
#force unknown acl user = yes
force unknown acl user = yes
template homedir = /share/homes/DOMAIN=%D/%U
inherit acls = yes
domain logons = no
min receivefile size = 256
case sensitive = auto
domain master = auto
local master = no
enhance acl v1 = yes
remove everyone = yes
conn log = no
kernel oplocks = no
max protocol = SMB2_10
smb2 leases = yes
durable handles = yes
kernel share modes = no
posix locking = no
lock directory = /share/CACHEDEV1_DATA/.samba/lock
state directory = /share/CACHEDEV1_DATA/.samba/state
cache directory = /share/CACHEDEV1_DATA/.samba/cache
printcap cache time = 0
acl allow execute always = yes
server signing = disabled
aio read size = 1
aio write size = 0
streams_depot:delete_lost = yes
streams_depot:check_valid = no
fruit:nfs_aces = no
fruit:veto_appledouble = no
winbind expand groups = 1
pid directory = /var/lock
printcap name = /etc/printcap
printing = cups
show add printer wizard = no
realm = mydom.local
ldap timeout = 5
password server = mydc001.mydom.local
pam password change = yes
winbind enum users = Yes
winbind enum groups = Yes
winbind cache time = 3600
idmap config * : backend = tdb
idmap config * : range = 400001-500000
idmap config MYDOM : backend = rid
idmap config MYDOM : range = 10000001-20000000
host msdfs = yes
vfs objects = shadow_copy2 acl_xattr catia fruit qnap_macea streams_depot aio_pthread
The [LocalBackups] section is:
[LocalBackups]
comment =
path = /share/CACHEDEV1_DATA/Local Backups
browsable = yes
oplocks = yes
ftp write only = no
recycle bin = no
recycle bin administrators only = no
qbox = no
public = yes
#invalid users = "guest"
#read list = @"MYDOM\Domain Users"
#write list = "admin"
#valid users = "root","admin",@"MYDOM\Domain Users"
guest ok = yes
read only = yes
inherit permissions = no
shadow:snapdir = /share/CACHEDEV1_DATA/_.share/LocalBackups/.snapshot
shadow:basedir = /share/CACHEDEV1_DATA/Local Backups
shadow:sort = desc
shadow:format = @GMT-%Y.%m.%d-%H:%M:%S
smb encrypt = disabled
strict allocate = yes
streams_depot:check_valid = yes
mangled names = yes
admin users =
admin only = "admin"
#nt acl support = no
With this configuration I can enter the LocalBackups directory, but not any of the snapshot subdirectories, i.e. hourly.0, hourly.1, etc.
The commented-out lines are things I tried to see whether they made a difference, but the behaviour is the same with or without them.
If I change the ACL on one of the snapshot directories (i.e. hourly.0) to include MYDOM\Domain Users, I can enter that directory (i.e. hourly.0) via Samba. The permissions on that directory are then:
# cd hourly.0
# ls -al
drwxrwxrwx 3 admin administ 4096 Nov 22 18:00 ./
# getfacl .
# file: .
# owner: admin
# group: administrators
user::rwx
group::rwx
group:MYDOM\domain\040users:rwx
mask::rwx
other::rwx
default:user::rwx
default:group::rwx
default:mask::rwx
default:other::rwx
So far I have not been able to figure out how to enable proper logging on the QNAP. From the basic WebUI log information I can see the SMB connection request coming through with my username etc. I lean towards the Samba configuration being stricter than the FS permissions, but I am guessing.
At this stage I am not sure whether it is my knowledge of ACLs, Samba, or both that is letting me down. Any ideas?
Answer 1
Rather than trying to solve this through Samba, I reset the samba configuration to the defaults QNAP created (i.e. uncommented the commented-out lines). In the long run this also seems safer, since the Web GUI may overwrite a tweaked smb.conf if I or another admin create a new share etc.)
Then I changed the filesystem permissions, adding an extended ACL for the group MYDOM\Domain Users with read and execute (r+x) on the directories:
/share
/share/CACHEDEV1_DATA
/share/CACHEDEV1_DATA/homes
This way, once the files are backed up, domain users can navigate all the way down to the homes directory. However, since there is no default ACL inherited from the snapshot directory (/share/CACHEDEV1_DATA/Local Backups), and the users' home directories were not changed, only the original user can access their own home directory.
RSnapshot changes
I thought the extended ACLs were being preserved. That was not the case; it only looked correct because the standard ACLs of the home directories are set using domain users and groups. So the standard ACL was preserved, but the extended ACL was not. To fix this I edited the rsnapshot script and added the -A flag to rsync by changing:
my $default_rsync_short_args = '-a';
to
my $default_rsync_short_args = '-aA';
To fix access to the snapshot directories (i.e. hourly.0 etc.) I also made a permissions change in the create_backup_point_dir function, by adding the following at the bottom of the function:
system("setfacl -m g:MYDOM\\\\Domain\\ Users:rx \"$destpath\"");
Now it works as expected and users can restore their own private files from the backups. :)
Once I have done some more testing I will try to get this into an rsnapshot patch.
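As an added example (not code from the question, the answer or the rsnapshot project), the following Python script parses getfacl listings like the ones shown in the question and reports two things for the domain group, spelled the way getfacl prints it: whether the group can traverse the directory once the ACL mask is applied, and whether the default ACL will pass the entry on to the hourly.N directories rsnapshot creates, which is the gap the answer identifies. The sample listings are copied from the question; the function names and the MYDOM\domain users constant are my own.

```python
import re

# Constructed sample inputs: getfacl listings as shown in the question.
# Top-level snapshot directory: the domain group has r-x in the access ACL,
# but no entry in the default ACL, so new hourly.N directories won't inherit it.
LOCAL_BACKUPS_ACL = r"""
# file: Local Backups/
# owner: admin
# group: administrators
user::rwx
user:admin:rwx
user:guest:---
group::rwx
group:MYDOM\domain\040users:r-x
mask::rwx
other::rwx
default:user::rwx
default:group::rwx
default:mask::rwx
default:other::rwx
"""

# A freshly created hourly.0 before the fix: no entry for the domain group at all.
HOURLY_UNFIXED_ACL = r"""
# file: .
# owner: admin
# group: administrators
user::rwx
group::rwx
mask::rwx
other::rwx
default:user::rwx
default:group::rwx
default:mask::rwx
default:other::rwx
"""

# Assumed name: getfacl lower-cases the winbind name and writes the space as \040.
DOMAIN_USERS = "MYDOM\\domain users"

_OCTAL = re.compile(r"\\([0-7]{3})")


def unescape_qualifier(name):
    """Undo getfacl's \\ooo octal escaping of qualifiers (e.g. \\040 -> space)."""
    return _OCTAL.sub(lambda m: chr(int(m.group(1), 8)), name)


def parse_getfacl(text):
    """Parse getfacl output into (access, default) dicts keyed by (tag, qualifier)."""
    access, default = {}, {}
    for raw in text.splitlines():
        # '# file:' headers and '#effective:' annotations are comments; drop them.
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        target = access
        if line.startswith("default:"):
            target = default
            line = line[len("default:"):]
        head, perms = line.rsplit(":", 1)          # perms is the last field
        tag, qualifier = head.split(":", 1)        # tag is user/group/mask/other
        target[(tag, unescape_qualifier(qualifier))] = perms
    return access, default


def effective(entries, key):
    """Effective permissions of one entry: the mask caps named users, named groups
    and the owning group; the owner and 'other' entries are never masked."""
    perms = entries.get(key)
    if perms is None:
        return None
    tag, qualifier = key
    mask = entries.get(("mask", ""))
    if mask is not None and (tag == "group" or (tag == "user" and qualifier)):
        perms = "".join(p if p == m else "-" for p, m in zip(perms, mask))
    return perms


def can_traverse(acl_text, group):
    """True when the group can list and enter the directory (r and x after the mask)."""
    access, _ = parse_getfacl(acl_text)
    eff = effective(access, ("group", group))
    return eff is not None and eff[0] == "r" and eff[2] == "x"


def will_inherit(acl_text, group):
    """True when subdirectories created here receive an r-x entry for the group."""
    _, default = parse_getfacl(acl_text)
    eff = effective(default, ("group", group))
    return eff is not None and eff[0] == "r" and eff[2] == "x"


if __name__ == "__main__":
    for name, text in (("Local Backups", LOCAL_BACKUPS_ACL), ("hourly.0", HOURLY_UNFIXED_ACL)):
        print(f"{name}: traverse={can_traverse(text, DOMAIN_USERS)} "
              f"inherit={will_inherit(text, DOMAIN_USERS)}")
```

Run against real output with `getfacl /share/CACHEDEV1_DATA/Local\ Backups` piped in, the script flags exactly the situation in the question: the top-level directory is traversable but its default ACL carries no entry for the group, so every hourly.N that rsnapshot creates comes out without one until the setfacl call in create_backup_point_dir adds it.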