Date:      Mon, 6 Nov 2017 08:26:05 +0100
From:      Andrea Venturoli <ml@netfence.it>
To:        Alexander Zagrebin <alex@zagrebin.ru>, freebsd-net@freebsd.org
Subject:   Re: Help provisioning a Samba AD in a jail on ZFS
Message-ID:  <8813fc50-2187-2860-eda1-5ace9e120c22@netfence.it>
In-Reply-To: <20171102100947.424ce456@vm2.home.zagrebin.ru>
References:  <57dc8e1e-6e38-456d-f70d-291d6bf68bb8@netfence.it> <20171102100947.424ce456@vm2.home.zagrebin.ru>

On 11/02/17 08:09, Alexander Zagrebin wrote:
> On Wed, 1 Nov 2017 16:01:18 +0100
> Andrea Venturoli <ml@netfence.it> writes:
> 
> It seems it's offtopic here, but I'll try to answer.

Doh!
I was going to write to -port, but wrote -net in the end...
Sorry!
> To set up a new samba46-based domain controller on ZFS in a jail (I'm
> using it with VIMAGE) you can try the following:

I'm not using VIMAGE (at least not yet).
> 1. Rebuild the net/samba46 port with the attached patches
>     (patch-librpc__idl__xattr.idl, patch-python__samba__provision____init__.py)
> 
> 2. Initialize the new domain with the following command (the last two
>     parameters make the magic):
>     samba-tool domain provision --use-rfc2307 \
>      --host-name=<YOUR_DC_NAME> \
>      --realm=<YOUR_REALM> \
>      --domain=<YOUR_DOMAIN_NAME> \
>      --adminpass=<password> \
>      --option="vfs objects = acl_xattr" \
>      --option="acl_xattr:ignore system acls = yes"
> 
> 3. After successful provisioning, edit /usr/local/etc/smb4.conf:
>     - remove or comment out
>       vfs objects = acl_xattr
>       acl_xattr:ignore system acls = yes
>     - add the following:
>       vfs objects = zfsacl
>       nfs4:mode = special
>       nfs4:acedup = merge
>       nfs4:chown = yes
> 
> 4. Execute `samba-tool ntacl sysvolreset`
> 
> 5. Start samba

Looks like it worked.
Hope I don't get any surprise in the deployment phase...

Thank you very much!!!
> It is not an ideal solution, but it seems to be working,
> although there are other resolvable issues (with BIND9_DLZ
> and so on)...

I'm using internal DNS, anyway...
> I've sent the patches to the port maintainer, but have had no answer.

Perhaps you could try and file a bug report?
At the very least users would be able to find your patches.
  bye & Thanks
	av.
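The following script is an added example, not code from either poster or from the Samba port: it wraps steps 2 to 5 of the quoted procedure so they can be re-run consistently on every new DC. The `samba-tool` flags and the smb4.conf settings are exactly the ones quoted above; the `DRY_RUN` switch, the `SMB_CONF` variable, the `.bak` backup and the `samba_server` rc script name are assumptions of this example. The config rewrite (step 3) is done with awk so that the `acl_xattr` provisioning-only settings are dropped and the `zfsacl` settings land inside `[global]`, and `conf_ok` checks the result before anything touches sysvol.

```shell
#!/bin/sh
# Added example (not from the thread): automate steps 2-5 of the quoted procedure.
# Assumptions: SMB_CONF path, DRY_RUN switch, samba_server rc script, .bak backup.
set -eu

SMB_CONF="${SMB_CONF:-/usr/local/etc/smb4.conf}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = only print the commands that need a real Samba install

run() {
    if [ "$DRY_RUN" = 1 ]; then printf 'would run: %s\n' "$*"; else "$@"; fi
}

# Step 2: provision with the two options from the thread, so ACLs are written
# as xattrs during provisioning instead of through the system ACL API.
# Usage: provision DC_NAME REALM DOMAIN ADMINPASS
provision() {
    run samba-tool domain provision --use-rfc2307 \
        --host-name="$1" --realm="$2" --domain="$3" --adminpass="$4" \
        --option="vfs objects = acl_xattr" \
        --option="acl_xattr:ignore system acls = yes"
}

# Step 3: drop the acl_xattr lines and add the zfsacl/nfs4 lines right after
# the [global] header. A copy of the original is kept as <conf>.bak.
rewrite_conf() {
    conf="$1"
    cp "$conf" "$conf.bak"
    awk '
        /^[ \t]*vfs objects[ \t]*=[ \t]*acl_xattr/ { next }
        /^[ \t]*acl_xattr:ignore system acls/       { next }
        { print }
        /^\[global\]/ {
            print "\tvfs objects = zfsacl"
            print "\tnfs4:mode = special"
            print "\tnfs4:acedup = merge"
            print "\tnfs4:chown = yes"
        }
    ' "$conf.bak" > "$conf"
}

# Sanity check after the rewrite: no acl_xattr left, all four zfsacl lines present.
conf_ok() {
    conf="$1"
    ! grep -q 'acl_xattr' "$conf" &&
    grep -q '^[[:space:]]*vfs objects[[:space:]]*=[[:space:]]*zfsacl' "$conf" &&
    grep -q 'nfs4:mode = special' "$conf" &&
    grep -q 'nfs4:acedup = merge' "$conf" &&
    grep -q 'nfs4:chown = yes' "$conf"
}

# Steps 4 and 5: re-apply the sysvol ACLs with the zfsacl module active, then start.
reset_sysvol_and_start() {
    run samba-tool ntacl sysvolreset
    run service samba_server start   # rc script name is an assumption
}

# Entry points:  ./provision-dc.sh provision DC1 AD.EXAMPLE.ORG EXAMPLE 'pass'
#                ./provision-dc.sh finish
case "${1:-}" in
    provision) provision "$2" "$3" "$4" "$5" ;;
    finish)    rewrite_conf "$SMB_CONF" && conf_ok "$SMB_CONF" && reset_sysvol_and_start ;;
esac
```

Run with `DRY_RUN=1` first to see the exact `samba-tool` and `service` invocations; `conf_ok` failing aborts before `sysvolreset`, so a half-edited smb4.conf never gets its ACLs reset under the wrong VFS module.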