From: "James B. Byrne" <byrnejb@harte-lyne.ca>
To: "Andrea Venturoli"
Cc: freebsd-questions@freebsd.org
Date: Thu, 21 May 2020 15:31:42 -0400
Subject: Re: FreeBSD as an Active Directory Domain Controller
Message-ID: <1d6dd578eadaf13def02280d06f37ffe.squirrel@webmail.harte-lyne.ca>

On Wed, May 20, 2020 13:16, Andrea Venturoli wrote:
> On 2020-05-20 19:09, James B. Byrne via freebsd-questions wrote:
>
>> What I would like to find out is whether it is at all possible to have a
>> samba-4.10 (or 4.11) based AD on FreeBSD using ZFS with multiple DCs and
>> replication. If someone has this working I would appreciate being told how it
>> is done.
>
> Hi James.
> Sounds like the same question you asked ten days ago, which I already
> answered briefly (I use rsync).
>
> Perhaps you could tell what you tried, how you did it and how it is
> going wrong?

I have a DC that was set up on FreeBSD-10.3 using samba-4.3 and UFS. At the time samba on FreeBSD could only be set up on UFS. Samba-4.4 and later removed support for NT-style ACLs, which samba on FreeBSD required. Samba43 disappeared with the update to 10.4 and Samba-4.4 did not work, so that system could not be updated.

Fast forward to now. Samba410-4.10.15 on FreeBSD-12.1p5 using ZFS can now be provisioned as a DC, so ACLs obviously must be working on ZFS. I created a Samba410 instance, checked that it could provision, undid that work, reinstalled samba and used samba-tool to join the existing domain. I then attempted to replicate the sysvol using rsync. However, I get ACL error messages when I do that and the resulting permissions do not resemble what I see on the DC.

rsync -XAavz --delete-after --rsh='ssh' [192.168.8.65]:/var/db/samba4/sysvol /var/db/samba4
receiving file list ... done
rsync: set_acl: sys_acl_set_file(sysvol, ACL_TYPE_ACCESS): Invalid argument (22)
rsync: set_acl: sys_acl_set_file(sysvol/brockley-2016.harte-lyne.ca, ACL_TYPE_ACCESS): Invalid argument (22)
rsync: set_acl: sys_acl_set_file(sysvol/brockley-2016.harte-lyne.ca/Policies, ACL_TYPE_ACCESS): Invalid argument (22)

I have gone down different routes to get around this block, but I keep being stymied by one incompatibility or another, to the point where today I installed Debian on a bhyve VM to see if rsync behaves any differently on it than on FreeBSD.

What I am looking for is some guidance as to what is supposed to work and has been observed to work by someone running a multi-DC environment on FreeBSD and ZFS. I presume that if I can provision a new domain on samba41 then I can likewise set the ACLs using RSAT. However, if one can only have one DC in that configuration because replication via rsync does not work on FreeBSD, then that is no better than what I have now.
--
*** e-Mail is NOT a SECURE channel ***
Do NOT transmit sensitive data via e-Mail
Do NOT open attachments nor follow links sent by e-Mail

James B. Byrne                mailto:ByrneJB@Harte-Lyne.ca
Harte & Lyne Limited          http://www.harte-lyne.ca
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada  L8E 3C3
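The error lines quoted in the post point at the cause: rsync's -A option replays POSIX.1e ACLs with acl_set_file(3) (the ACL_TYPE_ACCESS in the message), and ZFS on FreeBSD exposes NFSv4 ACLs only, so that call fails with EINVAL (22). The files and extended attributes still land; only the POSIX ACL replay is rejected. The script below is an added example, not code from the post or from the Samba project. It checks which ACL flavour the destination filesystem exposes (via the FreeBSD pathconf names ACL_NFS4 and ACL_EXTENDED that getconf(1) understands), drops -A when the target is not POSIX.1e, classifies rsync's stderr so the EINVAL lines are not mistaken for a failed copy, and then has Samba rebuild the sysvol NT ACLs with samba-tool ntacl sysvolreset and verify them with sysvolcheck. The source DC address and the /var/db/samba4 path are taken from the post; treating them as this host's configuration, and the error-log location, are assumptions.

```shell
#!/bin/sh
# Added example (not from the post or the Samba project): pull sysvol onto a
# FreeBSD/ZFS DC without rsync's POSIX.1e ACL mode, then let Samba rebuild
# the NT ACLs. Source address and paths are assumptions taken from the post.

SRC_DC='[192.168.8.65]'            # bracket form as used in the post
SYSVOL_PARENT='/var/db/samba4'     # sysvol lives at $SYSVOL_PARENT/sysvol
SRC_PATH="$SRC_DC:$SYSVOL_PARENT/sysvol"
ERR_LOG="$SYSVOL_PARENT/rsync-sysvol.err"   # assumed log location

# 1. Which ACL flavour does the destination filesystem expose?
#    ZFS on FreeBSD answers 1 to pathconf(_PC_ACL_NFS4) and 0 to
#    _PC_ACL_EXTENDED (POSIX.1e); UFS mounted with 'acls' is the reverse.
#    Uses FreeBSD getconf(1) pathconf names; prints "none" on other systems.
acl_flavor() {
    if [ "$(getconf ACL_NFS4 "$1" 2>/dev/null)" = 1 ]; then
        echo nfsv4
    elif [ "$(getconf ACL_EXTENDED "$1" 2>/dev/null)" = 1 ]; then
        echo posix
    else
        echo none
    fi
}

# 2. rsync options for a destination ACL flavour. -A makes rsync call
#    acl_set_file(..., ACL_TYPE_ACCESS, ...), which ZFS rejects with EINVAL,
#    so -A is only added for a POSIX.1e target. -X still carries xattrs.
rsync_opts() {
    case "$1" in
        posix) echo '-XAavz --delete-after' ;;
        *)     echo '-Xavz --delete-after' ;;
    esac
}

# 3. Classify rsync stderr read from stdin. The
#    "sys_acl_set_file(... ACL_TYPE_ACCESS): Invalid argument (22)" pattern
#    means the destination has no POSIX.1e ACL support; the copy itself ran.
classify_rsync_errors() {
    n=$(grep -c 'sys_acl_set_file(.*ACL_TYPE_ACCESS): Invalid argument (22)' || true)
    if [ "$n" -gt 0 ]; then
        echo "posix-acl-unsupported:$n"
    else
        echo ok
    fi
}

# Constructed sample for the classifier: the three lines quoted in the post
# plus rsync's normal progress line.
SAMPLE_STDERR='receiving file list ... done
rsync: set_acl: sys_acl_set_file(sysvol, ACL_TYPE_ACCESS): Invalid argument (22)
rsync: set_acl: sys_acl_set_file(sysvol/brockley-2016.harte-lyne.ca, ACL_TYPE_ACCESS): Invalid argument (22)
rsync: set_acl: sys_acl_set_file(sysvol/brockley-2016.harte-lyne.ca/Policies, ACL_TYPE_ACCESS): Invalid argument (22)'

# 4. Pull sysvol, then rebuild the NT ACLs on a non-POSIX target.
#    samba-tool ntacl sysvolreset rewrites the sysvol ACLs to Samba's
#    defaults for the tree and each GPO folder; sysvolcheck verifies them.
replicate_sysvol() {
    flavor=$(acl_flavor "$SYSVOL_PARENT")
    # shellcheck disable=SC2046  # option string is meant to word-split
    rsync $(rsync_opts "$flavor") --rsh=ssh "$SRC_PATH" "$SYSVOL_PARENT" \
        2>"$ERR_LOG" || return 1
    echo "rsync ACL status: $(classify_rsync_errors <"$ERR_LOG")"
    if [ "$flavor" != posix ]; then
        samba-tool ntacl sysvolreset && samba-tool ntacl sysvolcheck
    fi
}

# Run only when invoked as: sh sysvol-pull.sh run
if [ "${1:-}" = run ]; then
    replicate_sysvol
fi
```

Run it on the joining DC as root after the samba-tool join; on a UFS destination mounted with acls it keeps -A and behaves like the command in the post, on ZFS it drops -A and relies on sysvolreset instead. Note that sysvolreset rewrites the ACLs on the whole tree, so any hand-edited sysvol ACLs on the receiving DC are replaced by Samba's defaults.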