doc differences

Andrew Bartlett abartlet at
Sun Jul 1 15:54:16 MDT 2012

On Sun, 2012-07-01 at 12:56 +0800, Andrew Buckeridge wrote:
> Step 4: Provision Samba4
> Tried
> >  # /usr/local/samba/sbin/provision \
> > --domain=SAMDOM \
> >    --adminpass=SOMEPASSWORD --server-role=dc
> Gave
> > get_nt_acl_no_snum: fset_nt_acl returned zero.
> > ProvisioningError: Your filesystem or build does not support posix
> > ACLs, which s3fs requires.  Try the mounting the filesystem with the
> > 'acl' option.
> Tried
> > posix:eadb = /usr/local/samba/eadb.tdb
> Did not help with provision, but --use-xattrs=no did. I would recommend
> this as normal practice if you want to keep the host system Unixy for
> other applications. This will enhance both security and reliability of
> that system. It will make audits and testing much simpler.
> Made this mistake of remounting volume with ACLs before I found
> --use-xattrs=no. It's now dirty and needs to be cleaned.

This hasn't changed the storage of posix ACLs, which are required for
the default file server.  This simply means that the copy of the NT ACL
is no longer stored in the xattr, but in a tdb.

> My guidelines for ACLs on Unix:--
>  1. Don't.
>  2. If you think you want fine grained control, think again.
>  3. The Unix group if used properly will probably do what you want.
>  4. If you must have an ACL, make it the exception and don't rely on it.
>  5. Have you looked at Plan9.
> In the case of the exception being in a TDB it does not apply to shell
> accounts so you should rely on Unix permissions. Point 4. I like using
> groups, sticky and setgid of ratified POSIX and not the non-ratified
> ACLs. It's only Windows stuff anyway.

You may dislike ACLs, and your previous experience of Samba may have led
you to think they are not required, but for group policies, they are
strictly required.  We either have to emulate them, or provide them, and
most of our users seem to want us to match our ACLs as seen from Windows
with those as seen from Unix, so we map down to posix ACLs.

Turning off ACL support in the FS after the provision will just break

If you really must run without support from the system for the ACLs on
these files, then you must use the ntvfs file server (--use-ntvfs).  I
still recommend keeping the NT ACL in the xattr however. 

> Step 8 Configure DNS
> Windows XP looked for _ldap._tcp inside dc._msdcs!
> So added both copies to there.
> _ldap._tcp      IN SRV  0 100 389 chrp
> _kerberos._udp  IN SRV  0 100 88 chrp
> _ldap._tcp.dc._msdcs    IN SRV  0 100 389 chrp
> _kerberos._udp.dc._msdcs        IN SRV  0 100 88 chrp
> Note that my Windows XP is in VM running through NAT, but DNS knows it
> as the host due to NAT. See if I can bridge and still get VMWare
> services.
> Instructions for bind9 9.7.x 
> Note that I could not get BIND 9.7.3 build with Debian squeeze to
> accept the step 8 hacks. Using isc-dhcp-server ddns-update-style
> interim to update DNS zone used as realm. (Similar to the wins
> proxy of Samba3.)
> Note that a DHCP user can block machine from registering, but this does
> not happen often. E.g. give laptop and desktop machines the same name.
> /usr/local/samba/sbin/samba_dnsupdate: response to GSS-TSIG query was
> unsuccessful
> Is it possible to get this to use ddns-update-style interim as root or
> bind user on localhost? I think privilege separation is superior (both
> secure and reliable) when compared to secrets and hashes. (The chances
> of anything coming from Mars are ... Bogons are another problem, but
> localhost is loopback interface only in GNU/Linux.)
> Rather than have dhcpd do it Samba could do it after authentication.

I'm rather lost as to what you are talking about here.  However what I
can say is that using GSS-TSIG dynamic updates against bind 9.7 is a
world of pain, and I'll remove any doc references to it shortly. 

Samba needs to update DNS for its own needs (when there are multiple
DCs in the forest in particular).  You can however adjust the 'dns
update command' to refer to a static key like you have dhcp using.
(Note that static keys won't work with our DLZ module, only when using
bind's native flat files). 

> Step 7 Create a share in smb.conf
> After kill -15 or kill -1 of master it may have left PID file behind
> which was not checked. I was attempting to load a new share.

> Had to clean invalid
> /usr/local/samba/var/run/
> which was not checked and replaced at start up.

We do check it, but for some reason the check indicates that smbd is
still running and has an fcntl lock on the file.  That is why we haven't
fixed this yet - I need to work out why smbd is 'still there', or why
our pid file code is incorrect. 

> Could then connect with Samba 3.0 of snow leopard.
> (Have a build of samba4 from ports for later if NAT is an issue.)
> Could then complete Windows XP logon dialog.

I hope this clarifies things,

Andrew Bartlett

Andrew Bartlett                      
Authentication Developer, Samba Team 
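As an added example (not code from either Andrew's message or from Samba), a small Python check for the step 8 SRV records quoted above, including the dc._msdcs copies the XP client actually queried; the zone text below is constructed from the lines in the thread.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: the four SRV lines from the step 8 zone hack, in BIND
# flat-file syntax (relative owner names; 'chrp' is the DC hostname).
SAMPLE_ZONE = """\
$ORIGIN samdom.example.com.
_ldap._tcp      IN SRV  0 100 389 chrp
_kerberos._udp  IN SRV  0 100 88 chrp
_ldap._tcp.dc._msdcs    IN SRV  0 100 389 chrp
_kerberos._udp.dc._msdcs        IN SRV  0 100 88 chrp
"""

# Owner names an AD client expects, with the port each must advertise.
# The dc._msdcs entries are the ones the Windows XP client looked for.
REQUIRED_SRV = {
    "_ldap._tcp": 389,
    "_kerberos._udp": 88,
    "_ldap._tcp.dc._msdcs": 389,
    "_kerberos._udp.dc._msdcs": 88,
}

# owner [ttl] IN SRV priority weight port target
SRV_RE = re.compile(
    r"^(\S+)\s+(?:\d+\s+)?IN\s+SRV\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)$", re.I)


def parse_srv(zone_text: str) -> Dict[str, List[Tuple[int, int, int, str]]]:
    """Return {owner: [(priority, weight, port, target), ...]} for SRV lines."""
    records: Dict[str, List[Tuple[int, int, int, str]]] = {}
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop zone-file comments
        m = SRV_RE.match(line)
        if not m:
            continue  # $ORIGIN, SOA, A records etc. are not our concern here
        owner, prio, weight, port, target = m.groups()
        records.setdefault(owner, []).append(
            (int(prio), int(weight), int(port), target))
    return records


def check_ad_srv(zone_text: str) -> List[str]:
    """List problems: missing owner names, or no record on the expected port."""
    records = parse_srv(zone_text)
    problems = []
    for owner, port in REQUIRED_SRV.items():
        rrs = records.get(owner)
        if not rrs:
            problems.append(f"missing SRV record for {owner}")
        elif all(rr[2] != port for rr in rrs):
            problems.append(f"{owner} has no SRV pointing at port {port}")
    return problems
```

Feed it the DC's zone file (or the output of a zone transfer) to confirm both the plain and the dc._msdcs names are served before pointing clients at the domain.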
