source: vendor/3.6.0/docs/htmldocs/Samba3-HOWTO/VFS.html

Last change on this file was 740, checked in by Silvan Scherrer, 13 years ago

Samba Server: update vendor to 3.6.0
File size: 44.0 KB
Line 
1<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 23. Stackable VFS modules</title><link rel="stylesheet" href="../samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.75.2"><link rel="home" href="index.html" title="The Official Samba 3.5.x HOWTO and Reference Guide"><link rel="up" href="optional.html" title="Part III. Advanced Configuration"><link rel="prev" href="CUPS-printing.html" title="Chapter 22. CUPS Printing Support"><link rel="next" href="winbind.html" title="Chapter 24. Winbind: Use of Domain Accounts"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 23. Stackable VFS modules</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="CUPS-printing.html">Prev</a> </td><th width="60%" align="center">Part III. Advanced Configuration</th><td width="20%" align="right"> <a accesskey="n" href="winbind.html">Next</a></td></tr></table><hr></div><div class="chapter" title="Chapter 23. Stackable VFS modules"><div class="titlepage"><div><div><h2 class="title"><a name="VFS"></a>Chapter 23. Stackable VFS modules</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Jelmer</span> <span class="othername">R.</span> <span class="surname">Vernooij</span></h3><div class="affiliation"><span class="orgname">The Samba Team<br></span><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:jelmer@samba.org">jelmer@samba.org</a>&gt;</code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:jht@samba.org">jht@samba.org</a>&gt;</code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Tim</span> <span class="surname">Potter</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:tpot@samba.org">tpot@samba.org</a>&gt;</code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Simo</span> <span class="surname">Sorce</span></h3><span class="contrib">original vfs_skel README</span> </div></div><div><div class="author"><h3 class="author"><span class="firstname">Alexander</span> <span class="surname">Bokovoy</span></h3><span class="contrib">original vfs_netatalk docs</span> </div></div><div><div class="author"><h3 class="author"><span class="firstname">Stefan</span> <span class="surname">Metzmacher</span></h3><span class="contrib">Update for multiple modules</span> </div></div><div><div class="author"><h3 class="author"><span class="firstname">Ed</span> <span class="surname">Riddle</span></h3><span class="contrib">original shadow_copy docs</span> </div></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="VFS.html#id414711">Features and Benefits</a></span></dt><dt><span class="sect1"><a href="VFS.html#id414746">Discussion</a></span></dt><dt><span class="sect1"><a href="VFS.html#id415127">Included Modules</a></span></dt><dd><dl><dt><span class="sect2"><a href="VFS.html#id415132">audit</a></span></dt><dt><span class="sect2"><a href="VFS.html#id415172">default_quota</a></span></dt><dt><span class="sect2"><a href="VFS.html#id415364">extd_audit</a></span></dt><dt><span class="sect2"><a href="VFS.html#fakeperms">fake_perms</a></span></dt><dt><span class="sect2"><a href="VFS.html#id415677">recycle</a></span></dt><dt><span class="sect2"><a href="VFS.html#id416047">netatalk</a></span></dt><dt><span class="sect2"><a href="VFS.html#id416094">shadow_copy</a></span></dt></dl></dd><dt><span class="sect1"><a href="VFS.html#id416927">VFS Modules Available Elsewhere</a></span></dt><dd><dl><dt><span class="sect2"><a href="VFS.html#id416949">DatabaseFS</a></span></dt><dt><span class="sect2"><a href="VFS.html#id417002">vscan</a></span></dt><dt><span class="sect2"><a href="VFS.html#id417038">vscan-clamav</a></span></dt></dl></dd></dl></div><div class="sect1" title="Features and Benefits"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id414711"></a>Features and Benefits</h2></div></div></div><p>
2<a class="indexterm" name="id414719"></a>
3<a class="indexterm" name="id414728"></a>
4<a class="indexterm" name="id414734"></a>
5Stackable VFS (Virtual File System) modules support was new to Samba-3 and has proven quite popular. Samba
6passes each request to access the UNIX file system through the loaded VFS modules. This chapter covers the
7modules that come with the Samba source and provides references to some external modules.
8</p></div><div class="sect1" title="Discussion"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id414746"></a>Discussion</h2></div></div></div><p>
9<a class="indexterm" name="id414754"></a>
10<a class="indexterm" name="id414760"></a>
11If not supplied with your platform distribution binary Samba package, you may have problems compiling these
12modules, as shared libraries are compiled and linked in different ways on different systems. They currently
13have been tested against GNU/Linux and IRIX.
