[WIP] Remove confusing --use-xattrs option from samba-tool domain provision

Sun Sep 4 14:02:33 UTC 2016

On Sun, 04 Sep 2016, Rowland Penny wrote:
> On Sun, 4 Sep 2016 16:21:24 +0300
> Alexander Bokovoy <ab at samba.org> wrote:
> 
> > On Sun, 04 Sep 2016, Rowland Penny wrote:
> > > On Sun, 04 Sep 2016 22:32:46 +1200
> > > Andrew Bartlett <abartlet at samba.org> wrote:
> > > 
> > > > We keep it if built with NTVFS support, but it should cause less
> > > > confusion once most users stop seeing it. 
> > > > 
> > > > I realise this may break some scripts, but in this case I think
> > > > it is worth it for the simplification. 
> > > > 
> > > > This isn't for 4.5 (we don't change this kind of thing during an
> > > > RC), but should help simplify things for 4.6, and make it clear
> > > > to others that the default of --use-xattr is and has always been
> > > > perfectly correct. 
> > > > 
> > > > I'm running an autobuild to confirm I haven't broken anything
> > > > else. 
> > > > 
> > > > Comment welcome.
> > > > 
> > > > Andrew Bartlett
> > > 
> > > Hi Andrew, there is this in the patch header:
> > > 
> > > The only reasonable use --use-xattrs=no should be used is in
> > > selftest, and there is no need for that or --use-xattrs=auto without
> > > --use-ntvfs, all systems we support in production for the AD DC have
> > > xattrs, as using smbd needs posix ACLs.
> > > 
> > > I take it we are no longer supporting UNIX OS's, because from my
> > > testing on Freebsd, you cannot provision an AD DC on that OS, this
> > > is because '--use-ntvfs' has been removed from the options and
> > > Freebsd uses ntvfs4 ACLs.
> > > 
> > > Can I also ask why, now that we only seem to support OS's that also
> > > support posix ACLs, why we are still using ntvfs, wouldn't this be a
> > > good time to get rid of it. I mean, what is the point of keeping
> > > code around that will never be used except for testing against.
> > Rowland, FreeBSD has support for POSIX ACLs and extended attributes
> > for years. See http://zewaren.net/site/node/154 for example how to
> > enable them in UFS volumes.
> > 
> 
> ON UFS they may do, but I was trying to find out why a user was having
> problems and he was using ZFS. To provision a DC on ZFS, you
> have to use '--use-ntvfs', the only problem is that this option no
> longer exists, so you have to ptovision with an earlier version and
> then update Samba.
ZFS does not provide POSIX ACLs, it provides NFSv4 ACLs. You need to use
vfs_zfsacl which requires libsunacl. libsunacl is available in FreeBSD
ports collection.

https://wiki.freebsd.org/NFSv4_ACLs describes briefly how it is done.

A typical setup is shown here:
https://daniel.washburn.at/howtos/freebsd-samba4-zfs-recipe

I think we need to look into the provision script and add a
configuration variant for installing with vfs_zfsacl.

-- 
/ Alexander Bokovoy