Samba DC provisioning fails with Posix ACL enabled FFS

[Matthias Petermann <mp%petermann-it.de@localhost>]

Hello all,

has anyone tried provisioning a Samba DC on NetBSD current recently?

I managed to do this about half a year ago. Currently, however, there 
seems to be a problem that I can't quite figure out yet.

I use as storage for Samba / Sysvol a FFS with Posix ACLs enabled. I 
have enabled these with tunefs after formatting and also give them as 
mount options.

However, when trying to provision I get:

```
net# samba-tool domain provision --use-rfc2307 --interactive
Realm [LOCAL]:  MPNET.LOCAL 

Domain [MPNET]:
Server Role (dc, member, standalone) [dc]: 

DNS backend (SAMBA_INTERNAL, BIND9_FLATFILE, BIND9_DLZ, NONE) 
[SAMBA_INTERNAL]:
DNS forwarder IP address (write 'none' to disable forwarding) 
[127.0.0.1]:  192.168.2.254
Administrator password: 

Retype password:
...
INFO 2021-11-25 13:53:38,235 pid:1640 
/usr/pkg/lib/python3.8/site-packages/samba/provision/__init__.py #1570: 
Setting up well known security principals
INFO 2021-11-25 13:53:38,260 pid:1640 
/usr/pkg/lib/python3.8/site-packages/samba/provision/__init__.py #1584: 
Setting up sam.ldb users and groups
INFO 2021-11-25 13:53:38,351 pid:1640 
/usr/pkg/lib/python3.8/site-packages/samba/provision/__init__.py #1592: 
Setting up self join
Repacking database from v1 to v2 format (first record 
CN=Print-Media-Ready,CN=Schema,CN=Configuration,DC=mpnet,DC=local)
Repack: re-packed 10000 records so far
Repacking database from v1 to v2 format (first record 
CN=msCOM-PartitionSet-Display,CN=411,CN=DisplaySpecifiers,CN=Configuration,DC=mpnet,DC=local)
Repacking database from v1 to v2 format (first record 
CN=Builtin,DC=mpnet,DC=local)
set_nt_acl_no_snum: fset_nt_acl returned NT_STATUS_INVALID_PARAMETER.
ERROR(runtime): uncaught exception - (3221225485, 'An invalid parameter 
was passed to a service or function.')
  File "/usr/pkg/lib/python3.8/site-packages/samba/netcmd/__init__.py", 
line 186, in _run
    return self.run(*args, **kwargs)
  File "/usr/pkg/lib/python3.8/site-packages/samba/netcmd/domain.py", 
line 487, in run
    result = provision(self.logger,
  File 
"/usr/pkg/lib/python3.8/site-packages/samba/provision/__init__.py", line 
2341, in provision
    provision_fill(samdb, secrets_ldb, logger, names, paths,
  File 
"/usr/pkg/lib/python3.8/site-packages/samba/provision/__init__.py", line 
1979, in provision_fill
    setsysvolacl(samdb, paths.netlogon, paths.sysvol, paths.root_uid,
  File 
"/usr/pkg/lib/python3.8/site-packages/samba/provision/__init__.py", line 
1764, in setsysvolacl
    _setntacl(os.path.join(root, name))
  File 
"/usr/pkg/lib/python3.8/site-packages/samba/provision/__init__.py", line 
1753, in _setntacl
    return setntacl(
  File "/usr/pkg/lib/python3.8/site-packages/samba/ntacls.py", line 
236, in setntacl
    smbd.set_nt_acl(
net#
```

I am using Samba 4.13.11 from pkgsrc-2021Q3 (compiled with acl-Option). 
The NetBSD version is: NetBSD net.local 9.99.92 NetBSD 9.99.92 
(XEN3_DOMU_CUSTOM) #0: Thu Nov 25 06:26:36 CET 2021 
mpeterma@sysbldr92.local:/home/mpeterma/netbsd-current/obj/sys/arch/amd64/compile/XEN3_DOMU_CUSTOM 
amd64

(yes, I am using a custom XEN3_DOMU kernel as the provided kernel conf 
lacks the UFS_ACL option)

Has anyone an idea what is wrong here?

Kind regards
Matthias