14</p><p>
15<a class="indexterm" name="id414773"></a>
16<a class="indexterm" name="id414780"></a>
17<a class="indexterm" name="id414786"></a>
18To use the VFS modules, create a share similar to the one below. The important parameter is the <a class="link" href="smb.conf.5.html#VFSOBJECTS" target="_top">vfs objects</a> parameter where you can list one or more VFS modules by name. For example, to log all
19access to files and put deleted files in a recycle bin, see <a class="link" href="VFS.html#vfsrecyc" title="Example 23.1. smb.conf with VFS modules">the smb.conf with VFS
20modules example</a>:
21</p><div class="example"><a name="vfsrecyc"></a><p class="title"><b>Example 23.1. smb.conf with VFS modules</b></p><div class="example-contents"><table border="0" summary="Simple list" class="simplelist"><tr><td> </td></tr><tr><td><em class="parameter"><code>[audit]</code></em></td></tr><tr><td><a class="indexterm" name="id414840"></a><em class="parameter"><code>comment = Audited /data directory</code></em></td></tr><tr><td><a class="indexterm" name="id414851"></a><em class="parameter"><code>path = /data</code></em></td></tr><tr><td><a class="indexterm" name="id414863"></a><em class="parameter"><code>vfs objects = audit recycle</code></em></td></tr><tr><td><a class="indexterm" name="id414874"></a><em class="parameter"><code>writeable = yes</code></em></td></tr><tr><td><a class="indexterm" name="id414886"></a><em class="parameter"><code>browseable = yes</code></em></td></tr></table></div></div><br class="example-break"><p>
22<a class="indexterm" name="id414900"></a>
23<a class="indexterm" name="id414907"></a>
24<a class="indexterm" name="id414914"></a>
25The modules are used in the order in which they are specified. Let's say that you want to both have a virus
26scanner module and a recycle bin module. It is wise to put the virus scanner module as the first one so that
27it is the first to get run and may detect a virus immediately, before any action is performed on that file.
28<a class="link" href="smb.conf.5.html#VFSOBJECTS" target="_top">vfs objects = vscan-clamav recycle</a>
29</p><p>
30<a class="indexterm" name="id414938"></a>
31<a class="indexterm" name="id414944"></a>
32Samba will attempt to load modules from the <code class="filename">/lib</code> directory in the root directory of the
33Samba installation (usually <code class="filename">/usr/lib/samba/vfs</code> or
34<code class="filename">/usr/local/samba/lib/vfs</code>).
35</p><p>
36<a class="indexterm" name="id414973"></a>
37<a class="indexterm" name="id414980"></a>
38<a class="indexterm" name="id414986"></a>
39<a class="indexterm" name="id414993"></a>
40Some modules can be used twice for the same share. This can be done using a configuration similar to the one
41shown in <a class="link" href="VFS.html#multimodule" title="Example 23.2. smb.conf with multiple VFS modules">the smb.conf with multiple VFS modules</a>.
42
43</p><div class="example"><a name="multimodule"></a><p class="title"><b>Example 23.2. smb.conf with multiple VFS modules</b></p><div class="example-contents"><table border="0" summary="Simple list" class="simplelist"><tr><td> </td></tr><tr><td><em class="parameter"><code>[test]</code></em></td></tr><tr><td><a class="indexterm" name="id415032"></a><em class="parameter"><code>comment = VFS TEST</code></em></td></tr><tr><td><a class="indexterm" name="id415043"></a><em class="parameter"><code>path = /data</code></em></td></tr><tr><td><a class="indexterm" name="id415055"></a><em class="parameter"><code>writeable = yes</code></em></td></tr><tr><td><a class="indexterm" name="id415066"></a><em class="parameter"><code>browseable = yes</code></em></td></tr><tr><td><a class="indexterm" name="id415078"></a><em class="parameter"><code>vfs objects = example:example1 example example:test</code></em></td></tr><tr><td><a class="indexterm" name="id415089"></a><em class="parameter"><code>example1: parameter = 1</code></em></td></tr><tr><td><a class="indexterm" name="id415101"></a><em class="parameter"><code>example: parameter = 5</code></em></td></tr><tr><td><a class="indexterm" name="id415112"></a><em class="parameter"><code>test: parameter = 7</code></em></td></tr></table></div></div><p><br class="example-break">
44</p></div><div class="sect1" title="Included Modules"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id415127"></a>Included Modules</h2></div></div></div><div class="sect2" title="audit"><div class="titlepage"><div><div><h3 class="title"><a name="id415132"></a>audit</h3></div></div></div><p>
45<a class="indexterm" name="id415140"></a>
46 A simple module to audit file access to the syslog facility. The following operations are logged:
47 </p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>share</p></li><li class="listitem"><p>connect/disconnect</p></li><li class="listitem"><p>directory opens/create/remove</p></li><li class="listitem"><p>file open/close/rename/unlink/chmod</p></li></ul></div><p>
48 </p></div><div class="sect2" title="default_quota"><div class="titlepage"><div><div><h3 class="title"><a name="id415172"></a>default_quota</h3></div></div></div><p>
49 This module allows the default quota values, in the windows explorer GUI, to be stored on a Samba-3 server.
50 The challenge is that linux filesystems only store quotas for users and groups, but no default quotas.
51 </p><p>
52 Samba returns NO_LIMIT as the default quotas by default and refuses to update them. With this module you
53 can store the default quotas that are reported to a windows client, in the quota record of a user. By
54 default the root user is taken because quota limits for root are typically not enforced.
55 </p><p>
56 This module takes 2 parametric entries in the <code class="filename">smb.conf</code> file. The default prefix for each is the
57 <span class="quote">&#8220;<span class="quote">default_quota</span>&#8221;</span>. This can be overwrittem when you load the module in the <span class="emphasis"><em>vfs
58 modules</em></span> parameter like this:
59</p><pre class="screen">
60vfs objects = default_quota:myprefix
61</pre><p>
62 </p><p>
63 The parametric entries that may be specified for the default_quotas module are:
64 </p><div class="variablelist"><dl><dt><span class="term">myprefix:uid</span></dt><dd><p>
65 This parameter takes a integer argument that specifies the uid of the quota record that will be
66 used for storing the default user quotas.
