Samba domain controller

usdmatt

Daemon

Reaction score: 527
Messages: 1,418

Anyone know if it's currently possible to run a Samba DC with ZFS?

I've tried 4.8 and the latest pkg for 4.10 which is supposed to contain "fix(?) for provision on ZFS". I can only get as far as "Setting up self join", then get an error such as the following -
Code:
set_nt_acl_no_snum: fset_nt_acl returned NT_STATUS_INVALID_PARAMETER.
There are bugs reported for the issues on several versions of Samba. The bugs on the current versions are unfixed. The bugs on older versions have been closed, basically with "no longer supported, please use Samba 4.x", with no reference to the fact that the new version still has the same problems.

I've also tried following the wiki instructions, which suggest using a UFS partition for the sysvol, which I don't mind doing, especially if it makes the permissions on that folder more stable. It produces the exact same error though, even if I make the entire /var/db/samba4 directory UFS with standard ACLs.

It seems it may still work in FreeNAS, but it's not easy to find out what they do differently. It could be some tweaks to the filesystem or provision commands, or a patched package, or both.
 

fulano

Member

Reaction score: 11
Messages: 61

> Anyone know if it's currently possible to run a Samba DC with ZFS?

Yes, it is perfectly possible.

We have used Samba with ZFS since version 4.1, with NFSv4 ACLs. Recently updated to 4.10. Never saw the error you mentioned.
 

von_Gaden

Active Member

Reaction score: 13
Messages: 124

The error obviously occurs during domain provision or samba-tool ntacl sysvolreset and I think it's not ZFS related. Due to some strange or customer-disturbing behavior I make PDCs in dedicated virtual machines with UFS + ACLs. Now when I try to provision a new domain I get:
Code:
Initialising custom vfs hooks from [dfs_samba4]
connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and 'force unknown acl user = true' for service sysvol
unpack_nt_owners: owner sid mapped to uid 0
unpack_nt_owners: group sid mapped to gid 3000000
set_nt_acl_no_snum: fset_nt_acl returned NT_STATUS_INVALID_PARAMETER.
ERROR(runtime): uncaught exception - (3221225485, 'An invalid parameter was passed to a service or function.')
  File "/usr/local/lib/python3.6/site-packages/samba/netcmd/__init__.py", line 185, in _run
    return self.run(*args, **kwargs)
  File "/usr/local/lib/python3.6/site-packages/samba/netcmd/domain.py", line 537, in run
    backend_store=backend_store)
  File "/usr/local/lib/python3.6/site-packages/samba/provision/__init__.py", line 2351, in provision
    backend_store=backend_store)
  File "/usr/local/lib/python3.6/site-packages/samba/provision/__init__.py", line 1955, in provision_fill
    names.domaindn, lp, use_ntvfs)
  File "/usr/local/lib/python3.6/site-packages/samba/provision/__init__.py", line 1735, in setsysvolacl
    _setntacl(sysvol)
  File "/usr/local/lib/python3.6/site-packages/samba/provision/__init__.py", line 1732, in _setntacl
    service=SYSVOL_SERVICE, session_info=session_info)
  File "/usr/local/lib/python3.6/site-packages/samba/ntacls.py", line 232, in setntacl
    service=service, session_info=session_info)
I'm using FreeBSD 12.1-RELEASE-p1 with the latest Samba, samba410-4.10.10, built from ports. I tried the pkg version first, which is a little bit older, but with the same fault. The functions of a domain member (e.g. file server) are not hurt, but it's not enough for me.

I'm afraid because I see a lot of new and/or recurring errors in the very important samba-tool. I have to provision the new domain NOW and I have to consider installing some Linux (e.g. Ubuntu) in the virtual machine to act as a PDC. My pain is that I have used FreeBSD since 2001; I'm not comfortable with Linux at all, but otherwise I'll fall into much bigger trouble.
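Both reports above fail at the point where provisioning writes an NT ACL onto the sysvol directory, after having tried sysvol on ZFS and on UFS with ACLs. The following pre-flight script is an added example written for this thread, not code from Samba or from any poster. It reads a FreeBSD-style `mount -p` table, finds the filesystem under the sysvol path, and reports whether that filesystem is configured to store NT ACLs before `samba-tool domain provision` is run. Assumptions, not facts from the thread: the default sysvol path /var/db/samba4/sysvol; ZFS datasets should have `aclmode` and `aclinherit` set to `passthrough`; UFS should be mounted with the `nfsv4acls` option. The sample mount table and ZFS property output are constructed.

```shell
#!/bin/sh
# Pre-flight check for the filesystem that will hold a Samba AD DC's sysvol.
# Added example for this thread, not Samba project code. Assumptions:
#  - a FreeBSD-style `mount -p` table (device mountpoint fstype options dump pass),
#  - ZFS datasets carrying Windows ACLs use aclmode=passthrough and
#    aclinherit=passthrough,
#  - UFS is mounted with the `nfsv4acls` option.
# The sysvol path is an assumed default; override it with SYSVOL_PATH.

SYSVOL_PATH="${SYSVOL_PATH:-/var/db/samba4/sysvol}"

# mount_entry_for_path TABLE PATH
# Prints "fstype options" of the longest mountpoint that is a prefix of PATH.
mount_entry_for_path() {
    printf '%s\n' "$1" | awk -v p="$2" '
        NF >= 4 {
            mp = $2
            if (mp == "/" || p == mp || index(p, mp "/") == 1) {
                if (length(mp) > best_len) { best_len = length(mp); best = $3 " " $4 }
            }
        }
        END { if (best != "") print best }'
}

# fs_type_for_path TABLE PATH  -> prints just the filesystem type
fs_type_for_path() {
    mount_entry_for_path "$1" "$2" | awk '{ print $1 }'
}

# ufs_acls_ok OPTIONS  -> 0 when the comma-separated mount options enable NFSv4 ACLs
ufs_acls_ok() {
    case ",$1," in
        *,nfsv4acls,*) return 0 ;;
        *)             return 1 ;;
    esac
}

# zfs_acl_props_ok PROPS
# PROPS is the output of `zfs get -H -o property,value aclmode,aclinherit DATASET`
# (tab separated). Returns 0 when both properties are passthrough.
zfs_acl_props_ok() {
    mode=$(printf '%s\n' "$1" | awk -F'\t' '$1 == "aclmode" { print $2 }')
    inherit=$(printf '%s\n' "$1" | awk -F'\t' '$1 == "aclinherit" { print $2 }')
    [ "$mode" = "passthrough" ] && [ "$inherit" = "passthrough" ]
}

# check_sysvol TABLE PATH [ZFS_PROPS]
# Prints a verdict; returns 0 when the filesystem under PATH can hold NT ACLs.
check_sysvol() {
    entry=$(mount_entry_for_path "$1" "$2")
    fstype=${entry%% *}
    opts=${entry#* }
    case "$fstype" in
        zfs)
            if zfs_acl_props_ok "${3:-}"; then
                echo "OK: $2 is on ZFS with aclmode/aclinherit=passthrough"; return 0
            fi
            echo "FAIL: $2 is on ZFS but aclmode/aclinherit are not passthrough"; return 1 ;;
        ufs)
            if ufs_acls_ok "$opts"; then
                echo "OK: $2 is on UFS mounted with nfsv4acls"; return 0
            fi
            echo "FAIL: $2 is on UFS without the nfsv4acls mount option"; return 1 ;;
        "")
            echo "FAIL: no mount entry covers $2"; return 1 ;;
        *)
            echo "FAIL: $2 is on $fstype, which this check does not know"; return 1 ;;
    esac
}

# Constructed sample data (not output from any host in the thread).
SAMPLE_MOUNTS='/dev/ada0p2 / ufs rw 1 1
/dev/zvol/zroot/sysvol /var/db/samba4/sysvol ufs rw,nfsv4acls 2 2
zroot/samba /var/db/samba4 zfs rw 0 0
zroot/data /srv/data zfs rw 0 0'
SAMPLE_ZFS_PROPS_GOOD="$(printf 'aclmode\tpassthrough\naclinherit\tpassthrough')"
SAMPLE_ZFS_PROPS_BAD="$(printf 'aclmode\tdiscard\naclinherit\trestricted')"

# Live mode on a FreeBSD host: `sh preflight.sh live`
if [ "${1:-}" = "live" ]; then
    table=$(mount -p)
    props=""
    if [ "$(fs_type_for_path "$table" "$SYSVOL_PATH")" = "zfs" ] && command -v zfs >/dev/null; then
        ds=$(df "$SYSVOL_PATH" | awk 'NR == 2 { print $1 }')
        props=$(zfs get -H -o property,value aclmode,aclinherit "$ds")
    fi
    check_sysvol "$table" "$SYSVOL_PATH" "$props"
fi
```

Run without arguments the script only defines the functions and sample data; `sh preflight.sh live` reads the host's real mount table and ZFS properties. A FAIL verdict here points at the filesystem layer; an OK verdict followed by the `fset_nt_acl returned NT_STATUS_INVALID_PARAMETER` error from the posts above means the problem lies elsewhere (for example in the idmap or VFS configuration), which narrows where to look.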
 

usdmatt

Daemon

Reaction score: 527
Messages: 1,418

Yes, it's a bit of a pain.

I spent several hours at the time trying to get the provision tool to work. I tried both 4.8 & 4.10 in various ways. I was quite hopeful when I found the workaround of using a UFS formatted zvol for the sysvol directory, as I didn't mind having that on UFS if I could still create data shares on ZFS (especially as the sysvol would just be backed by a ZFS dataset anyway), but that gave exactly the same error.

As I said originally, I can find several bug reports for it, but they're all either closed because that specific version is now outdated, or still open with no fixes.

I have no desperate need for a BSD domain controller at the moment, fortunately, but it currently scuppers my ideas for replacing our old Windows server in the office. As you say, a Linux VM is an option, but that's extra complication and I have a fraction of Linux experience compared to BSD.
 

von_Gaden

Active Member

Reaction score: 13
Messages: 124

My experience shows that if the PDC is also a file server it works a little bit oddly. The computer can't be found by browsing the network, and this disturbs the people using its resources. I guess I read something about different ACL attribute handling too, but it was a long time ago (maybe around 2013/2014, Samba 4.1 or 4.2), so I can neither remember nor find anything about it. Then I found that a dedicated machine acting only as PDC is a much better and headache-free solution.
 