[Samba] FreeBSD-11 and Samba-4.6 as a DC

Rowland Penny rpenny at samba.org
Thu Jul 13 17:52:12 UTC 2017


On Fri, 14 Jul 2017 02:52:12 +1000
Dewayne Geraghty <dewayne.geraghty at heuristicsystems.com.au> wrote:

> 
> Rowland - you may have missed that I did say (no NFS).  There are no
> FreeBSD patches regarding NFSv*.

If FreeBSD hasn't come up with some way to use NFSv4 ACLs, then it
isn't going to be possible to provision a Samba AD DC.

> 
> James, unfortunately I have a Samba AD but it's 4.3 (like you).  I
> use tunefs to assign POSIX ACLs to the disks, hence they are:
> ufs, local, noatime, soft-updates, acls
> 
> So I thought OK - let's just build the latest samba46 (4.6.4) on a
> virgin platform Xeon, FreeBSD 11.1-Prerelease amd64.  All devices are
> gmirrored UFS with POSIX ACLs.
> 
> So I created a script that modelled as closely as possible
> https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller
> changing only:
> 
> HOST=jupiter
> DOMAIN=hs
> REALM=HS1
> IPv4="10.0.5.198"
> PASSWD="abcdef_1A"
> # Note: SAMBA_ZONE and PRIMARY_DNS substitutions occur later
> 
> and populating /etc/hosts appropriately.
> 
> # samba-tool domain provision --use-rfc2307 --realm=$REALM
> --domain=$DOMAIN --server-role=dc --option="interfaces=lo blue"
> --option="bind interfaces only=yes" --dns-backend=BIND9_DLZ
> --adminpass="$PASSWD"
> Looking up IPv4 addresses
> Looking up IPv6 addresses
> No IPv6 address will be assigned
> ...
> Setting up self join
> set_nt_acl_no_snum: fset_nt_acl returned NT_STATUS_INVALID_PARAMETER.
> ERROR(runtime): uncaught exception - (-1073741811, 'Unexpected information received')
>   File "/usr/local/lib/python2.7/site-packages/samba/netcmd/__init__.py", line 176, in _run
>     return self.run(*args, **kwargs)
>   File "/usr/local/lib/python2.7/site-packages/samba/netcmd/domain.py", line 471, in run
>     nosync=ldap_backend_nosync, ldap_dryrun_mode=ldap_dryrun_mode)
>   File "/usr/local/lib/python2.7/site-packages/samba/provision/__init__.py", line 2175, in provision
>     skip_sysvolacl=skip_sysvolacl)
>   File "/usr/local/lib/python2.7/site-packages/samba/provision/__init__.py", line 1806, in provision_fill
>     names.domaindn, lp, use_ntvfs)
>   File "/usr/local/lib/python2.7/site-packages/samba/provision/__init__.py", line 1593, in setsysvolacl
>     service=SYSVOL_SERVICE)
>   File "/usr/local/lib/python2.7/site-packages/samba/ntacls.py", line 162, in setntacl
>     smbd.set_nt_acl(file, security.SECINFO_OWNER | security.SECINFO_GROUP | security.SECINFO_DACL | security.SECINFO_SACL, sd, service=service)
> #
> 
> Is this your experience?

This is what I get when I try to provision a DC on FreeBSD.

> 
> Take note of the line:
>   File "/usr/local/lib/python2.7/site-packages/samba/provision/__init__.py", line 1806, in provision_fill
>     names.domaindn, lp, use_ntvfs)
> as the default samba (FreeBSD port) build does not enable ntvfs as it's
> deprecated.  Maybe a rebuild is in order?

If you want to enable 'ntvfs', you can, by using '--enable-selftest'
with ./configure. But, you should be aware that 'ntvfs' is deprecated
and is now only used in tests and could be removed at any time.

> 
> 
> For Timur, (the FreeBSD maintainer of the Samba ports):
> # smbd -b
> Build environment:
>    Built by:    root at b2.hs
>    Built on:    Tue Jul 11 23:26:55 AEST 2017
>    Built using: gcc5
>    Build host:  FreeBSD b2.hs 11.1-PRERELEASE FreeBSD 11.1-PRERELEASE #0 r320703M: Thu Jul  6 22:35:19 AEST 2017 root at hathor:/110007/D/K8/hqdev-amd64-smp-vga amd64
> SRCDIR:      /var/ports/usr/ports/net/samba46/work/samba-4.6.4/source3
> BUILDDIR:    /var/ports/usr/ports/net/samba46/work/samba-4.6.4/source3
> 
> Paths:
>    SBINDIR: /usr/local/sbin
>    BINDIR: /usr/local/bin
>    CONFIGFILE: /usr/local/etc/smb4.conf
>    LOGFILEBASE: /var/log/samba4
>    LMHOSTSFILE: /usr/local/etc/lmhosts
>    LIBDIR: /usr/local/lib/samba4
>    MODULESDIR: /usr/local/lib/shared-modules
>    SHLIBEXT: so
>    LOCKDIR: /var/db/samba4
>    STATEDIR: /var/db/samba4
>    CACHEDIR: /var/db/samba4
>    PIDDIR: /var/run/samba4
>    SMB_PASSWD_FILE: /var/db/samba4-private/smbpasswd
>    PRIVATE_DIR: /var/db/samba4-private
> ...
> Builtin modules:
>    vfs_default vfs_posixacl auth_domain auth_builtin auth_sam
> auth_winbind pdb_wbc_sam auth_unix auth_wbc nss_info_template
> idmap_tdb idmap_passdb pdb_samba_dsdb auth_samba4 vfs_dfs_samba4
> 
> Timur, I modified from standard the modules (as we were testing
> various settings, particularly authentication) but I doubt that's
> significant?
> 
> If it is a requirement for Samba AD to use EXT4 formatted devices, as
> Rowland advises, then there is a serious problem.

I am not saying you have to use ext4, I am saying that Samba requires a
filesystem that understands the same ACLs that ext4 does. Either that or
patches to make Samba understand NFSv4 ACLs.

Rowland