67 </p><p>
68 The default value is 0 (for root user). An example of use is:
69</p><pre class="screen">
70vfs objects = default_quota
71default_quota: uid = 65534
72</pre><p>
73 The above demonstrates the case where the <code class="constant">myprefix</code> was omitted, thus the
74 default prefix is the name of the module. When a <code class="constant">myprefix</code> parameter is
75 specified the above can be re-written like this:
76</p><pre class="screen">
77vfs objects = default_quota:myprefix
78myprefix: uid = 65534
79</pre><p>
80 </p></dd><dt><span class="term">myprefix:uid nolimit</span></dt><dd><p>
81 This parameter takes a boolean argument that specifies if the stored default quota values also be
82 reported for the user record, or if the value <code class="constant">NO_LIMIT</code> should be reported to
83 the windows client for the user specified by the <em class="parameter"><code>prefix:uid</code></em> parameter.
84 </p><p>
85 The default value is <code class="constant">yes</code> (which means to report NO_LIMIT). An example of use
86 is shown here:
87</p><pre class="screen">
88vfs objects = default_quota:myprefix
89myprefix: uid nolimit = no
90</pre><p>
91 </p></dd><dt><span class="term">myprefix:gid</span></dt><dd><p>
92 This parameter takes an integer argument, it's just like the <em class="parameter"><code>prefix&gt;:uid</code></em> but
93 for group quotas. NOTE: group quotas are not supported from the windows explorer.
94 </p><p>
95 The default value is 0 (for root group). An example of use is shown here:
96</p><pre class="screen">
97vfs objects = default_quota
98default_quota: gid = 65534
99</pre><p>
100 </p></dd><dt><span class="term">myprefix:gid nolimit</span></dt><dd><p>
101 This parameter takes a boolean argument, just like the <em class="parameter"><code>prefix&gt;:uid nolimit</code></em>
102 but for group quotas. NOTE: group quotas are not supported from the windows explorer.
103 </p><p>
104 The default value is <code class="constant">yes</code> (which means to report NO_LIMIT). An example of use
105 is shown here:
106</p><pre class="screen">
107vfs objects = default_quota
108default_quota: uid nolimit = no
109</pre><p>
110 </p></dd></dl></div><p>
111 An example of use of multiple parametric specifications is shown here:
112</p><pre class="screen">
113...
114vfs objects = default_quota:quotasettings
115quotasettings: uid nolimit = no
116quotasettings: gid = 65534
117quotasettings: gid nolimit = no
118...
119</pre><p>
120 </p></div><div class="sect2" title="extd_audit"><div class="titlepage"><div><div><h3 class="title"><a name="id415364"></a>extd_audit</h3></div></div></div><p>
121<a class="indexterm" name="id415372"></a>
122<a class="indexterm" name="id415379"></a>
123<a class="indexterm" name="id415386"></a>
124 This module is identical with the <code class="literal">audit</code> module above except
125 that it sends audit logs to both syslog as well as the <code class="literal">smbd</code> log files. The
126 <a class="link" href="smb.conf.5.html#LOGLEVEL" target="_top">log level</a> for this module is set in the <code class="filename">smb.conf</code> file.
127 </p><p>
128 Valid settings and the information that will be recorded are shown in <a class="link" href="VFS.html#xtdaudit" title="Table 23.1. Extended Auditing Log Information">the next table</a>.
129 </p><div class="table"><a name="xtdaudit"></a><p class="title"><b>Table 23.1. Extended Auditing Log Information</b></p><div class="table-contents"><table summary="Extended Auditing Log Information" border="1"><colgroup><col><col></colgroup><thead><tr><th align="center">Log Level</th><th align="center">Log Details - File and Directory Operations</th></tr></thead><tbody><tr><td align="center">0</td><td align="left">Make Directory, Remove Directory, Unlink</td></tr><tr><td align="center">1</td><td align="left">Open Directory, Rename File, Change Permissions/ACLs</td></tr><tr><td align="center">2</td><td align="left">Open &amp; Close File</td></tr><tr><td align="center">10</td><td align="left">Maximum Debug Level</td></tr></tbody></table></div></div><br class="table-break"><div class="sect3" title="Configuration of Auditing"><div class="titlepage"><div><div><h4 class="title"><a name="id415517"></a>Configuration of Auditing</h4></div></div></div><p>
130<a class="indexterm" name="id415524"></a>
131 This auditing tool is more flexible than most people will readily recognize. There are a number of ways
132 by which useful logging information can be recorded.
133 </p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>Syslog can be used to record all transaction. This can be disabled by setting
134 in the <code class="filename">smb.conf</code> file <em class="parameter"><code>syslog = 0</code></em>.</p></li><li class="listitem"><p>Logging can take place to the default log file (<code class="filename">log.smbd</code>)
135 for all loaded VFS modules just by setting in the <code class="filename">smb.conf</code> file
136 <em class="parameter"><code>log level = 0 vfs:x</code></em>, where x is the log level.
137 This will disable general logging while activating all logging of VFS
138 module activity at the log level specified.</p></li><li class="listitem"><p>Detailed logging can be obtained per user, per client machine, etc.
