Date:      Thu, 2 Nov 2017 10:09:47 +0300
From:      Alexander Zagrebin <alex@zagrebin.ru>
To:        freebsd-net@freebsd.org
Subject:   Re: Help provisioning a Samba AD in a jail on ZFS
Message-ID:  <20171102100947.424ce456@vm2.home.zagrebin.ru>
In-Reply-To: <57dc8e1e-6e38-456d-f70d-291d6bf68bb8@netfence.it>
References:  <57dc8e1e-6e38-456d-f70d-291d6bf68bb8@netfence.it>

On Wed, 1 Nov 2017 16:01:18 +0100,
Andrea Venturoli <ml@netfence.it> wrote:

It seems it's off-topic here, but I'll try to answer.

To set up a new samba46-based domain controller on ZFS in a jail (I'm
using it with VIMAGE) you can try the following:

1. Rebuild the net/samba46 port with the attached patches
   (patch-librpc__idl__xattr.idl, patch-python__samba__provision____init__.py)

2. Initialize a new domain with the following command (the last two
   parameters make the magic):
   samba-tool domain provision --use-rfc2307 \
    --host-name=<YOUR_DC_NAME> \
    --realm=<YOUR_REALM> \
    --domain=<YOUR_DOMAIN_NAME> \
    --adminpass=<password> \
    --option="vfs objects = acl_xattr" \
    --option="acl_xattr:ignore system acls = yes"

3. After successful provisioning, edit /usr/local/etc/smb4.conf:
   - remove or comment out 
     vfs objects = acl_xattr
     acl_xattr:ignore system acls = yes
   - add the following:
     vfs objects = zfsacl
     nfs4:mode = special
     nfs4:acedup = merge
     nfs4:chown = yes

4. Execute `samba-tool ntacl sysvolreset`

5. Start samba

It is not an ideal solution, but it seems to be working,
although there are other resolvable issues (with BIND9_DLZ
and so on)...
I've sent patches to the port maintainer, but have had no answer.

> As per subject, I'm building a new box which must host a jail running
> a Samba AD, but I have trouble provisioning it.
> Currently I'm trying samba44.
> 
> I read a lot of material and I think I understand the problem: it
> seems the "samba-tool provision" script is incompatible with NFSv4ACL
> used by ZFS. AFAICT this issue has been raised, the Samba team has
> acknowledged a patch should be made, but so far nothing happened.
> 
> So I'm looking into workarounds:
> 
> a) someone suggests installing samba43, provision, then upgrade to
> samba44. In fact this is a path I went through a couple of times
> in the past (on UFS, however). Alas samba43 is no longer there.
> 
> b) I think I might get around this by provisioning with the
> deprecated NTVFS, then switch to S3FS.
> Unfortunately samba44 does not build NTVFS anymore, unless the
> DEVELOPER option is used; but if the DEVELOPER option is used
> compilation (on Poudriere) fails with:
> > ../source4/lib/socket/socket_ip.c:864:12: error: comparison of
> > array 'addr.__u6_addr.__u6_addr8' equal to a null pointer is always
> > false [-Werror,-Wtautological-pointer-compare] if (addr.s6_addr ==
> > 0) { ~~~~~^~~~~~~    ~ /usr/include/netinet6/in6.h:103:29: note:
> > expanded from macro 's6_addr' #define s6_addr   __u6_addr.__u6_addr8
> >                             ^
> > 1 error generated.  
> 
> c) I tried creating a ZVOL, formatting it with UFS, mounting it with 
> ACLs inside the jail, but still provisioning says I have no ACL
> support.
> 
> d) I know samba46 is incompatible with jails (at least as AD DC), but 
> didn't try samba45. AFAICT, however, nothing should have improved WRT
> to my problem.
> 
> So, after spending a couple of days on this and before spending
> another week trying every path, I thought I'd ask...
> 
> Should I temporarily revive samba43?
> Can samba44 with NTVFS compilation error be fixed?
> Should I try samba45 or is it just a waste of time?
> Would creating a jail on another (UFS) box and then moving 
> /var/db/samba4 and smb4.conf here work?
> 
> I'm open to any other suggestion as long as the objective (AD in a
> jail on ZFS) is met in the end.

-- 
Alexander Zagrebin
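The smb4.conf rewrite in step 3 of the recipe above, as an added example that is not part of the thread: a small POSIX sh script that swaps the provisioning-time acl_xattr options for the zfsacl/nfs4 settings and verifies the result. The sample config, the in-place rewrite helper and the path names are assumptions; samba-tool itself is not invoked here.

```shell
#!/bin/sh
# Added example, not from the thread: automate step 3 above (swap the
# provisioning-time acl_xattr options for zfsacl) and verify the result.
# The sample config and paths are assumptions; samba-tool is not run here.

# Rewrite $1 in place: comment out the two acl_xattr options and add the
# zfsacl stanza directly under the [global] header (only once).
swap_acl_backend() {
    tmp="$1.tmp.$$"
    awk '
        /^[ \t]*vfs objects[ \t]*=[ \t]*acl_xattr[ \t]*$/ ||
        /^[ \t]*acl_xattr:ignore system acls[ \t]*=/ {
            sub(/^[ \t]+/, "")
            print "    # " $0 "   (disabled after provisioning)"
            next
        }
        /^\[global\]/ && !inserted {
            print
            print "    vfs objects = zfsacl"
            print "    nfs4:mode = special"
            print "    nfs4:acedup = merge"
            print "    nfs4:chown = yes"
            inserted = 1
            next
        }
        { print }
    ' "$1" > "$tmp" && mv "$tmp" "$1"
}

# Succeed only if zfsacl is active and no live acl_xattr option remains.
check_acl_backend() {
    grep -Eq '^[[:space:]]*vfs objects[[:space:]]*=[[:space:]]*zfsacl' "$1" &&
    ! grep -Eq '^[[:space:]]*(vfs objects[[:space:]]*=[[:space:]]*acl_xattr|acl_xattr:)' "$1"
}

# Constructed sample: an abridged [global] section as step 2 leaves it.
write_sample_conf() {
    cat > "$1" <<'EOF'
[global]
    netbios name = DC1
    realm = EXAMPLE.LOCAL
    server role = active directory domain controller
    vfs objects = acl_xattr
    acl_xattr:ignore system acls = yes
[sysvol]
    path = /var/db/samba4/sysvol
EOF
}
```

Run `swap_acl_backend /usr/local/etc/smb4.conf` after provisioning and `check_acl_backend` before `samba-tool ntacl sysvolreset`; the commented-out lines are kept so the change can be reviewed.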