Samba4 on OpenBSD: a report (tags: waf, s3fs, ntvfs)

Tue Sep 1 01:43:49 UTC 2015

On Mon, 2015-08-31 at 11:29 -0700, Jeremy Allison wrote:
> On Mon, Aug 31, 2015 at 05:41:32PM +0200, Jérémie Courrèges-Anglas 
> wrote:
> > 
> > Hi,
> > 
> > last week we (OpenBSD) have switched the net/samba package in our 
> > ports
> > tree from latest Samba3 (+ patches) to Samba4 - samba-4.1.19 to be
> > exact.  The work on Samba4 was started by OpenBSD developer Vadim
> > Zhukov, who did a big amount of work.  The co-maintainers of this 
> > samba
> > port are Ian (cc'd) and I.
> > 
> > Here's a bit of feedback about the transition to samba4.
> > 
> > One thing made the transition complicated: waf.  The problem is 
> > that, as
> > opposed to autotools that have been tested on and have knowledge of 
> > tons
> > of environments, waf is young.  Plus it encourages you to write 
> > custom
> > code, which then breaks on "exotic" setups.  This is the case on
> > OpenBSD, where we use a traditional shared libraries naming scheme.
> > Right now updating to samba-4.2.3 is not possible because of 
> > changes in
> > this regard in samba 4.2.x.  I'll try to discuss these problems in 
> > time
> > with Samba developers that want to give a hand.
> 
> Yeah, opinions in the Team are very divided over waf. Those who
> love it, really love it. Those who don't... are less happy :-).

The waf journey has been an interesting one.  One thing it has done
(along with autobuild to enforce it) is raise the bar substantially on
what we expect out of a build system.

> As always, patches to make us work better on OpenBSD would be
> very welcome.
> 
> > There is another particular point that matters for OpenBSD support: 
> > s3fs
> > vs. ntvfs.  I have lightly tested a Samba AD DC setup, which 
> > required
> > the use of ntvfs instead of s3fs (the default).  s3fs failed 
> > because ACL
> > support is required, alas "POSIX" ACLs aren't available on OpenBSD 
> > (and
> > there is no plan to change that).  Thus I'd like to inquire what 
> > are the
> > plans regarding ntvfs and s3fs.  Maybe s3fs could be made to work
> > without requiring ACLs?
> 
> Unfortunately that can't be done. AD-DC *requires* ACL support
> on the filesystem. You could run it in a configuration that
> allows Windows ACLs to be stored in extended attributes (or
> a tdb database) but then it wouldn't be safe to allow local
> users access to the files.

Exactly.  The only area that I can see some forward progress being
possible on is allowing a provision onto an NFSv4-ACLed filesystem, as
that is mostly a matter of setting up the right VFS modules.  I don't
see OpenBSD supporting the AD DC any time soon.

This won't stop it being used as a great file server, however.

Thanks,

Andrew Bartlett

-- 
Andrew Bartlett
https://samba.org/~abartlet/
Authentication Developer, Samba Team         https://samba.org
Samba Development and Support, Catalyst IT   
https://catalyst.net.nz/services/samba