139 This requires the above together with the creative use of the
140 <em class="parameter"><code>log file</code></em> settings.</p><p>An example of detailed per-user and per-machine logging can
141 be obtained by setting
142 <a class="link" href="smb.conf.5.html#LOGFILE" target="_top">log file = /var/log/samba/%U.%m.log</a>.
143 </p></li></ul></div><p>
144 Auditing information often must be preserved for a long time. So that the log files do not get rotated
145 it is essential that the <a class="link" href="smb.conf.5.html#MAXLOGSIZE" target="_top">max log size = 0</a> be set
146 in the <code class="filename">smb.conf</code> file.
147 </p></div></div><div class="sect2" title="fake_perms"><div class="titlepage"><div><div><h3 class="title"><a name="fakeperms"></a>fake_perms</h3></div></div></div><p>
148<a class="indexterm" name="id415641"></a>
149<a class="indexterm" name="id415648"></a>
150<a class="indexterm" name="id415654"></a>
151<a class="indexterm" name="id415661"></a>
152 This module was created to allow Roaming Profile files and directories to be set (on the Samba server
153 under UNIX) as read only. This module will, if installed on the Profiles share, report to the client
154 that the Profile files and directories are writeable. This satisfies the client even though the files
155 will never be overwritten as the client logs out or shuts down.
156 </p></div><div class="sect2" title="recycle"><div class="titlepage"><div><div><h3 class="title"><a name="id415677"></a>recycle</h3></div></div></div><p>
157<a class="indexterm" name="id415684"></a>
158<a class="indexterm" name="id415691"></a>
159<a class="indexterm" name="id415698"></a>
160 A Recycle Bin-like module. Where used, unlink calls will be intercepted and files moved
161 to the recycle directory instead of being deleted. This gives the same effect as the
162 <span class="guiicon">Recycle Bin</span> on Windows computers.
163 </p><p>
164<a class="indexterm" name="id415716"></a>
165<a class="indexterm" name="id415722"></a>
166<a class="indexterm" name="id415729"></a>
167<a class="indexterm" name="id415736"></a>
168 The <span class="guiicon">Recycle Bin</span> will not appear in
169 <span class="application">Windows Explorer</span> views of the network
170 file system (share) nor on any mapped drive. Instead, a directory
171 called <code class="filename">.recycle</code> will be automatically created
172 when the first file is deleted and <em class="parameter"><code>recycle:repository</code></em>
173 is not configured.
174 If <em class="parameter"><code>recycle:repository</code></em> is configured, the name
175 of the created directory depends on <em class="parameter"><code>recycle:repository</code></em>.
176 Users can recover files from the recycle bin. If the
177 <em class="parameter"><code>recycle:keeptree</code></em> has been specified, deleted
178 files will be found in a path identical with that from which the
179 file was deleted.
180 </p><p>Supported options for the <code class="literal">recycle</code> module are as follow:
181 </p><div class="variablelist"><dl><dt><span class="term">recycle:repository</span></dt><dd><p>
182<a class="indexterm" name="id415809"></a>
183 Path of the directory where deleted files should be moved.
184 </p></dd><dt><span class="term">recycle:directory_mode</span></dt><dd><p>
185<a class="indexterm" name="id415827"></a>
186 Set it to the octal mode you want for the recycle directory. With
187 this mode the recycle directory will be created if it not
188 exists and the first file is deleted.
189 If <em class="parameter"><code>recycle:subdir_mode</code></em> is not set, these
190 mode also apply to sub directories.
191 If <em class="parameter"><code>directory_mode</code></em> not exists, the default
192 mode 0700 is used.
193 </p></dd><dt><span class="term">recycle:subdir_mode</span></dt><dd><p>
194<a class="indexterm" name="id415859"></a>
195 Set it to the octal mode you want for the sub directories of
196 the recycle directory. With this mode the sub directories will
197 be created.
198 If <em class="parameter"><code>recycle:subdir_mode</code></em> is not set, the
199 sub directories will be created with the mode from
200 <em class="parameter"><code>directory_mode</code></em>.
201 </p></dd><dt><span class="term">recycle:keeptree</span></dt><dd><p>
202<a class="indexterm" name="id415890"></a>
203 Specifies whether the directory structure should be kept or if the files in the directory that is being
204 deleted should be kept separately in the recycle bin.
205 </p></dd><dt><span class="term">recycle:versions</span></dt><dd><p>
206<a class="indexterm" name="id415910"></a>
207 If this option is set, two files
208 with the same name that are deleted will both
209 be kept in the recycle bin. Newer deleted versions
210 of a file will be called <span class="quote">&#8220;<span class="quote">Copy #x of <em class="replaceable"><code>filename</code></em></span>&#8221;</span>.
211 </p></dd><dt><span class="term">recycle:touch</span></dt><dd><p>
212<a class="indexterm" name="id415935"></a>
213 Specifies whether a file's access date should be touched when the file is moved to the recycle bin.
214 </p></dd><dt><span class="term">recycle:touch_mtime</span></dt><dd><p>
215<a class="indexterm" name="id415954"></a>
216 Specifies whether a file's last modify date date should be touched when the file is moved to the recycle bin.
217 </p></dd><dt><span class="term">recycle:maxsize</span></dt><dd><p>
218<a class="indexterm" name="id415973"></a>
219 Files that are larger than the number of bytes specified by this parameter will not be put into the recycle bin.
220 </p></dd><dt><span class="term">recycle:exclude</span></dt><dd><p>
221<a class="indexterm" name="id415992"></a>
222 List of files that should not be put into the recycle bin when deleted, but deleted in the regular way.
223 </p></dd><dt><span class="term">recycle:exclude_dir</span></dt><dd><p>
224<a class="indexterm" name="id416010"></a>
225 Contains a list of directories. When files from these directories are
226 deleted, they are not put into the
227 recycle bin but are deleted in the
228 regular way.
