Samba domain controller

[usdmatt]

Anyone know if it's currently possible to run a Samba DC with ZFS?

I've tried 4.8 and the latest pkg for 4.10 which is supposed to contain "fix(?) for provision on ZFS". I can only get as far as "Setting up self join", then get an error such as the following -

set_nt_acl_no_snum: fset_nt_acl returned NT_STATUS_INVALID_PARAMETER.

There's bugs reported for the issues on several versions of samba. The bugs on the current versions are un-fixed. The bugs on older versions have been closed, basically with "no longer supported, please use samba 4.x", with no reference to the fact that the new version still has the same problems.

I've also tried following the wiki instructions which suggest using a UFS partition for the sysvol, which I don't mind doing, especially if it makes the permissions on that folder more stable. It produces the exact same error though. Even if I make the entire /var/db/samba4 directory UFS with standard acls.

It seems it may still work in FreeNAS but it's not easy to find out what they do different. It could be some tweaks on the filesystem of provision commands, or a patched package, or both.

 

[fulano]

Anyone know if it's currently possible to run a Samba DC with ZFS?

Yes, is perfectly possible.

We use Samba with ZFS since version 4.1, with nfsv4 acls . Recent update do 4.10. Never saw the error you mentioned.

 

[von_Gaden]

The error obviously occurs during domain provision or samba-tool ntacl sysvolreset and I think it's not ZFS related. Due to some strange or customer-disturbing behavior I make PDCs in dedicated virtual machines with UFS + ACLs. Now when I try to provision a new domain I get:

Initialising custom vfs hooks from [dfs_samba4]
connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and 'force unknown acl user = true' for service sysvol
unpack_nt_owners: owner sid mapped to uid 0
unpack_nt_owners: group sid mapped to gid 3000000
set_nt_acl_no_snum: fset_nt_acl returned NT_STATUS_INVALID_PARAMETER.
ERROR(runtime): uncaught exception - (3221225485, 'An invalid parameter was passed to a service or function.')
  File "/usr/local/lib/python3.6/site-packages/samba/netcmd/__init__.py", line 185, in _run
    return self.run(*args, **kwargs)
  File "/usr/local/lib/python3.6/site-packages/samba/netcmd/domain.py", line 537, in run
    backend_store=backend_store)
  File "/usr/local/lib/python3.6/site-packages/samba/provision/__init__.py", line 2351, in provision
    backend_store=backend_store)
  File "/usr/local/lib/python3.6/site-packages/samba/provision/__init__.py", line 1955, in provision_fill
    names.domaindn, lp, use_ntvfs)
  File "/usr/local/lib/python3.6/site-packages/samba/provision/__init__.py", line 1735, in setsysvolacl
    _setntacl(sysvol)
  File "/usr/local/lib/python3.6/site-packages/samba/provision/__init__.py", line 1732, in _setntacl
    service=SYSVOL_SERVICE, session_info=session_info)
  File "/usr/local/lib/python3.6/site-packages/samba/ntacls.py", line 232, in setntacl
    service=service, session_info=session_info)

I'm using FreeBSD 12.1-RELEASE-p1 with latest Samba samba410-4.10.10 built form ports. I tried with pkg version first, which is a little bit older, but with same fault. The functions of a domain member (e.g. file server) are not hurt but it's not enough for me.

I'm afraid because I see a lot of new and/or reoccurring errors in the very important samba-tool. I have to provision the new domain NOW and I have to consider installing some linux (ex. Ubuntu) in the virtual machine to act as a pdc. My pain is that I use FreeBSD since 2001, I'm not confortable with Linux at all but otherwise I'll fall into much bigger trouble.

 

[usdmatt]

Yes, it's a bit of a pain.

I spent several hours at the time trying to get the provision tool to work. I tried both 4.8 & 4.10 in various ways. I was quite hopeful when I found the workaround of using a UFS formatted zvol for the sysvol directory, as I didn't mind having that on UFS if I could still create data shares on ZFS (especially as the sysvol would just be backed by a ZFS dataset anyway), but that gave exactly the same error.

As I said originally, I can find several bug reports for it, but they're all either closed because that specific version is now outdated, or still open with no fixes.

