[Samba] DC replications of FreeBSD samba-4.10.15

Andrew Walker walker.aj325 at gmail.com
Mon Jul 13 14:47:20 UTC 2020


On Mon, Jul 13, 2020 at 10:24 AM Andrea Venturoli via samba <
samba at lists.samba.org> wrote:

> On 2020-07-13 15:06, James B. Byrne wrote:
>
> >> Just out of curiosity, are you also using vfs_zfsacl?
> >
> > Yes.
>
> But only on DC1, AFAICT!
> I see no mention of it on DC2's smb.conf.
> That could be the reason why you have two different behaviours.
>
>   bye
>         av.
>
>
> This is highly probable. Try setting vfs_zfsacl.

In the absence of explicitly configured vfs objects, Samba will default to
"vfs objects = dfs_samba4 acl_xattr" when the AD Domain Controller role is
set. Unfortunately, this doesn't work as intended on FreeBSD due to
differences in available xattr namespaces. This is particularly problematic
for a DC in a jail because by default (and with good reason) jailed
processes can't write into the system namespace [if we decide to write the
ACL there instead of security]. It's theoretically possible to write the NT
ACL xattr into the user namespace, but it would be pretty horrible from a
security standpoint. The result is that currently vfs_zfsacl is the only
real option for jails.
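
Added example, not part of the original message and not Samba project code: a small audit that reports which shares of an AD DC smb.conf still end up on the acl_xattr default described above instead of zfsacl. The two sample configs, their paths and the realm name are constructed to mirror the DC1/DC2 difference in this thread; the function names are hypothetical.

```python
import re

# Default the message says Samba applies when the AD DC role is set and
# "vfs objects" is not configured explicitly.
DC_DEFAULT_VFS = ["dfs_samba4", "acl_xattr"]

def parse_smb_conf(text):
    """Return {section: {param: value}}. Parameter names are lower-cased and
    stripped of spaces, since smb.conf ignores case and whitespace in names."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = sections.setdefault(header.group(1).strip().lower(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[re.sub(r"\s+", "", key).lower()] = value.strip()
    return sections

def module_list(value):
    """Split a 'vfs objects' value on whitespace or commas."""
    return [m for m in re.split(r"[\s,]+", value) if m]

def effective_vfs(text):
    """Map each share of an AD DC config to the vfs objects it ends up with."""
    conf = parse_smb_conf(text)
    glob = conf.get("global", {})
    if glob.get("serverrole", "").lower() != "active directory domain controller":
        return {}
    fallback = module_list(glob["vfsobjects"]) if "vfsobjects" in glob else DC_DEFAULT_VFS
    return {name: (module_list(p["vfsobjects"]) if "vfsobjects" in p else fallback)
            for name, p in conf.items() if name != "global"}

def shares_without_zfsacl(text):
    """Shares that still depend on acl_xattr or do not load zfsacl."""
    return sorted(name for name, mods in effective_vfs(text).items()
                  if "acl_xattr" in mods or "zfsacl" not in mods)

# Constructed samples: DC1 sets zfsacl globally, DC2 sets nothing.
DC1 = """[global]
    server role = active directory domain controller
    vfs objects = dfs_samba4 zfsacl
[sysvol]
    path = /var/db/samba4/sysvol
[netlogon]
    path = /var/db/samba4/sysvol/example.test/scripts
"""
DC2 = DC1.replace("    vfs objects = dfs_samba4 zfsacl\n", "")
```

Running shares_without_zfsacl() over each DC's smb.conf shows at a glance whether the controllers are configured alike; a share-level "vfs objects" line overrides the global one, so both levels are resolved before the check.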