229 </p></dd><dt><span class="term">recycle:noversions</span></dt><dd><p>
230<a class="indexterm" name="id416030"></a>
231 Specifies a list of paths (wildcards such as * and ? are supported) for which no versioning
232 should be used. Only useful when <span class="emphasis"><em>recycle:versions</em></span> is enabled.
233 </p></dd></dl></div><p>
234 </p></div><div class="sect2" title="netatalk"><div class="titlepage"><div><div><h3 class="title"><a name="id416047"></a>netatalk</h3></div></div></div><p>
235<a class="indexterm" name="id416055"></a>
236 A netatalk module will ease co-existence of Samba and netatalk file sharing services.
237 </p><p>Advantages compared to the old netatalk module:
238 </p><div class="itemizedlist"><a class="indexterm" name="id416068"></a><ul class="itemizedlist" type="disc"><li class="listitem"><p>Does not care about creating .AppleDouble forks, just keeps them in sync.</p></li><li class="listitem"><p>If a share in <code class="filename">smb.conf</code> does not contain .AppleDouble item in hide or veto list, it will be added automatically.</p></li></ul></div><p>
239 </p></div><div class="sect2" title="shadow_copy"><div class="titlepage"><div><div><h3 class="title"><a name="id416094"></a>shadow_copy</h3></div></div></div><div class="warning" title="Warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p>
240<a class="indexterm" name="id416103"></a>
241 <span class="emphasis"><em>THIS IS NOT A BACKUP, ARCHIVAL, OR VERSION CONTROL SOLUTION!</em></span>
242 </p><p>
243<a class="indexterm" name="id416117"></a>
244 With Samba or Windows servers, shadow_copy is designed to be an end-user tool only. It does not replace or
245 enhance your backup and archival solutions and should in no way be considered as such. Additionally, if you
246 need version control, implement a version control system. You have been warned.
247 </p></div><p>
248 The shadow_copy module allows you to setup functionality that is similar to MS shadow copy services. When
249 setup properly, this module allows Microsoft shadow copy clients to browse "shadow copies" on Samba shares.
250 You will need to install the shadow copy client. You can get the MS shadow copy client <a class="ulink" href="http://www.microsoft.com/windowsserver2003/downloads/shadowcopyclient.mspx" target="_top">here.</a>. Note the
251 additional requirements for pre-Windows XP clients. I did not test this functionality with any pre-Windows XP
252 clients. You should be able to get more information about MS Shadow Copy <a class="ulink" href="http://www.microsoft.com/windowsserver2003/techinfo/overview/scr.mspx" target="_top">from the Microsoft's site</a>.
253 </p><p>
254<a class="indexterm" name="id416154"></a>
255<a class="indexterm" name="id416161"></a>
256<a class="indexterm" name="id416168"></a>
257<a class="indexterm" name="id416174"></a>
258<a class="indexterm" name="id416181"></a>
259<a class="indexterm" name="id416188"></a>
260 The shadow_copy VFS module requires some underlying file system setup with some sort of Logical Volume Manager
261 (LVM) such as LVM1, LVM2, or EVMS. Setting up LVM is beyond the scope of this document; however, we will
262 outline the steps we took to test this functionality for <span class="emphasis"><em>example purposes only.</em></span> You need
263 to make sure the LVM implementation you choose to deploy is ready for production. Make sure you do plenty of
264 tests.
265 </p><p>
266 Here are some common resources for LVM and EVMS:
267 </p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p><a class="ulink" href="http://www.sistina.com/products_lvm_download.htm" target="_top">Sistina's
268 LVM1 and LVM2</a></p></li><li class="listitem"><p><a class="ulink" href="http://evms.sourceforge.net/" target="_top">Enterprise Volume Management System (EVMS)</a></p></li><li class="listitem"><p><a class="ulink" href="http://tldp.org/HOWTO/LVM-HOWTO/" target="_top">The LVM HOWTO</a></p></li><li class="listitem"><p>
269 See <a class="ulink" href="http://www-106.ibm.com/developerworks/linux/library/l-lvm/" target="_top">Learning
270 Linux LVM, Part 1</a> and <a class="ulink" href="http://www-106.ibm.com/developerworks/library/l-lvm2.html" target="_top">Learning
271 Linux LWM, Part 2</a> for Daniel Robbins' well-written, two part tutorial on Linux and LVM using LVM
272 source code and reiserfs.</p></li></ul></div><div class="sect3" title="Shadow Copy Setup"><div class="titlepage"><div><div><h4 class="title"><a name="id416266"></a>Shadow Copy Setup</h4></div></div></div><p>
273<a class="indexterm" name="id416274"></a>
274<a class="indexterm" name="id416281"></a>
275 At the time of this writing, not much testing has been done. I tested the shadow copy VFS module with a
276 specific scenario which was not deployed in a production environment, but more as a proof of concept. The
277 scenario involved a Samba-3 file server on Debian Sarge with an XFS file system and LVM1. I do NOT recommend
278 you use this as a solution without doing your own due diligence with regard to all the components presented
279 here. That said, following is an basic outline of how I got things going.
280 </p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><p title="Installed Operating System"><b>Installed Operating System . </b>
281 In my tests, I used <a class="ulink" href="http://www.debian.org/devel/debian-installer/" target="_top">Debian
282 Sarge</a> (i.e., testing) on an XFS file system. Setting up the OS is a bit beyond the scope of this
283 document. It is assumed that you have a working OS capable of running Samba.
284 </p></li><li class="listitem"><p title="Install &amp; Configure Samba"><b>Install &amp; Configure Samba. </b>
285 See the <a class="link" href="introduction.html" title="Part I. General Installation">installation section</a> of this HOWTO for more detail on this.
286 It doesn't matter if it is a Domain Controller or Member File Server, but it is assumed that you have a
287 working Samba 3.0.3 or later server running.
288 </p></li><li class="listitem"><p title="Install &amp; Configure LVM"><b>Install &amp; Configure LVM. </b>
289<a class="indexterm" name="id416350"></a>
290<a class="indexterm" name="id416357"></a>
291 Before you can make shadow copies available to the client, you have to create the shadow copies. This is
292 done by taking some sort of file system snapshot. Snapshots are a typical feature of Logical Volume
293 Managers such as LVM, so we first need to have that setup.
294 </p><div class="itemizedlist"><p>
295 The following is provided as an example and will be most helpful for Debian users. Again, this was tested
296 using the "testing" or "Sarge" distribution.
297 </p><ul class="itemizedlist" type="disc"><li class="listitem"><p>
298<a class="indexterm" name="id416378"></a>
299<a class="indexterm" name="id416385"></a>
300<a class="indexterm" name="id416392"></a>
301<a class="indexterm" name="id416398"></a>
302<a class="indexterm" name="id416405"></a>
303 Install lvm10 and devfsd packages if you have not done so already. On Debian systems, you are warned of the
304 interaction of devfs and lvm1 which requires the use of devfs filenames. Running <code class="literal">apt-get update
305 &amp;&amp; apt-get install lvm10 devfsd xfsprogs</code> should do the trick for this example.
306 </p></li><li class="listitem"><p>
307<a class="indexterm" name="id416425"></a>
308<a class="indexterm" name="id416432"></a>
309<a class="indexterm" name="id416439"></a>
310<a class="indexterm" name="id416446"></a>
311<a class="indexterm" name="id416453"></a>
312 Now you need to create a volume. You will need to create a partition (or partitions) to add to your volume.
313 Use your favorite partitioning tool (e.g., Linux fdisk, cfdisk, etc.). The partition type should be set to
314 0x8e for "Linux LVM." In this example, we will use /dev/hdb1.
315 </p><p>
316<a class="indexterm" name="id416465"></a>
317<a class="indexterm" name="id416472"></a>
318<a class="indexterm" name="id416479"></a>
319 Once you have the Linux LVM partition (type 0x8e), you can run a series of commands to create the LVM volume.
320 You can use several disks and/or partitions, but we will use only one in this example. You may also need to
321 load the kernel module with something like <code class="literal">modprobe lvm-mod</code> and set your system up to load
322 it on reboot by adding it to (<code class="filename">/etc/modules</code>).
323 </p></li><li class="listitem"><p>
324<a class="indexterm" name="id416505"></a>
325 Create the physical volume with <code class="literal">pvcreate /dev/hdb1</code>
326 </p></li><li class="listitem"><p>
327<a class="indexterm" name="id416522"></a>
328<a class="indexterm" name="id416529"></a>
329 Create the volume group and add /dev/hda1 to it with <code class="literal">vgcreate shadowvol /dev/hdb1</code>
330 </p><p>
331<a class="indexterm" name="id416545"></a>
332 You can use <code class="literal">vgdisplay</code> to review information about the volume group.
333 </p></li><li class="listitem"><p>
334<a class="indexterm" name="id416563"></a>
335 Now you can create the logical volume with something like <code class="literal">lvcreate -L400M -nsh_test shadowvol</code>
336 </p><p>
337<a class="indexterm" name="id416579"></a>
338 This creates the logical volume of 400 MBs named "sh_test" in the volume group we created called shadowvol.
339 If everything is working so far, you should see them in <code class="filename">/dev/shadowvol</code>.
340 </p></li><li class="listitem"><p>
341<a class="indexterm" name="id416598"></a>
342 Now we should be ready to format the logical volume we named sh_test with <code class="literal">mkfs.xfs
343 /dev/shadowvol/sh_test</code>
344 </p><p>
345<a class="indexterm" name="id416615"></a>
346<a class="indexterm" name="id416621"></a>
347<a class="indexterm" name="id416628"></a>
348<a class="indexterm" name="id416635"></a>
349<a class="indexterm" name="id416642"></a>
350 You can format the logical volume with any file system you choose, but make sure to use one that allows you to
351 take advantage of the additional features of LVM such as freezing, resizing, and growing your file systems.