I have no desperate need for a BSD domain controller at the moment fortunately, but it currently scuppers my ideas for replacing our old windows server in the office. As you say a Linux VM is an option, but that's extra complication and I have a fraction of Linux experience compared to BSD.

 

[von_Gaden]

My experience shows that if PDC is also a file server it works a little bit odd. The computer can't be found browsing the network and this disturbs the people using its resources. I guess I read something about different ACL attributes handling too but it was a long time ago (maybe around 2013/2014, samba 4.1 or 4.2) so I neither remember or can find anything about it. Then I found that a dedicated machine acting only as PDC is much better and headache-free solution

 

[Gigi-Kitsune]

Suffering the exact same error.
I'm setting up a second DC, have successfully joined it to the domain, but cannot complete the sysvol replication step.

Replication step:

Main DC::

cd /var/db/samba4/private
tdbbackup -s .bak /var/db/samba4/private/idmap.ldb


Produces idmap.ldb.bak, which I then copy to the second DC and rename it.

New Second DC::

cd /var/db/samba4/private
mv idmap.ldb.bak idmap.ldb


Clear the net cache
net cache flush


Synch the sysvol from the main DC to the second DC
rsync -XAavz -vvv --delete-after sysvol-replication@192.168.0.7::SysVol/ /var/db/samba4/sysvol/


This appears to work perfectly fine. Then the final step is where we get stuck
samba-tool ntacl sysvolreset


Produces
lp_load_ex: refreshing parameters
Initialising global parameters
Processing section "[global]"
Processing section "[sysvol]"
Processing section "[netlogon]"
ldb_wrap open of idmap.ldb
lp_load_ex: refreshing parameters
Processing section "[global]"
Processing section "[sysvol]"
Processing section "[netlogon]"
Initialising default vfs hooks
Initialising custom vfs hooks from [/[Default VFS]/]
Initialising custom vfs hooks from [acl_xattr]
load_module_absolute_path: Module '/usr/local/lib/samba4/modules/vfs/acl_xattr.so' loaded
Initialising custom vfs hooks from [dfs_samba4]
connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and 'force unknown acl user = true' for service Unknown Service (snum == -1)
Initialising default vfs hooks
Initialising custom vfs hooks from [/[Default VFS]/]
Initialising custom vfs hooks from [acl_xattr]
Initialising custom vfs hooks from [dfs_samba4]
connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and 'force unknown acl user = true' for service Unknown Service (snum == -1)
lp_load_ex: refreshing parameters
Processing section "[global]"
Processing section "[sysvol]"
Processing section "[netlogon]"
ldb_wrap open of idmap.ldb
ldb_wrap open of idmap.ldb
Initialising default vfs hooks
Initialising custom vfs hooks from [/[Default VFS]/]
Initialising custom vfs hooks from [acl_xattr]
Initialising custom vfs hooks from [dfs_samba4]
connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and 'force unknown acl user = true' for service sysvol
unpack_nt_owners: owner sid mapped to uid 0
unpack_nt_owners: group sid mapped to gid 3000000
set_nt_acl_no_snum: fset_nt_acl returned NT_STATUS_INVALID_PARAMETER.
ERROR(runtime): uncaught exception - (3221225485, 'An invalid parameter was passed to a service or function.')
File "/usr/local/lib/python3.6/site-packages/samba/netcmd/__init__.py", line 185, in _run
return self.run(*args, **kwargs)
File "/usr/local/lib/python3.6/site-packages/samba/netcmd/ntacl.py", line 283, in run
lp, use_ntvfs=use_ntvfs)
File "/usr/local/lib/python3.6/site-packages/samba/provision/__init__.py", line 1735, in setsysvolacl
_setntacl(sysvol)
File "/usr/local/lib/python3.6/site-packages/samba/provision/__init__.py", line 1732, in _setntacl
service=SYSVOL_SERVICE, session_info=session_info)
File "/usr/local/lib/python3.6/site-packages/samba/ntacls.py", line 232, in setntacl
service=service, session_info=session_info)


It is unclear whether the problems start further up ('force unknown acl user = true' for service Unknown Service (snum == -1)) looks a bit strange, for example. But the error message is identical to previous posters.

