FreeBSD-11 and Samba-4.6 as a DC

FreeBSD-11 and Samba-4.6 as a DC

Samba - General mailing list
Would somebody take the time to briefly explain to me if there is a
technical reason why Samba-4.6.x will build, but will not provision as
a DC on FreeBSD-11.  Is it just me?  Is there something special about
the build process that I should do?


--
***          e-Mail is NOT a SECURE channel          ***
        Do NOT transmit sensitive data via e-Mail
 Do NOT open attachments nor follow links sent by e-Mail

James B. Byrne                mailto:[hidden email]
Harte & Lyne Limited          http://www.harte-lyne.ca
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada  L8E 3C3


--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: FreeBSD-11 and Samba-4.6 as a DC

Samba - General mailing list
On Tue, 11 Jul 2017 09:33:49 -0400
"James B. Byrne via samba" <[hidden email]> wrote:

> Would somebody take the time to briefly explain to me if there is a
> technical reason why Samba-4.6.x will build, but will not provision as
> a DC on FreeBSD-11.  Is it just me?  Is there something special about
> the build process that I should do?
>
>

Two words 'NFSv4 ACLs'

Rowland



Re: FreeBSD-11 and Samba-4.6 as a DC

Samba - General mailing list
On Wed, 12 Jul 2017 13:36:01 +1000
Dewayne Geraghty <[hidden email]> wrote:

> Rowland, Are you saying that Samba46 won't provision on a file system
> that has NFSv4 ACL enabled, rather than POSIX.1e (or no additional
> ACL's, the usual default settings which allow only
> owner:group:other) ? I would've thought that Samba would more closely
> emulate Windows with the richer ACLs from NFSv4...

At present, a Samba AD DC must be provisioned on a filesystem that
supports the type of ACLs that ext4 supports, this unfortunately
doesn't include NFSv4 ACLs.

>
> James - I have FreeBSD11.1Prelease with AD provisioned. (no NFSv4).
> And contrary to Ref [1] below, Extended ACL's are enabled by default.

If Freebsd has modified Samba so that it will provision and run on
NFSv4 ACLs, then I would suggest they prepare patches and submit them
to the samba-technical mailing list. This is always provided they are
not just using the deprecated ntvfs server.

>
> It seems that Samba *must* run a separate member server (or
> standalone) for both samba4 and nfsv4 to co-exist (and use nfsv4
> ACLs)?

Yes, running Samba as a Unix domain member will work, but it is
possible you will not be able to set ACLs from windows.

>
> Previously it has been very unclear (ref 3-Volker's comment) whether
> to use POSIX or nfsv4 ACL's.  Though the wiki is clearer now.  And
> for the reference, FreeBSD's getfacl and setfacl operate on POSIX and
> NFSv4 ACLs
>

At the moment, Samba, on a DC, has no concept of NFSv4 ACLs, so you
need to use a filesystem such as ext4. I have tried UFS and ZFS on
Freebsd and cannot get either to work with a Samba AD DC.

Rowland


Re: FreeBSD-11 and Samba-4.6 as a DC

Samba - General mailing list
On Wed, Jul 12, 2017 at 1:45 AM, Rowland Penny via samba <
[hidden email]> wrote:

> If Freebsd has modified Samba so that it will provision and run on
> NFSv4 ACLs, then I would suggest they prepare patches and submit them
> to the samba-technical mailing list. This is always provided they are
> not just using the deprecated ntvfs server.
>

I believe you can see the current patches applied to the FreeBSD samba port by
running the following commands on a FreeBSD system
portsnap fetch
portsnap extract

The current FreeBSD 4.6 patches will be listed under
/usr/ports/net/samba46/files.


> > It seems that Samba *must* run a separate member server (or
> > standalone) for both samba4 and nfsv4 to co-exist (and use nfsv4
> > ACLs)?
>
> Yes, running Samba as a Unix domain member will work, but it is
> possible you will not be able to set ACLs from windows.
>

When FreeBSD is joined to an AD domain as a member server, you will be able
to change permissions from a Windows client if you have 'zfsacl' enabled
(and the rest of samba is properly configured). Everything works as
expected. I've been running such a setup in production for a number of
years.

> Previously it has been very unclear (ref 3-Volker's comment) whether
> > to use POSIX or nfsv4 ACL's.  Though the wiki is clearer now.  And
> > for the reference, FreeBSD's getfacl and setfacl operate on POSIX and
> > NFSv4 ACLs
> >
>
> At the moment, Samba, on a DC, has no concept of NFSv4 ACLs, so you
> need to use a filesystem such as ext4. I have tried UFS and ZFS on
> Freebsd and cannot get either to work with a Samba AD DC.
>

Out of curiosity, have you tried it on a FreeNAS VM through the webui? I
believe that it works there, but I haven't found time to play around with
it.


> Rowland
>

Re: FreeBSD-11 and Samba-4.6 as a DC

Samba - General mailing list
On Wed, 12 Jul 2017 15:48:57 -0500
Andrew Walker via samba <[hidden email]> wrote:

> On Wed, Jul 12, 2017 at 1:45 AM, Rowland Penny via samba <
> [hidden email]> wrote:
>
> > If Freebsd has modified Samba so that it will provision and run on
> > NFSv4 ACLs, then I would suggest they prepare patches and submit
> > them to the samba-technical mailing list. This is always provided
> > they are not just using the deprecated ntvfs server.
> >
>
> I believe you can see the current patches applied to the FreeBSD samba
> port by running the following commands on a FreeBSD system
> portsnap fetch
> portsnap extract
>
> The current FreeBSD 4.6 patches will be listed under
> /usr/ports/net/samba46/files.

I repeat, if Freebsd has patches, then they should submit them to Samba.

> > Yes, running Samba as a Unix domain member will work, but it is
> > possible you will not be able to set ACLs from windows.
> >
>
> When FreeBSD is joined to an AD domain as a member server, you will
> be able to change permissions from a Windows client if you have
> 'zfsacl' enabled (and the rest of samba is properly configured).
> Everything works as expected. I've been running such a setup in
> production for a number of years.

I did say 'possible' ;-)

> > At the moment, Samba, on a DC, has no concept of NFSv4 ACLs, so you
> > need to use a filesystem such as ext4. I have tried UFS and ZFS on
> > Freebsd and cannot get either to work with a Samba AD DC.
> >
>
> Out of curiosity, have you tried it on a FreeNAS VM through the
> webui? I believe that it works there, but I haven't found time to
> play around with it.
>

No I haven't, to be honest I have no interest in a NAS, never seen the
point in them, by using one you are usually locked into whatever
platform they are designed for. I think you can probably get something
better if you build your own fileserver, you just will not have a GUI.

Rowland


Re: FreeBSD-11 and Samba-4.6 as a DC

Samba - General mailing list
In reply to this post by Samba - General mailing list
On Fri, 14 Jul 2017 02:52:12 +1000
Dewayne Geraghty <[hidden email]> wrote:

>
> Rowland - you may have missed that I did say (no NFS).  There are no
> FreeBSD patches regarding NFSv*.

If Freebsd hasn't come up with some way to use NFSv4 ACLs, then it
isn't going to be possible to provision a Samba AD DC.

>
> James, Unfortunately I have a Samba AD but its 4.3.  (like you).  I
> use tunefs to assign posix ACL's to the disks, hence they are:
> ufs, local, noatime, soft-updates, acls
>
> So I thought ok - lets just build the latest samba46 (4.6.4) on a
> virgin platform Xeon, FreeBSD 11.1-Prerelease amd64.  All devices are
> gmirrored UFS with posix ACLs
>
> So I created a script that modelled as closely as possible
> https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller
> changing only:
>
> HOST=jupiter
> DOMAIN=hs
> REALM=HS1
> IPv4="10.0.5.198"
> PASSWD="abcdef_1A"
> # Note: SAMBA_ZONE and PRIMARY_DNS substitutions occur later
>
> and populating /etc/hosts appropriately.
>
> # samba-tool domain provision --use-rfc2307 --realm=$REALM
> --domain=$DOMAIN --server-role=dc --option="interfaces=lo blue"
> --option="bind interfaces only=yes" --dns-backend=BIND9_DLZ
> --adminpass="$PASSWD"
> Looking up IPv4 addresses
> Looking up IPv6 addresses
> No IPv6 address will be assigned
> ...
> Setting up self join
> set_nt_acl_no_snum: fset_nt_acl returned NT_STATUS_INVALID_PARAMETER.
> ERROR(runtime): uncaught exception - (-1073741811, 'Unexpected
> information received')
>   File
> "/usr/local/lib/python2.7/site-packages/samba/netcmd/__init__.py",
> line 176, in _run
>     return self.run(*args, **kwargs)
>   File
> "/usr/local/lib/python2.7/site-packages/samba/netcmd/domain.py", line
> 471, in run nosync=ldap_backend_nosync,
> ldap_dryrun_mode=ldap_dryrun_mode) File
> "/usr/local/lib/python2.7/site-packages/samba/provision/__init__.py",
> line 2175, in provision
>     skip_sysvolacl=skip_sysvolacl)
>   File
> "/usr/local/lib/python2.7/site-packages/samba/provision/__init__.py",
> line 1806, in provision_fill
>     names.domaindn, lp, use_ntvfs)
>   File
> "/usr/local/lib/python2.7/site-packages/samba/provision/__init__.py",
> line 1593, in setsysvolacl
>     service=SYSVOL_SERVICE)
>   File "/usr/local/lib/python2.7/site-packages/samba/ntacls.py", line
> 162, in setntacl
>     smbd.set_nt_acl(file, security.SECINFO_OWNER |
> security.SECINFO_GROUP | security.SECINFO_DACL |
> security.SECINFO_SACL, sd, service=service)
> #
>
> Is this your experience?

This is what I get when I try to provision a DC on Freebsd.

>
> Take note of the line:
>   File
> "/usr/local/lib/python2.7/site-packages/samba/provision/__init__.py",
> line 1806, in provision_fill
>     names.domaindn, lp, use_ntvfs)
> as the default samba (FreeBSD port) build does not enable ntvfs as its
> deprecated.  Maybe a rebuild is in order?

If you want to enable 'ntvfs', you can, by using '--enable-selftest'
with ./configure. But, you should be aware that 'ntvfs' is deprecated
and is now only used in tests and could be removed at any time.

>
>
> For Timur, (the FreeBSD maintainer of the Samba ports):
> # smbd -b
> Build environment:
>    Built by:    [hidden email]
>    Built on:    Tue Jul 11 23:26:55 AEST 2017
>    Built using: gcc5
>    Build host:  FreeBSD b2.hs 11.1-PRERELEASE FreeBSD 11.1-PRERELEASE
> #0 r320703M: Thu Jul  6 22:35:19 AEST 2017
> root@hathor:/110007/D/K8/hqdev-amd64-smp-vga
> amd64
> SRCDIR:      /var/ports/usr/ports/net/samba46/work/samba-4.6.4/source3
> BUILDDIR:    /var/ports/usr/ports/net/samba46/work/samba-4.6.4/source3
>
> Paths:
>    SBINDIR: /usr/local/sbin
>    BINDIR: /usr/local/bin
>    CONFIGFILE: /usr/local/etc/smb4.conf
>    LOGFILEBASE: /var/log/samba4
>    LMHOSTSFILE: /usr/local/etc/lmhosts
>    LIBDIR: /usr/local/lib/samba4
>    MODULESDIR: /usr/local/lib/shared-modules
>    SHLIBEXT: so
>    LOCKDIR: /var/db/samba4
>    STATEDIR: /var/db/samba4
>    CACHEDIR: /var/db/samba4
>    PIDDIR: /var/run/samba4
>    SMB_PASSWD_FILE: /var/db/samba4-private/smbpasswd
>    PRIVATE_DIR: /var/db/samba4-private
> ...
> Builtin modules:
>    vfs_default vfs_posixacl auth_domain auth_builtin auth_sam
> auth_winbind pdb_wbc_sam auth_unix auth_wbc nss_info_template
> idmap_tdb idmap_passdb pdb_samba_dsdb auth_samba4 vfs_dfs_samba4
>
> Timur, I modified from standard the modules (as we were testing
> various settings, particularly authentication) but I doubt that's
> significant?
>
> If it is a requirement for Samba AD to use EXT4 formatted devices, as
> Rowland advises, then there is a serious problem.

I am not saying you have to use ext4, I am saying that Samba requires a
filesystem that understands the same ACLs that ext4 does. Either that or
patches to make Samba understand NFSv4 ACLs

Rowland



Re: FreeBSD-11 and Samba-4.6 as a DC

Samba - General mailing list
On Fri, 14 Jul 2017 04:36:08 +1000
Dewayne Geraghty <[hidden email]> wrote:

> Thanks Rowland.  I think I've narrowed down the issue to being
> extended attributes, not posix ACL's as the cause.

I agree, run the provision with -d10 and out pops:

store_acl_blob_fsp: storing blob length 320 on file /usr/local/samba/var/locks/sysvol
store_acl_blob_fsp: setting attr failed for file /usr/local/samba/var/locks/sysvolwith error Invalid argument
set_nt_acl_no_snum: fset_nt_acl returned NT_STATUS_INVALID_PARAMETER.

>
> To clarify
> 1. lets take NFS out of scope, as ufs with posix acl's does, I
> believe, achieve the same functionality regarding ACL's as ext4.  I
> have no interest in NFSv* except that it has a richer command set for
> ACL's and I "thought" that would be preferred.  It isn't preferred
> and its probably more to do with inconsistent implementation methods
> across OS'.

You are probably correct.

> 2. I didn't want to use ntvfs, only that it was
> something I recognised in the python traceback.  Having rebuilt a
> samba 4.6.6 with ntvfs, and still failed to provision, we can rule
> that out.  And I can remove the deprecated functionality out of my
> samba.

I only mentioned 'ntvfs' because using it seems to have been the only
way to get a Samba AD DC on Freebsd.

>
> I've lodged a PR with the FreeBSD folks that should assist James'
> issue regarding bhyve and samba provisioning.
>
> https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=220712
>

I was just trying to provision Samba as usual, no jail or chroot and I
get the same problem.
The cause seems to be an incorrect blob size, no idea what size it
should be.

Rowland




Re: FreeBSD-11 and Samba-4.6 as a DC

Samba - General mailing list
In reply to this post by Samba - General mailing list
Hi

On 07/12/2017 02:45 PM, Rowland Penny via samba wrote:

> On Wed, 12 Jul 2017 13:36:01 +1000
> Dewayne Geraghty <[hidden email]> wrote:
>
>> Rowland, Are you saying that Samba46 won't provision on a file system
>> that has NFSv4 ACL enabled, rather than POSIX.1e (or no additional
>> ACL's, the usual default settings which allow only
>> owner:group:other) ? I would've thought that Samba would more closely
>> emulate Windows with the richer ACLs from NFSv4...
> At present, a Samba AD DC must be provisioned on a filesystem that
> supports the type of ACLs that ext4 supports, this unfortunately
> doesn't include NFSv4 ACLs.
>
>> James - I have FreeBSD11.1Prelease with AD provisioned. (no NFSv4).
>> And contrary to Ref [1] below, Extended ACL's are enabled by default.
> If Freebsd has modified Samba so that it will provision and run on
> NFSv4 ACLs, then I would suggest they prepare patches and submit them
> to the samba-technical mailing list. This is always provided they are
> not just using the deprecated ntvfs server.
>
>> It seems that Samba *must* run a separate member server (or
>> standalone) for both samba4 and nfsv4 to co-exist (and use nfsv4
>> ACLs)?
> Yes, running Samba as a Unix domain member will work, but it is
> possible you will not be able to set ACLs from windows.
>
>> Previously it has been very unclear (ref 3-Volker's comment) whether
>> to use POSIX or nfsv4 ACL's.  Though the wiki is clearer now.  And
>> for the reference, FreeBSD's getfacl and setfacl operate on POSIX and
>> NFSv4 ACLs
>>
> At the moment, Samba, on a DC, has no concept of NFSv4 ACLs, so you
> need to use a filesystem such as ext4. I have tried UFS and ZFS on
> Freebsd and cannot get either to work with a Samba AD DC.
I was about to write about my success running samba 4.3.x on
freebsd....and I found this thread...this breaks my heart ;-)

this incompatibility with freeBSD appeared since 4.6 ?
what is the feature that caused this change ?
>
> Rowland
>
Thanks
DS



Re: FreeBSD-11 and Samba-4.6 as a DC

Samba - General mailing list
On Fri, 14 Jul 2017 17:31:46 +0800
David STIEVENARD <[hidden email]> wrote:

> I was about to write about my success running samba 4.3.x on
> freebsd....and I found this thread...this breaks my heart ;-)
>
> this incompatibility with freeBSD appeared since 4.6 ?
> what is the feature that caused this change ?

The building of 'ntvfs' by default was stopped when 4.4.0 came out.
As far as I can see, all howtos for a DC on Freebsd used 'ntvfs'.

You could still use the deprecated 'ntvfs' by building Samba yourself
and configuring with '--enable-selftest', but this is not supported by
Samba, you would be using code that hasn't been maintained and could be
removed without any real notice.

Rowland



Re: FreeBSD-11 and Samba-4.6 as a DC

Samba - General mailing list
In reply to this post by Samba - General mailing list
On Sun, 16 Jul 2017 17:36:02 +1000
Dewayne Geraghty <[hidden email]> wrote:

> James, David,
> You will not be able to provision SAMBA 4.6 on FreeBSD.  Refer to:
> https://bugzilla.samba.org/show_bug.cgi?id=12730  2017-04-04 13:49:39
> UTC which is the same result that James and I are experiencing.
> Nothing to do with NFS and nothing to do with the deprecated and
> unused ntvfs.
>
> I am running SAMBA 4.6.6 Standalone on an i386 FreeBSD 11.1Prerelease
> and a SAMBA 4.5.12 AD on amd64 FreeBSD11.1 Prerelease.
>
> I spent a few hours trying to determine the problem but gave up.
> Someone with greater familiarity with the code and appreciation for Python
> will need to take up the reins.
>
> Admittedly I was distracted by a debug level 5 or higher as it
> complained of not being able to find the administrator, which led me
> to pam.d/login issues. Similarly the debug displayed use_ntvfs which
> was in fact a variable within the Python code, set to false.  A
> standard FreeBSD build is all that's required to provision a SAMBA
> 4.5.12 AD.
>

The problem seems to be with extended attributes not ACLs. I initially
thought it was an ACL problem, mainly because that was what the error
message seemed to show. What I cannot understand is, why does it work
on 4.5.x but not on 4.6.x, the only real difference between the code is
that the 'ntvfs' server is no longer built by default on 4.6.x.

As soon as I get chance, I will build the latest in the 4.5.x series
and see if I can get this to provision.

Rowland



Re: FreeBSD-11 and Samba-4.6 as a DC

Samba - General mailing list
On Sun, 16 Jul 2017 09:38:43 +0100
Rowland Penny via samba <[hidden email]> wrote:

> On Sun, 16 Jul 2017 17:36:02 +1000
> Dewayne Geraghty <[hidden email]> wrote:
>
> > James, David,
> > You will not be able to provision SAMBA 4.6 on FreeBSD.  Refer to:
> > https://bugzilla.samba.org/show_bug.cgi?id=12730  2017-04-04
> > 13:49:39 UTC which is the same result that James and I are
> > experiencing. Nothing to do with NFS and nothing to do with the
> > deprecated and unused ntvfs.
> >
> > I am running SAMBA 4.6.6 Standalone on an i386 FreeBSD
> > 11.1Prerelease and a SAMBA 4.5.12 AD on amd64 FreeBSD11.1
> > Prerelease.
> >
> > I spent a few hours trying to determine the problem but gave up.
> > Someone with greater familiarity with the code and appreciation for
> > Python will need to take up the reins.
> >
> > Admittedly I was distracted by a debug level 5 or higher as it
> > complained of not being able to find the administrator, which led me
> > to pam.d/login issues. Similarly the debug displayed use_ntvfs which
> > was in fact a variable within the Python code, set to false.  A
> > standard FreeBSD build is all that's required to provision a SAMBA
> > 4.5.12 AD.
> >
>
> The problem seems to be with extended attributes not ACLs. I initially
> thought it was an ACL problem, mainly because that was what the error
> message seemed to show. What I cannot understand is, why does it work
> on 4.5.x but not on 4.6.x, the only real difference between the code
> is that the 'ntvfs' server is no longer built by default on 4.6.x.
>
> As soon as I get chance, I will build the latest in the 4.5.x series
> and see if I can get this to provision.
>
> Rowland
>
>

OK, now built 4.5.12 on ghostbsd and it provisions and starts. I need
to sort out what changed between this and now.

Rowland


Re: FreeBSD-11 and Samba-4.6 as a DC

Samba - General mailing list
On Sun, 16 Jul 2017 22:19:07 +1000
Dewayne Geraghty <[hidden email]> wrote:


> If 4.6 uses the system namespace, then it will not build in a jailed
> environment, as only the "user" namespace is available.
>
> James was attempting to build within a bhyve environment which is free
> of that constraint.

I am just building the Samba tarballs in the same way as I do on Linux,
into /usr/local/samba

>
> From what a python novice could make of the code, it seems that the
> "use_ntvfs" variable is set to false. Interestingly for all previous
> SAMBA4x builds, building with ntvfs was not selected as a build
> option, so it doesn't seem to have had a role to play.

ntvfs was built by default, this was changed to be only built when the
test environment is also built.

>
> I appreciate that this may only be of interest from a tracking down
> changes perspective, though I'm sure that samba gits are a more
> productive use of your time. :)

I (as a test) copied domain.py from 4.5.12 over the domain.py from
4.6.5 and it provisioned and ran. I am now trying to track down what
changed between the two versions, but I am struggling at the moment.

>
> Aside: I don't know if you saw in one of my emails, but it seems that
> rsync doesn't copy extended attributes on FreeBSD even when used as
> (rsync -x).

If you are going to have more than one DC, this will need to be sorted.

>
> It has been a long frustrating day, your help with this problem is
> greatly appreciated.
>

No problem.

Rowland



Re: FreeBSD-11 and Samba-4.6 as a DC

Samba - General mailing list
In reply to this post by Samba - General mailing list

On Sun, July 16, 2017 03:36, Dewayne Geraghty wrote:
> James, David,
> You will not be able to provision SAMBA 4.6 on FreeBSD.  Refer to:
> https://bugzilla.samba.org/show_bug.cgi?id=12730  2017-04-04 13:49:39
> UTC which is the same result that James and I are experiencing.
> Nothing to do with NFS and nothing to do with the deprecated and
> unused ntvfs.
>

Just a WAG but might not this problem be related to changes made to
the Kerberos component?  Previous Samba incidents involving the
NT_STATUS_INVALID_PARAMETER message seem to be related to
authentication issues.

--
***          e-Mail is NOT a SECURE channel          ***
        Do NOT transmit sensitive data via e-Mail
 Do NOT open attachments nor follow links sent by e-Mail

James B. Byrne                mailto:[hidden email]
Harte & Lyne Limited          http://www.harte-lyne.ca
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada  L8E 3C3



Re: FreeBSD-11 and Samba-4.6 as a DC

Samba - General mailing list
On Sun, 16 Jul 2017 14:36:58 -0400
"James B. Byrne" <[hidden email]> wrote:

>
> On Sun, July 16, 2017 03:36, Dewayne Geraghty wrote:
> > James, David,
> > You will not be able to provision SAMBA 4.6 on FreeBSD.  Refer to:
> > https://bugzilla.samba.org/show_bug.cgi?id=12730  2017-04-04
> > 13:49:39 UTC which is the same result that James and I are
> > experiencing. Nothing to do with NFS and nothing to do with the
> > deprecated and unused ntvfs.
> >
>
> Just a WAG but might not this problem be related to changes made to
> the Kerberos component?  Previous Samba incidents involving the
> NT_STATUS_INVALID_PARAMETER message seem to be related to
> authentication issues.
>

No, I don't think it is, if I try to provision 4.6.5 on Freebsd, I get
the reported error message, but if I use 'domain.py' from 4.5.12, it
seems to provision, but if I look at the provision output, I find this:

Setting up sam.ldb users and groups
Setting up self join
xattr_tdb_removexattr() failed to get vfs_handle->data!
Adding DNS accounts

From this, and what I found earlier, I am now convinced it is an extended
attrs problem and as it works on Linux, it is a Freebsd extended attrs
problem.

Rowland
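
The diagnosis reached in the message above and in the earlier -d10 run, as an added example that is not part of the original posts and is not Samba code: a small triage script that reads provision output and reports whether the NT_STATUS failure was preceded by a failed extended-attribute write. The names `Finding` and `triage` are hypothetical, and the sample logs are constructed from the lines quoted in this thread.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed samples, built from the log lines quoted in this thread.
LOG_DEFAULT = """\
Setting up self join
set_nt_acl_no_snum: fset_nt_acl returned NT_STATUS_INVALID_PARAMETER.
"""
LOG_D10 = """\
store_acl_blob_fsp: storing blob length 320 on file /usr/local/samba/var/locks/sysvol
store_acl_blob_fsp: setting attr failed for file /usr/local/samba/var/locks/sysvolwith error Invalid argument
set_nt_acl_no_snum: fset_nt_acl returned NT_STATUS_INVALID_PARAMETER.
"""
LOG_OLD_DOMAIN_PY = """\
Setting up sam.ldb users and groups
Setting up self join
xattr_tdb_removexattr() failed to get vfs_handle->data!
Adding DNS accounts
"""

STORE_RE = re.compile(r"store_acl_blob_fsp: storing blob length (\d+) on file (.+)$")
# The quoted log runs the path into "with error" without a space, so the
# separator is optional and the path is matched lazily.
FAIL_RE = re.compile(r"store_acl_blob_fsp: setting attr failed for file (.+?) ?with error (.+)$")
NTACL_RE = re.compile(r"set_nt_acl_no_snum: fset_nt_acl returned (NT_STATUS_\w+)")
XATTR_TDB_RE = re.compile(r"(xattr_tdb_\w+)\(\) failed")


@dataclass
class Finding:
    cause: str                      # "xattr-store", "xattr-backend" or "undetermined"
    detail: str                     # NT status or the failing function name
    path: Optional[str] = None
    blob_len: Optional[int] = None
    os_error: Optional[str] = None


def triage(log_text: str) -> List[Finding]:
    """Classify provision failures by the lines that precede them."""
    findings: List[Finding] = []
    last_store = None    # (path, blob length) of the most recent xattr write attempt
    pending = None       # (path, blob length, OS error) of a failed xattr write
    for raw in log_text.splitlines():
        # Accept lines pasted from a mail reply by dropping "> " quote markers.
        line = re.sub(r"^(?:>\s?)+", "", raw).strip()
        m = STORE_RE.search(line)
        if m:
            last_store = (m.group(2), int(m.group(1)))
            continue
        m = FAIL_RE.search(line)
        if m:
            path, blob_len = m.group(1), None
            if last_store and path.startswith(last_store[0]):
                path, blob_len = last_store
            pending = (path, blob_len, m.group(2).strip())
            continue
        m = XATTR_TDB_RE.search(line)
        if m:
            findings.append(Finding("xattr-backend", m.group(1)))
            continue
        m = NTACL_RE.search(line)
        if m:
            if pending:
                # The ACL call failed because the NT ACL blob could not be stored.
                findings.append(Finding("xattr-store", m.group(1), *pending))
            else:
                # The status alone does not say why; rerun with -d10.
                findings.append(Finding("undetermined", m.group(1)))
            pending = None
    return findings


if __name__ == "__main__":
    for name, log in [("default", LOG_DEFAULT), ("-d10", LOG_D10),
                      ("4.5.12 domain.py", LOG_OLD_DOMAIN_PY)]:
        for f in triage(log):
            print(name, f)
```
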



Re: FreeBSD-11 and Samba-4.6 as a DC

Samba - General mailing list
On Mon, 17 Jul 2017 13:55:26 +1000
Dewayne Geraghty <[hidden email]> wrote:

>
> Perhaps but I suspect that the problem actually lies somewhere in
> source3/utils/mvxattr.c
> most likely handling of a NULL?

Then why does it work on Linux ?
I am not dismissing this idea out of hand, but it seems most likely
that the problem lies on Freebsd and the way it deals with extended
attrs.

Rowland


Re: FreeBSD-11 and Samba-4.6 as a DC

Samba - General mailing list
On Mon, 2017-07-17 at 07:54 +0100, Rowland Penny via samba wrote:

> On Mon, 17 Jul 2017 13:55:26 +1000
> Dewayne Geraghty <[hidden email]> wrote:
>
> >
> > Perhaps but I suspect that the problem actually lies somewhere in
> > source3/utils/mvxattr.c
> > most likely handling of a NULL?
>
> Then why does it work on Linux ?
> I am not dismissing this idea out of hand, but it seems most likely
> that the problem lies on Freebsd and the way it deals with extended
> attrs.
>
> Rowland

https://bugzilla.samba.org/show_bug.cgi?id=12912 seems relevant.

Andrew Bartlett

--
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba



Re: FreeBSD-11 and Samba-4.6 as a DC

Samba - General mailing list
On Mon, 2017-07-17 at 19:18 +1000, Dewayne Geraghty wrote:
> Thanks for the pointer.  Yes it makes sense as there is no "security"
> namespace in FreeBSD and remapping the extended attribute into "user"
> namespace should work.

To be clear, that would not be safe.  I've commented on the bug.

I think we need those to be root-only, because we need to trust the
contents, as we sometimes override the underlying ACL based on the NT
ACL, to get semantics correct.

It is on the right track, but this one looks like it will take a little
longer.

Sorry,

Andrew Bartlett

--
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba

