You want posix1e acls for samba. So "tunefs -p enable".
If the getfacl output looks like:
$ getfacl .
# file: .
# owner: christos
# group: christos
owner@:rwxp--aARWcCos:-------:allow
group@:r-x---a-R-c--s:-------:allow
everyone@:r-x---a-R-c--s:-------:allow
Then you have NFSv4 acls. The posix1e output looks like:
$ getfacl .
# file: .
# owner: christos
# group: christos
user::rwx
group::r-x
other::r-x
christos
> On Jul 20, 2020, at 11:47 AM, Matthias Petermann <mp%petermann-it.de@localhost> wrote:
>
> Hello everybody,
>
> A while ago, Christos Zoulas imported the ACL code for FFS. This opens the door for using NetBSD with Samba as a domain controller in a heterogeneous environment with Windows clients. To be honest: that's one of the killer features for me and I'm very grateful that Christos did this job. That's why I set out to test this - first, provisioning a domain controller "from scratch". With Christos' clues I used the following method:
>
> 1) Adaptation of the options.mk from samba4 so that the acl build option is also valid for NetBSD
>
> SAMBA_ACL_OPSYS= AIX Darwin FreeBSD HPUX IRIX Linux NetBSD OSF1 SunOS
> .if !empty(SAMBA_ACL_OPSYS:M${OPSYS})
> PKG_SUPPORTED_OPTIONS+= acl
> .endif
>
> 2) Adapt the mk.conf with option acl for samba4
>
> PKG_OPTIONS.samba4=acl avahi ldap pam winbind
>
> 3) Build / Install of samba4 from pkgsrc (using 2020Q2)
>
> 4) tunefs -a enable /dev/dk0 (the only file system on the VM)
>
> 5) Add the acl mount option in the fstab for this file system
>
> 6) reboot (just to be safe, so that the ACLs are actually in use)
>
> 7) getfacl / (returns correct result as expected)
>
> 8) samba-tool domain provision --use-rfc2307 --interactive
>
> Following is the interactive input I made to samba-tool:
>
> -----------------------------------------------------------------------
> Realm: MPNET.LOCAL
> Domain [MPNET]:
> Server Role (dc, member, standalone) [dc]:
> DNS backend (SAMBA_INTERNAL, BIND9_FLATFILE, BIND9_DLZ, NONE) [SAMBA_INTERNAL]:
> DNS forwarder IP address (write 'none' to disable forwarding) [192.168.2.10]:
> Administrator password:
> Retype password:
> -----------------------------------------------------------------------
>
> After entering the password, it looks good at first. The tool then terminates with the following message:
>
> -----------------------------------------------------------------------
> ERROR(<class 'samba.provision.ProvisioningError'>): Provision failed - ProvisioningError: Your filesystem or build does not support posix ACLs, which s3fs requires. Try the mounting the filesystem with the 'acl' option.
> File "/usr/pkg/lib/python3.7/site-packages/samba/netcmd/domain.py", line 505, in run
> backend_store_size=backend_store_size)
> File "/usr/pkg/lib/python3.7/site-packages/samba/provision/init.py", line 2366, in provision
> backend_store_size=backend_store_size)
> File "/usr/pkg/lib/python3.7/site-packages/samba/provision/init.py", line 1992, in provision_fill
> names.domaindn, lp, use_ntvfs)
> File "/usr/pkg/lib/python3.7/site-packages/samba/provision/init.py", line 1710, in setsysvolacl
> raise ProvisioningError("Your filesystem or build does not support posix ACLs, which s3fs requires. "
> -----------------------------------------------------------------------
>
> Output of testparm:
>
> -----------------------------------------------------------------------
> test10# testparm
> Load smb config files from /usr/pkg/etc/samba/smb.conf
> Loaded services file OK.
> Server role: ROLE_ACTIVE_DIRECTORY_DC
>
> Press enter to see a dump of your service definitions
>
> # Global parameters
> [global]
> dns forwarder = 192.168.2.10
> passdb backend = samba_dsdb
> realm = MPNET.LOCAL
> server role = active directory domain controller
> workgroup = MPNET
> rpc_server:tcpip = no
> rpc_daemon:spoolssd = embedded
> rpc_server:spoolss = embedded
> rpc_server:winreg = embedded
> rpc_server:ntsvcs = embedded
> rpc_server:eventlog = embedded
> rpc_server:srvsvc = embedded
> rpc_server:svcctl = embedded
> rpc_server:default = external
> winbindd:use external pipes = true
> idmap_ldb:use rfc2307 = yes
> idmap config * : backend = tdb
> map archive = No
> vfs objects = dfs_samba4 acl_xattr
>
>
> [sysvol]
> path = /var/run/sysvol
> read only = No
>
>
> [netlogon]
> path = /var/run/sysvol/mpnet.local/scripts
> read only = No
> -----------------------------------------------------------------------
>
> Output of mount:
>
> -----------------------------------------------------------------------
> test10# mount
> /dev/dk0 on / type ffs (acls, log, local)
> tmpfs on /tmp type tmpfs (local)
> kernfs on /kern type kernfs (local)
> ptyfs on /dev/pts type ptyfs (local)
> procfs on /proc type procfs (local)
> tmpfs on /var/shm type tmpfs (local)
> -----------------------------------------------------------------------
>
> Environment:
>
> -----------------------------------------------------------------------
> test10# uname -a
> NetBSD test10 9.99.69 NetBSD 9.99.69 (GENERIC) #0: Sat Jul 18 21:37:38 UTC 2020 mkrepro%mkrepro.NetBSD.org@localhost:/usr/src/sys/arch/amd64/compile/GENERIC amd64
> -----------------------------------------------------------------------
>
> What part of the puzzle am I missing? Please also let me know if I can add more detailed information. I would like to help make this feature ready for production on NetBSD.
>
> Kind regards
> Matthias
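As an added illustration of the check Christos describes (not code from the thread, from Samba or from NetBSD): a small POSIX sh script that classifies getfacl(1) output as NFSv4 or POSIX.1e ACLs and says whether Samba's s3fs will be satisfied. The getfacl samples are the two outputs quoted above; the mount(8) lines are constructed, and the "posix1eacls" option name used for the POSIX.1e case is an assumption on my part (the thread only shows the "acls" flag from the tunefs -a setup).

```sh
#!/bin/sh
# Added example, not code from the thread or from Samba/NetBSD.
# Classifies getfacl(1) output as NFSv4 or POSIX.1e ACLs: s3fs needs
# POSIX.1e ACLs (tunefs -p enable), not NFSv4 ACLs (tunefs -a enable).

# Constructed samples: the two getfacl outputs quoted in the thread.
NFSV4_SAMPLE='# file: .
# owner: christos
# group: christos
owner@:rwxp--aARWcCos:-------:allow
group@:r-x---a-R-c--s:-------:allow
everyone@:r-x---a-R-c--s:-------:allow'

POSIX1E_SAMPLE='# file: .
# owner: christos
# group: christos
user::rwx
group::r-x
other::r-x'

# Constructed mount(8) lines. The first is the one from the thread; the
# "posix1eacls" option name in the second is assumed, not taken from it.
MOUNT_NFSV4='/dev/dk0 on / type ffs (acls, log, local)'
MOUNT_POSIX1E='/dev/dk0 on / type ffs (posix1eacls, log, local)'
MOUNT_NONE='/dev/dk0 on / type ffs (log, local)'

# acl_flavor: read getfacl output on stdin; print nfsv4, posix1e or unknown.
# NFSv4 entries end in an ACE type (allow/deny/audit/alarm); POSIX.1e
# entries are user::/group::/other::/mask:: (or user:NAME:perms) lines.
acl_flavor() {
    flavor=unknown
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            '#'*|'') continue ;;
            *:allow|*:deny|*:audit|*:alarm) flavor=nfsv4; break ;;
            user:*|group:*|other:*|mask:*)  flavor=posix1e; break ;;
        esac
    done
    printf '%s\n' "$flavor"
}

# mount_acl_flavor LINE: classify one mount(8) line by its ACL option.
mount_acl_flavor() {
    case "$1" in
        *'(posix1eacls'*|*' posix1eacls'*) echo posix1e ;;
        *'(acls'*|*' acls'*)               echo nfsv4 ;;
        *)                                 echo none ;;
    esac
}

# samba_acl_check FLAVOR: return 0 when s3fs will accept the filesystem,
# otherwise print the remedy from the thread on stderr and return 1.
samba_acl_check() {
    case "$1" in
        posix1e) return 0 ;;
        nfsv4)   echo 'NFSv4 ACLs are on; s3fs needs POSIX.1e: tunefs -p enable <dev>, then remount' >&2 ;;
        *)       echo 'getfacl shows no ACLs: tunefs -p enable <dev>, then remount' >&2 ;;
    esac
    return 1
}

# On a live system run: getfacl / | acl_flavor
# Offline, reproduce the situation from the thread with the samples:
printf 'thread getfacl output -> %s\n' "$(printf '%s\n' "$NFSV4_SAMPLE" | acl_flavor)"
printf 'thread mount line     -> %s\n' "$(mount_acl_flavor "$MOUNT_NFSV4")"
samba_acl_check "$(printf '%s\n' "$NFSV4_SAMPLE" | acl_flavor)" || :
```

The mount line alone is not enough to decide: "acls" in Matthias' output is the NFSv4 flag that tunefs -a turns on, which is exactly why samba-tool still complained, so the getfacl classification is the check that matters.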