Stackable VFS modules

&author.jelmer; &author.jht; &author.tpot;
Simo Sorce (original vfs_skel README)
Alexander Bokovoy (original vfs_netatalk docs)
Stefan Metzmacher (update for multiple modules)
Ed Riddle (original shadow_copy docs)

Features and Benefits

Stackable VFS (Virtual File System) modules support was new to Samba-3 and has proven quite popular. Samba passes each request to access the UNIX file system through the loaded VFS modules. This chapter covers the modules that come with the Samba source and provides references to some external modules.

Discussion

If not supplied with your platform distribution binary Samba package, you may have problems compiling these modules, as shared libraries are compiled and linked in different ways on different systems.

To use the VFS modules, create a share similar to the one below. The important parameter is the vfs objects parameter, where you can list one or more VFS modules by name. For example, to log all access to files and put deleted files in a recycle bin, see the smb.conf with VFS modules example:

Example: smb.conf with VFS modules

    comment = Audited /data directory
    path = /data
    vfs objects = audit recycle
    writeable = yes
    browseable = yes

The modules are used in the order in which they are specified. Let's say that you want to have both a virus scanner module and a recycle bin module. It is wise to put the virus scanner module as the first one so that it is the first to get run and may detect a virus immediately, before any action is performed on that file.

    vfs objects = vscan-clamav recycle

Samba will attempt to load modules from the /lib directory in the root directory of the Samba installation (usually /usr/lib/samba/vfs or /usr/local/samba/lib/vfs).

Some modules can be used twice for the same share.
This can be done using a configuration similar to the one shown in the smb.conf with multiple VFS modules example.

Example: smb.conf with multiple VFS modules

    comment = VFS TEST
    path = /data
    writeable = yes
    browseable = yes
    vfs objects = example:example1 example example:test
    example1: parameter = 1
    example: parameter = 5
    test: parameter = 7

Included Modules

audit

A simple module to audit file access to the syslog facility. The following operations are logged:

- share connect/disconnect
- directory opens/create/remove
- file open/close/rename/unlink/chmod

default_quota

This module allows the default quota values, in the Windows Explorer GUI, to be stored on a Samba-3 server. The challenge is that Linux file systems only store quotas for users and groups, but no default quotas.

Samba returns NO_LIMIT as the default quotas by default and refuses to update them. With this module you can store the default quotas that are reported to a Windows client in the quota record of a user. By default the root user is taken because quota limits for root are typically not enforced.

This module takes 2 parametric entries in the smb.conf file. The default prefix for each is default_quota. This can be overwritten when you load the module in the vfs objects parameter like this:

    vfs objects = default_quota:myprefix

The parametric entries that may be specified for the default_quota module are:

myprefix:uid
    This parameter takes an integer argument that specifies the uid of the quota record that will be used for storing the default user quotas. The default value is 0 (for root user). An example of use is:

        vfs objects = default_quota
        default_quota: uid = 65534

    The above demonstrates the case where the myprefix was omitted, thus the default prefix is the name of the module.
    When a myprefix parameter is specified the above can be re-written like this:

        vfs objects = default_quota:myprefix
        myprefix: uid = 65534

myprefix:uid nolimit
    This parameter takes a boolean argument that specifies whether the stored default quota values are also reported for the user record, or whether the value NO_LIMIT should be reported to the Windows client for the user specified by the prefix:uid parameter. The default value is yes (which means to report NO_LIMIT). An example of use is shown here:

        vfs objects = default_quota:myprefix
        myprefix: uid nolimit = no

myprefix:gid
    This parameter takes an integer argument; it is just like prefix:uid but for group quotas. NOTE: group quotas are not supported from the Windows Explorer. The default value is 0 (for root group). An example of use is shown here:

        vfs objects = default_quota
        default_quota: gid = 65534

myprefix:gid nolimit
    This parameter takes a boolean argument, just like prefix:uid nolimit but for group quotas. NOTE: group quotas are not supported from the Windows Explorer. The default value is yes (which means to report NO_LIMIT). An example of use is shown here:

        vfs objects = default_quota
        default_quota: gid nolimit = no

An example of use of multiple parametric specifications is shown here:

    ...
    vfs objects = default_quota:quotasettings
    quotasettings: uid nolimit = no
    quotasettings: gid = 65534
    quotasettings: gid nolimit = no
    ...

extd_audit

This module is identical with the audit module above except that it sends audit logs to both syslog and the smbd log files. The log level for this module is set in the smb.conf file.

Valid settings and the information that will be recorded are shown in the next table.

Table: Extended Auditing Log Information

    Log Level   Log Details - File and Directory Operations
    0           Make Directory, Remove Directory, Unlink
    1           Open Directory, Rename File, Change Permissions/ACLs
    2           Open & Close File
    10          Maximum Debug Level
Configuration of Auditing

This auditing tool is more flexible than most people will readily recognize. There are a number of ways by which useful logging information can be recorded.

- Syslog can be used to record all transactions. This can be disabled by setting syslog = 0 in the smb.conf file.
- Logging can take place to the default log file (log.smbd) for all loaded VFS modules just by setting log level = 0 vfs:x in the smb.conf file, where x is the log level. This will disable general logging while activating all logging of VFS module activity at the log level specified.
- Detailed logging can be obtained per user, per client machine, etc. This requires the above together with the creative use of the log file settings.

An example of detailed per-user and per-machine logging can be obtained by setting log file = /var/log/samba/%U.%m.log.

Auditing information often must be preserved for a long time. So that the log files do not get rotated, it is essential that max log size = 0 be set in the smb.conf file.
fake_perms

This module was created to allow Roaming Profile files and directories to be set (on the Samba server under UNIX) as read only. This module will, if installed on the Profiles share, report to the client that the Profile files and directories are writeable. This satisfies the client even though the files will never be overwritten as the client logs out or shuts down.

recycle

A Recycle Bin-like module. Where used, unlink calls will be intercepted and files moved to the recycle directory instead of being deleted. This gives the same effect as the Recycle Bin on Windows computers.

The Recycle Bin will not appear in Windows Explorer views of the network file system (share) nor on any mapped drive. Instead, a directory called .recycle will be automatically created when the first file is deleted and recycle:repository is not configured. If recycle:repository is configured, the name of the created directory depends on recycle:repository. Users can recover files from the recycle bin. If recycle:keeptree has been specified, deleted files will be found in a path identical with that from which the file was deleted.

Supported options for the recycle module are as follows:

recycle:repository
    Path of the directory where deleted files should be moved.

recycle:directory_mode
    Set it to the octal mode you want for the recycle directory. The recycle directory is created with this mode if it does not exist when the first file is deleted. If recycle:subdir_mode is not set, this mode also applies to subdirectories. If directory_mode is not set, the default mode 0700 is used.

recycle:subdir_mode
    Set it to the octal mode you want for the subdirectories of the recycle directory. The subdirectories will be created with this mode.
    If recycle:subdir_mode is not set, the subdirectories will be created with the mode from directory_mode.

recycle:keeptree
    Specifies whether the directory structure should be kept or if the files in the directory that is being deleted should be kept separately in the recycle bin.

recycle:versions
    If this option is set, two files with the same name that are deleted will both be kept in the recycle bin. Newer deleted versions of a file will be called Copy #x of filename.

recycle:touch
    Specifies whether a file's access date should be touched when the file is moved to the recycle bin.

recycle:touch_mtime
    Specifies whether a file's last modify date should be touched when the file is moved to the recycle bin.

recycle:maxsize
    Files that are larger than the number of bytes specified by this parameter will not be put into the recycle bin.

recycle:exclude
    List of files that should not be put into the recycle bin when deleted, but deleted in the regular way.

recycle:exclude_dir
    Contains a list of directories. When files from these directories are deleted, they are not put into the recycle bin but are deleted in the regular way.

recycle:noversions
    Specifies a list of paths (wildcards such as * and ? are supported) for which no versioning should be used. Only useful when recycle:versions is enabled.

netatalk

A netatalk module will ease co-existence of Samba and netatalk file sharing services.

Advantages compared to the old netatalk module:

- Does not care about creating .AppleDouble forks, just keeps them in sync.
- If a share in smb.conf does not contain the .AppleDouble item in the hide or veto list, it will be added automatically.

shadow_copy

THIS IS NOT A BACKUP, ARCHIVAL, OR VERSION CONTROL SOLUTION!

With Samba or Windows servers, shadow_copy is designed to be an end-user tool only.
It does not replace or enhance your backup and archival solutions and should in no way be considered as such. Additionally, if you need version control, implement a version control system. You have been warned.

The shadow_copy module allows you to set up functionality that is similar to MS shadow copy services. When set up properly, this module allows Microsoft shadow copy clients to browse "shadow copies" on Samba shares. You will need to install the shadow copy client. You can get the MS shadow copy client here. Note the additional requirements for pre-Windows XP clients. I did not test this functionality with any pre-Windows XP clients. You should be able to get more information about MS Shadow Copy from Microsoft's site.

The shadow_copy VFS module requires some underlying file system setup with some sort of Logical Volume Manager (LVM) such as LVM1, LVM2, or EVMS. Setting up LVM is beyond the scope of this document; however, we will outline the steps we took to test this functionality for example purposes only. You need to make sure the LVM implementation you choose to deploy is ready for production. Make sure you do plenty of tests.

Here are some common resources for LVM and EVMS:

- Sistina's LVM1 and LVM2
- Enterprise Volume Management System (EVMS)
- The LVM HOWTO
- See Learning Linux LVM, Part 1 and Learning Linux LVM, Part 2 for Daniel Robbins' well-written, two-part tutorial on Linux and LVM using LVM source code and reiserfs.

Shadow Copy Setup

At the time of this writing, not much testing has been done. I tested the shadow copy VFS module with a specific scenario which was not deployed in a production environment, but more as a proof of concept. The scenario involved a Samba-3 file server on Debian Sarge with an XFS file system and LVM1.
I do NOT recommend you use this as a solution without doing your own due diligence with regard to all the components presented here. That said, following is a basic outline of how I got things going.

Installed Operating System

In my tests, I used Debian Sarge (i.e., testing) on an XFS file system. Setting up the OS is a bit beyond the scope of this document. It is assumed that you have a working OS capable of running Samba.

Install & Configure Samba

See the installation section of this HOWTO for more detail on this. It doesn't matter if it is a Domain Controller or Member File Server, but it is assumed that you have a working Samba 3.0.3 or later server running.

Install & Configure LVM

Before you can make shadow copies available to the client, you have to create the shadow copies. This is done by taking some sort of file system snapshot. Snapshots are a typical feature of Logical Volume Managers such as LVM, so we first need to have that set up.

The following is provided as an example and will be most helpful for Debian users. Again, this was tested using the "testing" or "Sarge" distribution.

Install the lvm10 and devfsd packages if you have not done so already. On Debian systems, you are warned of the interaction of devfs and lvm1, which requires the use of devfs filenames. Running

    apt-get update && apt-get install lvm10 devfsd xfsprogs

should do the trick for this example.

Now you need to create a volume. You will need to create a partition (or partitions) to add to your volume. Use your favorite partitioning tool (e.g., Linux fdisk, cfdisk, etc.). The partition type should be set to 0x8e for "Linux LVM." In this example, we will use /dev/hdb1.

Once you have the Linux LVM partition (type 0x8e), you can run a series of commands to create the LVM volume.
You can use several disks and/or partitions, but we will use only one in this example. You may also need to load the kernel module with something like modprobe lvm-mod and set your system up to load it on reboot by adding it to /etc/modules.

Create the physical volume with

    pvcreate /dev/hdb1

Create the volume group and add /dev/hdb1 to it with

    vgcreate shadowvol /dev/hdb1

You can use vgdisplay to review information about the volume group.

Now you can create the logical volume with something like

    lvcreate -L400M -nsh_test shadowvol

This creates the logical volume of 400 MB named "sh_test" in the volume group we created called shadowvol. If everything is working so far, you should see them in /dev/shadowvol.

Now we should be ready to format the logical volume we named sh_test with

    mkfs.xfs /dev/shadowvol/sh_test

You can format the logical volume with any file system you choose, but make sure to use one that allows you to take advantage of the additional features of LVM such as freezing, resizing, and growing your file systems.

Now we have an LVM volume where we can play with the shadow_copy VFS module.

Now we need to prepare the directory with something like

    mkdir -p /data/shadow_share

or whatever you want to name your shadow copy-enabled Samba share. Make sure you set the permissions so that you can use it. If in doubt, use chmod 777 /data/shadow_share and tighten the permissions once you get things working.

Mount the LVM volume using something like

    mount /dev/shadowvol/sh_test /data/shadow_share

You may also want to edit your /etc/fstab so that this partition mounts during the system boot.

Install & Configure the shadow_copy VFS Module

Finally we get to the actual shadow_copy VFS module. The shadow_copy VFS module should be available in Samba 3.0.3 and higher.
The smb.conf configuration is pretty standard. Here is our example of a share configured with the shadow_copy VFS module:

Example: Share With shadow_copy VFS

    comment = Shadow Copy Enabled Share
    path = /data/shadow_share
    vfs objects = shadow_copy
    writeable = yes
    browseable = yes

Create Snapshots and Make Them Available to shadow_copy.so

Before you can browse the shadow copies, you must create them and mount them. This will most likely be done with a script that runs as a cron job. With this particular solution, the shadow_copy VFS module is used to browse LVM snapshots. Those snapshots are not created by the module. They are not made available by the module either. This module allows the shadow copy-enabled client to browse the snapshots you take and make available.

Here is a simple script used to create and mount the snapshots:

    #!/bin/bash
    # This is a test, this is only a test
    # Timestamp used to name the snapshot volume and its @GMT- mount point
    SNAPNAME=`date +%Y.%m.%d-%H.%M.%S`
    # Freeze the XFS file system while the LVM snapshot is taken, then thaw it
    xfs_freeze -f /data/shadow_share/
    lvcreate -L10M -s -n $SNAPNAME /dev/shadowvol/sh_test
    xfs_freeze -u /data/shadow_share/
    # Mount the snapshot read-only inside the share
    mkdir /data/shadow_share/@GMT-$SNAPNAME
    mount /dev/shadowvol/$SNAPNAME \
          /data/shadow_share/@GMT-$SNAPNAME -onouuid,ro

Note that the script does not handle other things like remounting snapshots on reboot.

Test From Client

To test, you will need to install the shadow copy client, which you can obtain from the Microsoft web site. I only tested this with an XP client so your results may vary with other pre-XP clients. Once installed, with your XP client you can right-click on specific files or in the empty space of the shadow_share and view the "properties." If anything has changed, then you will see it on the "Previous Versions" tab of the properties window.
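The snapshot script in this section does not remount snapshots after a reboot. The following added example (not part of the original chapter or of Samba) prints the mkdir and mount commands that put existing snapshot volumes back under the share, read-only and only for volumes whose names match the script's timestamp format. It assumes the volume group shadowvol and the share path /data/shadow_share used above; the function names and the VG_DIR and SHARE variables are hypothetical.

```shell
#!/bin/sh
# Added example: plan the remount of LVM snapshots after a reboot.
# Assumed layout (from the section above): snapshots live in /dev/shadowvol
# next to the origin volume sh_test and are mounted at SHARE/@GMT-<name>.
VG_DIR=${VG_DIR:-/dev/shadowvol}
SHARE=${SHARE:-/data/shadow_share}

# is_snapshot_name NAME: succeed only for YYYY.MM.DD-HH.MM.SS, the format
# produced by the script's date call. Anything else is never mounted.
is_snapshot_name() {
    case $1 in
        [0-9][0-9][0-9][0-9].[0-9][0-9].[0-9][0-9]-[0-9][0-9].[0-9][0-9].[0-9][0-9])
            return 0 ;;
        *)
            return 1 ;;
    esac
}

# plan_remounts: print one command line per snapshot volume that is not
# mounted yet. Nothing is executed here, so the output can be reviewed.
plan_remounts() {
    for dev in "$VG_DIR"/*; do
        name=${dev##*/}
        is_snapshot_name "$name" || continue    # skips sh_test and stray names
        target="$SHARE/@GMT-$name"
        # Skip snapshots that are already mounted (Linux /proc/mounts).
        if [ -r /proc/mounts ] && grep -qF " $target " /proc/mounts; then
            continue
        fi
        printf 'mkdir -p %s && mount -o nouuid,ro %s %s\n' \
            "$target" "$dev" "$target"
    done
    return 0
}

plan_remounts
```

Review the output, then pipe it to sh as root from a boot script once the volume group is active.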
VFS Modules Available Elsewhere

This section contains a listing of various other VFS modules that have been posted but do not currently reside in the Samba CVS tree for one reason or another (e.g., it is easy for the maintainer to have his or her own CVS tree).

No statements about the stability or functionality of any module should be implied due to its presence here.

DatabaseFS

URL: Taylors University DatabaseFS

By Eric Lorimer.

I have created a VFS module that implements a fairly complete read-only filesystem. It presents information from a database as a filesystem in a modular and generic way to allow different databases to be used. (Originally designed for organizing MP3s under directories such as Artists, Song Keywords, and so on. I have since easily applied it to a student roster database.) The directory structure is stored in the database itself and the module makes no assumptions about the database structure beyond the table it requires to run.

Any feedback would be appreciated: comments, suggestions, patches, and so on. If nothing else, it might prove useful for someone else who wishes to create a virtual filesystem.

vscan

URL: Open Anti-Virus vscan

samba-vscan is a proof-of-concept module for Samba, which provides on-access anti-virus support for files shared using Samba. samba-vscan supports various virus scanners and is maintained by Rainer Link.

vscan-clamav

Samba users have been using the RPMS from SerNet without a problem. OpenSUSE Linux users have also used the vscan scanner for quite some time with excellent results. It does impact overall write performance though.
The following share stanza is a good guide for those wanting to configure vscan-clamav:

    [share]
    vfs objects = vscan-clamav
    vscan-clamav: config-file = /etc/samba/vscan-clamav.conf

The following example of the vscan-clamav.conf file may help to get this fully operational:

Example: VFS: Vscan ClamAV Control File

    #
    # /etc/samba/vscan-clamav.conf
    #

    [samba-vscan]
    ; run-time configuration for vscan-samba using
    ; clamd
    ; all options are set to default values

    ; do not scan files larger than X bytes. If set to 0 (default),
    ; this feature is disabled (i.e. all files are scanned)
    max file size = 10485760

    ; log all file access (yes/no). If set to yes, every access will
    ; be logged. If set to no (default), only access to infected files
    ; will be logged
    verbose file logging = no

    ; if set to yes (default), a file will be scanned while opening
    scan on open = yes
    ; if set to yes, a file will be scanned while closing (default is yes)
    scan on close = yes

    ; if communication to clamd fails, should access to the file be denied?
    ; (default: yes)
    deny access on error = no

    ; if the daemon fails with a minor error (corruption, etc.),
    ; should access to the file be denied?
    ; (default: yes)
    deny access on minor error = no

    ; send a warning message via Windows Messenger service
    ; when a virus is found?
    ; (default: yes)
    send warning message = yes

    ; what to do with an infected file
    ; quarantine: try to move to quarantine directory
    ; delete: delete infected file
    ; nothing: do nothing (default)
    infected file action = quarantine

    ; where to put infected files - you really want to change this!
    quarantine directory = /opt/clamav/quarantine
    ; prefix for files in quarantine
    quarantine prefix = vir-

    ; as Windows tries to open a file multiple times in a (very) short
    ; period of time, samba-vscan uses a last recently used file mechanism to
    ; avoid multiple scans of a file. This setting specifies the maximum number
    ; of elements of the last recently used file list.
    ; (default: 100)
    max lru files entries = 100
    ; an entry is invalidated after lru file entry lifetime (in seconds).
    ; (Default: 5)
    lru file entry lifetime = 5

    ; exclude files from being scanned based on the MIME-type! Semi-colon
    ; separated list (default: empty list). Use this with care!
    exclude file types =

    ; socket name of clamd (default: /var/run/clamd). Setting will be ignored if
    ; libclamav is used
    clamd socket name = /tmp/clamd

    ; limits, if vscan-clamav was built for using the clamav library (libclamav)
    ; instead of clamd

    ; maximum number of files in archive (default: 1000)
    libclamav max files in archive = 1000

    ; maximum archived file size, in bytes (default: 10 MB)
    libclamav max archived file size = 5242880

    ; maximum recursion level (default: 5)
    libclamav max recursion level = 5

Obviously, a running clam daemon is necessary for this to work. This is a working example for me using ClamAV. The ClamAV documentation should provide additional configuration examples. On your system these may be located under the /usr/share/doc/ directory. Some examples may also target other virus scanners, any of which can be used.
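A check an administrator can run against this file, as an added example that is not part of samba-vscan or of the original chapter: it reports settings that let a file through unscanned or leave an infected file in place, using the setting names and defaults stated in the file's comments above. The function names and the constructed sample are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from samba-vscan): flag vscan-clamav.conf settings that
# let a file through unscanned or leave an infected file in place.

# vscan_get FILE KEY: print the last value assigned to KEY, lower-cased.
vscan_get() {
    awk -v want="$2" '
        /^[ \t]*[;#]/ { next }              # comment lines
        {
            eq = index($0, "=")
            if (eq == 0) next               # section headers, blank lines
            key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (tolower(key) == want) found = tolower(val)
        }
        END { print found }
    ' "$1"
}

# vscan_audit FILE: print one finding per line; exit status 0 only if none.
# Table columns: setting | default per the file comments | weak value | effect
vscan_audit() {
    file=$1
    findings=0
    while IFS='|' read -r key dflt weak effect; do
        val=$(vscan_get "$file" "$key")
        [ -n "$val" ] || val=$dflt          # unset: the stated default applies
        [ "$val" = "$weak" ] || continue
        printf '%s = %s: %s\n' "$key" "$val" "$effect"
        findings=$((findings + 1))
    done <<'EOF'
deny access on error|yes|no|file is served when clamd cannot be reached
deny access on minor error|yes|no|file is served when clamd reports a minor error
scan on open|yes|no|files are not scanned when opened
scan on close|yes|no|files are not scanned when closed
infected file action|nothing|nothing|infected file stays in the share
EOF
    [ "$findings" -eq 0 ]
}

# Constructed sample: the security-relevant values from the example file above.
write_page_sample() {
    cat > "$1" <<'EOF'
[samba-vscan]
scan on open = yes
scan on close = yes
; (default: yes)
deny access on error = no
deny access on minor error = no
infected file action = quarantine
EOF
}

# Audit the file named on the command line, or the constructed sample.
conf=${1:-}
if [ -z "$conf" ]; then
    conf=$(mktemp)
    write_page_sample "$conf"
fi
vscan_audit "$conf" || echo "fail-open settings found in $conf"
```

Run against the example file, it reports the two deny access settings; a file that omits infected file action is reported as well, because the stated default is nothing.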