samba - Feb 2014 - Problems building FreeBSD file server

I have Googled my brains out without success, and I'm hoping that someone
here can give me some tips.  I'm trying to build a new file server, and
I've concluded that ZFS is the technology that I want to use.  After doing
some research I settled on FreeBSD 10 as the platform to provide it.

I have an existing AD domain (two Samba 4.1.4 DCs running on Debian) and
the file server will be a member server.

Requirements:

   - Use AD for authentication
   - Full Windows ACL support with the ability to manage permissions from
   Windows
   - All shares will be on ZFS


I have spent a great deal of time trying to set this up using the samba41
package, and I've had numerous problems, which don't even seem to be
consistent.  When you install the package it informs you that it is still
considered experimental, so perhaps I have nobody to blame but myself.

I decided to try the samba36 package, but when I installed it, it said that
it was compiled without ADS support and that I would need to build from
source if I wanted that functionality.  Building from source isn't out of
the question, but I'd prefer not to if I don't have to.

So, the big question:  Is what I want realistic?  Is this doable and stable?

What version of Samba should I use?  Where should I get it from?

I should stress that I am building a new server that will be used for file
serving and nothing else.  I'm not hung up on the Samba version, so long as
I get what I need.  I'm not hung up on version 10 of FreeBSD if 9 is a
better choice.  I'm not even hung up on using FreeBSD if there is a better
choice.  I briefly considered Solaris, but it doesn't seem to be supported
as a Hyper-V VM.

Any advice, experience or tips would be much appreciated.  Thanks folks.

Doug

On 02/25/2014 12:48, Doug Meredith wrote:
> I have Googled my brains out without success, and I'm hoping that
someone
> here can give me some tips.  I'm trying to build a new file server, and
> I've concluded that ZFS is the technology that I want to use.  After
doing
> some research I settled on FreeBSD 10 as the platform to provide it.
>
> I have an existing AD domain (two Samba 4.1.4 DCs running on Debian) and
> the file server will be a member server.
>
> Requirements:
>
>     - Use AD for authentication
>     - Full Windows ACL support with the ability to manage permissions from
>     Windows
>     - All shares will be on ZFS
>
>
> I have spent a great deal of time trying to set this up using the samba41
> package, and I've had numerous problems, which don't even seem to
be
> consistent.  When you install the package it informs you that it is still
> considered experimental, so perhaps I have nobody to blame but myself.
>
> I decided to try the samba36 package, but when I installed it, it said that
> it was compiled without ADS support and that I would need to build from
> source if I wanted that functionality.  Building from source isn't out
of
> the question, but I'd prefer not to if I don't have to.
>
> So, the big question:  Is what I want realistic?  Is this doable and
stable?
>
> What version of Samba should I use?  Where should I get it from?
>
> I should stress that I am building a new server that will be used for file
> serving and nothing else.  I'm not hung up on the Samba version, so
long as
> I get what I need.  I'm not hung up on version 10 of FreeBSD if 9 is a
> better choice.  I'm not even hung up on using FreeBSD if there is a
better
> choice.  I briefly considered Solaris, but it doesn't seem to be
supported
> as a Hyper-V VM.
Have you considered FreeNAS? http://www.freenas.org

It is FreeBSD 9 based and includes samba 4.

- John
>
> Any advice, experience or tips would be much appreciated.  Thanks folks.
>
> Doug

On Tue, Feb 25, 2014 at 04:48:51PM -0400, Doug Meredith
wrote:
> I have Googled my brains out without success, and I'm hoping that
someone
> here can give me some tips.  I'm trying to build a new file server, and
> I've concluded that ZFS is the technology that I want to use.  After
doing
> some research I settled on FreeBSD 10 as the platform to provide it.
> 
> I have an existing AD domain (two Samba 4.1.4 DCs running on Debian) and
> the file server will be a member server.
> 
> Requirements:
> 
>    - Use AD for authentication
>    - Full Windows ACL support with the ability to manage permissions from
>    Windows
>    - All shares will be on ZFS
> 
> 
> I have spent a great deal of time trying to set this up using the samba41
> package, and I've had numerous problems, which don't even seem to
be
> consistent.  When you install the package it informs you that it is still
> considered experimental, so perhaps I have nobody to blame but myself.
> 
> I decided to try the samba36 package, but when I installed it, it said that
> it was compiled without ADS support and that I would need to build from
> source if I wanted that functionality.  Building from source isn't out
of
> the question, but I'd prefer not to if I don't have to.
> 
> So, the big question:  Is what I want realistic?  Is this doable and
stable?
> 
> What version of Samba should I use?  Where should I get it from?
> 
> I should stress that I am building a new server that will be used for file
> serving and nothing else.  I'm not hung up on the Samba version, so
long as
> I get what I need.  I'm not hung up on version 10 of FreeBSD if 9 is a
> better choice.  I'm not even hung up on using FreeBSD if there is a
better
> choice.  I briefly considered Solaris, but it doesn't seem to be
supported
> as a Hyper-V VM.
> 
> Any advice, experience or tips would be much appreciated.  Thanks folks.
If all you want is a FreeBSD/ZFS file server have you looked at FreeNAS ?

https://http://www.freenas.org/

Jeremy.

Here's something I learned when working with the FreeNAS folks :

ZFS can be configured to be case insensitive when
you create the filesystem (NOTE - cannot be altered
*after* the filesystem is created).

zfs create -o casesensitivity=insensitive filesystem

https://www.freebsd.org/cgi/man.cgi?query=zfs&apropos=0&sektion=0&manpath=FreeBSD+8.1-RELEASE&format=html

Once you've done this set the following in the
share definition in your smb.conf :

[ZFSSHARE]
	path = /foo
	case sensitive = true

and Samba will go *much* faster for
directories with large numbers of files
(we don't have to scan the directory on
every cache miss) !

