1 <?xml version="1.0" encoding="iso-8859-1"?>
2 <!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
3 "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [
4 <!ENTITY % global_entities SYSTEM '../entities/global.entities'>
13 <author><firstname>Simo</firstname><surname>Sorce</surname><contrib>original vfs_skel README</contrib></author>
14 <author><firstname>Alexander</firstname><surname>Bokovoy</surname><contrib>original vfs_netatalk docs</contrib></author>
15 <author><firstname>Stefan</firstname><surname>Metzmacher</surname><contrib>Update for multiple modules</contrib></author>
16 <author><firstname>Ed</firstname><surname>Riddle</surname><contrib>original shadow_copy docs</contrib></author>
18 <title>Stackable VFS modules</title>
21 <title>Features and Benefits</title>
24 Since Samba-3, there is support for stackable VFS (Virtual File System) modules.
25 Samba passes each request to access the UNIX file system through the loaded VFS modules.
26 This chapter covers all the modules that come with the Samba source and references to
27 some external modules.
34 <title>Discussion</title>
37 If not supplied with your platform distribution binary Samba package you may have problems
38 compiling these modules, as shared libraries are compiled and linked in different ways
39 on different systems. They currently have been tested against GNU/Linux and IRIX.
43 To use the VFS modules, create a share similar to the one below. The
44 important parameter is the <smbconfoption><name>vfs objects</name></smbconfoption> parameter where
45 you can list one or more VFS modules by name. For example, to log all access
46 to files and put deleted files in a recycle bin, see <link linkend="vfsrecyc">next configuration</link>:
48 <smbconfexample id="vfsrecyc">
49 <title>smb.conf with VFS modules</title>
50 <smbconfsection>[audit]</smbconfsection>
51 <smbconfoption><name>comment</name><value>Audited /data directory</value></smbconfoption>
52 <smbconfoption><name>path</name><value>/data</value></smbconfoption>
53 <smbconfoption><name>vfs objects</name><value>audit recycle</value></smbconfoption>
54 <smbconfoption><name>writeable</name><value>yes</value></smbconfoption>
55 <smbconfoption><name>browseable</name><value>yes</value></smbconfoption>
60 The modules are used in the order in which they are specified.
61 Let's say that you want to both have a virus scanner module and a recycle
62 bin module. It is wise to put the virus scanner module as the first one so
63 that it is the first that get run an may detect a virus immediately, before
64 any action is performed on that file.
65 <smbconfoption><name>vfs objects</name><value>vscan-clamav recycle</value></smbconfoption>
69 Samba will attempt to load modules from the <filename>/lib</filename> directory in the root directory of the
70 Samba installation (usually <filename>/usr/lib/samba/vfs</filename> or <filename>/usr/local/samba/lib/vfs
75 Some modules can be used twice for the same share.
76 This can be done using a configuration similar to the one shown in <link linkend="multimodule">the following example</link>.
78 <smbconfexample id="multimodule">
79 <title>smb.conf with multiple VFS modules</title>
80 <smbconfsection>[test]</smbconfsection>
81 <smbconfoption><name>comment</name><value>VFS TEST</value></smbconfoption>
82 <smbconfoption><name>path</name><value>/data</value></smbconfoption>
83 <smbconfoption><name>writeable</name><value>yes</value></smbconfoption>
84 <smbconfoption><name>browseable</name><value>yes</value></smbconfoption>
85 <smbconfoption><name>vfs objects</name><value>example:example1 example example:test</value></smbconfoption>
86 <smbconfoption><name>example1: parameter</name><value>1</value></smbconfoption>
87 <smbconfoption><name>example: parameter</name><value>5</value></smbconfoption>
88 <smbconfoption><name>test: parameter</name><value>7</value></smbconfoption>
95 <title>Included Modules</title>
101 A simple module to audit file access to the syslog
102 facility. The following operations are logged:
104 <listitem><para>share</para></listitem>
105 <listitem><para>connect/disconnect</para></listitem>
106 <listitem><para>directory opens/create/remove</para></listitem>
107 <listitem><para>file open/close/rename/unlink/chmod</para></listitem>
114 <title>extd_audit</title>
117 This module is identical with the <command>audit</command> module above except
118 that it sends audit logs to both syslog as well as the <command>smbd</command> log files. The
119 <smbconfoption><name>log level</name></smbconfoption> for this module is set in the &smb.conf; file.
123 Valid settings and the information that will be recorded are shown in <link linkend="xtdaudit">the next table</link>.
