From: Alexander Zagrebin
To: freebsd-net@freebsd.org
Date: Thu, 2 Nov 2017 10:09:47 +0300
Subject: Re: Help provisioning a Samba AD in a jail on ZFS
Message-ID: <20171102100947.424ce456@vm2.home.zagrebin.ru>
In-Reply-To: <57dc8e1e-6e38-456d-f70d-291d6bf68bb8@netfence.it>
X-Mailer: Claws Mail 3.15.1 (GTK+ 2.24.31; amd64-portbld-freebsd11.1)

On Wed, 1 Nov 2017 16:01:18 +0100 Andrea Venturoli wrote:

It seems it's off-topic here, but I'll try to answer.

To set up a new samba46-based domain controller on ZFS in a jail (I'm using it with VIMAGE) you can try the following:

1. Rebuild the net/samba46 port with the attached patches (patch-librpc__idl__xattr.idl, patch-python__samba__provision____init__.py).

2. Initialize the new domain with the following command (the last two parameters make the magic):

   samba-tool domain provision --use-rfc2307 \
       --host-name= \
       --realm= \
       --domain= \
       --adminpass= \
       --option="vfs objects = acl_xattr" \
       --option="acl_xattr:ignore system acls = yes"

3. After successful provisioning, edit /usr/local/etc/smb4.conf:

   - remove or comment out

       vfs objects = acl_xattr
       acl_xattr:ignore system acls = yes

   - add the following:

       vfs objects = zfsacl
       nfs4:mode = special
       nfs4:acedup = merge
       nfs4:chown = yes

4. Execute `samba-tool ntacl sysvolreset`

5. Start samba

It is not an ideal solution, but it seems to be working, although there are other resolvable issues (with BIND9_DLZ and so on)...

I've sent the patches to the port maintainer, but have had no answer.

> As per subject, I'm building a new box which must host a jail running
> a Samba AD, but I have trouble provisioning it.
> Currently I'm trying samba44.
>
> I read a lot of material and I think I understand the problem: it
> seems the "samba-tool provision" script is incompatible with NFSv4ACL
> used by ZFS.
> AFAICT this issue has been raised, the Samba team has
> acknowledged a patch should be made, but so far nothing happened.
>
> So I'm looking into workarounds:
>
> a) someone suggested installing samba43, provisioning, then upgrading to
> samba44. In fact this is a path I went through a couple of times
> in the past (on UFS, however). Alas samba43 is no longer there.
>
> b) I think I might get around this by provisioning with the
> deprecated NTVFS, then switching to S3FS.
> Unfortunately samba44 does not build NTVFS anymore, unless the
> DEVELOPER option is used; but if the DEVELOPER option is used
> compilation (on Poudriere) fails with:
>
> > ../source4/lib/socket/socket_ip.c:864:12: error: comparison of array 'addr.__u6_addr.__u6_addr8' equal to a null pointer is always false [-Werror,-Wtautological-pointer-compare]
> >         if (addr.s6_addr == 0) {
> >             ~~~~~^~~~~~~ ~
> > /usr/include/netinet6/in6.h:103:29: note: expanded from macro 's6_addr'
> > #define s6_addr __u6_addr.__u6_addr8
> >                             ^
> > 1 error generated.
>
> c) I tried creating a ZVOL, formatting it with UFS, mounting it with
> ACLs inside the jail, but still provisioning says I have no ACL
> support.
>
> d) I know samba46 is incompatible with jails (at least as AD DC), but
> didn't try samba45. AFAICT, however, nothing should have improved WRT
> my problem.
>
> So, after spending a couple of days on this and before spending
> another week trying every path, I thought I'd ask...
>
> Should I temporarily revive samba43?
> Can the samba44 NTVFS compilation error be fixed?
> Should I try samba45 or is it just a waste of time?
> Would creating a jail on another (UFS) box and then moving
> /var/db/samba4 and smb4.conf here work?
>
> I'm open to any other suggestion as long as the objective (AD in a
> jail on ZFS) is met in the end.

-- 
Alexander Zagrebin
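Step 3 of the reply above is a hand edit of smb4.conf. The following is an added shell example, not code from the thread or from Samba, that performs that same edit on a constructed stand-in for a freshly provisioned smb4.conf and verifies the result; it assumes only POSIX sh, awk and grep, as found in the FreeBSD base system.

```shell
#!/bin/sh
# Added example, not code from the thread: rewrite [global] in an smb4.conf
# written by the step 2 provisioning run so that it carries the step 3
# zfsacl settings instead. Assumes only POSIX sh, awk and grep.
# Constructed stand-in for a freshly provisioned smb4.conf (step 2 output).
write_sample_smb4_conf() {
    cat > "$1" <<'EOF'
[global]
	netbios name = DC1
	realm = EXAMPLE.LOCAL
	server role = active directory domain controller
	vfs objects = acl_xattr
	acl_xattr:ignore system acls = yes

[sysvol]
	path = /var/db/samba4/sysvol
	read only = No
EOF
}

# Step 3: drop the two acl_xattr lines from [global] and add the zfsacl
# ones right under the [global] header; other sections are left alone.
switch_global_to_zfsacl() {
    conf="$1"; tmp="$conf.tmp.$$"
    awk '
        /^[ \t]*\[/ {
            in_global = ($0 ~ /^[ \t]*\[global\][ \t]*$/)
            print
            if (in_global) {
                print "\tvfs objects = zfsacl"
                print "\tnfs4:mode = special"
                print "\tnfs4:acedup = merge"
                print "\tnfs4:chown = yes"
            }
            next
        }
        in_global && /^[ \t]*vfs objects[ \t]*=[ \t]*acl_xattr[ \t]*$/ { next }
        in_global && /^[ \t]*acl_xattr:ignore system acls[ \t]*=/ { next }
        { print }
    ' "$conf" > "$tmp" && mv "$tmp" "$conf"
}
# Returns 0 only when acl_xattr is gone and all four step 3 settings are present.
check_zfsacl_config() {
    grep -q 'acl_xattr' "$1" && return 1
    grep -q '^[[:space:]]*vfs objects = zfsacl$' "$1" &&
    grep -q '^[[:space:]]*nfs4:mode = special$' "$1" &&
    grep -q '^[[:space:]]*nfs4:acedup = merge$' "$1" &&
    grep -q '^[[:space:]]*nfs4:chown = yes$' "$1"
}
```

After the rewrite, `samba-tool ntacl sysvolreset` (step 4) still has to be run before starting samba, since this script only touches the configuration file.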