On Sat, July 11, 2020 04:32, Andrea Venturoli wrote:
> On 2020-07-10 14:47, James B. Byrne wrote:
>> FreeBSD-12.1p6 IOCage thick jails on ZFS, samba-4.10.15:
>
> Can you post the smb.conf of both DCs?
>
> Just out of curiosity, are you also using vfs_zfsacl?

Yes. smb.confs DC1 and DC2:

/zroot/iocage/jails/smb4-1a/root/usr/local/etc/smb4.conf

[root at vhost04 ~ (master)]# cat /zroot/iocage/jails/smb4-1/root/usr/local/etc/smb4.conf
# Global parameters
[global]
    bind interfaces only = Yes
    interfaces = localhost smb4-1
    netbios name = SMB4-1
    realm = BROCKLEY.HARTE-LYNE.CA
    workgroup = BROCKLEY
    server role = active directory domain controller
    server services = -nbt
    # use 'samba-tool testparm -v | grep services' to list active services
    idmap_ldb:use rfc2307 = yes
    vfs objects = dfs_samba4 zfsacl

    # DNS
    dns forwarder = 216.185.71.33 216.185.71.34
    # Note diff: sbin vs. bin and _ vs. - and dns vs. ns
    dns update command = /usr/local/sbin/samba_dnsupdate
    ## samba_dnsupdate insists on finding rndc
    rndc command = /usr/bin/true
    ## For secure dns dynamic updates use these (but secure does not work):
    # 1 nsupdate command = /usr/local/bin/samba-nsupdate -g
    # 1 allow dns updates = secure only
    ## For insecure dynamic updates use these settings:
    nsupdate command = /usr/local/bin/samba-nsupdate
    allow dns updates = nonsecure

    # Logging
    log level = 1
    #log file = /var/log/samba4/smbd.log.%m
    log file = /var/log/samba4/smbd.log
    max log size = 10000
    debug timestamp = yes

    # Disable printing
    load printers = no
    printing = bsd
    printcap name = /dev/null
    disable spoolss = yes

[sysvol]
    path = /var/db/samba4/sysvol
    read only = No

[netlogon]
    path = /var/db/samba4/sysvol/brockley.harte-lyne.ca/scripts
    read only = No

[PROFILES]
    path = /var/samba4/BROCKLEY/PROFILES/
    read only = No

[USERS]
    path = /var/samba4/BROCKLEY/USERS/
    read only = No

[root at vhost04 ~ (master)]# cat /zroot/iocage/jails/smb4-2/root/usr/local/etc/smb4.conf
# Global parameters
[global]
    bind interfaces only = Yes
    interfaces = localhost smb4-2
    netbios name = SMB4-2
    realm = BROCKLEY.HARTE-LYNE.CA
    server role = active directory domain controller
    server services = -nbt
    workgroup = BROCKLEY

    # DNS
    dns forwarder = 216.185.71.33 216.185.71.34
    # Note diff: sbin vs. bin and _ vs. - and dns vs. ns
    dns update command = /usr/local/sbin/samba_dnsupdate
    # For secure DNS updates use the following:
    #nsupdate command = /usr/local/bin/samba-nsupdate -g
    #allow dns updates = secure only
    # However, we are unable to get secure dns updates to work with the internal DNS
    nsupdate command = /usr/local/bin/samba-nsupdate
    allow dns updates = nonsecure
    # rndc is not used with the internal DNS but unless set to true
    # samba-dnsupdate logs an error anyway
    rndc command = /usr/bin/true

    log level = 2
    #log file = /var/log/samba4/smbd.log.%m
    log file = /var/log/samba4/smbd.log
    max log size = 10000
    debug timestamp = yes

    # Disable printing
    load printers = no
    printing = bsd
    printcap name = /dev/null
    disable spoolss = yes

[sysvol]
    path = /var/db/samba4/sysvol
    read only = No

[netlogon]
    path = /var/db/samba4/sysvol/brockley.harte-lyne.ca/scripts
    read only = No

-- 
*** e-Mail is NOT a SECURE channel ***
Do NOT transmit sensitive data via e-Mail
Unencrypted messages have no legal claim to privacy
Do NOT open attachments nor follow links sent by e-Mail
James B. Byrne mailto:ByrneJB at Harte-Lyne.ca
Harte & Lyne Limited http://www.harte-lyne.ca
9 Brockley Drive vox: +1 905 561 1241
Hamilton, Ontario fax: +1 905 561 0757
Canada L8E 3C3
>> set_nt_acl_no_snum: fset_nt_acl returned NT_STATUS_INVALID_PARAMETER.

^^^ this typically indicates that Samba's trying to set the ACLs in an xattr (vfs_acl_xattr). FreeBSD lacks "security" and "trusted" xattr namespaces and so returns EINVAL on attempt to set an NT ACL xattr. You will need to use vfs_zfsacl. Is this the FreeBSD port / pkg version of samba?
On Mon, July 13, 2020 09:14, Andrew Walker wrote:
>>> set_nt_acl_no_snum: fset_nt_acl returned NT_STATUS_INVALID_PARAMETER.
>
> ^^^ this typically indicates that Samba's trying to set the ACLs in an
> xattr (vfs_acl_xattr). FreeBSD lacks "security" and "trusted" xattr
> namespaces and so returns EINVAL on attempt to set an NT ACL xattr. You
> will need to use vfs_zfsacl. Is this the FreeBSD port / pkg version of
> samba?
>

This is the FreeBSD-2.1p7 samba410-4.10.15 package.
On 2020-07-13 15:06, James B. Byrne wrote:
>> Just out of curiosity, are you also using vfs_zfsacl?
>
> Yes.

But only on DC1, AFAICT!
I see no mention of it in DC2's smb.conf.
That could be the reason why you have two different behaviours.

bye
av.
On Mon, Jul 13, 2020 at 10:24 AM Andrea Venturoli via samba <samba at lists.samba.org> wrote:
> On 2020-07-13 15:06, James B. Byrne wrote:
>
>>> Just out of curiosity, are you also using vfs_zfsacl?
>>
>> Yes.
>
> But only on DC1, AFAICT!
> I see no mention of it on DC2's smb.conf.
> That could be the reason why you have two different behaviour.
>
> bye
> av.
>

This is highly probable. Try setting vfs_zfsacl.

In the absence of explicitly configured vfs objects samba will default to "vfs objects = dfs_samba4 acl_xattr" when the AD Domain Controller role is set. Unfortunately, this doesn't work as intended on FreeBSD due to differences in available xattr namespaces. This is particularly problematic for a DC in a jail because by default (and with good reason) jailed processes can't write into the system namespace [if we decide to write the ACL there instead of security]. It's theoretically possible to write the NT acl xattr into the user namespace, but it would be pretty horrible from a security standpoint. The result is that currently vfs_zfsacl is the only real option for jails.
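A small check for the situation Andrew describes, added here as an example and not code from the thread or from Samba: it computes the effective "vfs objects" of a smb4.conf, applying the DC-role default ("dfs_samba4 acl_xattr") only when the parameter is absent, and fails if acl_xattr would be used or zfsacl is missing. The two sample configs are constructed to mirror DC1 (zfsacl set) and DC2 (nothing set); the default value is assumed from Andrew's reply.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes, per Andrew's reply, that the
# AD DC role with no explicit "vfs objects" defaults to "dfs_samba4 acl_xattr".

effective_vfs_objects() {   # $1 = path to smb4.conf; prints the effective list
    awk '
        /^[ \t]*[#;]/ { next }                               # skip comment lines
        /^[ \t]*\[/   { s = tolower($0); sub(/^[ \t]*\[/, "", s); sub(/\].*$/, "", s); sect = s; next }
        sect != "global" { next }                            # only [global] matters here
        tolower($0) ~ /^[ \t]*vfs[ \t]+objects?[ \t]*=/ {
            v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]+$/, "", v); objs = v
        }
        tolower($0) ~ /^[ \t]*server[ \t]+role[ \t]*=/ {
            r = tolower($0); sub(/^[^=]*=[ \t]*/, "", r); sub(/[ \t]+$/, "", r); role = r
        }
        END {
            if (objs == "" && (role == "active directory domain controller" || role == "dc"))
                objs = "dfs_samba4 acl_xattr"                # assumed Samba DC default
            print objs
        }' "$1"
}

check_freebsd_dc_acl() {    # returns 0 only if zfsacl is used and acl_xattr is not
    objs=$(effective_vfs_objects "$1")
    case " $objs " in
        *" acl_xattr "*) echo "$1: FAIL ($objs): acl_xattr gets EINVAL on FreeBSD"; return 1 ;;
        *" zfsacl "*)    echo "$1: OK ($objs)"; return 0 ;;
        *)               echo "$1: FAIL ($objs): no ZFS ACL backend"; return 1 ;;
    esac
}

# Constructed samples modelled on the two DCs in the thread.
dir=$(mktemp -d)
cat >"$dir/dc1.conf" <<'EOF'
[global]
    server role = active directory domain controller
    vfs objects = dfs_samba4 zfsacl
EOF
cat >"$dir/dc2.conf" <<'EOF'
[global]
    Server Role = active directory domain controller
    # no "vfs objects" line, so Samba's DC default applies
[sysvol]
    path = /var/db/samba4/sysvol
EOF
check_freebsd_dc_acl "$dir/dc1.conf"
check_freebsd_dc_acl "$dir/dc2.conf" || true
```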
On Mon, July 13, 2020 10:23, Andrea Venturoli wrote:
> On 2020-07-13 15:06, James B. Byrne wrote:
>
>>> Just out of curiosity, are you also using vfs_zfsacl?
>>
>> Yes.
>
> But only on DC1, AFAICT!
> I see no mention of it on DC2's smb.conf.
> That could be the reason why you have two different behaviours.
>
> bye
> av.
>

That appears to make no difference:

[root at smb4-1 ~ (master)]# grep acl /usr/local/etc/smb4.conf
    vfs objects = dfs_samba4 zfsacl
[root at smb4-1 ~ (master)]# service samba_server onestart
Performing sanity check on Samba configuration: OK
Starting samba.
[root at smb4-1 ~ (master)]# getfacl /var/db/samba4/sysvol
# file: /var/db/samba4/sysvol
# owner: root
# group: 3000000
    group:3000000:rwxpDdaARWcCo-:fd-----:allow
    group:3000001:r-x---a-R-c---:fd-----:allow
    group:3000002:rwxpDdaARWcCo-:fd-----:allow
    group:3000003:r-x---a-R-c---:fd-----:allow

[root at smb4-2 ~ (master)]# grep acl /usr/local/etc/smb4.conf
    vfs objects = dfs_samba4 zfsacl
[root at smb4-2 ~ (master)]# service samba_server onestart
Performing sanity check on Samba configuration: OK
Starting samba.
[root at smb4-2 ~ (master)]# getfacl /var/db/samba4/sysvol
# file: /var/db/samba4/sysvol
# owner: root
# group: 3000000
    owner@:rwxp----------:-------:deny
    owner@:------aARWcCos:-------:allow
    group@:rwxp--a-R-c--s:-------:allow
    everyone@:------a-R-c--s:-------:allow