126 <table frame="all" id="xtdaudit">
127 <title>Extended Auditing Log Information</title>
128 <tgroup cols="2" align="center">
130 <row><entry align="center">Log Level</entry><entry>Log Details - File and Directory Operations</entry></row>
133 <row><entry align="center">0</entry><entry align="left">Make Directory, Remove Directory, Unlink</entry></row>
134 <row><entry align="center">1</entry><entry align="left">Open Directory, Rename File, Change Permissions/ACLs</entry></row>
135 <row><entry align="center">2</entry><entry align="left">Open & Close File</entry></row>
136 <row><entry align="center">10</entry><entry align="left">Maximum Debug Level</entry></row>
143 <sect2 id="fakeperms">
144 <title>fake_perms</title>
147 This module was created to allow Roaming Profile files and directories to be set (on the Samba server
148 under UNIX) as read only. This module will, if installed on the Profiles share, report to the client
149 that the Profile files and directories are writeable. This satisfies the client even though the files
150 will never be overwritten as the client logs out or shuts down.
156 <title>recycle</title>
159 A Recycle Bin-like module. Where used, unlink calls will be intercepted and files moved
160 to the recycle directory instead of being deleted. This gives the same effect as the
161 <guiicon>Recycle Bin</guiicon> on Windows computers.
165 The <guiicon>Recycle Bin</guiicon> will not appear in <application>Windows Explorer</application> views of the network file system
166 (share) nor on any mapped drive. Instead, a directory called <filename>.recycle</filename> will be
167 automatically created when the first file is deleted. Users can recover files from the
168 <filename>.recycle</filename> directory. If the <parameter>recycle:keeptree</parameter> has been
169 specified, deleted files will be found in a path identical with that from which the file was deleted.
172 <para>Supported options for the <command>recycle</command> module are as follow:
175 <term>recycle:repository</term>
177 Relative path of the directory where deleted files should be moved.
182 <term>recycle:keeptree</term>
184 Specifies whether the directory structure should be kept or if the files in the directory that is being
185 deleted should be kept separately in the recycle bin.
190 <term>recycle:versions</term>
192 If this option is set, two files
193 with the same name that are deleted will both
194 be kept in the recycle bin. Newer deleted versions
195 of a file will be called <quote>Copy #x of <replaceable>filename</replaceable></quote>.
200 <term>recycle:touch</term>
202 Specifies whether a file's access date should be touched when the file is moved to the recycle bin.
207 <term>recycle:maxsize</term>
209 Files that are larger than the number of bytes specified by this parameter will not be put into the recycle bin.
214 <term>recycle:exclude</term>
216 List of files that should not be put into the recycle bin when deleted, but deleted in the regular way.
221 <term>recycle:exclude_dir</term>
223 Contains a list of directories. When files from these directories are
224 deleted, they are not put into the
225 recycle bin but are deleted in the
231 <term>recycle:noversions</term>
233 Specifies a list of paths (wildcards such as * and ? are supported) for which no versioning should be used. Only useful when <emphasis>recycle:versions</emphasis> is enabled.
242 <title>netatalk</title>
245 A netatalk module will ease co-existence of Samba and netatalk file sharing services.
248 <para>Advantages compared to the old netatalk module:
250 <listitem><para>Does not care about creating .AppleDouble forks, just keeps them in sync.</para></listitem>
251 <listitem><para>If a share in &smb.conf; does not contain .AppleDouble item in hide or veto list, it will be added automatically.</para></listitem>
258 <title>shadow_copy</title>
261 <emphasis>THIS IS NOT A BACKUP, ARCHIVAL, OR VERSION CONTROL
262 SOLUTION!</emphasis></para>
264 With Samba or Windows servers, shadow copy is designed to be
265 an end-user tool only. It does not replace or enhance your
266 backup and archival solutions and should in no way be
267 considered as such. Additionally, if you need version
268 control, implement a version control system. You have been
272 The shadow_copy module allows you to setup functionality that
273 is similar to MS shadow copy services. When setup properly,
274 this module allows Microsoft shadow copy clients to browse
275 "shadow copies" on samba shares. You will need to install the
276 shadow copy client. You can get the MS shadow copy client
278 url="http://www.microsoft.com/windowsserver2003/downloads/shadowcopyclient.mspx">here.</ulink>.
