http://wiki.samba.org/index.php/Samba4/HOWTO doc differences

Matthieu Patou mat at samba.org
Sun Jul 1 15:56:24 MDT 2012


On 06/30/2012 09:56 PM, Andrew Buckeridge wrote:
> Step 4: Provision Samba4
>
> Tried
>
>>   # /usr/local/samba/sbin/provision \
>>     --realm=samdom.example.com --domain=SAMDOM \
>>     --adminpass=SOMEPASSWORD --server-role=dc
> Gave
>
>> get_nt_acl_no_snum: fset_nt_acl returned zero.
>> ProvisioningError: Your filesystem or build does not support posix
>> ACLs, which s3fs requires.  Try the mounting the filesystem with the
>> 'acl' option.
> Tried
>
>> posix:eadb = /usr/local/samba/eadb.tdb
> Did not help with provision, but --use-xattrs=no did. I would recommend
> this as normal practice if you want to keep the host system Unixy for
> other applications. This will enhance both security and reliability of
> that system. It will make audits and testing much simpler.
>
> Made this mistake of remounting volume with ACLs before I found
> --use-xattrs=no. It's now dirty and needs to be cleaned.
You need to install the libacl1-dev package and rebuild samba; that's 
because s3fs needs to be able to set both extended posix acls and 
extended attributes.

>
> My guidelines for ACLs on Unix:--
>   1. Don't.
>   2. If you think you want fine grained control, think again.
>   3. The Unix group if used properly will probably do what you want.
>   4. If you must have an ACL, make it the exception and don't rely on it.
>   5. Have you looked at Plan9.
You have to understand also that you really really really want that 
files created in Windows have similar ACLs on the unix side. That's why 
extended ACLs are needed: because Samba will rely on the kernel to 
enforce file access, you could end up with an NTACL granting you access 
on the file but posix rights denying it.
>
> In the case of the exception being in a TDB it does not apply to shell
> accounts so you should rely on Unix permissions. Point 4. I like using
> groups, sticky and setgid of ratified POSIX and not the non-ratified
> ACLs. It's only Windows stuff anyway.
No, see my point just before, and also you have to understand that very 
often it's compelling to create files on the Unix side and have them with 
pretty decent NTACLs on the windows side (ie. files created with scripting).

> Step 8 Configure DNS
>
> Windows XP looked for _ldap._tcp inside dc._msdcs!
>
> So added both copies to there.
>
> _ldap._tcp      IN SRV  0 100 389 chrp
> _kerberos._udp  IN SRV  0 100 88 chrp
> _ldap._tcp.dc._msdcs    IN SRV  0 100 389 chrp
> _kerberos._udp.dc._msdcs        IN SRV  0 100 88 chrp
>
> Note that my Windows XP is in VM running through NAT, but DNS knows it
> as the host due to NAT. See if I can bridge and still get VMWare
> services.
This is not needed; something must be wrong in your setup, as samba 
registers these records automatically.
> Instructions for bind9 9.7.x
>
> Note that I could not get BIND 9.7.3 build with Debian squeeze to
> accept the step 8 hacks. Using isc-dhcp-server ddns-update-style
> interim to update DNS zone used as realm. (Similar to the wins
> proxy of Samba3.)
You have to try harder; I was able to make it work using the flat file 
backend and the interim solution.
> Note that a DHCP user can block machine from registering, but this does
> not happen often. E.g. give laptop and desktop machines the same name.
>
> /usr/local/samba/sbin/samba_dnsupdate: response to GSS-TSIG query was
> unsuccessful
>
> Is it possible to get this to use ddns-update-style interim as root or
> bind user on localhost? I think privilege separation is superior (both
> secure and reliable) when compared to secrets and hashes. (The chances
> of anything coming from Mars are ... Bogons are another problem, but
> localhost is loopback interface only in GNU/Linux.)
>
> Rather than have dhcpd do it Samba could do it after authentication.
This part of the email is really not clear; english is not my native 
language so it might be the reason, the other reason is that you are 
mixing things imho.
So I'll do a kind of answer that is not completely related to your 
question but that should give you enough hints.
So you can use bind 9.7.3 and samba 4 with the flat file backend; you 
need to follow closely the instructions here:
https://wiki.samba.org/index.php/Samba4/HOWTO#Instructions_for_bind9_9.7.x
You have to be sure that bind can access the files that are in 
<path_to_samba_provision>/private, and be sure to check that apparmor is 
not running as it makes things much more complicated.

Once you have this working you can add static entries in 
<path_to_samba_provision>/private/named.conf.static to grant dhcp the 
right to update DNS records (interim ddns-update-style).
Interim ddns-update is not superior to GSS-TSIG in terms of security, as 
basically you configure bind to trust any changes from dhcpd, which in 
turn uses the MD5 of the client identification to check if the DNS 
records can be updated. This makes it very very easy for machineA to 
pretend it's machineB and update the DNS record.

At the opposite, GSS-TSIG as used by bind9 is leveraging Kerberos, so 
first when machineA sends a signed update request you know that it has 
been signed by someone/something knowing machineA's secrets (which pretty 
much boils down to "be machineA" unless this box is compromised); then 
you have a second set of rules in bind (as described by 
named.conf.update) that defines who can do what, and by default everybody 
but the DCs and Administrator can only change A and AAAA records related 
to their identity as described in the kerberos ticket.
It makes it impossible (without exploiting a bug) for machineA to update 
an A or AAAA record for machineB.

As far as I'm concerned I found the second solution much more secure, but 
that's maybe a matter of taste.

>
> Step 7 Create a share in smb.conf
>
> After kill -15 or kill -1 of master it may have left PID file behind
> which was not checked. I was attempting to load a new share.
>
> chrp:/usr/local/samba$ ./bin/smbclient4 -L localhost -U%
> Failed to connect to ncacn_np:localhost - NT_STATUS_NO_MEMORY
> REWRITE: list servers not implemented
>
> Before it had succeeded. Now it started, but did not function properly.
>
> Windows domain logon as administrator failed with:--
>> The format of the specified network name is invalid.
This is a known issue with s3fs not cleaning correctly its pid file. 
I'll update the howto to reflect the fact that if you have this error 
message then try to remove the pid file.
In the long run we might make samba, which spawns the s3fs processes, 
remove the pid file at startup, but this solution has also problems.

Matthieu

-- 
Matthieu Patou
Samba Team
http://samba.org
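A preflight check for the two filesystem features Matthieu says s3fs needs (extended attributes and POSIX ACLs), as an added example that is not part of this thread, of the Samba HOWTO, or of Samba's own code. It probes a scratch file in a directory you name with a user.* extended attribute and with setfacl; the probe attribute name, the status strings and the default directory are this example's own assumptions.

```python
import errno
import os
import subprocess
import tempfile

# Assumed probe name. The user.* namespace needs no privilege, so it is a
# safe proxy for "does this mount carry xattrs at all" (Samba itself stores
# NT ACLs in the privileged security.NTACL attribute).
PROBE_ATTR = "user.samba.probe"

def xattr_status(directory: str) -> str:
    """'ok' if a user.* xattr round-trips on a file in `directory`,
    'unsupported' if the filesystem refuses (ENOTSUP, the usual result of a
    mount without xattr support), 'unavailable' if this Python has no
    os.setxattr (non-Linux), otherwise 'error:<errno name>'."""
    if not hasattr(os, "setxattr"):
        return "unavailable"
    fd, path = tempfile.mkstemp(dir=directory, prefix=".xattr-probe-")
    os.close(fd)
    try:
        os.setxattr(path, PROBE_ATTR, b"1")
        return "ok" if os.getxattr(path, PROBE_ATTR) == b"1" else "error:readback"
    except OSError as e:
        if e.errno == getattr(errno, "ENOTSUP", 95):
            return "unsupported"
        return f"error:{errno.errorcode.get(e.errno, e.errno)}"
    finally:
        os.unlink(path)

def posix_acl_status(directory: str) -> str:
    """Same idea for POSIX ACLs, using the setfacl(1) tool from the acl
    package: grant the current uid a read ACE on a scratch file. 'ok',
    'unsupported' (mount lacks ACL support), 'unavailable' (no setfacl or
    no uid on this platform) or 'error:<stderr>'."""
    if not hasattr(os, "getuid"):
        return "unavailable"
    fd, path = tempfile.mkstemp(dir=directory, prefix=".acl-probe-")
    os.close(fd)
    try:
        proc = subprocess.run(
            ["setfacl", "-m", f"u:{os.getuid()}:r", path],
            capture_output=True, text=True,
        )
    except FileNotFoundError:
        return "unavailable"
    finally:
        os.unlink(path)
    if proc.returncode == 0:
        return "ok"
    if "not supported" in proc.stderr.lower():
        return "unsupported"
    return f"error:{proc.stderr.strip()}"

def provision_preflight(directory: str = None) -> dict:
    """Run both probes; both must report 'ok' before provisioning with the
    default (xattr-backed) s3fs configuration. Defaults to the temp dir,
    which is only a demonstration target: point it at the share path."""
    directory = directory or tempfile.gettempdir()
    return {"xattr": xattr_status(directory), "posix_acl": posix_acl_status(directory)}

if __name__ == "__main__":
    for feature, status in provision_preflight().items():
        print(f"{feature:10} {status}")
```

Run it against the directory the Samba provision and shares will live on, not /tmp; a tmpfs or a container overlay can pass while the real data volume is mounted without the acl/user_xattr options.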

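The update-authorization contrast Matthieu draws (interim style trusts dhcpd, which only checks a hash of the DHCP client identifier; GSS-TSIG ties the update to a Kerberos principal and then applies the grants in named.conf.update), as an added example that is not part of this thread or of Samba's, BIND's or ISC dhcpd's code. The rule shapes, the principal names, the zone and the sample requests are constructed for illustration; BIND's real update-policy grammar and the named.conf.update that provision generates differ in syntax, though the effect modelled here (machines may touch only A/AAAA for their own name, DCs and Administrator may touch anything) is the one the thread describes.

```python
import hashlib
from dataclasses import dataclass
from typing import FrozenSet, Optional, Sequence

@dataclass(frozen=True)
class UpdateRequest:
    name: str                 # FQDN of the record being changed
    rrtype: str               # "A", "AAAA", "SRV", ...
    principal: Optional[str]  # Kerberos principal behind the GSS-TSIG signature; None if unsigned

@dataclass(frozen=True)
class GrantRule:
    identity: str             # exact principal, or "*" for any signer
    match: str                # "self": only the signer's own host name; "subdomain": anything under target
    target: str               # zone apex for "subdomain" rules (ignored for "self")
    rrtypes: FrozenSet[str]   # permitted record types; empty means any type

def principal_host(principal: str) -> Optional[str]:
    """Map a machine-account principal such as MACHINEA$@SAMDOM.EXAMPLE.COM to
    the host name it may speak for (machinea.samdom.example.com). User
    principals carry no trailing '$' and therefore own no host name."""
    account, _, realm = principal.partition("@")
    if not account.endswith("$") or not realm:
        return None
    return f"{account[:-1]}.{realm}".lower()

def gss_tsig_allows(req: UpdateRequest, policy: Sequence[GrantRule]) -> bool:
    """Default-deny evaluation of grant rules against a signed update. The
    signer's identity comes from the Kerberos ticket, so a "self" rule binds
    the update to the machine that actually holds the key."""
    if req.principal is None:
        return False  # unsigned (or badly signed) updates never reach the policy
    name = req.name.lower().rstrip(".")
    for rule in policy:
        if rule.identity != "*" and rule.identity.lower() != req.principal.lower():
            continue
        if rule.rrtypes and req.rrtype.upper() not in rule.rrtypes:
            continue
        if rule.match == "self":
            if principal_host(req.principal) != name:
                continue
        elif rule.match == "subdomain":
            apex = rule.target.lower().rstrip(".")
            if name != apex and not name.endswith("." + apex):
                continue
        else:
            continue  # unknown match kind grants nothing
        return True
    return False

def register_claim(claims: dict, name: str, client_id: bytes) -> None:
    """Interim-style bookkeeping: dhcpd stores the MD5 of the DHCP client
    identifier alongside the name (a TXT record in the real scheme)."""
    claims[name.lower()] = hashlib.md5(client_id).hexdigest()

def interim_allows(name: str, client_id: bytes, claims: dict) -> bool:
    """Interim-style check: a name may be changed if it is unclaimed or the
    presented identifier hashes to the stored value. Nothing here says who
    sent the request; presenting the identifier is the whole proof, which is
    the weakness the thread points at."""
    recorded = claims.get(name.lower())
    return recorded is None or recorded == hashlib.md5(client_id).hexdigest()

# Constructed policy in the spirit of the generated named.conf.update.
REALM = "samdom.example.com"
POLICY = (
    GrantRule("*", "self", "", frozenset({"A", "AAAA"})),
    GrantRule("Administrator@SAMDOM.EXAMPLE.COM", "subdomain", REALM, frozenset()),
    GrantRule("DC1$@SAMDOM.EXAMPLE.COM", "subdomain", REALM, frozenset()),
)

def demo() -> dict:
    """Sample decisions; names and principals are constructed."""
    a = "MACHINEA$@SAMDOM.EXAMPLE.COM"
    dc = "DC1$@SAMDOM.EXAMPLE.COM"
    return {
        "own A record":    gss_tsig_allows(UpdateRequest("machinea.samdom.example.com", "A", a), POLICY),
        "other host's A":  gss_tsig_allows(UpdateRequest("machineb.samdom.example.com", "A", a), POLICY),
        "own SRV record":  gss_tsig_allows(UpdateRequest("machinea.samdom.example.com", "SRV", a), POLICY),
        "DC updates SRV":  gss_tsig_allows(UpdateRequest("_ldap._tcp.dc._msdcs.samdom.example.com", "SRV", dc), POLICY),
        "unsigned":        gss_tsig_allows(UpdateRequest("machinea.samdom.example.com", "A", None), POLICY),
    }

if __name__ == "__main__":
    for label, allowed in demo().items():
        print(f"{label:16} -> {'allow' if allowed else 'deny'}")
```

The point to carry over to a real deployment is the second gate: a valid signature only establishes who is asking, and it is the grant rules that keep an ordinary machine account away from other hosts' records and from the SRV records the DCs register.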