352 </p><p>
353<a class="indexterm" name="id416654"></a>
354<a class="indexterm" name="id416660"></a>
355<a class="indexterm" name="id416667"></a>
356 Now we have an LVM volume where we can play with the shadow_copy VFS module.
357 </p></li><li class="listitem"><p>
358<a class="indexterm" name="id416679"></a>
359<a class="indexterm" name="id416686"></a>
360<a class="indexterm" name="id416693"></a>
361 Now we need to prepare the directory with something like
362</p><pre class="screen">
363<code class="prompt">root# </code> mkdir -p /data/shadow_share
364</pre><p>
365 or whatever you want to name your shadow copy-enabled Samba share. Make sure you set the permissions so that
366 you can use it. If in doubt, use <code class="literal">chmod 777 /data/shadow_share</code> and tighten the permissions
367 once you get things working.
368 </p></li><li class="listitem"><p>
369<a class="indexterm" name="id416724"></a>
370 Mount the LVM volume using something like <code class="literal">mount /dev/shadowvol/sh_test /data/shadow_share</code>
371 </p><p>
372<a class="indexterm" name="id416740"></a>
373 You may also want to edit your <code class="filename">/etc/fstab</code> so that this partition mounts during the system boot.
374 </p></li></ul></div></li><li class="listitem"><p title="Install &amp; Configure the shadow_copy VFS Module"><b>Install &amp; Configure the shadow_copy VFS Module. </b>
375 Finally we get to the actual shadow_copy VFS module. The shadow_copy VFS module should be available in Samba
376 3.0.3 and higher. The smb.conf configuration is pretty standard. Here is our example of a share configured
377 with the shadow_copy VFS module:
378 </p><div class="example"><a name="vfsshadow"></a><p class="title"><b>Example 23.3. Share With shadow_copy VFS</b></p><div class="example-contents"><table border="0" summary="Simple list" class="simplelist"><tr><td> </td></tr><tr><td><em class="parameter"><code>[shadow_share]</code></em></td></tr><tr><td><a class="indexterm" name="id416794"></a><em class="parameter"><code>comment = Shadow Copy Enabled Share</code></em></td></tr><tr><td><a class="indexterm" name="id416805"></a><em class="parameter"><code>path = /data/shadow_share</code></em></td></tr><tr><td><a class="indexterm" name="id416817"></a><em class="parameter"><code>vfs objects = shadow_copy</code></em></td></tr><tr><td><a class="indexterm" name="id416828"></a><em class="parameter"><code>writeable = yes</code></em></td></tr><tr><td><a class="indexterm" name="id416840"></a><em class="parameter"><code>browseable = yes</code></em></td></tr></table></div></div><br class="example-break"></li><li class="listitem"><p title="Create Snapshots and Make Them Available to shadow_copy.so"><b>Create Snapshots and Make Them Available to shadow_copy.so. </b>
379<a class="indexterm" name="id416863"></a>
380<a class="indexterm" name="id416870"></a>
381<a class="indexterm" name="id416876"></a>
382 Before you can browse the shadow copies, you must create them and mount them. This will most likely be done
383 with a script that runs as a cron job. With this particular solution, the shadow_copy VFS module is used to
384 browse LVM snapshots. Those snapshots are not created by the module. They are not made available by the
385 module either. This module allows the shadow copy-enabled client to browse the snapshots you take and make
386 available.
387 </p><p>
388 Here is a simple script used to create and mount the snapshots:
389</p><pre class="screen">
390#!/bin/bash
391# This is a test, this is only a test
392SNAPNAME=`date +%Y.%m.%d-%H.%M.%S`
393xfs_freeze -f /data/shadow_share/
394lvcreate -L10M -s -n $SNAPNAME /dev/shadowvol/sh_test
395xfs_freeze -u /data/shadow_share/
396mkdir /data/shadow_share/@GMT-$SNAPNAME
397mount /dev/shadowvol/$SNAPNAME \
398 /data/shadow_share/@GMT-$SNAPNAME -onouuid,ro
399</pre><p>
400 Note that the script does not handle other things like remounting snapshots on reboot.
401 </p></li><li class="listitem"><p title="Test From Client"><b>Test From Client. </b>
402 To test, you will need to install the shadow copy client which you can obtain from the <a class="ulink" href="http://www.microsoft.com/windowsserver2003/downloads/shadowcopyclient.mspx" target="_top">Microsoft web site.</a> I
403 only tested this with an XP client so your results may vary with other pre-XP clients. Once installed, with
404 your XP client you can right-click on specific files or in the empty space of the shadow_share and view the
405 "properties." If anything has changed, then you will see it on the "Previous Versions" tab of the properties
406 window.
407 </p></li></ol></div></div></div></div><div class="sect1" title="VFS Modules Available Elsewhere"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id416927"></a>VFS Modules Available Elsewhere</h2></div></div></div><p>
408<a class="indexterm" name="id416935"></a>
409This section contains a listing of various other VFS modules that have been posted but do not currently reside
410in the Samba CVS tree for one reason or another (e.g., it is easy for the maintainer to have his or her own
411CVS tree).
412</p><p>
413No statements about the stability or functionality of any module should be implied due to its presence here.
414</p><div class="sect2" title="DatabaseFS"><div class="titlepage"><div><div><h3 class="title"><a name="id416949"></a>DatabaseFS</h3></div></div></div><p>
415<a class="indexterm" name="id416957"></a>
416URL: <a class="ulink" href="http://www.css.tayloru.edu/~elorimer/databasefs/index.php" target="_top">
417Taylors University DatabaeFS</a>
418</p><p>By <a class="ulink" href="mailto:elorimer@css.tayloru.edu" target="_top">Eric Lorimer.</a></p><p>
419I have created a VFS module that implements a fairly complete read-only filesystem. It presents information
420from a database as a filesystem in a modular and generic way to allow different databases to be used.
