Enabling s3fs on samba4 DC

Daniele Dario d.dario76 at gmail.com
Tue Aug 28 02:56:34 MDT 2012


Hi Andrew,

On Tue, 2012-08-28 at 18:23 +1000, Andrew Bartlett wrote:
> On Tue, 2012-08-28 at 10:16 +0200, Daniele Dario wrote:
> > Hi Andrew,
> > 
> > On Tue, 2012-08-28 at 15:21 +1000, Andrew Bartlett wrote:
> > > On Mon, 2012-08-27 at 10:35 +0200, Daniele Dario wrote:
> > > > Hi samba team,
> > > > it's been a long time since my last question and I've seen a lot of progress
> > > > during this time, so I'll say "great job guys".
> > > > 
> > > > In my installation I have 2 s4 DCs (at the moment DC1 is Version
> > > > 4.0.0beta3-GIT-d1aeb2d and DC2 is Version 4.0.0beta3-GIT-c983ea8) both
> > > > are using bind 9.9 + samba_dlz for DNS and they are running without
> > > > problems since my last update to beta3 (again great job guys).
> > > > 
> > > > I'm planning to move network shares from a s3 fileserver which is joined
> > > > to the domain to DC2 and I'd use s3fs (to reduce HW) but I've heard that
> > > > there are some things to do when changing from NTVFS to s3fs (both DCs
> > > > are using NTVFS) so can someone please point me to the right way to
> > > > proceed?
> > > 
> > > 
> > > 
> > > > Is it better to upgrade to the latest beta release before migrating from
> > > > NTVFS to S3FS?
> > > 
> > > Please either wait for beta7 (very soon) or use GIT master.  I've
> > > finally fixed a lot of issues here. 
> > > 
> > > It won't really matter, but you can do it in stages if you like.
> > > 
> > > > When upgrading to the latest release I would run samba-tool dbcheck
> > > > --cross-ncs --fix on the installation I've upgraded before starting
> > > > samba, am I right?
> > > 
> > > Yes.
> > > 
> > > If you only have a sysvol share, then running:
> > > 
> > > samba-tool ntacl sysvolreset
> > > 
> > > after configuring it back to the default file server (s3fs) will set the
> > > POSIX ACLs you need.
> > > 
> > > > This should check and fix dbs in the DC I've upgraded, so shall I check
> > > > something before restarting samba to avoid replication problems with the
> > > > other DC?
> > > 
> > > Honestly, I don't think we changed anything that this will matter for
> > > since beta3, so don't worry too much.
> > > 
> > > > I would start upgrading the "secondary" DC and once it is again ok and
> > > > running I would do the same on the "primary", am I right?
> > > 
> > > That should be OK.
> > > 
> > > Andrew Bartlett
> > > 
> > 
> > I upgraded the secondary DC to the latest git (Version 4.0.0beta7-GIT-b05d28e)
> > and this is the response of dbcheck:
> > 
> > [root at kdc02:~/samba4/samba-master]# samba-tool dbcheck --cross-ncs --fix
> > Checking 4207 objects
> > ERROR: parent object not found for CN=NTDS Settings
> > \0ADEL:66e2d411-467c-4375-b6f6-0408c2fa6544,CN=KDC02
> > \0ADEL:fed27b3b-88f2-4360-97f2-e28e8372ccc9,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=saitelitalia,DC=local
> > Move object CN=NTDS Settings
> > \0ADEL:66e2d411-467c-4375-b6f6-0408c2fa6544,CN=KDC02
> > \0ADEL:fed27b3b-88f2-4360-97f2-e28e8372ccc9,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=saitelitalia,DC=local into LostAndFound? [y/N/all/none] y
> > Failed to rename object CN=NTDS Settings
> > \0ADEL:66e2d411-467c-4375-b6f6-0408c2fa6544,CN=KDC02
> > \0ADEL:fed27b3b-88f2-4360-97f2-e28e8372ccc9,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=saitelitalia,DC=local into lostAndFound at CN=NTDS Settings\0ADEL:66e2d411-467c-4375-b6f6-0408c2fa6544,CN=LostAndFoundConfig,CN=Configuration,DC=saitelitalia,DC=local : (32, 'objectclass: Cannot rename CN=NTDS Settings\\0ADEL:66e2d411-467c-4375-b6f6-0408c2fa6544,CN=KDC02\\0ADEL:fed27b3b-88f2-4360-97f2-e28e8372ccc9,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=saitelitalia,DC=local, entry does not exist!')
> > Fix isDeleted originating_change_time on 'CN=Deleted
> > Objects,CN=Configuration,DC=saitelitalia,DC=local' [y/N/all/none] y
> > Fix isDeleted originating_change_time on 'CN=Deleted
> > Objects,DC=DomainDnsZones,DC=saitelitalia,DC=local' [y/N/all/none] y
> > Fix isDeleted originating_change_time on 'CN=Deleted
> > Objects,DC=ForestDnsZones,DC=saitelitalia,DC=local' [y/N/all/none] y
> > Fix isDeleted originating_change_time on 'CN=Deleted
> > Objects,DC=saitelitalia,DC=local' [y/N/all/none] y
> > Checked 4207 objects (5 errors)
> > 
> > Retrying 
> > 
> > [root at kdc02:~/samba4/samba-master]# samba-tool dbcheck --cross-ncs --fix
> > Checking 4207 objects
> > ERROR: parent object not found for CN=NTDS Settings
> > \0ADEL:66e2d411-467c-4375-b6f6-0408c2fa6544,CN=KDC02
> > \0ADEL:fed27b3b-88f2-4360-97f2-e28e8372ccc9,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=saitelitalia,DC=local
> > Move object CN=NTDS Settings
> > \0ADEL:66e2d411-467c-4375-b6f6-0408c2fa6544,CN=KDC02
> > \0ADEL:fed27b3b-88f2-4360-97f2-e28e8372ccc9,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=saitelitalia,DC=local into LostAndFound? [y/N/all/none] y
> > Failed to rename object CN=NTDS Settings
> > \0ADEL:66e2d411-467c-4375-b6f6-0408c2fa6544,CN=KDC02
> > \0ADEL:fed27b3b-88f2-4360-97f2-e28e8372ccc9,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=saitelitalia,DC=local into lostAndFound at CN=NTDS Settings\0ADEL:66e2d411-467c-4375-b6f6-0408c2fa6544,CN=LostAndFoundConfig,CN=Configuration,DC=saitelitalia,DC=local : (32, 'objectclass: Cannot rename CN=NTDS Settings\\0ADEL:66e2d411-467c-4375-b6f6-0408c2fa6544,CN=KDC02\\0ADEL:fed27b3b-88f2-4360-97f2-e28e8372ccc9,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=saitelitalia,DC=local, entry does not exist!')
> > Checked 4207 objects (1 errors)
> 
> That is an interesting case.  Each deleted object should be a child of
> 'cn=deleted objects' directly I think.  Clearly we need to add a rule
> that puts it there, rather than tries to put it in lostAndFound. 
> 
> > This seems to be a non-blocking error because I restarted samba4 on the
> > secondary DC and all seems to be ok.
> 
> Yeah, we need to improve the tool, but it won't harm anything as far as
> I know. 
> 
> > Now I will run samba-tool ntacl sysvolreset, but this should be done with
> > samba stopped, am I right?
> 
> This can run on-line. 
> 
> > Before restarting the service I have to enable s3fs and disable ntvfs,
> > don't I?
> 
> Yes, you should remove:
> 
> server services = +smb -s3fs
> dcerpc endpoint servers = +winreg +srvsvc
> 
> from your smb.conf before you run 'samba-tool ntacl sysvolreset' and before you restart samba.
> 
> (See also the --use-ntvfs and --use-s3fs options to samba-tool ntacl sysvolreset)
> 
> Andrew Bartlett
> 

I changed smb.conf this way (according to the samba wiki):
[global]
...
        server services = -smb +s3fs
        dcerpc endpoint servers = -winreg -srvsvc
...

Then I restarted samba, and running samba-tool ntacl sysvolreset I see
this:

[root at kdc02:/usr/local/samba]# samba-tool ntacl sysvolreset
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
params.c:pm_process() - Processing configuration file "/usr/local/samba/etc/smb.conf"
Processing section "[global]"
Processing section "[netlogon]"
Processing section "[sysvol]"
ldb_wrap open of idmap.ldb
lp_load_ex: refreshing parameters
params.c:pm_process() - Processing configuration file "/usr/local/samba/etc/smb.conf"
Processing section "[global]"
Processing section "[netlogon]"
Processing section "[sysvol]"
ldb_wrap open of idmap.ldb
Initialising default vfs hooks
Initialising custom vfs hooks from [/[Default VFS]/]
Initialising custom vfs hooks from [acl_xattr]
Module 'acl_xattr' loaded
Initialising custom vfs hooks from [dfs_samba4]
unpack_nt_owners: owner sid mapped to uid 0
unpack_nt_owners: group sid mapped to gid 4
ldb_wrap open of idmap.ldb
Initialising default vfs hooks
Initialising custom vfs hooks from [/[Default VFS]/]
Initialising custom vfs hooks from [acl_xattr]
Initialising custom vfs hooks from [dfs_samba4]
unpack_nt_owners: owner sid mapped to uid 0
unpack_nt_owners: group sid mapped to gid 4
Initialising default vfs hooks
Initialising custom vfs hooks from [/[Default VFS]/]
Initialising custom vfs hooks from [acl_xattr]
Initialising custom vfs hooks from [dfs_samba4]
unpack_nt_owners: owner sid mapped to uid 0
unpack_nt_owners: group sid mapped to gid 4
Initialising default vfs hooks
Initialising custom vfs hooks from [/[Default VFS]/]
Initialising custom vfs hooks from [acl_xattr]
Initialising custom vfs hooks from [dfs_samba4]
open: error=2 (No such file or directory)
ERROR(runtime): uncaught exception - (-1073741823, 'Undetermined error')
  File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py", line 160, in _run
    return self.run(*args, **kwargs)
  File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/ntacl.py", line 180, in run
    lp, use_ntvfs=use_ntvfs)
  File "/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py", line 1456, in setsysvolacl
    set_gpos_acl(sysvol, dnsdomain, domainsid, domaindn, samdb, lp, use_ntvfs)
  File "/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py", line 1386, in set_gpos_acl
    setntacl(lp, root_policy_path, POLICIES_ACL, str(domainsid), use_ntvfs=use_ntvfs)
  File "/usr/local/samba/lib/python2.7/site-packages/samba/ntacls.py", line 108, in setntacl
    smbd.set_nt_acl(file, security.SECINFO_OWNER | security.SECINFO_GROUP | security.SECINFO_DACL, sd)

Daniele.
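
An added example, not part of this thread and not Samba's own code: a Python check that reads the [global] section of an smb.conf and reports which file server the "server services" line selects, covering the NTVFS override Andrew says to remove and the setting shown in the message above. The function names are hypothetical, the default service set is an assumption based on the thread's statement that s3fs is the default, and rejecting a list that mixes plain and +/- entries is this checker's choice.

```python
import re

# Assumption: a default set that contains s3fs, per the thread's
# "default file server (s3fs)"; the other members are constructed.
ASSUMED_DEFAULTS = {"s3fs", "rpc", "ldap", "kdc"}

def global_params(conf_text):
    """Return {normalised name: value} for the [global] section."""
    params, section = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
        elif section == "global" and "=" in line:
            name, value = line.split("=", 1)
            # smb.conf ignores case and spaces inside parameter names
            params[re.sub(r"\s+", "", name).lower()] = value.strip()
    return params

def apply_modifiers(defaults, value):
    """'+x -y' edits the defaults; a plain list replaces them."""
    tokens = [t for t in re.split(r"[,\s]+", value) if t]
    signed = [t[0] in "+-" for t in tokens]
    if any(signed) and not all(signed):
        raise ValueError("mixed plain and +/- entries: %r" % value)
    if tokens and not any(signed):
        return set(tokens)
    result = set(defaults)
    for token in tokens:
        (result.add if token[0] == "+" else result.discard)(token[1:])
    return result

def file_server(conf_text, defaults=ASSUMED_DEFAULTS):
    """Return 'smb' (NTVFS), 's3fs', 'both' or 'none'."""
    value = global_params(conf_text).get("serverservices", "")
    chosen = apply_modifiers(defaults, value) & {"smb", "s3fs"}
    if len(chosen) == 1:
        return chosen.pop()
    return "both" if chosen else "none"

# Constructed samples built from the settings quoted in the thread
NTVFS_CONF = "[global]\n\tserver services = +smb -s3fs\n[sysvol]\n\tpath = /x\n"
S3FS_CONF = "[global]\n\tserver services = -smb +s3fs\n"
DEFAULT_CONF = "[global]\n\tworkgroup = EXAMPLE\n"

if __name__ == "__main__":
    for name, text in [("ntvfs", NTVFS_CONF), ("s3fs", S3FS_CONF), ("default", DEFAULT_CONF)]:
        print(name, "->", file_server(text))
```

Running the same check on each DC before 'samba-tool ntacl sysvolreset' confirms that the ACLs are being reset for the file server that will actually serve sysvol.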


