ZFS Samba4 AD DC with ACLs [remains unsolved]

Hi,

I've been struggling for one week with a new Samba4 installation under FreeBSD with ZFS and I really need help - it's a "total disaster".

My Server has following settings/details:
  • Hardware: i5, 64GB RAM, 4x4 TB server disks
  • Storage: 4x4 TB via RAID Z2 (eff. 8 TB), zfs
  • FreeBSD 10.3 (because port samba42 only works properly under FreeBSD 10.3, and samba43 and up don't have the --with-nfsacls option built in anymore :-( )
  • Samba 4.2.12 (via port samba42)
    • Installed/Setup: ACL_SUPPORT, ADS, AIO_SUPPORT, CUPS, DEBUG, DNSUPDATE, EXP MODULES, FAM_SUPPORT, LDAP, PAM_SMBPASS, PTHREADPOOL, QUOTAS, SYSLOG, UTMP, BIND910, AVAHI (and all of the default stuff)
    • Provisioned: /usr/local/bin/samba-tool domain provision --interactive --use-ntvfs --use-rfc2307
      Code:
      Realm [MYDOMAIN.INTERN]: MYDOMAIN.INTERN
      Domain [MYDOMAIN]: MYDOMAIN
      Server Role (dc, member, standalone) [dc]: dc
      DNS backend(SAMBA_INTERNAL,BIND9_FLATFILE,BIND9_DLZ,NONE)[SAMBA_INTERNAL]:BIND9_DLZ
      Administrator password: ********
      Retype password: *******
I followed the instructions of Thread 47798, except the settings for Bind 910. For everything about ZFS and ACLs I mainly followed Thread 47898 or used my own knowledge.

I could install Samba4 and provision it. All tests have been successful.

A) Bind9 gives me for
host -t SRV _ldap._tcp.mydomain.intern.
Code:
_ldap._tcp.mydomain.intern has SRV record 0 100 389 pdc.mydomain.intern.

B) The update for samba's DNS works; the samba_dnsupdate --verbose output has been ok, no errors or warnings occurred.

C) Kerberos is OK, klist has following output:
Code:
Credentials cache: FILE:/tmp/krb5cc_0
Principal: administrator@MYDOMAIN.INTERN
Issued              Expires             Principal
Aug 27 14:50:58 2014  Aug 28 00:50:58 2014  krbtgt/MYDOMAIN.INTERN@MYDOMAIN.INTERN

D) I set up my filesystem (root share), which will be used only by samba, as follows:
zfs create -o casesensitivity=insensitive zroot/data
zfs set mountpoint=/data zroot/data
zfs set aclmode=passthrough zroot/data
zfs set aclinherit=passthrough zroot/data

E) My /usr/local/etc/smb4.conf looks like:
Code:
[global]
        workgroup = MYDOMAIN
        realm = MYDOMAIN.INTERN
        netbios name = PDC
        server role = active directory domain controller
        server services = smb, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
        dcerpc endpoint servers = epmapper, wkssvc, rpcecho, samr, netlogon, lsarpc, spoolss, drsuapi, dssetup, unixinfo, browser, eventlog6, backupkey, dnsserver, winreg, srvsvc
        idmap_ldb:use rfc2307 = yes

        # diverses
        debug uid = yes
        debug hires timestamp = yes

        # ACL topics
        ea support =  yes
        acl check permissions = yes
        inherit acls = yes
        inherit owner = no
        csc policy = disable
        store dos attributes = yes
        dos filemode = no
        map read only = no

        # added to allow asynchronous I/O (make sure to load the kernel module aio)
        aio read size = 16384
        aio write size = 16384

        # added to enhance the network performance of samba
        socket options = TCP_NODELAY SO_SNDBUF=131072 SO_RCVBUF=131072

        log level = 5 #set back to 2 after testing

[netlogon]
        path = /var/db/samba4/sysvol/mydomain.intern/scripts
        read only = No


[sysvol]
        path = /var/db/samba4/sysvol
        read only = No


[public]
        path = /data/public
        read only = no
        browseable = yes

        vfs objects = zfsacl shadow_copy2
        ## Present the contents of the .zfs/snapshot directory as Volume Shadow
        ## copies. These will appear as Previous Versions to Windows clients.
        shadow: snapdir = .zfs/snapshot
        shadow: sort = desc
        shadow: format = %Y-%m-%d-%H%M
        ## Use nfsv4 acls => See README.nfs4acls.txt for more information
        ## Use OWNER@ and GROUP@ special IDs
        nfs4:mode = special
        nfs4:acedup = merge
        nfs4:chown = yes
Samba starts, within the log I can not identify any problems, bind is also fine, so everything "seems" to be OK. I can also join a client to the AD without any problems (but it takes about 10 minutes). When it comes to the point where I try to access the share /data/public with my Windows client (Win7), I fail.

So I tried to set the right things in the ACLs, but I could not access the groups and users available within the AD via setfacl. So I had a look at Thread 57559. getfacl /data/public gives me the following:
Code:
root@pdc:~ # getfacl /data/public
# file: /data/public
# owner: root
# group: wheel
owner@:rwxp--aARWcCos:-------:allow
group@:rwxp--a-R-c--s:-------:allow
everyone@:rwxp--a-R-c--s:-------:allow
So far, so good - that all seems to be ok. But when I try setfacl -m g:'domain admins':full_set:fd----:allow /data/public I get the following error:
Code:
root@pdc:~ # setfacl -m g:'domain admins':full_set:fd----:allow /data/public
setfacl: malformed ACL: unknown user or group name "domain admins"
setfacl: g:domain admins:full_set:fd----:allow: Invalid argument
Also setfacl -m u:Administrator:rwxpDdaARWcCo-:fd----:allow /data/public results in an error like the one above. It seems that there is no mapping between the ACL functions and samba/winbind. So I also checked /etc/nsswitch.conf, it contains:
Code:
group: compat
group_compat: nis winbind
#group: files nis winbind
hosts: files dns
networks: files
passwd: compat
passwd_compat: nis winbind
#passwd: files nis winbind
shells: files
services: compat
services_compat: nis
protocols: files
rpc: files
If I disable "group_compat" and replace it with the uncommented "#group: files nis winbind", I can't log on to FreeBSD anymore. But maybe there is a mistake in the config here, I don't know?

Here are my questions:
  1. Do I have to create users and groups on my FreeBSD server in UNIX (like we did under Samba 3 for an NT4 DC) and do I have to map them afterwards using the net groupmap commands to my domain users and groups? I do not think so on a Samba4 AD DC, or?
  2. If my first question is answered simply with "no", what is my issue? What am I doing wrong? Why can I not set groups and users from my AD on my zfs volumes/shares? Why does Windows give me an error when accessing the share? (It says that I've got no rights with my user, who is also in the "Domain Admins" group.)
I searched the whole internet for help but could only find some old threads in here and some other stuff concerning samba 3.x issues, non-zfs filesystems or only stand-alone fileservers within an AD. There is no really good tutorial about setting up a Samba4 AD DC under FreeBSD with ZFS and ACLs (and once again, I do not mean all the NT4 stuff. For that, there are tons of tutorials on the internet). And yes, I know, AD DC and shares on the same server is not a good idea, but I've got no other options in the meantime.


Any help would be really appreciated, thanks a lot.


ps. some tutorials and threads I read additionally to the above ones:
 
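The getfacl output above is the only reliable record of what an ACL on the dataset really is, and after a setfacl (or after setting permissions from a Windows client) it is worth checking that the expected entry actually landed with the inheritance flags you wanted. The following is an added example, not code from the thread, FreeBSD or Samba: a small POSIX sh helper that parses FreeBSD's NFSv4 getfacl text format (the `owner@:perms:flags:type` and `group:name:perms:flags:type` lines shown in the post) and reports whether a given principal has an allow entry carrying both the f (file inherit) and d (directory inherit) flags. The function names `acl_entry` and `acl_inherits` are hypothetical, and the sample ACL used in the usage is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): verify NFSv4 ACL entries from
# `getfacl` output on FreeBSD. Feed it a file containing the getfacl text,
# e.g.  getfacl /data/public > /tmp/public.acl
#
# acl_entry FILE PRINCIPAL
#   PRINCIPAL is "owner@", "group@", "everyone@", "user:NAME" or "group:NAME".
#   Prints "PERMS FLAGS TYPE" for the matching entry; exit 1 if none.
acl_entry() {
    awk -F: -v who="$2" '
    /^#/ || NF < 4 { next }                 # skip "# file:", "# owner:" header lines
    {
        # Named entries have an extra field: user:NAME:perms:flags:type
        if ($1 == "user" || $1 == "group") { p = $1 ":" $2; perms = $3; flags = $4; type = $5 }
        else                                { p = $1;         perms = $2; flags = $3; type = $4 }
        if (p == who) { print perms, flags, type; found = 1 }
    }
    END { exit !found }' "$1"
}

# acl_inherits FILE PRINCIPAL
#   Exit 0 only if PRINCIPAL has an "allow" entry whose inheritance flags
#   contain both f (file_inherit) and d (dir_inherit), i.e. new files and
#   directories created under the share will receive the entry too.
acl_inherits() {
    acl_entry "$1" "$2" |
        awk '$3 == "allow" && $2 ~ /f/ && $2 ~ /d/ { ok = 1 } END { exit !ok }'
}

# Stand-alone usage: ./acl_check.sh /tmp/public.acl 'group:domain admins'
if [ $# -eq 2 ]; then
    acl_entry "$1" "$2"
    if acl_inherits "$1" "$2"; then echo "inherits to new files and dirs"; else echo "does NOT inherit"; fi
fi
```

Running the check right after each setfacl keeps the debugging honest: if `acl_entry` cannot find `group:domain admins` at all, the name never resolved through NSS and the problem is winbind/nsswitch, not the ACL syntax.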
Some further informations. After reading thread Thread 32714 I checked winbind via wbinfo -u and got following response ...
Code:
could not obtain winbind interface details: WBC_ERR_WINBIND_NOT_AVAILABLE
could not obtain winbind domain name!
Error looking up domain users
My nsswitch.conf looks like now:
Code:
group: compat winbind
group_compat: nis
hosts: files dns
networks: files
passwd: compat winbind
passwd_compat: nis
shells: files
services: compat
services_compat: nis
protocols: files
rpc: files
as mentioned in Thread 32714, but that seems not to be ok. After restarting samba I got
Code:
Feb 13 12:53:22 pdc vi: NSSWITCH(nsparser): /etc/nsswitch.conf line 5: 'compat' used with sources, other than 'cache'
Feb 13 12:53:22 pdc vi: NSSWITCH(nsparser): /etc/nsswitch.conf line 9: 'compat' used with sources, other than 'cache'
wbinfo -u gives no error anymore, but has no output and breaks.
 
And if you do so in nsswitch.conf
Code:
group: files nis winbind
passwd: files nis winbind
hosts: files dns
networks: files
shells: files
services: compat
services_compat: nis
protocols: files
rpc: files
you can fetch your boot CD/stick and repair nsswitch.conf (as happened right now :-( ), because the OS will not start correctly and you have no way to log on.
 
The error seems to be a typo (corrected), the config is ok, thanks. If I use your config, my system won't start up (login not working anymore) as mentioned before.
 
Puh, it's really strange. Every combination I tried in nsswitch.conf led to strange behaviour of the shell and/or winbindd. If, for example, I tried to edit nsswitch.conf and removed the entry "nis" from the "group:" line, my vi and shell stopped working. On the other hand, when winbindd crashes, my shell reopens again. Finally, no combination of "files", "nis", "compat" and "winbind" could achieve the following:

1) winbind provides me with the groups and users of the AD to set ACLs on and manage my zfs shares
2) winbind works as usual to provide my UNIX root login (and shell)
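The nsparser messages quoted earlier ("'compat' used with sources, other than 'cache'") describe a rule FreeBSD's NSS parser enforces: on a `passwd:` or `group:` line, `compat` may only be combined with `cache`; any further sources for compat mode belong on the matching `passwd_compat:` / `group_compat:` line. Since a broken nsswitch.conf here meant booting from rescue media, the following added example (not code from the thread, FreeBSD or Samba) lints a candidate file before it is copied into /etc. It reports the compat mixing the parser rejects, and it also reports when neither the `passwd`/`group` line nor its `_compat` line mentions `winbind`, because in that case AD users and groups can never resolve by name for setfacl or chown. The function name `lint_nsswitch` is hypothetical and the sample files in the usage are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): lint an nsswitch.conf candidate
# before installing it.   Usage: ./nsswitch_lint.sh /tmp/nsswitch.conf.new
# Exit status 1 when any finding is printed, 0 when clean.
lint_nsswitch() {
    awk '
    BEGIN { found = 0 }
    /^[ \t]*#/ || /^[ \t]*$/ { next }         # comments and blank lines
    {
        line = $0
        sub(/#.*/, "", line)                  # strip trailing comment
        split(line, kv, ":")
        db = kv[1]; gsub(/[ \t]/, "", db)     # database name, e.g. "group_compat"
        n = split(kv[2], src, /[ \t]+/)       # the source list after the colon
        has_compat = 0; has_winbind = 0; other = ""
        for (i = 1; i <= n; i++) {
            if (src[i] == "") continue
            if (src[i] == "compat") has_compat = 1
            else if (src[i] == "winbind") { has_winbind = 1; other = other " " src[i] }
            else if (src[i] != "cache") other = other " " src[i]
        }
        # Rule from the nsparser message in the thread: compat tolerates only cache beside it
        if (has_compat && other != "") {
            printf("%s:%d: %s: compat combined with%s; move them to %s_compat\n", FILENAME, NR, db, other, db)
            found = 1
        }
        base = db; sub(/_compat$/, "", base)  # "group_compat" -> "group"
        if (db == "passwd" || db == "group") seen[db] = 1
        if (has_winbind) wb[base] = 1         # winbind counts whether on the db or its _compat line
    }
    END {
        for (b in seen) if (!wb[b]) {
            printf("%s: %s never consults winbind; AD users and groups will not resolve by name\n", FILENAME, b)
            found = 1
        }
        exit found
    }' "$1"
}

if [ $# -gt 0 ]; then
    lint_nsswitch "$1"
fi
```

Applied to the three variants posted above, the lint is silent for the first (`group: compat` plus `group_compat: nis winbind`) and the third (`files nis winbind`), and flags lines 1 and 3 of the second one exactly where nsparser did. It deliberately does not judge why the third variant prevented logins, since the thread never established that.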
 
Do you also use ZFS and ACLs on it? And do you use just one machine for AD DC and fileserver? How is your samba configured when installing (also: do you use Bind or builtin DNS?)

(Background: I can only use ZFS because I need the snapshots)
 
Right now I have
Code:
Samba: Version 4.4.8
11.0-RELEASE-p6 FreeBSD 11.0-RELEASE-p6 #1 r294083M:
I tried a new installation with exactly the same versions you have. It broke when it came to provisioning:
Code:
root@addc:/var/db/samba4/private # /usr/local/bin/samba-tool domain provision --interactive --use-rfc2307
Realm [MYDOMAIN.INTERN]:
Domain [MYDOMAIN]:
Server Role (dc, member, standalone) [dc]:
DNS backend (SAMBA_INTERNAL, BIND9_FLATFILE, BIND9_DLZ, NONE) [SAMBA_INTERNAL]: BIND9_DLZ
Administrator password:
Retype password:
Looking up IPv4 addresses
Looking up IPv6 addresses
No IPv6 address will be assigned
Setting up secrets.ldb
Setting up the registry
Setting up the privileges database
Setting up idmap db
Setting up SAM db
Setting up sam.ldb partitions and settings
Setting up sam.ldb rootDSE
Pre-loading the Samba 4 and AD schema
Adding DomainDN: DC=kratzer,DC=intern
Adding configuration container
Setting up sam.ldb schema
Setting up sam.ldb configuration data
Setting up display specifiers
Modifying display specifiers
Adding users container
Modifying users container
Adding computers container
Modifying computers container
Setting up sam.ldb data
Setting up well known security principals
Setting up sam.ldb users and groups
Setting up self join
Segmentation fault (core dumped)
root@addc:/var/db/samba4/private #
/var/log/messages gives me for that:
Code:
Feb 14 23:40:15 addc kernel: pid 540 (python2.7), uid 0: exited on signal 11 (core dumped)
 
This ZFS Samba4 stuff is stealing my time. Two weeks further, all tutorials on the internet read (wrong or outdated information, like: https://glsan.com/community/samba4/ports/ - which is also preferred by the samba team), approx. 20 installations further --> no solution. 7 billion people on a planet and no one knows how to solve that stuff, strange. I'm really sad and/or angry and thinking about changing to a Microsoft solution. This would not be expensive anymore, because the costs for the "experiments" here have reached 4k$ ...
 
Have you tried asking on the samba forum?
I think it's not a samba topic (all the other stuff, not the provisioning prob). It's more a Samba on FreeBSD and ZFS problem - or a package compatibility problem (in ubuntu I get py3, here I got py2.7 - which makes a core dump?). For example, the nsswitch.conf prob is a pure FreeBSD prob, because winbind has been ok but could not be addressed by chmod or setfacl, etc.

And I don't like to talk in several forums about the same problem. Maybe there are different points of view, but my time runs out very quickly.
 
No chance to get FreeBSD running as desired (not with Samba 4.4, 4.3 or 4.2). So I decided to use Ubuntu 16.04 as an AD DC (already set up and running) and FreeBSD with ZFS will only be an AD member providing the shares.
 
I just installed Samba44 from ports and successfully set it up as a secondary domain controller. I also see the "Segmentation fault (core dumped)" message when using various (but not all) 'samba tool' commands. From what I can tell it's an issue with Python27 (or more likely incompatible Samba scripts). For me it wasn't too much of an issue because I already had a working PDC to replicate domain config from.

If I were in your position I'd try installing an older version of Python from ports (it will probably complain about a security vulnerability but just ignore that to see whether the Samba scripts are compatible). I think the version I had when I first provisioned my server a few years back was 'python2-2_3' so maybe start with that one.

You could also try manually compiling Samba 45 from source but only as a last resort.


The other thing I would do is just verify what is actually working.

Use 'kinit administrator' to test whether Kerberos is working. It is working if it asks you for a password and completes without error. Then type "klist" to see whether a ticket has been issued for "Administrator".

Use this walkthrough to see whether the Samba DNS is running.
https://wiki.samba.org/index.php/Verifying_and_Creating_a_DC_DNS_Record

The other advice I'd give is to set up share permissions from a Windows client using the "Computer Management Console"; this has always been the most reliable approach, and I have never gotten 'setfacl' to give me much satisfaction.
Details are here (bottom of the page)...
https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs



Your ZFS settings seem fine. Although I read recently that 'casesensitive=insensitive' will hurt performance because Samba doesn't know how to cache directory names with this setting on. I don't think it matters much though if at all.

FYI these are my samba share settings which work fine with Windows clients. They may help.
path = /path
read only = No
browseable = yes
guest ok = no
delete readonly = yes
vfs objects = zfsacl shadow_copy2
shadow: snapdir = .zfs/snapshot
shadow: sort = desc
shadow: format = %Y-%m-%d-%H%M
nfs4:mode = special
nfs4:acedup = merge
nfs4:chown = yes
map acl inherit = yes
inherit permissions = yes
inherit acls = yes
inherit owner = yes
 
... it wasn't too much of an issue because I already had a working PDC to replicate domain config from.
Yes, that's one topic, the running PDC. I could install a PDC with FreeBSD 10.3 and Samba 44 from ports, but provisioning doesn't work. I also could install FreeBSD 11.0 and Samba 42 and everything works fine until it comes to getent passwd (there is a tricky winbind issue, something was not compiled in). Thank you for your help, but I already had to decide on a solution. Also, I want a stable running system. This goal has been achieved now with a combination of two Ubuntu 16.04 LTS AD DCs (with no shares) and a FreeBSD 11.0 Samba 43 AD member server only, with ZFS and ACLs via zfsacl providing all shares. It's a really good and fast setup and it seems to be stable too (I'm using it in a production environment, ~50 users, huge file sizes, huge load/traffic).
 
Compile Samba from the source code from www.samba.org?

We are running a self-compiled Samba 4.7.3 joined to an AD domain on FreeBSD 11.1 with ZFS and ACLs (and previous versions/snapshots).

Samba requires a couple of patches to handle ZFS ACLs and snapshots well though. And a bit of tweaking to run well with ~500 concurrent users per server. One runs into all kinds of fun when attempting this - like Microsoft SCEP antivirus DOS-attacking our Samba servers from our student lab computers - apparently Samba doesn't really like seeing a couple of hundred new SMB connections in a few seconds :)

Now if I just could figure out why the smbd and winbindd processes are such #¤%&%#!" memory hogs - I'd rather use the RAM on the machine as ZFS ARC cache...
 
No chance to get FreeBSD running as desired (not with Samba 4.4, 4.3 or 4.2). So I decided to use Ubuntu 16.04 as an AD DC (already set up and running) and FreeBSD with ZFS will only be an AD member providing the shares.

I came to a similar conclusion. I chose Devuan over Debian/Ubuntu.
I like the UNIX philosophy of "doing one thing and doing it well" as pursued by the Devuan team.

I am running Devuan + Samba4 on minimalist hardware (APU3C4) as I required a small domain controller for a small environment.
 
[..]
We are running a self-compiled Samba 4.7.3 joined to an AD domain on FreeBSD 11.1 with ZFS and ACLs (and previous versions/snapshots).
[..]
Samba requires a couple of patches to handle ZFS ACLs and snapshots well though. And a bit of tweaking to run well with ~500 concurrent users per server.

Hello Peter, Thanks for your post. Could you share with us what kind of patches were required? Thanks.
 
Hello Peter, Thanks for your post. Could you share with us what kind of patches were required? Thanks.

Sure. Nowadays you can pretty much use a stock Samba. We have a couple we find we need though.
Currently we build our own Samba using a script "BUILD" that you can download from:

https://www.grebo.net/~peter/samba/freebsd/

Download the script and the Patches.tar.gz file. Unpack the patches and modify the NCPU and ROOT variables in the script.
Then run "./BUILD" and it should download, unpack, patch, configure and build Samba. "./BUILD install" to install it.

allow_write_on_attrib.patch
Fixes a group write access problem with ACLs on ZFS when you have "stripped" (just old-style Unix permissions) ACLs.

listen_backlog.patch
Increases the listen() backlogs in many places (and makes it configurable).

vfs_shadow_copy.patch
Makes it possible to access ZFS snapshots

These you probably don't need:
check_ntlm_password.patch
matchname.patch
liu_version.patch
 