From owner-freebsd-net@freebsd.org  Tue Nov  7 07:11:34 2017
Return-Path: <owner-freebsd-net@freebsd.org>
Delivered-To: freebsd-net@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id 58B2AE50D39
 for <freebsd-net@mailman.ysv.freebsd.org>;
 Tue,  7 Nov 2017 07:11:34 +0000 (UTC)
 (envelope-from alex@zagrebin.ru)
Received: from mail.zagrebin.ru (srv0.zagrebin.ru [IPv6:2001:470:1f15:30e::1])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256
 bits)) (Client did not present a certificate)
 by mx1.freebsd.org (Postfix) with ESMTPS id 11D25679EF
 for <freebsd-net@freebsd.org>; Tue,  7 Nov 2017 07:11:33 +0000 (UTC)
 (envelope-from alex@zagrebin.ru)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=zagrebin.ru
 ; s=mail;
 h=Content-Transfer-Encoding:Content-Type:MIME-Version:References:
 In-Reply-To:Message-ID:Subject:To:From:Date:Sender:Reply-To:Cc:Content-ID:
 Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc
 :Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe:
 List-Post:List-Owner:List-Archive;
 bh=zX+sh4nJ4xfULuJhJmi4grTXHs6ishsjTPvfa2C/mbU=; b=ILO+C27x9U5hRwlioX0utcYTe0
 3ifUvEMCs6LSWFLzTLUwP6fKQKUhRqLXpcELnEvgfFqqawP/2yVG/MvZdZnXWQf35QyAD7GTvvHpq
 gECwMrOr5XpHHH/bqgIA45WUZa2o5iV8ZZI+getk4SFDmt3rNzC3q+BYEUj1cjdsHXc1/1FTF+dK4
 pH7t6dq44O2UQf4UL63EIP4FPJHEFhOHpuIOMVa3CVgtQlSM6umjPTG+DNRqyq1WcrvRX3KUO/oTl
 lc/7sk8jJq8GcOrO7QX8wZGDvJ0cY4+F4YyvCi+h2CLKiwjKlxqp80Q95WIiDK6tPlrL52gbxsq1m
 faSNh6XA==;
Received: from [2001:470:1f15:30e::2] (helo=vm2.home.zagrebin.ru)
 by mail.zagrebin.ru with esmtpsa (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256)
 (Exim 4.89 (FreeBSD)) (envelope-from <alex@zagrebin.ru>)
 id 1eBy2l-000DH6-2m
 for freebsd-net@freebsd.org; Tue, 07 Nov 2017 10:11:31 +0300
Date: Tue, 7 Nov 2017 10:11:28 +0300
From: Alexander Zagrebin <alex@zagrebin.ru>
To: freebsd-net@freebsd.org
Subject: Re: Help provisioning a Samba AD in a jail on ZFS
Message-ID: <20171107101128.2f913f86@vm2.home.zagrebin.ru>
In-Reply-To: <8813fc50-2187-2860-eda1-5ace9e120c22@netfence.it>
References: <57dc8e1e-6e38-456d-f70d-291d6bf68bb8@netfence.it>
 <20171102100947.424ce456@vm2.home.zagrebin.ru>
 <8813fc50-2187-2860-eda1-5ace9e120c22@netfence.it>
X-Mailer: Claws Mail 3.15.1 (GTK+ 2.24.31; amd64-portbld-freebsd11.1)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.23
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD <freebsd-net.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/freebsd-net>,
 <mailto:freebsd-net-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-net/>
List-Post: <mailto:freebsd-net@freebsd.org>
List-Help: <mailto:freebsd-net-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/freebsd-net>,
 <mailto:freebsd-net-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Tue, 07 Nov 2017 07:11:34 -0000

В Mon, 6 Nov 2017 08:26:05 +0100
Andrea Venturoli <ml@netfence.it> wrote:

> > To setup a new samba46-based domain controller on ZFS in jail (I'm
> > using it with the VIMAGE) you can try following:  
> 
> I'm not using VIMAGE (at least not yet).
> 
> > 1. Rebuild the net/samba46 port with the attached patches
> >     (patch-librpc__idl__xattr.idl,
> > patch-python__samba__provision____init__.py)
> > 
> > 2. Initialize new domain with the following command (the last two
> >     parameters makes magic):
> >     samba-tool domain provision --use-rfc2307 \
> >      --host-name=<YOUR_DC_NAME> \
> >      --realm=<YOUR_REALM> \
> >      --domain=<YOUR_DOMAIN_NAME> \
> >      --adminpass=<password> \
> >      --option="vfs objects = acl_xattr" \
> >      --option="acl_xattr:ignore system acls = yes"
> > 
> > 3. After successful provisioning, edit /usr/local/etc/smb4.conf:
> >     - remove or comment out
> >       vfs objects = acl_xattr
> >       acl_xattr:ignore system acls = yes
> >     - add the following:
> >       vfs objects = zfsacl
> >       nfs4:mode = special
> >       nfs4:acedup = merge
> >       nfs4:chown = yes
> > 
> > 4. Execute `samba-tool ntacl sysvolreset`
> > 
> > 5. Start samba  
> 
> Looks like it worked.
> Hope I don't get any suprise in the deployment phase...

There is an issue, when GPOs are situated on the ZFS:
sometimes (when a new file appended?) the GPO's files gets a wrong
permissions.
So if you will have problems with a group policy, run
`samba-tool ntacl sysvolreset` at first...

-- 
Alexander Zagrebin