Enabling s3fs on samba4 DC

Daniele Dario d.dario76 at gmail.com
Tue Aug 28 03:40:08 MDT 2012


Hi Andrew,

On Tue, 2012-08-28 at 10:56 +0200, Daniele Dario wrote:
> Hi Andrew,
> 
> On Tue, 2012-08-28 at 18:23 +1000, Andrew Bartlett wrote:
> > On Tue, 2012-08-28 at 10:16 +0200, Daniele Dario wrote:
> > > Hi Andrew,
> > > 
> > > On Tue, 2012-08-28 at 15:21 +1000, Andrew Bartlett wrote:
> > > > On Mon, 2012-08-27 at 10:35 +0200, Daniele Dario wrote:
> > > > > Hi samba team,
> > > > > it's been a long time since my last question and I've seen much progress
> > > > > during this time so I'll say to you "great job guys".
> > > > > 
> > > > > In my installation I have 2 s4 DCs (at the moment DC1 is Version
> > > > > 4.0.0beta3-GIT-d1aeb2d and DC2 is Version 4.0.0beta3-GIT-c983ea8) both
> > > > > are using bind 9.9 + samba_dlz for DNS and they are running without
> > > > > problems since my last update to beta3 (again great job guys).
> > > > > 
> > > > > I'm planning to move network shares from a s3 fileserver which is joined
> > > > > to the domain to DC2 and I'd use s3fs (to reduce HW) but I've heard that
> > > > > there are some things to do when changing from NTVFS to s3fs (both DCs
> > > > > are using NTVFS) so can someone please point me to the right way to
> > > > > proceed?
> > > > 
> > > > 
> > > > 
> > > > > Is it better to upgrade to the latest beta release before migrating from
> > > > > NTVFS to S3FS?
> > > > 
> > > > Please either wait for beta7 (very soon) or use GIT master.  I've
> > > > finally fixed a lot of issues here. 
> > > > 
> > > > It won't really matter, but you can do it in stages if you like.
> > > > 
> > > > > When upgrading to the latest release I would run samba-tool dbcheck
> > > > > --cross-ncs --fix on the installation I've upgraded before starting
> > > > > samba, am I right?
> > > > 
> > > > Yes.
> > > > 
> > > > If you only have a sysvol share, then running:
> > > > 
> > > > samba-tool ntacl sysvolreset
> > > > 
> > > > after configuring it back to the default file server (s3fs) will set the
> > > > POSIX ACLs you need.
> > > > 
> > > > > This should check and fix dbs in the DC I've upgraded, so shall I check
> > > > > something before restarting samba to avoid replication problems with the
> > > > > other DC?
> > > > 
> > > > Honestly, I don't think we changed anything that this will matter for
> > > > since beta3, so don't worry too much.
> > > > 
> > > > > I would start upgrading the "secondary" DC and once it is again ok and
> > > > > running I would do the same on the "primary", am I right?
> > > > 
> > > > That should be OK.
> > > > 
> > > > Andrew Bartlett
> > > > 
> > > 
> > > I upgraded to latest git (Version 4.0.0beta7-GIT-b05d28e) secondary DC
> > > and this is the response of dbcheck:
> > > 
> > > [root@kdc02:~/samba4/samba-master]# samba-tool dbcheck --cross-ncs --fix
> > > Checking 4207 objects
> > > ERROR: parent object not found for CN=NTDS Settings
> > > \0ADEL:66e2d411-467c-4375-b6f6-0408c2fa6544,CN=KDC02
> > > \0ADEL:fed27b3b-88f2-4360-97f2-e28e8372ccc9,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=saitelitalia,DC=local
> > > Move object CN=NTDS Settings
> > > \0ADEL:66e2d411-467c-4375-b6f6-0408c2fa6544,CN=KDC02
> > > \0ADEL:fed27b3b-88f2-4360-97f2-e28e8372ccc9,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=saitelitalia,DC=local into LostAndFound? [y/N/all/none] y
> > > Failed to rename object CN=NTDS Settings
> > > \0ADEL:66e2d411-467c-4375-b6f6-0408c2fa6544,CN=KDC02
> > > \0ADEL:fed27b3b-88f2-4360-97f2-e28e8372ccc9,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=saitelitalia,DC=local into lostAndFound at CN=NTDS Settings\0ADEL:66e2d411-467c-4375-b6f6-0408c2fa6544,CN=LostAndFoundConfig,CN=Configuration,DC=saitelitalia,DC=local : (32, 'objectclass: Cannot rename CN=NTDS Settings\\0ADEL:66e2d411-467c-4375-b6f6-0408c2fa6544,CN=KDC02\\0ADEL:fed27b3b-88f2-4360-97f2-e28e8372ccc9,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=saitelitalia,DC=local, entry does not exist!')
> > > Fix isDeleted originating_change_time on 'CN=Deleted
> > > Objects,CN=Configuration,DC=saitelitalia,DC=local' [y/N/all/none] y
> > > Fix isDeleted originating_change_time on 'CN=Deleted
> > > Objects,DC=DomainDnsZones,DC=saitelitalia,DC=local' [y/N/all/none] y
> > > Fix isDeleted originating_change_time on 'CN=Deleted
> > > Objects,DC=ForestDnsZones,DC=saitelitalia,DC=local' [y/N/all/none] y
> > > Fix isDeleted originating_change_time on 'CN=Deleted
> > > Objects,DC=saitelitalia,DC=local' [y/N/all/none] y
> > > Checked 4207 objects (5 errors)
> > > 
> > > Retrying 
> > > 
> > > [root@kdc02:~/samba4/samba-master]# samba-tool dbcheck --cross-ncs --fix
> > > Checking 4207 objects
> > > ERROR: parent object not found for CN=NTDS Settings
> > > \0ADEL:66e2d411-467c-4375-b6f6-0408c2fa6544,CN=KDC02
> > > \0ADEL:fed27b3b-88f2-4360-97f2-e28e8372ccc9,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=saitelitalia,DC=local
> > > Move object CN=NTDS Settings
> > > \0ADEL:66e2d411-467c-4375-b6f6-0408c2fa6544,CN=KDC02
> > > \0ADEL:fed27b3b-88f2-4360-97f2-e28e8372ccc9,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=saitelitalia,DC=local into LostAndFound? [y/N/all/none] y
> > > Failed to rename object CN=NTDS Settings
> > > \0ADEL:66e2d411-467c-4375-b6f6-0408c2fa6544,CN=KDC02
> > > \0ADEL:fed27b3b-88f2-4360-97f2-e28e8372ccc9,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=saitelitalia,DC=local into lostAndFound at CN=NTDS Settings\0ADEL:66e2d411-467c-4375-b6f6-0408c2fa6544,CN=LostAndFoundConfig,CN=Configuration,DC=saitelitalia,DC=local : (32, 'objectclass: Cannot rename CN=NTDS Settings\\0ADEL:66e2d411-467c-4375-b6f6-0408c2fa6544,CN=KDC02\\0ADEL:fed27b3b-88f2-4360-97f2-e28e8372ccc9,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=saitelitalia,DC=local, entry does not exist!')
> > > Checked 4207 objects (1 errors)
> > 
> > That is an interesting case.  Each deleted object should be a child of
> > 'cn=deleted objects' directly I think.  Clearly we need to add a rule
> > that puts it there, rather than tries to put it in lostAndFound. 
> > 
> > > This seems to be a non blocking error because I restarted samba4 on the
> > > secondary DC and all seems to be ok.
> > 
> > Yeah, we need to improve the tool, but it won't harm anything as far as
> > I know. 
> > 
> > > Now I will run samba-tool ntacl sysvolreset but this should be done with
> > > samba stopped am I right?
> > 
> > This can run on-line. 
> > 
> > > Before restarting the service I have to enable s3fs and disable ntvfs,
> > > don't I?
> > 
> > Yes, you should remove:
> > 
> > server services = +smb -s3fs
> > dcerpc endpoint servers = +winreg +srvsvc
> > 
> > from your smb.conf before you run 'samba-tool ntacl sysvolreset' and before you restart samba.
> > 
> > (See also the --use-ntvfs and --use-s3fs options to samba-tool ntacl sysvolreset)
> > 
> > Andrew Bartlett
> > 
> 
> I changed smb.conf this way (according to the samba wiki):
> [global]
> ...
>         server services = -smb +s3fs
>         dcerpc endpoint servers = -winreg -srvsvc
> ...
> 
> Then I restarted samba and running samba-tool ntacl sysvolreset I see
> this:
> 
> [root@kdc02:/usr/local/samba]# samba-tool ntacl sysvolreset
> lp_load_ex: refreshing parameters
> Initialising global parameters
> rlimit_max: increasing rlimit_max (1024) to minimum Windows limit
> (16384)
> params.c:pm_process() - Processing configuration file
> "/usr/local/samba/etc/smb.conf"
> Processing section "[global]"
> Processing section "[netlogon]"
> Processing section "[sysvol]"
> ldb_wrap open of idmap.ldb
> lp_load_ex: refreshing parameters
> params.c:pm_process() - Processing configuration file
> "/usr/local/samba/etc/smb.conf"
> Processing section "[global]"
> Processing section "[netlogon]"
> Processing section "[sysvol]"
> ldb_wrap open of idmap.ldb
> Initialising default vfs hooks
> Initialising custom vfs hooks from [/[Default VFS]/]
> Initialising custom vfs hooks from [acl_xattr]
> Module 'acl_xattr' loaded
> Initialising custom vfs hooks from [dfs_samba4]
> unpack_nt_owners: owner sid mapped to uid 0
> unpack_nt_owners: group sid mapped to gid 4
> ldb_wrap open of idmap.ldb
> Initialising default vfs hooks
> Initialising custom vfs hooks from [/[Default VFS]/]
> Initialising custom vfs hooks from [acl_xattr]
> Initialising custom vfs hooks from [dfs_samba4]
> unpack_nt_owners: owner sid mapped to uid 0
> unpack_nt_owners: group sid mapped to gid 4
> Initialising default vfs hooks
> Initialising custom vfs hooks from [/[Default VFS]/]
> Initialising custom vfs hooks from [acl_xattr]
> Initialising custom vfs hooks from [dfs_samba4]
> unpack_nt_owners: owner sid mapped to uid 0
> unpack_nt_owners: group sid mapped to gid 4
> Initialising default vfs hooks
> Initialising custom vfs hooks from [/[Default VFS]/]
> Initialising custom vfs hooks from [acl_xattr]
> Initialising custom vfs hooks from [dfs_samba4]
> open: error=2 (No such file or directory)
> ERROR(runtime): uncaught exception - (-1073741823, 'Undetermined error')
>   File
> "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py",
> line 160, in _run
>     return self.run(*args, **kwargs)
>   File
> "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/ntacl.py",
> line 180, in run
>     lp, use_ntvfs=use_ntvfs)
>   File
> "/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py", line 1456, in setsysvolacl
>     set_gpos_acl(sysvol, dnsdomain, domainsid, domaindn, samdb, lp,
> use_ntvfs)
>   File
> "/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py", line 1386, in set_gpos_acl
>     setntacl(lp, root_policy_path, POLICIES_ACL, str(domainsid),
> use_ntvfs=use_ntvfs)
>   File "/usr/local/samba/lib/python2.7/site-packages/samba/ntacls.py",
> line 108, in setntacl
>     smbd.set_nt_acl(file, security.SECINFO_OWNER |
> security.SECINFO_GROUP | security.SECINFO_DACL, sd)
> 
> Daniele.
> 

Trying to understand the error, I've seen that it was trying to change
ACLs for Policies.

I was working on the secondary DC so the Policies folder was not present
(it is not replicated by itself) so I just copied it from the primary DC
and all went fine.

Now I'll try to add the Policies share also to the secondary smb.conf
and see what happens.

Daniele
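
A pre-flight check for the two conditions this thread turned up, as an added example that is not part of the original messages and not Samba's own code: it reports NTVFS override lines still present in smb.conf and a missing Policies directory before `samba-tool ntacl sysvolreset` is run. The function names and return codes are hypothetical, and the `<sysvol>/<dnsdomain>/Policies` layout is an assumption.

```shell
#!/bin/sh
# Added example: checks to run before `samba-tool ntacl sysvolreset` on a DC
# that is being switched from NTVFS to s3fs. Names and return codes are
# hypothetical; the <sysvol>/<dnsdomain>/Policies layout is an assumption.

# Succeeds if smb.conf ($1) sets parameter $2 to a value containing token $3.
# $2 is given lower-case with spaces removed, because smb.conf ignores case
# and whitespace in parameter names.
conf_has_token() {
    awk -F= -v want="$2" -v tok="$3" '
        /^[ \t]*[#;]/ { next }                 # skip comment lines
        NF >= 2 {
            name = tolower($1)
            gsub(/[ \t]/, "", name)
            if (name != want) next
            n = split($2, parts, /[ \t,]+/)    # value is a token list
            for (i = 1; i <= n; i++) if (parts[i] == tok) found = 1
        }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# s3fs_preflight SMB_CONF SYSVOL_DIR DNS_DOMAIN
# Returns 0 if ready, 1 if NTVFS overrides remain, 2 if Policies is missing.
s3fs_preflight() {
    conf=$1 sysvol=$2 dnsdomain=$3
    if conf_has_token "$conf" serverservices -s3fs ||
       conf_has_token "$conf" serverservices +smb ||
       conf_has_token "$conf" dcerpcendpointservers +winreg ||
       conf_has_token "$conf" dcerpcendpointservers +srvsvc; then
        echo "NTVFS overrides still present in $conf" >&2
        return 1
    fi
    # sysvolreset sets ACLs on the Policies tree; on a DC where sysvol was
    # never copied over, the directory is absent and the reset aborts.
    if [ ! -d "$sysvol/$dnsdomain/Policies" ]; then
        echo "missing $sysvol/$dnsdomain/Policies: copy it from the other DC" >&2
        return 2
    fi
    return 0
}

# Usage (paths are placeholders apart from the smb.conf path in the log above):
#   s3fs_preflight /usr/local/samba/etc/smb.conf <sysvol dir> <dns domain>
```
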


