6 <author><firstname>Simo</firstname><surname>Sorce</surname><contrib>original vfs_skel README</contrib></author>
7 <author><firstname>Alexander</firstname><surname>Bokovoy</surname><contrib>original vfs_netatalk docs</contrib></author>
8 <author><firstname>Stefan</firstname><surname>Metzmacher</surname><contrib>Update for multiple modules</contrib></author>
9 <author><firstname>Ed</firstname><surname>Riddle</surname><contrib>original shadow_copy docs</contrib></author>
11 <title>Stackable VFS modules</title>
14 <title>Features and Benefits</title>
17 Since Samba-3, there is support for stackable VFS (Virtual File System) modules.
18 Samba passes each request to access the UNIX file system through the loaded VFS modules.
19 This chapter covers all the modules that come with the Samba source and references to
20 some external modules.
27 <title>Discussion</title>
30 If not supplied with your platform distribution binary Samba package you may have problems
31 compiling these modules, as shared libraries are compiled and linked in different ways
32 on different systems. They currently have been tested against GNU/Linux and IRIX.
36 To use the VFS modules, create a share similar to the one below. The
37 important parameter is the <smbconfoption><name>vfs objects</name></smbconfoption> parameter where
38 you can list one or more VFS modules by name. For example, to log all access
39 to files and put deleted files in a recycle bin, see <link linkend="vfsrecyc">next configuration</link>:
41 <smbconfexample id="vfsrecyc">
42 <title>smb.conf with VFS modules</title>
43 <smbconfsection>[audit]</smbconfsection>
44 <smbconfoption><name>comment</name><value>Audited /data directory</value></smbconfoption>
45 <smbconfoption><name>path</name><value>/data</value></smbconfoption>
46 <smbconfoption><name>vfs objects</name><value>audit recycle</value></smbconfoption>
47 <smbconfoption><name>writeable</name><value>yes</value></smbconfoption>
48 <smbconfoption><name>browseable</name><value>yes</value></smbconfoption>
53 The modules are used in the order in which they are specified.
54 Let's say that you want to both have a virus scanner module and a recycle
55 bin module. It is wise to put the virus scanner module as the first one so
56 that it is the first that get run an may detect a virus immediately, before
57 any action is performed on that file.
58 <smbconfoption><name>vfs objects</name><value>vscan-clamav recycle</value></smbconfoption>
62 Samba will attempt to load modules from the <filename>/lib</filename> directory in the root directory of the
63 Samba installation (usually <filename>/usr/lib/samba/vfs</filename> or <filename>/usr/local/samba/lib/vfs
68 Some modules can be used twice for the same share.
69 This can be done using a configuration similar to the one shown in <link linkend="multimodule">the following example</link>.
71 <smbconfexample id="multimodule">
72 <title>smb.conf with multiple VFS modules</title>
73 <smbconfsection>[test]</smbconfsection>
74 <smbconfoption><name>comment</name><value>VFS TEST</value></smbconfoption>
75 <smbconfoption><name>path</name><value>/data</value></smbconfoption>
76 <smbconfoption><name>writeable</name><value>yes</value></smbconfoption>
77 <smbconfoption><name>browseable</name><value>yes</value></smbconfoption>
78 <smbconfoption><name>vfs objects</name><value>example:example1 example example:test</value></smbconfoption>
79 <smbconfoption><name>example1: parameter</name><value>1</value></smbconfoption>
80 <smbconfoption><name>example: parameter</name><value>5</value></smbconfoption>
81 <smbconfoption><name>test: parameter</name><value>7</value></smbconfoption>
88 <title>Included Modules</title>
94 A simple module to audit file access to the syslog
95 facility. The following operations are logged:
97 <listitem><para>share</para></listitem>
98 <listitem><para>connect/disconnect</para></listitem>
99 <listitem><para>directory opens/create/remove</para></listitem>
100 <listitem><para>file open/close/rename/unlink/chmod</para></listitem>
107 <title>extd_audit</title>
110 This module is identical with the <command>audit</command> module above except
111 that it sends audit logs to both syslog as well as the <command>smbd</command> log files. The
112 <smbconfoption><name>log level</name></smbconfoption> for this module is set in the &smb.conf; file.
116 Valid settings and the information that will be recorded are shown in <link linkend="xtdaudit">the next table</link>.