This should also work with ZFS on Linux:

https://zfsonlinux.org/

Jeremy.

On 25.02.2014 21:48, Doug Meredith wrote:
> I have an existing AD domain (two Samba 4.1.4 DCs running on Debian) and
> Building from source isn't out of
> the question, but I'd prefer not to if I don't have to.
I resisted building from source for a long time, but finally gave in, 
and now it seems to work. For some magic reason whenever samba4 is 
packaged by a distributor, it acts up. Compile it yourself, and it 
works. Have seen this mentioned here several times, and now experienced 
it myself, so I start to believe it. Only complete systems like Sernet 
and FreeNAS also simply work out of the box.

On 26 Feb 2014, at 7:18, Doug Meredith <doug.meredith at skyridge.com>
wrote:
> I have spent a great deal of time trying to set this up using the samba41
> package, and I've had numerous problems, which don't even seem to
be
> consistent.  When you install the package it informs you that it is still
> considered experimental, so perhaps I have nobody to blame but myself.
> 
> I decided to try the samba36 package, but when I installed it, it said that
> it was compiled without ADS support and that I would need to build from
> source if I wanted that functionality.  Building from source isn't out
of
> the question, but I'd prefer not to if I don't have to.
I think you are under a bit of a misapprehension about FreeBSD :)

If you build it using the ports tree you can configure it quite heavily. This is
not really the same as what most people consider 'building from source'
even though it is building from source..

If you use the ports tree it IS supported and it IS the normal way on FreeBSD.
> So, the big question:  Is what I want realistic?  Is this doable and
stable?
> 
> What version of Samba should I use?  Where should I get it from?
> 
> I should stress that I am building a new server that will be used for file
> serving and nothing else.  I'm not hung up on the Samba version, so
long as
> I get what I need.  I'm not hung up on version 10 of FreeBSD if 9 is a
> better choice.  I'm not even hung up on using FreeBSD if there is a
better
> choice.  I briefly considered Solaris, but it doesn't seem to be
supported
> as a Hyper-V VM.
I used to run Samba 3.6 (from ports) and had it act as an NT4 PDC, I have
recently switched to Samba 4 (also from ports) and have it acting as an ADS.

I suggest you do this
cd /usr/ports/net/samba4
sudo make config
[set EXP_MODULES]
sudo make install

Then provision your system
sudo samba-tool domain provision --realm=MY.REALM.HERE --domain=MY
--dns-backend=BIND9_FLATFILE --use-xattrs=no --use-ntvfs --use-rfc2307

I used the Bind9 flat file stuff since I wanted to merge it with my existing
domain records, but if you want samba to manage it all then you can use
BIND9_DLZ instead. You will also need to modify your bind configuration.

Then modify your /usr/local/etc/smb4.conf so it looks like..
# Global parameters
[global]
        #log level = 3
        # Need these 2 otherwise it complains something is already bound to :137
        bind interfaces only = yes
        interfaces = 10.0.2.1
        nsupdate command = samba-nsupdate -g

        workgroup = MY
        realm = MY.REALM.HERE
        netbios name = MYSERVER
        server role = active directory domain controller
        server services = rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind,
ntp_signd, kcc, dnsupdate, smb
        dcerpc endpoint servers = epmapper, wkssvc, rpcecho, samr, netlogon,
lsarpc, spoolss, drsuapi, dssetup, unixinfo, browser, eventlog6, backupkey,
dnsserver, winreg, srvsvc
        idmap_ldb:use rfc2307 = yes
        posix:eadb = /var/db/samba4/private/eadb.tdb

[netlogon]
        vfs objects = zfsacl
        nfs4:mode = simple
        nfs4:acedup = merge
        nfs4:chown = yes
        path = /var/db/samba4/sysvol/my.realm.here/scripts
        read only = No


[sysvol]
        vfs objects = zfsacl
        nfs4:mode = simple
        nfs4:acedup = merge
        nfs4:chown = yes
        path = /var/db/samba4/sysvol
        read only = No

[profiles]
        vfs objects = zfsacl shadow_copy2
        nfs4:mode = simple
        nfs4:acedup = merge
        nfs4:chown = yes
        path = /tank/profiles
        read only = no

# homes appears broken -
https://lists.samba.org/archive/samba/2014-January/178029.html
[home]
        vfs objects = zfsacl shadow_copy2
        nfs4:mode = simple
        nfs4:acedup = merge
        nfs4:chown = yes
        comment = Home Directories
        read only = No
        path = /home

[storage]
        vfs objects = zfsacl shadow_copy2
        nfs4:mode = simple
        nfs4:acedup = merge
        nfs4:chown = yes
        comment = Archives
        path = /storage
        read only = No
        guest ok = Yes

Note that all my Samba facing ZFS file systems have aclmode=passthrough and
aclinherit=passthrough set.

eg I ran something like..
sudo zfs create -o aclmode=passthrough -o aclinherit=passthrough -o
mountpoint=/var/db/samba4 tank/samba4db
to create them.
(or you can set them after the fact)

Or alternatively you can use FreeNAS which has done most of the work for you :)

--
Daniel O'Connor software and network engineer
for Genesis Software - http://www.gsoft.com.au
"The nice thing about standards is that there
are so many of them to choose from."
  -- Andrew Tanenbaum
GPG Fingerprint - 5596 B766 97C0 0E94 4347 295E E593 DC20 7B3F CE8C







-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 195 bytes
Desc: Message signed with OpenPGP using GPGMail
URL:
<http://lists.samba.org/pipermail/samba/attachments/20140226/a8f042fc/attachment.pgp>