2

I want to set up a Samba domain controller on a FreeBSD host that uses ZFS for file storage.

When I try to run samba-tool domain provision as documented on the Samba Wiki article on setting up a domain controller, I get an error telling me that I need POSIX ACLs enabled. According to FreeBSD's page on ZFS, ZFS on FreeBSD only supports NFSv4-style ACLs, which by now is fully implemented, but incompatible with POSIX-style ACLs.

Then I came across an unofficial guide for setting up a Samba domain controller on FreeBSD, where the solution is to simply provide the --use-ntvfs flag when calling samba-tool, which I can confirm works. However, according to the feature status of AD DC on Samba, the NTVFS feature was deprecated in 2010, which doesn't look promising.

Now I'm at a crossroads. I can think of two ways to set up this DC, namely by using --use-ntvfs or by creating a volume and formatting it with UFS. But I am unable to foresee the pros and cons of these solutions.

What are the consequences of using --use-ntvfs? Is it something that can be changed afterwards, or am I stuck with the choice until I provision an entirely new domain?

jornane
  • why don't you just use the nfsv4 acls? And why would you like to use a DC as a file server? At the very least separate those roles eventually using jails in the freebsd host. – natxo asenjo Feb 17 '16 at 10:23
  • @natxoasenjo thanks! I actually do use nfsv4 acls, but `samba-tool domain provision` doesn't seem to support those - it crashes with a python exception telling me to enable ACLs. The DC is not going to be a fileserver, but it must serve the sysvol volume, which is why ACLs are important (I presume, guesswork on my end). – jornane Feb 17 '16 at 10:40
  • aha. That's a bug in the tool, I would take it up upstream (samba project). In fact, it would be much better for samba to support those ace's out of the box, they are much more like Windows ace's – natxo asenjo Feb 17 '16 at 11:07
  • As you found, --use-ntvfs is long gone, so I wouldn't even consider using it. As I recall from my initial testing of Samba 4.0, ntvfs didn't work well. – Ward - Trying Codidact Feb 17 '16 at 11:09
  • @Ward: It looks like the port actually recommends `--use-ntvfs`. https://svnweb.freebsd.org/ports/head/net/samba44/files/README.FreeBSD.in?view=markup – jornane Jul 17 '16 at 15:56

2 Answers

1

If you don't mind the work, you could give this a try: https://sourceforge.net/projects/libsunacl/

That would involve some compiling I guess. You can find more information here: https://wiki.freebsd.org/NFSv4_ACLs

embedded
1

Forget about POSIX.1e ACLs with Samba - they just don't make sense, as Windows uses an ACL model that is totally different from POSIX.1e, and it's impossible to properly convert between the two (which doesn't prevent some folks, particularly in the Linux kernel community, from trying - but it just cannot work well for design reasons). Use NFSv4 ACLs, they are pretty much the same as what Windows uses.

As for compiling - actually, Samba port and package are built with ACL support by default. Just make sure to always have "aclmode=passthrough" and "aclinherit=passthrough" ZFS properties set; otherwise the inheritance simply won't work.

  • It looks like the port actually recommends `--use-ntvfs`. https://svnweb.freebsd.org/ports/head/net/samba44/files/README.FreeBSD.in?view=markup – jornane Jul 17 '16 at 15:55
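
The `aclmode`/`aclinherit` check from the second answer, as an added example that is not part of the original posts or of the Samba or FreeBSD projects. The dataset name `tank/samba` and the function names are placeholders, and the sample property values are constructed.

```shell
#!/bin/sh
# Added example: audit the two ZFS ACL properties named in the answer and
# print the `zfs set` commands needed to bring a dataset to passthrough.

# Reads tab-separated "property<TAB>value" lines on stdin, the format
# produced by `zfs get -H -o property,value aclmode,aclinherit <dataset>`.
# Prints one `zfs set` line per property that is not already passthrough,
# and a comment line for any property that was not reported at all.
acl_fixups() {
    dataset=$1
    awk -F '\t' -v ds="$dataset" '
        $1 == "aclmode" || $1 == "aclinherit" {
            seen[$1] = 1
            if ($2 != "passthrough")
                printf "zfs set %s=passthrough %s\n", $1, ds
        }
        END {
            # A missing property is flagged rather than assumed correct.
            if (!("aclmode" in seen))
                print "# aclmode not reported for " ds
            if (!("aclinherit" in seen))
                print "# aclinherit not reported for " ds
        }'
}

# Runs the check against a real dataset (needs the zfs utility).
# Not invoked here so the example also runs on a host without ZFS.
audit_dataset() {
    zfs get -H -o property,value aclmode,aclinherit "$1" | acl_fixups "$1"
}

# Constructed sample: a dataset where neither property is passthrough.
sample_output() {
    printf 'aclmode\tdiscard\naclinherit\trestricted\n'
}

# Demo on the constructed sample; "tank/samba" is a placeholder name.
sample_output | acl_fixups tank/samba
```

On a live system, `audit_dataset <dataset>` prints nothing when both properties are already `passthrough`; review the printed commands before running them, since the change affects how ACLs are inherited by new files on that dataset.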