119 <table frame="all" id="xtdaudit">
120 <title>Extended Auditing Log Information</title>
121 <tgroup cols="2" align="center">
123 <row><entry align="center">Log Level</entry><entry>Log Details - File and Directory Operations</entry></row>
126 <row><entry align="center">0</entry><entry align="left">Creation / Deletion</entry></row>
127 <row><entry align="center">1</entry><entry align="left">Create / Delete / Rename / Permission Changes</entry></row>
128 <row><entry align="center">2</entry><entry align="left">Create / Delete / Rename / Perm Change / Open / Close</entry></row>
135 <sect2 id="fakeperms">
136 <title>fake_perms</title>
139 This module was created to allow Roaming Profile files and directories to be set (on the Samba server
140 under UNIX) as read only. This module will, if installed on the Profiles share, report to the client
141 that the Profile files and directories are writeable. This satisfies the client even though the files
142 will never be overwritten as the client logs out or shuts down.
148 <title>recycle</title>
151 A Recycle Bin-like module. Where used, unlink calls will be intercepted and files moved
152 to the recycle directory instead of being deleted. This gives the same effect as the
153 <guiicon>Recycle Bin</guiicon> on Windows computers.
157 The <guiicon>Recycle Bin</guiicon> will not appear in <application>Windows Explorer</application> views of the network file system
158 (share) nor on any mapped drive. Instead, a directory called <filename>.recycle</filename> will be
159 automatically created when the first file is deleted. Users can recover files from the
160 <filename>.recycle</filename> directory. If the <parameter>recycle:keeptree</parameter> has been
161 specified, deleted files will be found in a path identical with that from which the file was deleted.
164 <para>Supported options for the <command>recycle</command> module are as follow:
167 <term>recycle:repository</term>
169 Relative path of the directory where deleted files should be moved.
174 <term>recycle:keeptree</term>
176 Specifies whether the directory structure should be kept or if the files in the directory that is being
177 deleted should be kept separately in the recycle bin.
182 <term>recycle:versions</term>
184 If this option is set, two files
185 with the same name that are deleted will both
186 be kept in the recycle bin. Newer deleted versions
187 of a file will be called <quote>Copy #x of <replaceable>filename</replaceable></quote>.
192 <term>recycle:touch</term>
194 Specifies whether a file's access date should be touched when the file is moved to the recycle bin.
199 <term>recycle:maxsize</term>
201 Files that are larger than the number of bytes specified by this parameter will not be put into the recycle bin.
206 <term>recycle:exclude</term>
208 List of files that should not be put into the recycle bin when deleted, but deleted in the regular way.
213 <term>recycle:exclude_dir</term>
215 Contains a list of directories. When files from these directories are
216 deleted, they are not put into the
217 recycle bin but are deleted in the
223 <term>recycle:noversions</term>
225 Opposite of <parameter>recycle:versions</parameter>. If both options are specified, this one takes precedence.
234 <title>netatalk</title>
237 A netatalk module will ease co-existence of Samba and netatalk file sharing services.
240 <para>Advantages compared to the old netatalk module:
242 <listitem><para>Does not care about creating .AppleDouble forks, just keeps them in sync.</para></listitem>
243 <listitem><para>If a share in &smb.conf; does not contain .AppleDouble item in hide or veto list, it will be added automatically.</para></listitem>
250 <title>shadow_copy</title>
253 <emphasis>THIS IS NOT A BACKUP, ARCHIVAL, OR VERSION CONTROL
254 SOLUTION!</emphasis></para>
256 With Samba or Windows servers, shadow copy is designed to be
257 an end-user tool only. It does not replace or enhance your
258 backup and archival solutions and should in no way be
259 considered as such. Additionally, if you need version
260 control, implement a version control system. You have been
264 The shadow_copy module allows you to setup functionality that
265 is similar to MS shadow copy services. When setup properly,
266 this module allows Microsoft shadow copy clients to browse
267 "shadow copies" on samba shares. You will need to install the
268 shadow copy client. You can get the MS shadow copy client
270 url="http://www.microsoft.com/windowsserver2003/downloads/shadowcopyclient.mspx">here.</ulink>.
271 Note the additional requirements for pre-Windows XP clients.
272 I did not test this functionality with any pre-Windows XP
273 clients. You should be able to get more information about MS
274 Shadow Copy <ulink noescape="1"
275 url="http://www.microsoft.com/windowsserver2003/techinfo/overview/scr.mspx">from
276 the Microsoft's site</ulink>.</para>
278 The shadow_copy VFS module requires some underlying file system
279 setup with some sort of Logical Volume Manager (LVM) such as
280 LVM1, LVM2, or EVMS. Setting up LVM is beyond the scope of
281 this document; however, we will outline the steps we took to
282 test this functionality for <emphasis>example purposes
283 only.</emphasis> You need to make sure the LVM implementation
284 you choose to deploy is ready for production. Make sure you
285 do plenty of tests.</para>
287 Here are some common resources for LVM and EVMS:
290 <para><ulink noescape="1"
291 url="http://www.sistina.com/products_lvm_download.htm">Sistina's
292 LVM1 and LVM2</ulink></para>
295 <para><ulink url="http://evms.sourceforge.net/">Enterprise
296 Volume Management System (EVMS)</ulink></para>
299 <para><ulink url="http://tldp.org/HOWTO/LVM-HOWTO/">The LVM HOWTO</ulink></para>
