Hello! Andrew Bartlett via samba
  On that day it was said...

> There is a limitation for containers regarding xattrs as I understand
> it, so you may need to go to a full DC.

...googling around, it seems to me that this is an ''old limitation'', now gone.

I've also hit:

	https://lists.linuxcontainers.org/pipermail/lxc-devel/2015-November/012789.html

so it seems that 'samba-tool domain provision' checks xattr compliance and
reverts to tdb ACL if not.
Is this check ''safe'' (a full check)? Or could I end up in some ''gray'' area?!
Are there any more checks I can do?

Thanks.

-- 
dott. Marco Gaiarin                                    GNUPG Key ID: 240A3D66
  Associazione ``La Nostra Famiglia''          http://www.lanostrafamiglia.it/
  Polo FVG - Via della Bontà, 7 - 33078 - San Vito al Tagliamento (PN)
  marco.gaiarin(at)lanostrafamiglia.it   t +39-0434-842711   f +39-0434-842797

  Donate your 5 PER MILLE to LA NOSTRA FAMIGLIA!
  http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
  (tax code 00307430132, category ONLUS or RICERCA SANITARIA)
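One pre-provision check for the question above, as an added example that is not part of the thread and not Samba's own provision test: a Python probe that sets, reads back and removes one attribute in each of the user.* and security.* namespaces on a scratch file. The probe attribute names and function names are constructed for illustration.

```python
import errno
import os
import tempfile

# Constructed probe names. Samba itself writes user.DOSATTRIB and
# security.NTACL; writing security.* typically needs CAP_SYS_ADMIN.
PROBES = ("user.xattr_probe", "security.xattr_probe")


def probe_xattr(directory=None):
    """Try set/get/remove for each probe name on a scratch file.

    Returns {name: (ok, reason)}; reason is "ok" or an errno name.
    """
    if not hasattr(os, "setxattr"):  # platform without Linux xattr calls
        return {name: (False, "unsupported platform") for name in PROBES}
    fd, path = tempfile.mkstemp(dir=directory or tempfile.gettempdir())
    os.close(fd)
    results = {}
    try:
        for name in PROBES:
            try:
                os.setxattr(path, name, b"probe")
                same = os.getxattr(path, name) == b"probe"
                os.removexattr(path, name)
                results[name] = (same, "ok" if same else "value mismatch")
            except OSError as exc:
                reason = errno.errorcode.get(exc.errno, str(exc.errno))
                results[name] = (False, reason)
    finally:
        os.unlink(path)
    return results


def xattr_backend_usable(results):
    """True only if every probed namespace accepted the round trip."""
    return all(ok for ok, _ in results.values())


if __name__ == "__main__":
    outcome = probe_xattr()  # pass the directory that will hold sysvol
    for name, (ok, reason) in outcome.items():
        print(f"{name}: {'OK' if ok else 'FAILED'} ({reason})")
    print("xattr backend usable:", xattr_backend_usable(outcome))
```

Run it as root inside the container, pointing it at the file system that will hold the DC's data; an EPERM or EOPNOTSUPP/ENOTSUP result for either name means provisioning would fall back to the tdb backend.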
On Tue, 19 Sep 2017 14:37:46 +0200 Marco Gaiarin via samba <samba at lists.samba.org> wrote:

> Hello! Andrew Bartlett via samba
>   On that day it was said...
>
> > There is a limitation for containers regarding xattrs as I
> > understand it, so you may need to go to a full DC.
>
> ...googling around, it seems to me that this is an ''old limitation'', now gone.
>
> I've also hit:
>
> 	https://lists.linuxcontainers.org/pipermail/lxc-devel/2015-November/012789.html
>
> so it seems that 'samba-tool domain provision' checks xattr compliance and
> reverts to tdb ACL if not.
> Is this check ''safe'' (a full check)? Or could I end up in some
> ''gray'' area?!
> Are there any more checks I can do?
>
> Thanks.

I have run test Samba AD DCs in a VirtualBox VM and everything works OK, so why not try it? If it doesn't work, then you haven't lost anything ;-)

Rowland
> ...googling around, it seems to me that this is an ''old limitation'', now gone.

No.

 root at vdcsv1:~# samba-tool domain provision --server-role=dc --use-rfc2307 --dns-backend=BIND9_DLZ --realm=AD.FVG.LNF.IT --domain=LNFFVG
 Administrator password will be set randomly!
 You are not root or your system do not support xattr, using tdb backend for attributes.
 not using extended attributes to store ACLs and other metadata. If you intend to use this provision in production, rerun the script as root on a system supporting xattrs.
 Looking up IPv4 addresses
 Looking up IPv6 addresses
 No IPv6 address will be assigned
 Setting up share.ldb
 Setting up secrets.ldb
 Setting up the registry
 Setting up the privileges database
 Setting up idmap db
 Setting up SAM db
 Setting up sam.ldb partitions and settings
 Setting up sam.ldb rootDSE
 Pre-loading the Samba 4 and AD schema
 Adding DomainDN: DC=ad,DC=fvg,DC=lnf,DC=it
 Adding configuration container
 Setting up sam.ldb schema
 Setting up sam.ldb configuration data
 Setting up display specifiers
 Modifying display specifiers
 Adding users container
 Modifying users container
 Adding computers container
 Modifying computers container
 Setting up sam.ldb data
 Setting up well known security principals
 Setting up sam.ldb users and groups
 Setting up self join
 process_usershare_file: share name unknown service (snum == -1) contains invalid characters (any of %<>*?|/\+=;:",)
 xattr_tdb_removexattr() failed to get vfs_handle->data!
 process_usershare_file: share name unknown service (snum == -1) contains invalid characters (any of %<>*?|/\+=;:",)
 Security context active token stack underflow!
 PANIC (pid 13321): Security context active token stack underflow!
 BACKTRACE: 35 stack frames:
  #0 /usr/lib/x86_64-linux-gnu/libsmbconf.so.0(log_stack_trace+0x1a) [0x7f07ff93c85a]
  #1 /usr/lib/x86_64-linux-gnu/libsmbconf.so.0(smb_panic_s3+0x20) [0x7f07ff93c940]
  #2 /usr/lib/x86_64-linux-gnu/libsamba-util.so.0(smb_panic+0x2f) [0x7f0811f9bfcf]
  #3 /usr/lib/x86_64-linux-gnu/samba/libsmbd-base.so.0(sec_ctx_active_token+0x6a) [0x7f07fda0821a]
  #4 /usr/lib/x86_64-linux-gnu/samba/libsmbd-base.so.0(try_chown+0xa9) [0x7f07fda13ed9]
  #5 /usr/lib/x86_64-linux-gnu/samba/libsmbd-base.so.0(set_nt_acl+0x155) [0x7f07fda14085]
  #6 /usr/lib/x86_64-linux-gnu/samba/libsmbd-base.so.0(+0x1ee161) [0x7f07fdadd161]
  #7 /usr/lib/x86_64-linux-gnu/samba/libsmbd-base.so.0(smb_vfs_call_fset_nt_acl+0x2d) [0x7f07fda0c5bd]
  #8 /usr/lib/x86_64-linux-gnu/samba/vfs/acl_xattr.so(+0x2699) [0x7f07ec4ff699]
  #9 /usr/lib/x86_64-linux-gnu/samba/vfs/acl_xattr.so(+0x5216) [0x7f07ec502216]
  #10 /usr/lib/x86_64-linux-gnu/samba/libsmbd-base.so.0(smb_vfs_call_fset_nt_acl+0x2d) [0x7f07fda0c5bd]
  #11 /usr/lib/python2.7/dist-packages/samba/samba3/smbd.x86_64-linux-gnu.so(+0x27fb) [0x7f07fde417fb]
  #12 /usr/bin/python2.7(PyEval_EvalFrameEx+0x4d79) [0x4cdbb9]
  #13 /usr/bin/python2.7(PyEval_EvalCodeEx+0x3c9) [0x4c7a59]
  #14 /usr/bin/python2.7(PyEval_EvalFrameEx+0x8bd) [0x4c96fd]
  #15 /usr/bin/python2.7(PyEval_EvalFrameEx+0xb2a) [0x4c996a]
  #16 /usr/bin/python2.7(PyEval_EvalCodeEx+0x3c9) [0x4c7a59]
  #17 /usr/bin/python2.7(PyEval_EvalFrameEx+0x8bd) [0x4c96fd]
  #18 /usr/bin/python2.7(PyEval_EvalCodeEx+0x3c9) [0x4c7a59]
  #19 /usr/bin/python2.7(PyEval_EvalFrameEx+0x8bd) [0x4c96fd]
  #20 /usr/bin/python2.7() [0x4e4518]
  #21 /usr/bin/python2.7(PyEval_EvalFrameEx+0x3ec9) [0x4ccd09]
  #22 /usr/bin/python2.7() [0x4e4518]
  #23 /usr/bin/python2.7(PyEval_EvalFrameEx+0x3ec9) [0x4ccd09]
  #24 /usr/bin/python2.7() [0x4e4518]
  #25 /usr/bin/python2.7(PyEval_EvalFrameEx+0x3ec9) [0x4ccd09]
  #26 /usr/bin/python2.7() [0x4e4518]
  #27 /usr/bin/python2.7(PyEval_EvalFrameEx+0x3ec9) [0x4ccd09]
  #28 /usr/bin/python2.7(PyEval_EvalCodeEx+0x3c9) [0x4c7a59]
  #29 /usr/bin/python2.7() [0x50160f]
  #30 /usr/bin/python2.7(PyRun_FileExFlags+0x82) [0x4f6c32]
  #31 /usr/bin/python2.7(PyRun_SimpleFileExFlags+0x197) [0x4f5d37]
  #32 /usr/bin/python2.7(Py_Main+0x55d) [0x4981cd]
  #33 /lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf5) [0x7f08127d0b45]
  #34 /usr/bin/python2.7() [0x497b8b]
 Can not dump core: corepath not set up
 root at vdcsv1:~#

OK, Samba needs a VM. ;-)

-- 
dott. Marco Gaiarin                                    GNUPG Key ID: 240A3D66
On Tuesday, 19 September 2017, 17:25:37 CEST, Marco Gaiarin via samba wrote:

> > ...googling around, it seems to me that this is an ''old limitation'', now gone.
>
> No.
>
> [...]
>
> OK, Samba needs a VM. ;-)

Hi,

for me samba-ad in a proxmox based lxc-container seems to work fine.
Have you tried a privileged container? And... what filesystem?

Greetings
Markus
2017-09-19 17:25 GMT+02:00 Marco Gaiarin via samba <samba at lists.samba.org>:

> > ...googling around, it seems to me that this is an ''old limitation'', now gone.
>
> No.

For me Samba AD DC is running without any problem in an Ubuntu privileged LXC container.

Best regards,
Marcel
On Tue, 2017-09-19 at 14:37 +0200, Marco Gaiarin via samba wrote:

> Hello! Andrew Bartlett via samba
>   On that day it was said...
>
> > There is a limitation for containers regarding xattrs as I understand
> > it, so you may need to go to a full DC.
>
> ...googling around, it seems to me that this is an ''old limitation'', now gone.
>
> I've also hit:
>
> 	https://lists.linuxcontainers.org/pipermail/lxc-devel/2015-November/012789.html
>
> so it seems that 'samba-tool domain provision' checks xattr compliance and
> reverts to tdb ACL if not.
> Is this check ''safe'' (a full check)? Or could I end up in some ''gray''
> area?!
> Are there any more checks I can do?

tdb ACLs are a good idea for production use. I really should make this more clear.

The TDB approach creates a dev/inode indexed DB, rather than using the file system. This is prone to inode re-use issues, and while we have defences for the ACL side of that (we hash the POSIX ACL on the file), there is no such defence for other extended attributes that might also be stored there.

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
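The inode re-use problem described in the message above, as an added example that is not part of the thread and not Samba's code: a toy file system and a (dev, inode)-keyed side store, both constructed here, show a stale entry surviving a delete. The POSIX ACL hash check rejects the stale ACL entry, while the other attribute is handed to the new file.

```python
import hashlib

def acl_hash(posix_acl):
    return hashlib.sha256(posix_acl.encode()).hexdigest()

class ToyFS:
    """Constructed model of a file system that recycles freed inode numbers."""
    DEV = 0x801  # constructed device number

    def __init__(self):
        self.files, self.free, self.next_ino = {}, [], 100

    def create(self, name, posix_acl):
        if self.free:
            ino = self.free.pop()            # reuse a freed inode number
        else:
            ino, self.next_ino = self.next_ino, self.next_ino + 1
        self.files[name] = (ino, posix_acl)

    def unlink(self, name):
        self.free.append(self.files.pop(name)[0])

    def stat(self, name):
        ino, acl = self.files[name]
        return (self.DEV, ino), acl

class SideStore:
    """Attribute DB keyed by (dev, inode), standing in for the tdb backend."""
    def __init__(self, fs):
        self.fs, self.db = fs, {}

    def set(self, name, attr, value):
        key, acl = self.fs.stat(name)
        self.db.setdefault(key, {})[attr] = (value, acl_hash(acl))

    def get(self, name, attr, check_hash):
        key, acl = self.fs.stat(name)
        value, stored = self.db.get(key, {}).get(attr, (None, None))
        if check_hash and stored != acl_hash(acl):
            return None                      # stale entry: POSIX ACL changed
        return value

def demo():
    fs = ToyFS()
    store = SideStore(fs)
    fs.create("old.doc", "user::rw-,group::---,other::---")
    store.set("old.doc", "security.NTACL", "constructed-nt-acl")
    store.set("old.doc", "user.DOSATTRIB", "constructed-dos-attrs")
    fs.unlink("old.doc")                     # the side store never hears of this
    fs.create("new.txt", "user::rw-,group::r--,other::r--")
    return (store.get("new.txt", "security.NTACL", check_hash=True),
            store.get("new.txt", "user.DOSATTRIB", check_hash=False))
```

In this model the hash check only helps when the new file's POSIX ACL differs from the old one; a new file with an identical POSIX ACL would pass it.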
Hello! Andrew Bartlett via samba
  On that day it was said...

> tdb ACLs are a good idea for production use. I really should make
> this more clear.
> The TDB approach creates a dev/inode indexed DB, rather than using the
> file system. This is prone to inode re-use issues, and while we have
> defences for the ACL side of that (we hash the POSIX ACL on the file),
> there is no such defence for other extended attributes that might also
> be stored there.

?! samba-tool does not seem to agree with you; it prints:

 You are not root or your system do not support xattr, using tdb backend for attributes.
 not using extended attributes to store ACLs and other metadata. If you intend to use this provision in production, rerun the script as root on a system supporting xattrs.

-- 
dott. Marco Gaiarin                                    GNUPG Key ID: 240A3D66
Hi Marco,

Is the VM running on ZFS? Then you could try this:
https://morph027.gitlab.io/post/zfs-on-linux-and-samba4-acl/

Greetz,

Louis

> -----Original Message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Marco Gaiarin via samba
> Sent: Wednesday, 20 September 2017 12:54
> To: samba at lists.samba.org
> Subject: Re: [Samba] [OT?] VM or Container for an AD DC?
>
> Hello! Andrew Bartlett via samba
>   On that day it was said...
>
> > tdb ACLs are a good idea for production use. I really should make
> > this more clear.
> > The TDB approach creates a dev/inode indexed DB, rather than using the
> > file system. This is prone to inode re-use issues, and while we have
> > defences for the ACL side of that (we hash the POSIX ACL on the file),
> > there is no such defence for other extended attributes that might also
> > be stored there.
>
> ?! samba-tool does not seem to agree with you; it prints:
>
> You are not root or your system do not support xattr, using tdb backend for attributes.
> not using extended attributes to store ACLs and other metadata. If you intend to use this provision in production, rerun the script as root on a system supporting xattrs.