From: Andrea Venturoli
To: Alexander Zagrebin, freebsd-net@freebsd.org
Subject: Re: Help provisioning a Samba AD in a jail on ZFS
Date: Mon, 6 Nov 2017 08:26:05 +0100

On 11/02/17 08:09, Alexander Zagrebin wrote:
> On Wed, 1 Nov 2017 16:01:18 +0100
> Andrea Venturoli wrote:
>
> It seems it's offtopic here, but I'll try to answer.

Doh! I was going to write to -port, but wrote -net in the end... Sorry!

> To set up a new samba46-based domain controller on ZFS in jail (I'm
> using it with the VIMAGE) you can try the following:

I'm not using VIMAGE (at least not yet).

> 1. Rebuild the net/samba46 port with the attached patches
> (patch-librpc__idl__xattr.idl, patch-python__samba__provision____init__.py)
>
> 2. Initialize new domain with the following command (the last two
> parameters make magic):
> samba-tool domain provision --use-rfc2307 \
>     --host-name= \
>     --realm= \
>     --domain= \
>     --adminpass= \
>     --option="vfs objects = acl_xattr" \
>     --option="acl_xattr:ignore system acls = yes"
>
> 3. After successful provisioning, edit /usr/local/etc/smb4.conf:
> - remove or comment out
>     vfs objects = acl_xattr
>     acl_xattr:ignore system acls = yes
> - add the following:
>     vfs objects = zfsacl
>     nfs4:mode = special
>     nfs4:acedup = merge
>     nfs4:chown = yes
>
> 4. Execute `samba-tool ntacl sysvolreset`
>
> 5. Start samba

Looks like it worked.
Hope I don't get any surprise in the deployment phase...
Thank you very much!!!

> It is not an ideal solution, but it seems to be working,
> although there are other resolvable issues (with BIND9_DLZ
> and so on)...

I'm using internal DNS, anyway...

> I've sent patches to the port maintainer, but have no answer.

Perhaps you could try and file a bug report?
At the very least users would be able to find your patches.

 bye & Thanks
	av.
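
Added example, not part of the original message or of the Samba port: a shell check that smb4.conf is in the state step 3 of the quoted procedure describes, useful before running step 4. The function names and the sample file are constructed for illustration, and settings are matched file-wide, ignoring section headers.

```shell
#!/bin/sh
# Added example (not from the thread): check that smb4.conf is in the state
# step 3 describes. Settings are matched file-wide, ignoring sections.

# Print active "key=value" lines: comments and section headers dropped,
# keys lowercased with whitespace collapsed, values left-trimmed.
smb4_settings() {
    awk '
        { sub(/^[ \t]+/, ""); sub(/[ \t\r]+$/, "") }
        /^[#;]/ || /^\[/ || !/=/ { next }
        {
            eq  = index($0, "=")
            key = tolower(substr($0, 1, eq - 1)); val = substr($0, eq + 1)
            gsub(/[ \t]+/, " ", key); sub(/ $/, "", key); sub(/^[ \t]+/, "", val)
            print key "=" val
        }' "$1"
}

# True if any normalised setting matches the extended regex in $1.
has_setting() { printf '%s\n' "$settings" | grep -Eiq -- "$1"; }

# Returns 0 if the file matches step 3, 1 if not, 2 if unreadable.
check_smb4_conf() {
    settings=$(smb4_settings "$1") || return 2
    rc=0
    # Provisioning-only options that must be gone (or commented out).
    if has_setting '^vfs objects=(.* )?acl_xattr( .*)?$'; then
        echo "still active: acl_xattr in vfs objects"; rc=1
    fi
    if has_setting '^acl_xattr:ignore system acls='; then
        echo "still active: acl_xattr:ignore system acls"; rc=1
    fi
    # Options that step 3 adds.
    for want in '^vfs objects=(.* )?zfsacl( .*)?$' '^nfs4:mode=special$' \
                '^nfs4:acedup=merge$' '^nfs4:chown=yes$'; do
        has_setting "$want" || { echo "missing: $want"; rc=1; }
    done
    return $rc
}

# Constructed sample: the file as left by step 2, before the step 3 edit.
sample=$(mktemp)
printf '%s\n' '[global]' '    vfs objects = acl_xattr' \
    '    acl_xattr:ignore system acls = yes' > "$sample"
check_smb4_conf "$sample" || echo "=> step 3 has not been applied to $sample"
rm -f "$sample"
```

On a real system the function would be pointed at /usr/local/etc/smb4.conf, the path given in step 3.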