304 url="http://www-106.ibm.com/developerworks/linux/library/l-lvm/">Learning
305 Linux LVM, Part 1</ulink> and <ulink
306 url="http://www-106.ibm.com/developerworks/library/l-lvm2.html">Learning
307 Linux LWM, Part 2</ulink> for Daniel Robbins' well
308 written a two part tutorial on Linux and LVM using LVM
309 source code and reiserfs.</para>
314 <title>Shadow Copy Setup</title>
316 At the time of this writing, not much testing has been done.
317 I tested the shadow copy VFS module with a specific scenario
318 which was not deployed in a production environment, but more
319 as a proof of concept. The scenario involved a Samba 3 file
320 server on Debian Sarge with an XFS file system and LVM1. I
321 do NOT recommend you use this as a solution without doing
322 your own due diligence with regard to all the components
323 presented here. That said, following is an basic outline of
324 how I got things going.</para>
328 <title>Installed Operating System </title>
330 In my tests, I used <ulink
331 url="http://www.debian.org/devel/debian-installer/">Debian
332 Sarge</ulink> (i.e. testing) on an XFS file system.
333 Setting up the OS is a bit beyond the scope of this
334 document. It is assumed that you have a working OS
335 capable of running Samba.</para>
340 <title>Install & Configure Samba</title>
342 See the <link linkend="introduction">installation
343 section</link> of this HOWTO for more detail on this.
344 It doesn't matter if it is a Domain Controller or
345 Member File Server, but it is assumed that you have a
346 working Samba 3.0.3 or newer server running.</para>
351 <title>Install & Configure LVM</title>
353 Before you can make shadow copies available to the
354 client, you have to create the shadow copies. This is
355 done by taking some sort of file system snapshot.