A quick overview of our set up:

Main DC
- Samba Samba version 4.7.4
- FreeBSD 11.1 release p4 amd64
- Inside vmbhyve (RAM 8GB , CPU 3) in a ZVOL on ZFS
- FS is UFS with ACLs enabled

Domain member (fileserver)
- Samba 4.10.8 (was originally 4.7.x when it was joined to the domain without issue around two years ago)
- Samba was updated in place a few months ago - experienced zero errors.
- 11.2-RELEASE-p2 amd64
- ZFS

Second DC
- Samba 4.10.11
- 12.1-RELEASE r354233 GENERIC amd64
- FS is UFS with ACLs enabled
- Inside vmbhyve (RAM 8GB , CPU 3) in a ZVOL on ZFS (different physical host to main DC)


All of these were installed from packages, except the main DC which was originally compiled (but was later updated/replaced by a packaged version (couldn't get it to provision without compiling because there was something missing from the package of the time which was needed to be able to provision - sorry I don't recall the details).

I'm going to go looking through the python code to see if I can understand exactly where it is really getting stuck. Not sure if I will be able to find a solution though. Anyone else have some thoughts on this?

As for trying other versions of Samba
- Samba 4.8 is basically dead (it was discontinued 2019-09-17 and in it's current from packages (tested today) samba-tool is broken. See https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=239480
- Samba 4.11 is the current version (since 2019-09-17 - see https://wiki.samba.org/index.php/Samba_Release_Planning)

This is my very first posting. Been lurking here for, um, years and years. Thanks.

 

[von_Gaden]

I'm sorry to inform you that samba-tool on FreeBSD is buggy these days (or years). I'd suggest you to compile net/samba410 from ports and try again with no guaranteed success. Last month I had to provision a new PDC for a customer, broken samba-tool betrayed me with its uncaught exceptions and I ended in quickly installing a new virtual machine with Ubuntu server. The same tools worked perfectly. It seems I have to learn a bit Linux, I am very unfamiliar with it. I'm not good enough in Python (yet) to help port maintainer to fix the isue. I'm sure it's related to https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=239105

 

[Franconian_Witchcraft]

Hi,
I'm interested in setting up a domain controller with FreeBSD. So I wonder what is the state of this topic? Any news/updates?

 

[von_Gaden]

I'm happy to inform you that right now samba-tool works!

 

[Franconian_Witchcraft]

That are good news! Hopefully it will not break again.

 

[dweimer]

Appears to be broken again, trying to provision a new domain, Even tried making the entire /var/db/samba4 directory a UFS volume, and it fails.

set_nt_acl_no_snum: fset_nt_acl returned NT_STATUS_INVALID_PARAMETER.
ERROR(runtime): uncaught exception - (3221225485, 'An invalid parameter was passed to a service or function.')
  File "/usr/local/lib/python3.8/site-packages/samba/netcmd/__init__.py", line 185, in _run
    return self.run(*args, **kwargs)
  File "/usr/local/lib/python3.8/site-packages/samba/netcmd/domain.py", line 515, in run
    result = provision(self.logger,
  File "/usr/local/lib/python3.8/site-packages/samba/provision/__init__.py", line 2339, in provision
    provision_fill(samdb, secrets_ldb, logger, names, paths,
  File "/usr/local/lib/python3.8/site-packages/samba/provision/__init__.py", line 1953, in provision_fill
    setsysvolacl(samdb, paths.netlogon, paths.sysvol, paths.root_uid,
  File "/usr/local/lib/python3.8/site-packages/samba/provision/__init__.py", line 1735, in setsysvolacl
    _setntacl(sysvol)
  File "/usr/local/lib/python3.8/site-packages/samba/provision/__init__.py", line 1729, in _setntacl
    return setntacl(
  File "/usr/local/lib/python3.8/site-packages/samba/ntacls.py", line 230, in setntacl
    smbd.set_nt_acl(

Running 12.1-r359145-RELEASE-p3, everything compiled from ports tree this morning.
Repository Root: https://svn.freebsd.org/ports
Repository UUID: 35697150-7ecd-e111-bb59-0022644237b5
Revision: 529323
Node Kind: directory
Schedule: normal
Last Changed Author: mfechner
Last Changed Rev: 529323
Last Changed Date: 2020-03-28 04:10:14 -0500 (Sat, 28 Mar 2020)

 

[usdmatt]

Appears to be broken again

I was planning on giving this another go but haven’t got round to it. Based on the lack of any notable commits I wasn’t confident it had been fixed in the first place, and you appear to get a similar error to the one I got months ago. Even if you make the entire samba data directory UFS, trying to provision an actual domain just fails with acl errors.

