Date: Tue, 7 Nov 2017 10:11:28 +0300
From: Alexander Zagrebin <alex@zagrebin.ru>
To: freebsd-net@freebsd.org
Subject: Re: Help provisioning a Samba AD in a jail on ZFS
Message-ID: <20171107101128.2f913f86@vm2.home.zagrebin.ru>
In-Reply-To: <8813fc50-2187-2860-eda1-5ace9e120c22@netfence.it>
References: <57dc8e1e-6e38-456d-f70d-291d6bf68bb8@netfence.it> <20171102100947.424ce456@vm2.home.zagrebin.ru> <8813fc50-2187-2860-eda1-5ace9e120c22@netfence.it>

On Mon, 6 Nov 2017 08:26:05 +0100
Andrea Venturoli <ml@netfence.it> wrote:

> > To set up a new samba46-based domain controller on ZFS in a jail (I'm
> > using it with VIMAGE) you can try the following:
>
> I'm not using VIMAGE (at least not yet).
>
> > 1. Rebuild the net/samba46 port with the attached patches
> >    (patch-librpc__idl__xattr.idl,
> >    patch-python__samba__provision____init__.py)
> >
> > 2. Initialize the new domain with the following command (the last two
> >    parameters make magic):
> >    samba-tool domain provision --use-rfc2307 \
> >      --host-name=<YOUR_DC_NAME> \
> >      --realm=<YOUR_REALM> \
> >      --domain=<YOUR_DOMAIN_NAME> \
> >      --adminpass=<password> \
> >      --option="vfs objects = acl_xattr" \
> >      --option="acl_xattr:ignore system acls = yes"
> >
> > 3. After successful provisioning, edit /usr/local/etc/smb4.conf:
> >    - remove or comment out
> >        vfs objects = acl_xattr
> >        acl_xattr:ignore system acls = yes
> >    - add the following:
> >        vfs objects = zfsacl
> >        nfs4:mode = special
> >        nfs4:acedup = merge
> >        nfs4:chown = yes
> >
> > 4. Execute `samba-tool ntacl sysvolreset`
> >
> > 5. Start samba
>
> Looks like it worked.
> Hope I don't get any surprise in the deployment phase...

There is an issue when GPOs are situated on ZFS: sometimes (when a
new file is appended?) the GPO's files get wrong permissions.
So if you have problems with a group policy, run
`samba-tool ntacl sysvolreset` first...

-- 
Alexander Zagrebin
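
A check for the smb4.conf state that step 3 of the quoted procedure describes, as an added example that is not part of the original message or of Samba itself. The function names are hypothetical, and it assumes the settings sit in the `[global]` section with one parameter per line.

```shell
# Added example. Assumption: the step 3 settings live in [global].

# Print "name=value" for each active [global] parameter (last one wins).
# Comment lines (# or ;) are skipped; names are lowercased and whitespace
# is collapsed, because smb.conf parameter names are case-insensitive.
global_params() {
    awk '
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/ {
            s = tolower($0); gsub(/[ \t]/, "", s)
            in_global = (s == "[global]"); next
        }
        in_global && (p = index($0, "=")) {
            n = tolower(substr($0, 1, p - 1)); v = substr($0, p + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", n); gsub(/[ \t]+/, " ", n)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            val[n] = v
        }
        END { for (n in val) print n "=" val[n] }
    ' "$1"
}

# Return 0 if the file matches step 3; otherwise list each problem, return 1.
check_smb4_conf() {
    params=$(global_params "$1") || return 2
    rc=0
    vfs=$(printf '%s\n' "$params" | sed -n 's/^vfs objects=//p' | tr ',\t' '  ')
    case " $vfs " in *" acl_xattr "*) echo "acl_xattr still in vfs objects"; rc=1 ;; esac
    case " $vfs " in *" zfsacl "*) ;; *) echo "zfsacl missing from vfs objects"; rc=1 ;; esac
    if printf '%s\n' "$params" | grep -q '^acl_xattr:ignore system acls='; then
        echo "acl_xattr:ignore system acls still set"; rc=1
    fi
    for want in 'nfs4:mode=special' 'nfs4:acedup=merge' 'nfs4:chown=yes'; do
        printf '%s\n' "$params" | grep -qixF "$want" ||
            { echo "missing: $want"; rc=1; }
    done
    return $rc
}

# Constructed sample: smb4.conf as left by step 2, before the step 3 edits.
sample=$(mktemp /tmp/smb4check.XXXXXX)
printf '%s\n' '[global]' 'vfs objects = acl_xattr' \
    'acl_xattr:ignore system acls = yes' > "$sample"
check_smb4_conf "$sample" || echo "=> step 3 edits still pending"
rm -f "$sample"
```

Running `check_smb4_conf /usr/local/etc/smb4.conf` before step 4 catches a leftover `acl_xattr` line or a missing `nfs4:` option before `samba-tool ntacl sysvolreset` is executed.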