421(Originally designed for organizing MP3s under directories such as <span class="quote">&#8220;<span class="quote">Artists,</span>&#8221;</span> <span class="quote">&#8220;<span class="quote">Song
422Keywords,</span>&#8221;</span> and so on. I have since easily applied it to a student roster database.) The directory
423structure is stored in the database itself and the module makes no assumptions about the database structure
424beyond the table it requires to run.
425</p><p>
426Any feedback would be appreciated: comments, suggestions, patches, and so on. If nothing else, it
427might prove useful for someone else who wishes to create a virtual filesystem.
428</p></div><div class="sect2" title="vscan"><div class="titlepage"><div><div><h3 class="title"><a name="id417002"></a>vscan</h3></div></div></div><a class="indexterm" name="id417007"></a><p>URL: <a class="ulink" href="http://www.openantivirus.org/projects.php#samba-vscan" target="_top">
429Open Anti-Virus vscan</a>
430</p><p>
431<a class="indexterm" name="id417028"></a>
432samba-vscan is a proof-of-concept module for Samba, which provides on-access anti-virus support for files
433shared using Samba. samba-vscan supports various virus scanners and is maintained by Rainer Link.
434</p></div><div class="sect2" title="vscan-clamav"><div class="titlepage"><div><div><h3 class="title"><a name="id417038"></a>vscan-clamav</h3></div></div></div><p>
435Samba users have been using the RPMS from SerNet without a problem.
436OpenSUSE Linux users have also used the vscan scanner for quite some time
437with excellent results. It does impact overall write performance though.
438</p><p>
439The following share stanza is a good guide for those wanting to configure vscan-clamav:
440</p><pre class="screen">
441[share]
442vfs objects = vscan-clamav
443vscan-clamav: config-file = /etc/samba/vscan-clamav.conf
444</pre><p>
445The following example of the <code class="filename">vscan-clamav.conf</code> file may help to get this
446fully operational:
447</p><pre class="screen">
448<span style="color: red">&lt;title&gt;VFS: Vscan ClamAV Control File&lt;/title&gt;</span>
449#
450# /etc/samba/vscan-clamav.conf
451#
452
453[samba-vscan]
454; run-time configuration for vscan-samba using
455; clamd
456; all options are set to default values
457
458; do not scan files larger than X bytes. If set to 0 (default),
459; this feature is disable (i.e. all files are scanned)
460max file size = 10485760
461
462; log all file access (yes/no). If set to yes, every access will
463; be logged. If set to no (default), only access to infected files
464; will be logged
465verbose file logging = no
466
467; if set to yes (default), a file will be scanned while opening
468scan on open = yes
469; if set to yes, a file will be scanned while closing (default is yes)
470scan on close = yes
471
472; if communication to clamd fails, should access to file denied?
473; (default: yes)
474deny access on error = no
475
476; if daemon failes with a minor error (corruption, etc.),
477; should access to file denied?
478; (default: yes)
479deny access on minor error = no
480
481; send a warning message via Windows Messenger service
482; when virus is found?
483; (default: yes)
484send warning message = yes
485
486; what to do with an infected file
487; quarantine: try to move to quantine directory
488; delete: delete infected file
489; nothing: do nothing (default)
490infected file action = quarantine
491
492; where to put infected files - you really want to change this!
493quarantine directory = /opt/clamav/quarantine
494; prefix for files in quarantine
495quarantine prefix = vir-
496
497; as Windows tries to open a file multiple time in a (very) short time
498; of period, samba-vscan use a last recently used file mechanism to avoid
499; multiple scans of a file. This setting specified the maximum number of
500; elements of the last recently used file list. (default: 100)
501max lru files entries = 100
502
503; an entry is invalidad after lru file entry lifetime (in seconds).
504; (Default: 5)
505lru file entry lifetime = 5
506
507; exclude files from being scanned based on the MIME-type! Semi-colon
508; seperated list (default: empty list). Use this with care!
509exclude file types =
510
511; socket name of clamd (default: /var/run/clamd). Setting will be ignored if
512; libclamav is used
513clamd socket name = /tmp/clamd
514
515; limits, if vscan-clamav was build for using the clamav library (libclamav)
516; instead of clamd
517
518; maximum number of files in archive (default: 1000)
519libclamav max files in archive = 1000
520
521; maximum archived file size, in bytes (default: 10 MB)
522libclamav max archived file size = 5242880
523
524; maximum recursion level (default: 5)
525libclamav max recursion level = 5
526</pre><p>
527Obviously, a running clam daemon is necessary for this to work. This is a working example for me using ClamAV.
528The ClamAV documentation should provide additional configuration examples. On your system these may be located
529under the <code class="filename">/usr/share/doc/</code> directory. Some examples may also target other virus scanners,
530any of which can be used.
531</p></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="CUPS-printing.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="optional.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="winbind.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 22. CUPS Printing Support </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 24. Winbind: Use of Domain Accounts</td></tr></table></div></body></html>
Note: See TracBrowser for help on using the repository browser.