 

[spanglefox]

I also have run into this problem. I installed from packages.
Running a vanilla test install vm on UFS with acls activated. My provision effort in pastebin:
https://pastebin.com/Dn5F1Qmd

 

[NetBLOKS]

I also had these problems for years.
Since recently it works with zfs out of the box.
For ufs you have to add:

vfs objects = freebsd

Into the global section of your smb4.conf and at domain creation:

samba-tool domain provision --use-rfc2307 --interactive --option="vfs objects"="freebsd"

 

[spanglefox]

Thanks for that.

I had been approaching it from the old method that UFS worked and ZFS didn't. I had been wanting to get a FreeBSD 9 (UFS) box upgraded and set filesystem to ZFS.

I always worked with test UFS first then try ZFS. The joy that it works with ZFS can't be stated. Although ACLs on ZFS are trickier.

The hardest part now though is negotiating some downtime to process the upgrade. I put in Guacamole and the machines are being used harder than ever. Diddling myself out of maintenance time!

Thanks once again.

 

[NetBLOKS]

No problem.
ZFS is really a joy to work with.
I think, since OpenZFS and ZFS on Linux are "merging" we will get the following feature:
zfs set acltype=posixacl tank
so that you can work with normal posix acls in zfs and no extra work has to be done to enable zfs for Samba in FreeBSD.
Works like a charm on Debian and will be even better on FreeBSD, since ZFS on FreeBSD is much more advanced and stable.

 

[NetBLOKS]

For everyone upgrading to Samba411:
Samba411 gets a schema upgrade.
To Upgrade, you need to
pkg install py37-markdown
and then
samba-tool domain schemaupgrade

 

[Franconian_Witchcraft]

I also had these problems for years.
Since recently it works with zfs out of the box.
For ufs you have to add:

vfs objects = freebsd

Into the global section of your smb4.conf and at domain creation:

samba-tool domain provision --use-rfc2307 --interactive --option="vfs objects"="freebsd"

So you recommend to use ZFS?

 

[lemanp]

Maybe can to this way idea from this link:
Samba 4.11 with ZFS and UFS sysvol folder

The main file system is ZFS and create a additional UFS partiction (2GB ok) for sysvol only.

 

[von_Gaden]

I usually install a virtual machine with UFS for the AD domain controller. The main reason is that Samba appears to work in very different way when acts as an AD DC. I found it easier to maintain AD DC and file servers as AD members on separate machines. Plus, UFS is light and easy so I don't see any reason to put ZFS inside a VM. Well,
vfs objects = freebsd is new to me.

 

[Franconian_Witchcraft]

I usually install a virtual machine with UFS for the AD domain controller. The main reason is that Samba appears to work in very different way when acts as an AD DC. I found it easier to maintain AD DC and file servers as AD members on separate machines. Plus, UFS is light and easy so I don't see any reason to put ZFS inside a VM.

That's actually the way I'd like to do it, too. The VM images will be on ZFS anyway.

 

[yds]

Here's a reworked 0001-Zfs-provision-1.patch to check if sysvol is on a filesystem with ZFS ACLs
(cherry picked from <https://Bugs.FreeBSD.org/bugzilla/show_bug.cgi?id=239105#c47>)

replace files/0001-Zfs-provision-1.patch with the one from the gist and rebuild net/samba41[0123]
worked for me on 12.1-STABLE to get past the dreaded
set_nt_acl_no_snum: fset_nt_acl returned NT_STATUS_INVALID_PARAMETER.
ERROR(runtime): uncaught exception - (3221225485, 'An invalid parameter was passed to a service or function.')

 

[tictactux]

This is what worked for me, samba411 on FreeBSD 12.1, on UFS, with posix ACLs active:
sudo samba-tool domain provision --use-rfc2307 --interactive --option="vfs objects"="freebsd acl_xattr"

The lightbulb idea came when I realised that in also in member servers I had to manually add "freebsd" and "acl_xattr" to the vfs objects list, in order to properly set NTFS permissions.