356 Snapshots are a typical feature of Logical Volume
357 Managers such as LVM, so we first need to have that
362 The following is provided as an example and will be
363 most helpful for Debian users. Again, this was tested
364 using the "testing" or "Sarge" distribution.</para>
367 Install lvm10 and devfsd packages if you have not
368 done so already. On Debian systems, you are warned
369 of the interaction of devfs and lvm1 which requires
370 the use of devfs filenames. Running
371 <command>apt-get update && apt-get install
372 lvm10 devfsd xfsprogs</command> should do the trick
373 for this example.</para>
377 Now you need to create a volume. You will need to
378 create a partition (or partitions) to add to your
379 volume. Use your favorite partitioning tool
380 (e.g. Linux fdisk, cfdisk, etc.). The partition
381 type should be set to 0x8e for "Linux LVM." In this
382 example, we will use /dev/hdb1.</para>
384 Once you have the Linux LVM partition (type 0x8e),
385 you can run a series of commands to create the LVM
386 volume. You can use several disks and or
387 partitions, but we will use only one in this
388 example. You may also need to load the kernel
389 module with something like <command>modprobe lvm-mod
390 </command> and set your system up to load it on
391 reboot by adding it to
392 (<filename>/etc/modules</filename>). </para>
396 Create the physical volume with <command>pvcreate
397 /dev/hdb1</command></para>
401 Create the volume group with and add /dev/hda1 to it
402 with <command>vgcreate shadowvol /dev/hdb1</command>
405 You can use <command>vgdisplay</command> to review
406 information about the volume group.</para>
410 Now you can create the logical volume with something
411 like <command>lvcreate -L400M -nsh_test
412 shadowvol</command></para>
414 This creates the logical volume of 400MB's named
415 "sh_test" in the volume group we created called
416 shadowvol. If everything is working so far, you
418 <filename>/dev/shadowvol</filename>.</para>
422 Now we should be ready to format the logical volume
423 we named sh_test with <command>mkfs.xfs
424 /dev/shadowvol/sh_test</command></para>
426 You can format the logical volume with any file
427 system you choose, but make sure to use one that
428 allows you to take advantage of the additional
429 features of LVM such as freezing, resizing and
430 growing your file systems.</para>
432 Now we have an LVM volume where we can play with the
433 shadow_copy VFS module.</para>
437 Now we need to prepare the directory with something
438 like <command>mkdir -p /data/shadow_share</command>
439 or whatever you want to name your shadow copy
440 enabled Samba share. Make sure you set the
441 permissions such that you can use it. If in doubt,
442 use <command>chmod 777 /data/shadow_share</command>
443 and tighten the permissions once you get things
448 Mount the LVM volume using something like
449 <command>mount /dev/shadowvol/sh_test
450 /data/shadow_share</command></para>
452 You may also want to edit your
453 <filename>/etc/fstab</filename> so that this
454 partition mounts during the system boot.</para>
460 <title>Install & Configure the shadow_copy VFS
463 Finally we get to the actual shadow_copy VFS module.
464 The shadow_copy VFS module should be available in
465 Samba 3.0.3 and higher. The smb.conf configuration is pretty
466 standard. Here is our example of a share configured
467 with the shadow_copy VFS module:</para>
470 <smbconfexample id="vfsshadow">
471 <title>Share With shadow_copy VFS</title>
472 <smbconfsection>[shadow_share]</smbconfsection>
473 <smbconfoption><name>comment</name><value>Shadow Copy Enabled Share</value></smbconfoption>
474 <smbconfoption><name>path</name><value>/data/shadow_share</value></smbconfoption>
475 <smbconfoption><name>vfs objects</name><value>shadow_copy</value></smbconfoption>
476 <smbconfoption><name>writeable</name><value>yes</value></smbconfoption>
477 <smbconfoption><name>browseable</name><value>yes</value></smbconfoption>
483 <title>Create Snapshots and Make Them Available to shadow_copy.so</title>
485 Before you can browse the shadow copies, you must
486 create them and mount them. This will most likely be
487 done with a script that runs as a cron job. With this
488 particular solution, the shadow_copy VFS module is
489 used to browse LVM snapshots. Those snapshots are not
490 created by the module. They are not made available by
491 the module either. This module allows the shadow copy
492 enabled client to browse the snapshots you take and
493 make available.</para>
496 Here is a simple script used to create and mount the
500 # This is a test, this is only a test
501 SNAPNAME=`date +%Y.%m.%d-%H.%M.%S`
502 xfs_freeze -f /data/shadow_share/
503 lvcreate -L10M -s -n $SNAPNAME /dev/shadowvol/sh_test
504 xfs_freeze -u /data/shadow_share/
505 mkdir /data/shadow_share/@GMT-$SNAPNAME
506 mount /dev/shadowvol/$SNAPNAME /data/shadow_share/@GMT-$SNAPNAME -onouuid,ro
508 Note that the script does not handle other things like
509 remounting snapshots on reboot.
514 <title>Test From Client</title>
516 To test, you will need to install the shadow copy
517 client which you can obtain from the <ulink
518 url="http://www.microsoft.com/windowsserver2003/downloads/shadowcopyclient.mspx">Microsoft
519 web site.</ulink> I only tested this with an XP client
520 so your results may vary with other pre-XP clients.
521 Once installed, with your XP client you can
522 right-click on specific files or in the empty space of
523 the shadow_share and view the "properties". If
524 anything has changed, then you will see it on the
525 "Previous Versions" tab of the properties
536 <title>VFS Modules Available Elsewhere</title>
539 This section contains a listing of various other VFS modules that
540 have been posted but do not currently reside in the Samba CVS
541 tree for one reason or another (e.g., it is easy for the maintainer
542 to have his or her own CVS tree).
546 No statements about the stability or functionality of any module
547 should be implied due to its presence here.
551 <title>DatabaseFS</title>
554 URL: <ulink noescape="1" url="http://www.css.tayloru.edu/~elorimer/databasefs/index.php">http://www.css.tayloru.edu/~elorimer/databasefs/index.php</ulink>
557 <para>By <ulink url="mailto:elorimer@css.tayloru.edu">Eric Lorimer.</ulink></para>
560 I have created a VFS module that implements a fairly complete read-only
561 filesystem. It presents information from a database as a filesystem in
562 a modular and generic way to allow different databases to be used
563 (originally designed for organizing MP3s under directories such as
564 <quote>Artists,</quote> <quote>Song Keywords,</quote> and so on. I have since easily
565 applied it to a student
566 roster database.) The directory structure is stored in the
567 database itself and the module makes no assumptions about the database
568 structure beyond the table it requires to run.
572 Any feedback would be appreciated: comments, suggestions, patches,
573 and so on. If nothing else, hopefully it might prove useful for someone
574 else who wishes to create a virtual filesystem.
582 <para>URL: <ulink noescape="1" url="http://www.openantivirus.org/">http://www.openantivirus.org/</ulink></para>
585 <filename>samba-vscan</filename> is a proof-of-concept module for Samba, which
586 uses the VFS (virtual file system) features of Samba 2.2.x/3.0
587 alphaX. Of course, Samba has to be compiled with VFS support.
588 <filename>samba-vscan</filename> supports various virus scanners and is maintained