Samba4 errors

I installed FreeBSD 9.1 with ZFS on root on my NAS and I updated all packages and ports via the portupgrade utility. I just installed Samba4 via ports (Samba 4.0.4_1) but I'm getting a weird error when trying to set it up.

ACLs should have been enabled on / since
Code:
$ zfs get aclmode zroot
NAME   PROPERTY  VALUE        SOURCE
zroot  aclmode   passthrough  local
Code:
$ zfs get aclinherit zroot
NAME   PROPERTY    VALUE          SOURCE
zroot  aclinherit  passthrough    local
And yet it seems Samba4 expects something more:
Code:
$ sudo samba-tool domain provision
Realm [TEST.COM]:
 Domain [TEST]:
 Server Role (dc, member, standalone) [dc]:
 DNS backend (SAMBA_INTERNAL, BIND9_FLATFILE, BIND9_DLZ, NONE) [SAMBA_INTERNAL]:
 DNS forwarder IP address (write 'none' to disable forwarding) [192.168.1.1]:
Administrator password:
Retype password:
Looking up IPv4 addresses
More than one IPv4 address found. Using 192.168.1.50
Looking up IPv6 addresses
No IPv6 address will be assigned
set_nt_acl_no_snum: fset_nt_acl returned zero.
ERROR(<class 'samba.provision.ProvisioningError'>): Provision failed - ProvisioningError: Your filesystem or build does not support posix ACLs, which s3fs requires.  Try the mounting the filesystem with the 'acl' option.
  File "/usr/local/lib/python2.7/site-packages/samba/netcmd/domain.py", line 398, in run
    use_rfc2307=use_rfc2307, skip_sysvolacl=False)
  File "/usr/local/lib/python2.7/site-packages/samba/provision/__init__.py", line 2043, in provision
    raise ProvisioningError("Your filesystem or build does not support posix ACLs, which s3fs requires.  Try the mounting the filesystem with the 'acl' option.")
I'm not sure if I should configure some other mount points (of the same pool) to support ACL? Could this be the cause? Like doing
Code:
zfs set aclmode=passthrough zroot/usr
zfs set aclinherit=passthrough zroot/usr
When starting the Samba4 daemon no error is shown but the daemon doesn't really start:
Code:
$ cat /var/log/samba4/log.samba
[2013/05/04 19:14:47,  0] ../source4/smbd/server.c:369(binary_smbd_main)
  samba version 4.0.4 started.
  Copyright Andrew Tridgell and the Samba Team 1992-2012
[2013/05/04 19:14:48,  0] ../source4/smbd/server.c:475(binary_smbd_main)
  samba: using 'standard' process model
[2013/05/04 19:14:48,  0] ../source4/nbt_server/interfaces.c:205(nbtd_add_socket)
  Failed to bind to 192.168.1.255:137 - NT_STATUS_ADDRESS_ALREADY_ASSOCIATED
[2013/05/04 19:14:48,  0] ../source4/smbd/service_task.c:35(task_server_terminate)
  task_server_terminate: [nbtd failed to setup interfaces]
[2013/05/04 19:14:48,  0] ../source4/smbd/service_task.c:35(task_server_terminate)
  task_server_terminate: [dreplsrv: Failed to connect to local samdb: WERR_DS_UNAVAILABLE
  ]
[2013/05/04 19:14:48,  0] ../source4/smbd/service_task.c:35(task_server_terminate)
  task_server_terminate: [kdc: krb5_init_context samdb RODC connect failed]
[2013/05/04 19:14:48,  0] ../source4/smbd/service_task.c:35(task_server_terminate)
  task_server_terminate: [Cannot start Winbind (domain controller): Failed to find record for HOMELAN in /var/db/samba4/private/secrets.ldb: No such object: (null): Have you provisioned the HOMELAN domain?]
[2013/05/04 19:14:48,  0] ../source4/smbd/service_task.c:35(task_server_terminate)
  task_server_terminate: [kccsrv: Failed to connect to local samdb: WERR_DS_UNAVAILABLE
  ]
[2013/05/04 19:14:48,  0] ../source4/smbd/server.c:210(samba_terminate)
  samba_terminate: nbtd failed to setup interfaces
[2013/05/04 19:14:48,  0] ../source4/smbd/service_task.c:35(task_server_terminate)
  task_server_terminate: [Failed to obtain server credentials, perhaps a standalone server?: NT_STATUS_CANT_ACCESS_DOMAIN_INFO
  ]
NTP has been started (but maybe not configured correctly) and is running. For now I'd be happy enough to share a folder with a workgroup like I've been doing with Samba3 on GNU/Linux in the past. Since this is a home network there is no need (at least for now) for a Domain Controller. When setting it up as standalone I get the same error though.

I tried to configure it manually using the /usr/local/etc/smb4.conf file but without any success: the daemon shuts down immediately.

Does anyone have any suggestions, or would I be better off with Samba3 (at least for the moment)?

Thank you very much in advance.
 
ZFS ACLs are a little bit different from the ACLs on Linux or on the UFS2 filesystem of FreeBSD. They are what is called NFSv4 ACLs, and the error message indicates that net/samba4 expects POSIX ACLs on the filesystem. Not knowing more about net/samba4, I can only suggest looking at the configuration to see if there's anything that could be changed to use NFSv4 ACLs instead.
 
acheron said:
You have to pass the --use-ntvfs flag to the samba-tool command if you want to use ZFS.

Thank you. This fixes a part of the problem. However another one appeared:

Code:
$ cat /var/log/samba4/log.samba
[2013/05/06 18:53:34,  0] ../source4/smbd/server.c:369(binary_smbd_main)
  samba version 4.0.4 started.
  Copyright Andrew Tridgell and the Samba Team 1992-2012
[2013/05/06 18:53:34,  0] ../source4/smbd/server.c:475(binary_smbd_main)
  samba: using 'standard' process model
[2013/05/06 18:53:34,  0] ../source4/nbt_server/interfaces.c:228(nbtd_add_socket)
  Failed to bind to 0.0.0.0:137 - NT_STATUS_ADDRESS_ALREADY_ASSOCIATED
[2013/05/06 18:53:34,  0] ../source4/smbd/service_task.c:35(task_server_terminate)
  task_server_terminate: [nbtd failed to setup interfaces]
[2013/05/06 18:53:34,  0] ../source4/smbd/server.c:210(samba_terminate)
  samba_terminate: nbtd failed to setup interfaces
[2013/05/06 18:53:34,  0] ../source4/smbd/service_stream.c:342(stream_setup_socket)
  Failed to listen on 0.0.0.0:445 - NT_STATUS_ADDRESS_ALREADY_ASSOCIATED
[2013/05/06 18:53:34,  0] ../source4/smbd/service_task.c:35(task_server_terminate)
  task_server_terminate: [Failed to startup smb server task]

Not sure if additional configuration is required. Authenticating to Kerberos doesn't work (following the tutorial at http://frednotes.wordpress.com/2012/09/27/samba-4-as-a-domain-controller/).

Code:
$ sudo smbclient //localhost/netlogon -Uadministrator%'<mypassword>' -c 'ls'
session setup failed: NT_STATUS_LOGON_FAILURE

I can't inspect using the host command either as documented here: http://www.whitneytechnologies.com/?p=422.

Code:
$ host -t SRV _kerberos._udp.<mydomain.com>
Host _kerberos._udp.<mydomain.com> not found: 3(NXDOMAIN)

Not sure what is going on here. How to generate a basic /etc/krb5.conf file? Thank you very much again for your help.

EDIT: after a reboot I get
Code:
$ cat /var/log/samba4/log.samba
[2013/05/06 20:59:27,  0] ../source4/smbd/server.c:369(binary_smbd_main)
  samba version 4.0.4 started.
  Copyright Andrew Tridgell and the Samba Team 1992-2012
[2013/05/06 20:59:27,  0] ../source4/smbd/server.c:475(binary_smbd_main)
  samba: using 'standard' process model
[2013/05/06 20:59:27,  0] ../source4/nbt_server/interfaces.c:205(nbtd_add_socket)
  Failed to bind to 192.168.1.255:137 - NT_STATUS_ADDRESS_ALREADY_ASSOCIATED
[2013/05/06 20:59:27,  0] ../source4/smbd/service_task.c:35(task_server_terminate)
  task_server_terminate: [nbtd failed to setup interfaces]
[2013/05/06 20:59:27,  0] ../source4/smbd/server.c:210(samba_terminate)
  samba_terminate: nbtd failed to setup interfaces

Additional information:
Code:
$ cat /usr/local/etc/smb4.conf
/usr/local/etc/smb4.conf        /usr/local/etc/smb4.conf.backup /usr/local/etc/smb4.conf.edited /usr/local/etc/smb4.conf.newer
$ cat /usr/local/etc/smb4.conf
# Global parameters
[global]
        workgroup = MYDOMAIN
        realm = mydomain.com
        netbios name = NAS
        server role = active directory domain controller
        dns forwarder = 192.168.1.1 # ROUTER IP ADRESS
        server services = rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate, dns, smb
        dcerpc endpoint servers = epmapper, wkssvc, rpcecho, samr, netlogon, lsarpc, spoolss, drsuapi, dssetup, unixinfo, browser, eventlog6, backupkey, dnsserver, winreg, srvsvc

[netlogon]
        path = /var/db/samba4/sysvol/mydomain.com/scripts
        read only = No

[sysvol]
        path = /var/db/samba4/sysvol
        read only = No
$ sudo /usr/local/etc/rc.d/samba4 restart
Performing sanity check on Samba configuration: OK
samba4 not running? (check /var/run/samba4/samba.pid).
Starting samba4.
 
In my configuration file I don't have server services and dcerpc endpoint servers parameters.

krb5.conf is generated automatically when you provision your domain and can be found in /var/db/samba4/private/krb5.conf, you just have to copy it to /etc/krb5.conf.

The error message
Code:
NT_STATUS_ADDRESS_ALREADY_ASSOCIATED
means that you already have Samba running.
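A triage sketch for the log excerpts in this thread, added here as an example and not part of any post: it groups each `log.samba` header line with its indented message and pulls out every socket that failed with NT_STATUS_ADDRESS_ALREADY_ASSOCIATED. The sample log is constructed from lines shown above; the function names and the port-to-daemon table are assumptions of this example.

```python
import re

# Constructed sample, shaped like the log.samba excerpts quoted in this thread.
SAMPLE_LOG = """\
[2013/05/06 18:53:34,  0] ../source4/smbd/server.c:475(binary_smbd_main)
  samba: using 'standard' process model
[2013/05/06 18:53:34,  0] ../source4/nbt_server/interfaces.c:228(nbtd_add_socket)
  Failed to bind to 0.0.0.0:137 - NT_STATUS_ADDRESS_ALREADY_ASSOCIATED
[2013/05/06 18:53:34,  0] ../source4/smbd/service_task.c:35(task_server_terminate)
  task_server_terminate: [nbtd failed to setup interfaces]
[2013/05/06 18:53:34,  0] ../source4/smbd/service_stream.c:342(stream_setup_socket)
  Failed to listen on 0.0.0.0:445 - NT_STATUS_ADDRESS_ALREADY_ASSOCIATED
[2013/05/06 18:53:34,  0] ../source4/smbd/service_task.c:35(task_server_terminate)
  task_server_terminate: [Failed to startup smb server task]
"""

# "[timestamp, level] source.c:line(function)" starts a record.
HEADER = re.compile(r"^\[(?P<ts>[^,\]]+),\s*(?P<level>\d+)\]\s+"
                    r"(?P<src>\S+?):(?P<line>\d+)\((?P<func>\w+)\)\s*$")
BUSY = re.compile(r"Failed to (?:bind to|listen on) (?P<addr>[\d.]+):(?P<port>\d+)"
                  r" - NT_STATUS_ADDRESS_ALREADY_ASSOCIATED")
# Assumption of this example: the classic daemons that normally own these ports.
USUAL_OWNER = {137: "nmbd (NetBIOS name service)", 139: "smbd (NetBIOS session)",
               445: "smbd (SMB over TCP)"}

def parse_records(text):
    """Attach the indented message lines to the header line that precedes them."""
    records = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            records.append({**m.groupdict(), "msg": []})
        elif records and line.strip():
            records[-1]["msg"].append(line.strip())
    return records

def busy_sockets(text):
    """Return (address, port, reporting function) for each address-in-use failure."""
    hits = []
    for rec in parse_records(text):
        m = BUSY.search(" ".join(rec["msg"]))
        if m:
            hits.append((m["addr"], int(m["port"]), rec["func"]))
    return hits

def terminated_tasks(text):
    """Messages of the tasks that gave up, i.e. the follow-on failures."""
    return [" ".join(r["msg"]) for r in parse_records(text)
            if r["func"] == "task_server_terminate"]

if __name__ == "__main__":
    for addr, port, func in busy_sockets(SAMPLE_LOG):
        print(f"{addr}:{port} in use, usually {USUAL_OWNER.get(port, 'unknown')} [{func}]")
```

On FreeBSD, `sockstat -l` shows which process actually holds each port the script reports.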
 
acheron said:
In my configuration file I don't have server services and dcerpc endpoint servers parameters.

krb5.conf is generated automatically when you provision your domain and can be found in /var/db/samba4/private/krb5.conf, you just have to copy it to /etc/krb5.conf.

The error message
Code:
NT_STATUS_ADDRESS_ALREADY_ASSOCIATED
means that you already have Samba running.

Are you running AD with DC? I think I don't need a domain controller (I can't connect my Windows 7 Premium laptop to a domain anyway). For a home network, I just need a way to (with ACL support if possible) authenticate my users for the file shares. Maybe Active Directory with ACL permissions suffices. Any opinions on this?

Samba is not running as far as I know:
Code:
$ sudo /usr/local/etc/rc.d/samba4 restart
Performing sanity check on Samba configuration: OK
samba4 not running? (check /var/run/samba4/samba.pid).
Starting samba4.

Even after a reboot the problem isn't solved. What should I put in /etc/resolv.conf for nameserver? The local IP address of the server running Samba AD DC or the router's IP address? I suppose it's the former but I'm not sure at this point.

Checking with netstat doesn't show anything running on port 137 either.
Good to know the files are in /var/db/samba4/private/, since the majority of tutorials suppose they are in /usr/local/samba4/private/ which I couldn't find.

Thank you again for your help acheron.
 
Yes, I'm testing AD with DC. If you don't need all the AD stuff, stick with net/samba36 or use only the smbd and nmbd part of samba4.
My /etc/resolv.conf contains
Code:
nameserver 127.0.0.1
 
acheron said:
Yes, I'm testing AD with DC. If you don't need all the AD stuff, stick with net/samba36 or use only the smbd and nmbd part of samba4.
My /etc/resolv.conf contains
Code:
nameserver 127.0.0.1

Thank you for your reply, acheron.

Could you please post your smb4.conf file so that I might find what other differences exist?
Besides smb4.conf, krb5.conf and resolv.conf, are there other files that should've been edited? Any special command you had to run?

These Samba error messages don't make any sense to me. Even worse: when I tried smbclient to connect to localhost it tried to connect to another machine (on another IP address) and listed the shares on that machine :S

I wonder though if I can set up AD for all my network and the computers that don't support it can still connect to it as if it was a WORKGROUP ...
 
Small update.

I got Samba 4 working but somehow wasn't really satisfied. Active Directory may be nice, but I should set it up on a 24/7 server rather than an ad-hoc powered one. I couldn't really understand how to get the standalone configuration to work.

Therefore I went back to the Samba 3.6 series, which works very well. ACL permissions seem to also be well supported (user was set up using setfacl on FreeBSD then all permissions were granted from a Windows machine under the "Security" tab). I still have to understand in detail how the setfacl and getfacl commands work though.

I can finally access the NAS using one login with password. If someone tries to connect to it without password no access is granted, which should provide basic security.

I think it may be nice to use Active Directory at a later time but I think I'll wait for Samba 4 to be more mature and robust. Samba 3.6 can join AD anyway so that shouldn't be a problem. I'll try in a VM first before anyway :)

Thank you all for your help.
 