Current-Users archive
Samba DC provisioning fails with ACL-enabled NetBSD-current
Hello everybody,
A while ago, Christos Zoulas imported the ACL code for FFS. This opens
the door for using NetBSD with Samba as a domain controller in a
heterogeneous environment with Windows clients. I'm honest: that's one
of the killer features for me and I'm very grateful that Christos did
this job. That's why I set out to test this - first, provisioning a
domain controller "from scratch". With Christos' clues I used the
following method:
1) Adaptation of the options.mk from samba4 so that the acl build option
   is also valid for NetBSD
    SAMBA_ACL_OPSYS= AIX Darwin FreeBSD HPUX IRIX Linux NetBSD OSF1 SunOS
    .if !empty(SAMBA_ACL_OPSYS:M${OPSYS})
    PKG_SUPPORTED_OPTIONS+= acl
    .endif
2) Adapt the mk.conf with option acl for samba4
    PKG_OPTIONS.samba4=acl avahi ldap pam winbind
3) Build / Install of samba4 from pkgsrc (using 2020Q2)
4) tunefs -a enable /dev/dk0 (the only file system on the VM)
5) Add the acl mount option in the fstab for this file system
6) reboot (only for security, so that ACLs are actually used)
7) getfacl / (returns correct result as expected)
8) samba-tool domain provision --use-rfc2307 --interactive
Following is the interactive input I made to samba-tool:
-----------------------------------------------------------------------
Realm: MPNET.LOCAL
Domain [MPNET]:
Server Role (dc, member, standalone) [dc]:
DNS backend (SAMBA_INTERNAL, BIND9_FLATFILE, BIND9_DLZ, NONE)
[SAMBA_INTERNAL]:
DNS forwarder IP address (write 'none' to disable forwarding)
[192.168.2.10]:
Administrator password:
Retype password:
-----------------------------------------------------------------------
After entering the password, it looks good at first. The tool then
terminates with the following message:
-----------------------------------------------------------------------
ERROR(<class 'samba.provision.ProvisioningError'>): Provision failed -
ProvisioningError: Your filesystem or build does not support posix ACLs,
which s3fs requires. Try the mounting the filesystem with the 'acl' option.
File "/usr/pkg/lib/python3.7/site-packages/samba/netcmd/domain.py",
line 505, in run
backend_store_size=backend_store_size)
File "/usr/pkg/lib/python3.7/site-packages/samba/provision/__init__.py",
line 2366, in provision
backend_store_size=backend_store_size)
File "/usr/pkg/lib/python3.7/site-packages/samba/provision/__init__.py",
line 1992, in provision_fill
names.domaindn, lp, use_ntvfs)
File "/usr/pkg/lib/python3.7/site-packages/samba/provision/__init__.py",
line 1710, in setsysvolacl
raise ProvisioningError("Your filesystem or build does not support
posix ACLs, which s3fs requires. "
-----------------------------------------------------------------------
Output of testparm:
-----------------------------------------------------------------------
test10# testparm
Load smb config files from /usr/pkg/etc/samba/smb.conf
Loaded services file OK.
Server role: ROLE_ACTIVE_DIRECTORY_DC
Press enter to see a dump of your service definitions
# Global parameters
[global]
dns forwarder = 192.168.2.10
passdb backend = samba_dsdb
realm = MPNET.LOCAL
server role = active directory domain controller
workgroup = MPNET
rpc_server:tcpip = no
rpc_daemon:spoolssd = embedded
rpc_server:spoolss = embedded
rpc_server:winreg = embedded
rpc_server:ntsvcs = embedded
rpc_server:eventlog = embedded
rpc_server:srvsvc = embedded
rpc_server:svcctl = embedded
rpc_server:default = external
winbindd:use external pipes = true
idmap_ldb:use rfc2307 = yes
idmap config * : backend = tdb
map archive = No
vfs objects = dfs_samba4 acl_xattr
[sysvol]
path = /var/run/sysvol
read only = No
[netlogon]
path = /var/run/sysvol/mpnet.local/scripts
read only = No
-----------------------------------------------------------------------
Output of mount:
-----------------------------------------------------------------------
test10# mount
/dev/dk0 on / type ffs (acls, log, local)
tmpfs on /tmp type tmpfs (local)
kernfs on /kern type kernfs (local)
ptyfs on /dev/pts type ptyfs (local)
procfs on /proc type procfs (local)
tmpfs on /var/shm type tmpfs (local)
-----------------------------------------------------------------------
Environment:
-----------------------------------------------------------------------
test10# uname -a
NetBSD test10 9.99.69 NetBSD 9.99.69 (GENERIC) #0: Sat Jul 18 21:37:38
UTC 2020
mkrepro%mkrepro.NetBSD.org@localhost:/usr/src/sys/arch/amd64/compile/GENERIC amd64
-----------------------------------------------------------------------
What part of the puzzle am I missing? Please also let me know if I can
add more detailed information. I would like to help make this feature
ready for production on NetBSD.
Kind regards
Matthias
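
The error message names either the filesystem or the build, and the mount output quoted above is enough to check the filesystem side for the sysvol path. The script below is an added example, not part of the original post and not Samba or NetBSD code; the function names are hypothetical and it assumes mount points without spaces.

```shell
#!/bin/sh
# Added example: decide from `mount` output whether the filesystem that
# holds a given path is mounted with ACLs enabled.

# Constructed sample: the mount output quoted in the post.
SAMPLE_MOUNT='/dev/dk0 on / type ffs (acls, log, local)
tmpfs on /tmp type tmpfs (local)
kernfs on /kern type kernfs (local)
ptyfs on /dev/pts type ptyfs (local)
procfs on /proc type procfs (local)
tmpfs on /var/shm type tmpfs (local)'

# fs_for_path PATH: reads mount output on stdin and prints
# "<mountpoint> <fstype> <options>" for the longest mount point that is a
# directory prefix of PATH. Exits non-zero if nothing matches.
fs_for_path() {
    awk -v p="$1" '
    {
        # Line shape: <dev> on <mountpoint> type <fstype> (<opt>, <opt>, ...)
        mp = $3; fstype = $5
        opts = $0
        sub(/^[^(]*\(/, "", opts); sub(/\).*$/, "", opts); gsub(/ /, "", opts)
        # "/var/shm" must cover "/var/shm/x" but not "/var/shmfoo".
        if (mp == "/" || p == mp || index(p, mp "/") == 1) {
            if (length(mp) > best) {
                best = length(mp); out = mp " " fstype " " opts
            }
        }
    }
    END { if (out != "") print out; else exit 1 }'
}

# has_acl_mount PATH: 0 if the covering filesystem lists acls (NetBSD) or
# acl among its mount options, 1 if it does not, 2 if no mount matched.
has_acl_mount() {
    info=$(fs_for_path "$1") || return 2
    opts=${info##* }
    case ",$opts," in
        *,acls,*|*,acl,*) return 0 ;;
        *) return 1 ;;
    esac
}

# Demo on the constructed sample; on a live system pipe `mount` instead.
if printf '%s\n' "$SAMPLE_MOUNT" | has_acl_mount /var/run/sysvol; then
    echo "/var/run/sysvol: covering filesystem is mounted with ACLs"
else
    echo "/var/run/sysvol: covering filesystem is NOT mounted with ACLs"
fi
```

For the quoted output, /var/run/sysvol resolves to the ffs root mounted with acls, while a path under /tmp or /var/shm would land on a tmpfs without that option.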