279 Note the additional requirements for pre-Windows XP clients.
280 I did not test this functionality with any pre-Windows XP
281 clients. You should be able to get more information about MS
282 Shadow Copy <ulink noescape="1"
283 url="http://www.microsoft.com/windowsserver2003/techinfo/overview/scr.mspx">from
284 the Microsoft's site</ulink>.</para>
286 The shadow_copy VFS module requires some underlying file system
287 setup with some sort of Logical Volume Manager (LVM) such as
288 LVM1, LVM2, or EVMS. Setting up LVM is beyond the scope of
289 this document; however, we will outline the steps we took to
290 test this functionality for <emphasis>example purposes
291 only.</emphasis> You need to make sure the LVM implementation
292 you choose to deploy is ready for production. Make sure you
293 do plenty of tests.</para>
295 Here are some common resources for LVM and EVMS:
298 <para><ulink noescape="1"
299 url="http://www.sistina.com/products_lvm_download.htm">Sistina's
300 LVM1 and LVM2</ulink></para>
303 <para><ulink url="http://evms.sourceforge.net/">Enterprise
304 Volume Management System (EVMS)</ulink></para>
307 <para><ulink url="http://tldp.org/HOWTO/LVM-HOWTO/">The LVM HOWTO</ulink></para>
312 url="http://www-106.ibm.com/developerworks/linux/library/l-lvm/">Learning
313 Linux LVM, Part 1</ulink> and <ulink
314 url="http://www-106.ibm.com/developerworks/library/l-lvm2.html">Learning
315 Linux LWM, Part 2</ulink> for Daniel Robbins' well
316 written a two part tutorial on Linux and LVM using LVM
317 source code and reiserfs.</para>
322 <title>Shadow Copy Setup</title>
324 At the time of this writing, not much testing has been done.
325 I tested the shadow copy VFS module with a specific scenario
326 which was not deployed in a production environment, but more
327 as a proof of concept. The scenario involved a Samba 3 file
328 server on Debian Sarge with an XFS file system and LVM1. I
329 do NOT recommend you use this as a solution without doing
330 your own due diligence with regard to all the components
331 presented here. That said, following is an basic outline of
332 how I got things going.</para>
336 <title>Installed Operating System </title>
338 In my tests, I used <ulink
339 url="http://www.debian.org/devel/debian-installer/">Debian
340 Sarge</ulink> (i.e. testing) on an XFS file system.
341 Setting up the OS is a bit beyond the scope of this
342 document. It is assumed that you have a working OS
343 capable of running Samba.</para>
348 <title>Install & Configure Samba</title>
350 See the <link linkend="introduction">installation
351 section</link> of this HOWTO for more detail on this.
352 It doesn't matter if it is a Domain Controller or
353 Member File Server, but it is assumed that you have a
354 working Samba 3.0.3 or newer server running.</para>
359 <title>Install & Configure LVM</title>
361 Before you can make shadow copies available to the
362 client, you have to create the shadow copies. This is
363 done by taking some sort of file system snapshot.
364 Snapshots are a typical feature of Logical Volume
365 Managers such as LVM, so we first need to have that
370 The following is provided as an example and will be
371 most helpful for Debian users. Again, this was tested
372 using the "testing" or "Sarge" distribution.</para>
375 Install lvm10 and devfsd packages if you have not
376 done so already. On Debian systems, you are warned
377 of the interaction of devfs and lvm1 which requires
378 the use of devfs filenames. Running
379 <command>apt-get update && apt-get install
380 lvm10 devfsd xfsprogs</command> should do the trick
381 for this example.</para>
385 Now you need to create a volume. You will need to
386 create a partition (or partitions) to add to your
387 volume. Use your favorite partitioning tool
388 (e.g. Linux fdisk, cfdisk, etc.). The partition
389 type should be set to 0x8e for "Linux LVM." In this
390 example, we will use /dev/hdb1.</para>
392 Once you have the Linux LVM partition (type 0x8e),
393 you can run a series of commands to create the LVM
394 volume. You can use several disks and or
395 partitions, but we will use only one in this
396 example. You may also need to load the kernel
397 module with something like <command>modprobe lvm-mod
398 </command> and set your system up to load it on
399 reboot by adding it to
400 (<filename>/etc/modules</filename>). </para>
404 Create the physical volume with <command>pvcreate
405 /dev/hdb1</command></para>
409 Create the volume group with and add /dev/hda1 to it
410 with <command>vgcreate shadowvol /dev/hdb1</command>
413 You can use <command>vgdisplay</command> to review
414 information about the volume group.</para>
418 Now you can create the logical volume with something
419 like <command>lvcreate -L400M -nsh_test
420 shadowvol</command></para>
422 This creates the logical volume of 400MB's named
423 "sh_test" in the volume group we created called
424 shadowvol. If everything is working so far, you
426 <filename>/dev/shadowvol</filename>.</para>
430 Now we should be ready to format the logical volume
431 we named sh_test with <command>mkfs.xfs
432 /dev/shadowvol/sh_test</command></para>
434 You can format the logical volume with any file
435 system you choose, but make sure to use one that
436 allows you to take advantage of the additional
437 features of LVM such as freezing, resizing and
438 growing your file systems.</para>
440 Now we have an LVM volume where we can play with the
441 shadow_copy VFS module.</para>
445 Now we need to prepare the directory with something
446 like <command>mkdir -p /data/shadow_share</command>
447 or whatever you want to name your shadow copy
448 enabled Samba share. Make sure you set the
449 permissions such that you can use it. If in doubt,
450 use <command>chmod 777 /data/shadow_share</command>
451 and tighten the permissions once you get things
456 Mount the LVM volume using something like
457 <command>mount /dev/shadowvol/sh_test
458 /data/shadow_share</command></para>
460 You may also want to edit your
461 <filename>/etc/fstab</filename> so that this
462 partition mounts during the system boot.</para>
468 <title>Install & Configure the shadow_copy VFS
471 Finally we get to the actual shadow_copy VFS module.
472 The shadow_copy VFS module should be available in
473 Samba 3.0.3 and higher. The smb.conf configuration is pretty
474 standard. Here is our example of a share configured
475 with the shadow_copy VFS module:</para>
478 <smbconfexample id="vfsshadow">
479 <title>Share With shadow_copy VFS</title>
480 <smbconfsection>[shadow_share]</smbconfsection>
481 <smbconfoption><name>comment</name><value>Shadow Copy Enabled Share</value></smbconfoption>
482 <smbconfoption><name>path</name><value>/data/shadow_share</value></smbconfoption>
483 <smbconfoption><name>vfs objects</name><value>shadow_copy</value></smbconfoption>
484 <smbconfoption><name>writeable</name><value>yes</value></smbconfoption>
485 <smbconfoption><name>browseable</name><value>yes</value></smbconfoption>
491 <title>Create Snapshots and Make Them Available to shadow_copy.so</title>
493 Before you can browse the shadow copies, you must
494 create them and mount them. This will most likely be
495 done with a script that runs as a cron job. With this
496 particular solution, the shadow_copy VFS module is
497 used to browse LVM snapshots. Those snapshots are not
498 created by the module. They are not made available by
499 the module either. This module allows the shadow copy
500 enabled client to browse the snapshots you take and
501 make available.</para>
504 Here is a simple script used to create and mount the
508 # This is a test, this is only a test
509 SNAPNAME=`date +%Y.%m.%d-%H.%M.%S`
510 xfs_freeze -f /data/shadow_share/
511 lvcreate -L10M -s -n $SNAPNAME /dev/shadowvol/sh_test
512 xfs_freeze -u /data/shadow_share/
513 mkdir /data/shadow_share/@GMT-$SNAPNAME
514 mount /dev/shadowvol/$SNAPNAME /data/shadow_share/@GMT-$SNAPNAME -onouuid,ro
516 Note that the script does not handle other things like
517 remounting snapshots on reboot.
522 <title>Test From Client</title>
524 To test, you will need to install the shadow copy
525 client which you can obtain from the <ulink
526 url="http://www.microsoft.com/windowsserver2003/downloads/shadowcopyclient.mspx">Microsoft
527 web site.</ulink> I only tested this with an XP client
528 so your results may vary with other pre-XP clients.
529 Once installed, with your XP client you can
530 right-click on specific files or in the empty space of
531 the shadow_share and view the "properties". If
532 anything has changed, then you will see it on the
533 "Previous Versions" tab of the properties
544 <title>VFS Modules Available Elsewhere</title>
547 This section contains a listing of various other VFS modules that
548 have been posted but do not currently reside in the Samba CVS
549 tree for one reason or another (e.g., it is easy for the maintainer
550 to have his or her own CVS tree).
554 No statements about the stability or functionality of any module
555 should be implied due to its presence here.
559 <title>DatabaseFS</title>
562 URL: <ulink noescape="1" url="http://www.css.tayloru.edu/~elorimer/databasefs/index.php">http://www.css.tayloru.edu/~elorimer/databasefs/index.php</ulink>
565 <para>By <ulink url="mailto:elorimer@css.tayloru.edu">Eric Lorimer.</ulink></para>
568 I have created a VFS module that implements a fairly complete read-only
569 filesystem. It presents information from a database as a filesystem in
570 a modular and generic way to allow different databases to be used
571 (originally designed for organizing MP3s under directories such as
572 <quote>Artists,</quote> <quote>Song Keywords,</quote> and so on. I have since easily
573 applied it to a student
574 roster database.) The directory structure is stored in the
575 database itself and the module makes no assumptions about the database
576 structure beyond the table it requires to run.
580 Any feedback would be appreciated: comments, suggestions, patches,
581 and so on. If nothing else, hopefully it might prove useful for someone
582 else who wishes to create a virtual filesystem.
590 <para>URL: <ulink noescape="1" url="http://www.openantivirus.org/projects.php#samba-vscan">http://www.openantivirus.org/projects.php#samba-vscan</ulink></para>
593 samba-vscan is a proof-of-concept module for Samba, which
594 provides on-access anti-virus support for files shared using
596 samba-vscan supports various virus scanners and is maintained