doc differences

Andrew Buckeridge andrewb at
Sat Jun 30 22:56:19 MDT 2012

Step 4: Provision Samba4


>  # /usr/local/samba/sbin/provision \
> --domain=SAMDOM \
>    --adminpass=SOMEPASSWORD --server-role=dc


> get_nt_acl_no_snum: fset_nt_acl returned zero.
> ProvisioningError: Your filesystem or build does not support posix
> ACLs, which s3fs requires.  Try the mounting the filesystem with the
> 'acl' option.


> posix:eadb = /usr/local/samba/eadb.tdb

Did not help with provision, but --use-xattrs=no did. I would recommend
this as normal practice if you want to keep the host system Unixy for
other applications. This will enhance both security and reliability of
that system. It will make audits and testing much simpler.

Made this mistake of remounting the volume with ACLs before I found
--use-xattrs=no. It's now dirty and needs to be cleaned.

My guidelines for ACLs on Unix:--
 1. Don't.
 2. If you think you want fine grained control, think again.
 3. The Unix group if used properly will probably do what you want.
 4. If you must have an ACL, make it the exception and don't rely on it.
 5. Have you looked at Plan9?

In the case of the exception being in a TDB it does not apply to shell
accounts, so you should rely on Unix permissions. Point 4. I like using
groups, sticky and setgid of ratified POSIX and not the non-ratified
ACLs. It's only Windows stuff anyway.

Step 8 Configure DNS

Windows XP looked for _ldap._tcp inside dc._msdcs!

So I added both copies there.

_ldap._tcp      IN SRV  0 100 389 chrp
_kerberos._udp  IN SRV  0 100 88 chrp
_ldap._tcp.dc._msdcs    IN SRV  0 100 389 chrp
_kerberos._udp.dc._msdcs        IN SRV  0 100 88 chrp

Note that my Windows XP is in VM running through NAT, but DNS knows it
as the host due to NAT. See if I can bridge and still get VMWare

Instructions for bind9 9.7.x

Note that I could not get the BIND 9.7.3 build with Debian squeeze to
accept the step 8 hacks. Using isc-dhcp-server ddns-update-style
interim to update the DNS zone used as realm. (Similar to the wins
proxy of Samba3.)

Note that a DHCP user can block a machine from registering, but this does
not happen often. E.g. give laptop and desktop machines the same name.

/usr/local/samba/sbin/samba_dnsupdate: response to GSS-TSIG query was

Is it possible to get this to use ddns-update-style interim as root or
bind user on localhost? I think privilege separation is superior (both
secure and reliable) when compared to secrets and hashes. (The chances
of anything coming from Mars are ... Bogons are another problem, but
localhost is the loopback interface only in GNU/Linux.)

Rather than have dhcpd do it Samba could do it after authentication.

Step 7 Create a share in smb.conf

After kill -15 or kill -1 of the master it may have left a PID file behind
which was not checked. I was attempting to load a new share.

chrp:/usr/local/samba$ ./bin/smbclient4 -L localhost -U%
Failed to connect to ncacn_np:localhost - NT_STATUS_NO_MEMORY
REWRITE: list servers not implemented

Before it had succeeded. Now it started, but did not function properly.

Windows domain logon as administrator failed with:--
> The format of the specified network name is invalid.

(This is Microspeak, the annoyances that pop up on average every 5 min in
Windows. You can emulate this experience in Unix with Bash (for RANDOM):
while xmessage -buttons "Ok:0,No\, It's not ok:0" -- `fortune`; do
sleep $((RANDOM%599)); done&)

Had to clean invalid
which was not checked and replaced at start up.

Could then connect with Samba 3.0 of Snow Leopard.
(Have a build of samba4 from ports for later if NAT is an issue.)

Could then complete Windows XP logon dialog.
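The DNS point above (XP-era clients query _ldap._tcp under dc._msdcs, so the zone needs both copies) is easy to get wrong when records are hand-edited. Below is an added example, not code from the post or from Samba, that parses a BIND-style zone fragment and checks that each base SRV name has a dc._msdcs twin with identical priority, weight, port and target; the sample zone text is constructed from the four records in the post.

```python
import re

# Constructed sample zone fragment modelled on the records in the post
# (relative owner names, no trailing dot, DC host "chrp").
SAMPLE_ZONE = """\
_ldap._tcp      IN SRV  0 100 389 chrp
_kerberos._udp  IN SRV  0 100 88 chrp
_ldap._tcp.dc._msdcs    IN SRV  0 100 389 chrp
_kerberos._udp.dc._msdcs        IN SRV  0 100 88 chrp
"""

# owner [ttl] IN SRV priority weight port target
SRV_RE = re.compile(
    r"^(\S+)\s+(?:\d+\s+)?IN\s+SRV\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)\s*$"
)


def parse_srv(zone_text):
    """Return {owner: (priority, weight, port, target)} for every SRV
    line in the fragment; comments (;) and blank lines are skipped."""
    records = {}
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line:
            continue
        m = SRV_RE.match(line)
        if m:
            owner, prio, weight, port, target = m.groups()
            records[owner] = (int(prio), int(weight), int(port), target)
    return records


def check_msdcs_mirror(records, base_names=("_ldap._tcp", "_kerberos._udp")):
    """For each base SRV name require a dc._msdcs twin carrying the same
    data. Returns a list of problem strings; empty means consistent."""
    problems = []
    for base in base_names:
        twin = f"{base}.dc._msdcs"
        if base not in records:
            problems.append(f"missing {base}")
            continue
        if twin not in records:
            problems.append(f"missing {twin} (XP-style clients query this)")
        elif records[twin] != records[base]:
            problems.append(
                f"{twin} differs from {base}: {records[twin]} vs {records[base]}"
            )
    return problems


if __name__ == "__main__":
    print(check_msdcs_mirror(parse_srv(SAMPLE_ZONE)) or "zone consistent")
```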
