Created attachment 248305
v0

It seems samba 4.17 started to use SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT (its definition is in librpc/idl/security.idl), which is not handled by libsunacl.

Without this, provisioning a DC on top of zfs fails with this error:

python3.9: acl_from_aces: a_type is 0x5
python3.9: aces_from_acl failed

I'm not sure the fix is correct though.

I am having this same issue on samba419-4.19.4

Slightly more context but I can publish and test more:

Repacking database from v1 to v2 format (first record CN=Meetings,CN=System,DC=mydomain,DC=mycompany,DC=local)
python3.9: acl_from_aces: a_type is 0x5
python3.9: aces_from_acl failed
set_nt_acl_conn: fset_nt_acl returned NT_STATUS_IO_DEVICE_ERROR.
ERROR(runtime): uncaught exception - (3221225861, 'The I/O device reported an I/O error.')
  File "/usr/local/lib/python3.9/site-packages/samba/netcmd/__init__.py", line 279, in _run
    return self.run(*args, **kwargs)

Any suggestions? ZFS properties to set?

samba416 provisions fine.

Can you provide a libsunacl binary to try?

Also, provisioning samba416 and upgrading it to samba419 appears to work, for what it's worth.

(In reply to Michael Dexter from comment #2)
If you want, what version / arch?

AMD64. I confess I have not tried to spin up Samba on another architecture but I do hope that's being tested and I'll see what I can do.

(In reply to Michael Dexter from comment #5)
http://mikael.urankar.free.fr/libsunacl.so.1

You'll probably have to make a symlink libsunacl.so -> libsunacl.so.1

(In reply to Mikael Urankar from comment #6)
Your libsunacl.so.1 allowed for a successful AD provision on 14.0 AMD64. Hopefully that fixes it!

I get the following output but will verify my paths:

Running chmod 600 /var/db/samba4/private/tls/key.pem
/var/db/samba4/private/tls/cert.pem signature is
Could not open file or uri for loading certificate from cert.pem
002061A64D5A0000:error:16000069:STORE routines:ossl_store_get0_loader_int:unregistered scheme:/usr/src/crypto/openssl/crypto/store/store_register.c:237:scheme=file
002061A64D5A0000:error:80000002:system library:file_open:No such file or directory:/usr/src/crypto/openssl/providers/implementations/storemgmt/file_store.c:267:calling stat(cert.pem)
Unable to load certificate
/var/db/samba4/private/tls/key.pem signature is
Could not open file or uri for loading private key from key.pem
0020E13032350000:error:16000069:STORE routines:ossl_store_get0_loader_int:unregistered scheme:/usr/src/crypto/openssl/crypto/store/store_register.c:237:scheme=file
0020E13032350000:error:80000002:system library:file_open:No such file or directory:/usr/src/crypto/openssl/providers/implementations/storemgmt/file_store.c:267:calling stat(key.pem)

Any chance this can be committed? As far as samba (and it is the only consumer, as far as I can see) goes, the patch works perfectly, and it would be nice not to have to patch each installation...

A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=6a6678eefe429ff40c7521ccdb93b5c4196f570f

commit 6a6678eefe429ff40c7521ccdb93b5c4196f570f
Author:     Mikael Urankar <mikael@FreeBSD.org>
AuthorDate: 2024-02-07 13:52:34 +0000
Commit:     Mikael Urankar <mikael@FreeBSD.org>
CommitDate: 2024-02-28 14:34:13 +0000

    sysutils/libsunacl: Add missing ACEs definition needed by samba

    These are needed provision a domain controller on top of ZFS.

    PR:             276940
    Approved by:    maintainer timeout

 sysutils/libsunacl/Makefile                        |  1 +
 .../libsunacl/files/patch-opensolaris__acl.c (new) | 22 ++++++++++++++++++++++
 sysutils/libsunacl/files/patch-sunacl.h (new)      | 16 ++++++++++++++++
 3 files changed, 39 insertions(+)