On Tue, May 12, 2020 09:46, Rowland Penny wrote:
> One problem is that ZFS uses NFSv4 ACLs and a Samba AD doesn't, it
> expects POSIX ACLs, there also is a possibility that xattr may be
> another problem.
>
> Try reading this:
>
> bugzilla.samba.org/show_bug.cgi?id=12912
>
I have worked with Timur on this very problem in the past. And he has produced
in Samba-4.10.15 a version that will provision an AD DC inside a FreeBSD jail
using native ZFS. FreeBSD Samba-4.10.15 DCs of this type may also be
successfully joined to the existing DOMAIN without error.
The problem I have is replication of the existing DC to the new ZFS based DCs.
If I can get the sysvol and user data transferred successfully then the FSMO
roles will be transferred to one of the new DCs and the old DC (4.3) demoted
and removed from service.
Now, something is coming across because I can see this on a ZFS based DC:
[root at samba-02 ~ (master)]# getfacl /var/db/samba4/sysvol/brockley-2016.harte-lyne.ca
# file: /var/db/samba4/sysvol/brockley-2016.harte-lyne.ca
# owner: root
# group: BUILTIN\administrators
group:BUILTIN\administrators:rwxpDdaARWcCo-:fd-----:allow
group:BUILTIN\users:r-x---a-R-c---:fd-----:allow
group:BUILTIN\guests:rwxpDdaARWcCo-:fd-----:allow
group:\everyone:r-x---a-R-c---:fd-----:allow
owner@:rwxp--aARWcCos:-------:allow
group@:rwxp--a-R-c--s:-------:allow
everyone@:------a-R-c--s:-------:allow
And the existing DC with the FSMO roles shows this:
[root at SAMBA-01 ~]# getfacl /var/db/samba4/sysvol/brockley-2016.harte-lyne.ca
# file: /var/db/samba4/sysvol/brockley-2016.harte-lyne.ca
# owner: root
# group: BUILTIN\administrators
user::rwx
user:root:rwx
user:BUILTIN\administrators:rwx
user:BUILTIN\server operators:r-x
user:3000002:rwx
user:3000003:r-x
group::rwx
group:BUILTIN\administrators:rwx
group:BUILTIN\server operators:r-x
group:3000002:rwx
group:3000003:r-x
mask::rwx
other::---
samba-01 (DC1) is the primary DC, for want of a better term, and runs
samba-4.3.13_2. samba-02 (DC2) and samba-03 (DC3) are the replacement DCs that
have been joined to the DOMAIN.
If I can be certain that everything needed has indeed come across from DC1 to DC2
then I can start the process of moving the FSMOs. It may be that rsync is just
throwing a hissy fit over some non-essential flag. But I can hardly take that
chance on a live domain with only a single DC remaining.
Thank you for your time and attention.
--
*** e-Mail is NOT a SECURE channel ***
Do NOT transmit sensitive data via e-Mail
Do NOT open attachments nor follow links sent by e-Mail
James B. Byrne mailto:ByrneJB at Harte-Lyne.ca
Harte & Lyne Limited harte-lyne.ca
9 Brockley Drive vox: +1 905 561 1241
Hamilton, Ontario fax: +1 905 561 0757
Canada L8E 3C3
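An added example, not part of the original post or of Samba: a small Python script that parses both getfacl formats shown in the message (FreeBSD NFSv4 entries on the ZFS-based DC and POSIX entries on the old DC), reduces every entry to its read/write/execute bits per principal, and lists principals that are missing or differ on the replica. The ACL text below is constructed and abridged from the two listings above; the sysvol path and the principal names are taken from them only as sample input.

```python
# Constructed samples abridged from the two getfacl listings in the post:
# NFSv4 form (FreeBSD/ZFS, new DC) and POSIX form (old DC).
NFSV4_ACL = """\
group:BUILTIN\\administrators:rwxpDdaARWcCo-:fd-----:allow
group:BUILTIN\\users:r-x---a-R-c---:fd-----:allow
owner@:rwxp--aARWcCos:-------:allow
everyone@:------a-R-c--s:-------:allow
"""
POSIX_ACL = """\
# owner: root
user::rwx
user:BUILTIN\\administrators:rwx
user:BUILTIN\\server operators:r-x
group:BUILTIN\\administrators:rwx
mask::rwx
other::---
"""
# Unnamed entries of both formats map onto the same abstract principals.
SPECIAL = {"user::": "owner", "group::": "group", "other::": "everyone",
           "owner@": "owner", "group@": "group", "everyone@": "everyone"}

def parse_acl(text):
    """Map each principal to its allowed (r, w, x) bits for either getfacl format.
    Named users and groups are keyed by name alone so the formats line up; the
    POSIX mask and NFSv4 deny entries are skipped (allow bits only)."""
    acl = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        f = line.split(":")
        if f[-1] == "deny" or f[0] == "mask":
            continue
        if f[-1] == "allow":                     # NFSv4: [tag:]who:perms:flags:type
            who, perms = (f[1], f[2]) if len(f) == 5 else (f[0], f[1])
        elif len(f) == 3:                        # POSIX: tag:who:perms
            who, perms = (f[1] or f[0] + "::"), f[2]
        else:
            raise ValueError("unrecognised ACL entry: " + line)
        key = SPECIAL.get(who, who)
        bits = tuple(c != "-" for c in perms[:3])   # leading flags are r, w, x
        old = acl.get(key, (False, False, False))
        acl[key] = tuple(a or b for a, b in zip(old, bits))
    return acl

def compare(source, replica):
    """(principal, source_bits, replica_bits) for each principal whose rwx bits
    are absent from or differ on the replica; an empty list means they match."""
    src, dst = parse_acl(source), parse_acl(replica)
    return [(who, bits, dst.get(who)) for who, bits in sorted(src.items())
            if dst.get(who) != bits]
```

Feed it the getfacl output captured from each DC and treat any non-empty compare() result as a reason to hold off moving the FSMO roles; the check only covers the rwx bits, so finer NFSv4 flags still need a manual look.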