Hi,
I've been struggling for one week with a new Samba4 installation under FreeBSD with ZFS and I really need help - it's a "total disaster".
My server has the following settings/details:
- Hardware: i5, 64GB RAM, 4x4 TB server disks
- Storage: 4x4 TB via RAID Z2 (eff. 8 TB), zfs
- FreeBSD 10.3 (because the samba42 port only works properly under FreeBSD 10.3, and samba43 and up no longer have the --with-nfsacls option built in :-( )
- Samba 4.2.12 (via port samba42)
- Installed/Setup: ACL_SUPPORT, ADS, AIO_SUPPORT, CUPS, DEBUG, DNSUPDATE, EXP MODULES, FAM_SUPPORT, LDAP, PAM_SMBPASS, PTHREADPOOL, QUOTAS, SYSLOG, UTMP, BIND910, AVAHI (and all of the default stuff)
- Provisioned:
/usr/local/bin/samba-tool domain provision --interactive --use-ntvfs --use-rfc2307
Code:
Realm [MYDOMAIN.INTERN]: MYDOMAIN.INTERN
Domain [MYDOMAIN]: MYDOMAIN
Server Role (dc, member, standalone) [dc]: dc
DNS backend (SAMBA_INTERNAL, BIND9_FLATFILE, BIND9_DLZ, NONE) [SAMBA_INTERNAL]: BIND9_DLZ
Administrator password: ********
Retype password: *******
I could install Samba4 and provision it. All tests have been successful.
A) Bind9 gives me for
host -t SRV _ldap._tcp.mydomain.intern.
Code:
_ldap._tcp.mydomain.intern has SRV record 0 100 389 pdc.mydomain.intern.
B) The update for samba's DNS works; the
samba_dnsupdate --verbose
output has been OK, no errors or warnings occurred.
C) Kerberos is OK,
klist
has the following output:
Code:
Credentials cache: FILE:/tmp/krb5cc_0
Principal: administrator@MYDOMAIN.INTERN
Issued Expires Principal
Aug 27 14:50:58 2014 Aug 28 00:50:58 2014 krbtgt/MYDOMAIN.INTERN@MYDOMAIN.INTERN
D) I set up my filesystem (root share), which will be used only by samba, as follows:
zfs create -o casesensitivity=insensitive zroot/data
zfs set mountpoint=/data zroot/data
zfs set aclmode=passthrough zroot/data
zfs set aclinherit=passthrough zroot/data
E) My /usr/local/etc/smb4.conf looks like:
Code:
[global]
workgroup = MYDOMAIN
realm = MYDOMAIN.INTERN
netbios name = PDC
server role = active directory domain controller
server services = smb, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
dcerpc endpoint servers = epmapper, wkssvc, rpcecho, samr, netlogon, lsarpc, spoolss, drsuapi, dssetup, unixinfo, browser, eventlog6, backupkey, dnsserver, winreg, srvsvc
idmap_ldb:use rfc2307 = yes
# miscellaneous
debug uid = yes
debug hires timestamp = yes
# ACL topics
ea support = yes
acl check permissions = yes
inherit acls = yes
inherit owner = no
csc policy = disable
store dos attributes = yes
dos filemode = no
map read only = no
# added to allow asynchronous I/O (make sure to load the kernel module aio)
aio read size = 16384
aio write size = 16384
# added to enhance the network performance of samba
socket options = TCP_NODELAY SO_SNDBUF=131072 SO_RCVBUF=131072
# set back to 2 after testing (smb.conf only treats whole lines as comments, so a trailing "#..." would become part of the value)
log level = 5
[netlogon]
path = /var/db/samba4/sysvol/mydomain.intern/scripts
read only = No
[sysvol]
path = /var/db/samba4/sysvol
read only = No
[public]
path = /data/public
read only = no
browseable = yes
vfs objects = zfsacl shadow_copy2
## Present the contents of the .zfs/snapshot directory as Volume Shadow
## copies. These will appear as Previous Versions to Windows clients.
shadow: snapdir = .zfs/snapshot
shadow: sort = desc
shadow: format = %Y-%m-%d-%H%M
## Use nfsv4 acls => See README.nfs4acls.txt for more information
## Use OWNER@ and GROUP@ special IDs
nfs4:mode = special
nfs4:acedup = merge
nfs4:chown = yes
Samba starts, in the log I cannot identify any problems, and bind is fine too, so everything "seems" to be OK. I can also join a client to the AD without any problems (but it takes about 10 minutes). But when it comes to the point where I try to access the share /data/public with my Windows client (Win7), I failed.
So I tried to set the right things in the ACLs, but I could not access the groups and users available within the AD via setfacl. So I had a look at Thread 57559.
getfacl /data/public
gives me the following:
Code:
root@pdc:~ # getfacl /data/public
# file: /data/public
# owner: root
# group: wheel
owner@:rwxp--aARWcCos:-------:allow
group@:rwxp--a-R-c--s:-------:allow
everyone@:rwxp--a-R-c--s:-------:allow
So far, so good - that all seems to be OK. But when I try to
setfacl -m g:'domain admins':full_set:fd----:allow /data/public
I got the following error:
Code:
root@pdc:~ # setfacl -m g:'domain admins':full_set:fd----:allow /data/public
setfacl: malformed ACL: unknown user or group name "domain admins"
setfacl: g:domain admins:full_set:fd----:allow: Invalid argument
Also
setfacl -m u:Administrator:rwxpDdaARWcCo-:fd----:allow /data/public
results in an error like the one above. It seems that there is no mapping between the ACL functions and samba/winbind. So I also checked /etc/nsswitch.conf; it contains:
Code:
group: compat
group_compat: nis winbind
#group: files nis winbind
hosts: files dns
networks: files
passwd: compat
passwd_compat: nis winbind
#passwd: files nis winbind
shells: files
services: compat
services_compat: nis
protocols: files
rpc: files
If I disable "group_compat" and replace it with the uncommented "#group: files nis winbind" line, I can't log on to FreeBSD any more. But maybe there is a failure in the config here, I don't know?
Here are my questions:
- Do I have to create users and groups in UNIX on my FreeBSD server (like we did under Samba 3 for an NT4 DC) and then map them to my domain users and groups with the
net groupmap
commands? I don't think so on a Samba4 AD DC, or?
- If my first question is simply answered with "no", what is my issue? What am I doing wrong? Why can I not set groups and users from my AD on my ZFS volumes/shares? Why does Windows give me an error when accessing the share? (It says that I have no rights with my user, who is also in the "Domain Admins" group.)
Any help would be really appreciated, thanks a lot.
PS: some tutorials and threads I read in addition to the above ones:
- Thread 33552
- http://network-howtos.blogspot.co.at/2015/05/samba4-setup-and-configure-file-shares.html ... nice, but doesn't handle ZFS
- https://glsan.com/community/samba4/ports/ ... nice, but the (wrong) nsswitch.conf setting there gets you into big trouble when you try to log on the next time
- https://gist.github.com/raspi/9986175 ... OK, but only an smb4.conf
- https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=213345 ... also had a look at this, because Samba 4.3 and up no longer have the "--with-nfsacl" option for provisioning ("that's great" :-( )
- https://daniel.washburn.at/howtos/freebsd-samba4-zfs-recipe ... very short
- https://wiki.samba.org/index.php/Main_Page ... read it up and down, including all sub-chapters, several times
- http://superuser.com/questions/888880/freebsd-samba4-ignoring-zfs-acls ... yeah, but S3FS won't work, ...
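An added check script for the nsswitch.conf part of the post above; it is written for this page and is not the poster's code nor part of Samba or FreeBSD. The point it demonstrates: on FreeBSD, nsswitch.conf(5) defines "compat" as a source that consults the group_compat / passwd_compat sources only for "+" entries in /etc/group and /etc/passwd, so the posted "group: compat" with "group_compat: nis winbind" never asks winbind on a stock install, and setfacl(1), which resolves names through the same NSS calls as getent(1), reports "unknown user or group name". The script reads a constructed copy of the relevant posted nsswitch.conf lines, reports whether a group lookup can reach winbind, and builds the NFSv4 ACE from the post only after getent confirms the name resolves. The group name, temporary file paths and the sample "+" line are assumptions. One caveat on the posted provisioning: it used --use-ntvfs, and the NTVFS file server does not load smbd VFS modules, so the "vfs objects = zfsacl shadow_copy2" settings in the [public] share are not in effect with that backend.

```shell
#!/bin/sh
# Added check for the nsswitch.conf / setfacl problem in the post above.
# Not part of the post or of Samba/FreeBSD; paths and names are assumptions.

# nss_sources DB FILE: print the sources configured for database DB in an
# nsswitch.conf-style FILE. Commented-out lines ("#group: ...") are skipped,
# which is why the "#group: files nis winbind" line in the post has no effect.
nss_sources() {
    awk -v key="$1:" '
        /^[[:space:]]*#/ { next }
        $1 == key { $1 = ""; sub(/^[[:space:]]+/, ""); print; exit }
    ' "$2"
}

# winbind_reachable_for_group NSSWITCH GROUPFILE: exit 0 when a group lookup
# on this host can reach winbind. Per FreeBSD nsswitch.conf(5), the "compat"
# source only hands "+" entries of GROUPFILE to the group_compat sources, so
# "group: compat" + "group_compat: nis winbind" never asks winbind unless
# GROUPFILE contains a "+" line.
winbind_reachable_for_group() {
    srcs=$(nss_sources group "$1")
    case " $srcs " in
        *" winbind "*) return 0 ;;
    esac
    case " $srcs " in
        *" compat "*)
            case " $(nss_sources group_compat "$1") " in
                *" winbind "*) grep -q '^+' "$2" && return 0 ;;
            esac
            ;;
    esac
    return 1
}

# ad_group_ace NAME: print the NFSv4 ACE from the post for group NAME, but only
# after getent(1) confirms NSS can resolve the name. setfacl(1) resolves names
# the same way, so a failure here is the "unknown user or group name" error.
ad_group_ace() {
    if ! getent group "$1" >/dev/null 2>&1; then
        echo "group '$1' is not resolvable through NSS; fix nsswitch.conf first" >&2
        return 1
    fi
    printf 'g:%s:full_set:fd----:allow\n' "$1"
}

# Demo on a constructed copy of the relevant posted nsswitch.conf lines
# (assumed temporary directory; nothing on the real system is touched).
demo_dir=$(mktemp -d)
cat > "$demo_dir/nsswitch.conf" <<'EOF'
group: compat
group_compat: nis winbind
#group: files nis winbind
passwd: compat
passwd_compat: nis winbind
EOF
: > "$demo_dir/group"   # constructed /etc/group without a "+" line, as on a stock install

if winbind_reachable_for_group "$demo_dir/nsswitch.conf" "$demo_dir/group"; then
    echo "group lookups can reach winbind"
else
    echo "group lookups cannot reach winbind: sources are '$(nss_sources group "$demo_dir/nsswitch.conf")'"
    echo "use 'group: files winbind' and 'passwd: files winbind', as the Samba wiki recommends"
fi
ad_group_ace 'domain admins' || true   # fails on a host where winbind is not in NSS
ad_group_ace "$(id -gn)"               # a local group resolves through "files"
rm -rf "$demo_dir"
```

Run it as root on the DC with the real /etc/nsswitch.conf and /etc/group in place of the constructed files; once winbind_reachable_for_group succeeds, "getent group 'domain admins'" (or "MYDOMAIN\domain admins", depending on "winbind use default domain") should return the group, and the posted setfacl line will accept the name.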