|Summary:||net/samba47: domain controller provision fails in a jail.|
|Product:||Ports & Packages||Reporter:||dgilbert|
|Component:||Individual Port(s)||Assignee:||Timur I. Bakeyev <timur>|
|Status:||Closed Overcome By Events|
|Severity:||Affects Some People||CC:||felix, rene|
Description dgilbert 2018-02-05 02:57:25 UTC
Test box is 11-STABLE on amd64, in a jail. I turned on 'allow.chflags' in the jail in case that would help. I'm trying to provision samba 4.7 in a jail. Compile and install went well. When I use "samba-tool domain provision --use-rfc2307 --interactive" ... I end up with:

Setting up self join
set_nt_acl_no_snum: fset_nt_acl returned NT_STATUS_INVALID_PARAMETER.
ERROR(runtime): uncaught exception - (-1073741811, 'An invalid parameter was passed to a service or function.')
  File "/usr/local/lib/python2.7/site-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/local/lib/python2.7/site-packages/samba/netcmd/domain.py", line 474, in run
    nosync=ldap_backend_nosync, ldap_dryrun_mode=ldap_dryrun_mode)
  File "/usr/local/lib/python2.7/site-packages/samba/provision/__init__.py", line 2187, in provision
    skip_sysvolacl=skip_sysvolacl)
  File "/usr/local/lib/python2.7/site-packages/samba/provision/__init__.py", line 1815, in provision_fill
    names.domaindn, lp, use_ntvfs)
  File "/usr/local/lib/python2.7/site-packages/samba/provision/__init__.py", line 1599, in setsysvolacl
    service=SYSVOL_SERVICE)
  File "/usr/local/lib/python2.7/site-packages/samba/ntacls.py", line 162, in setntacl
    smbd.set_nt_acl(file, security.SECINFO_OWNER | security.SECINFO_GROUP | security.SECINFO_DACL | security.SECINFO_SACL, sd, service=service)
Comment 1 dgilbert 2018-02-05 02:59:14 UTC
I believed this, BTW, because https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=209787 said that things with samba were fixed.
Comment 2 Timur I. Bakeyev 2018-02-05 16:00:18 UTC
(In reply to dgilbert from comment #1) The things worked fine till 4.7.3, but something had changed in 4.7.4 again and provisioning doesn't work even on a host system due to the same reason :( I'm planning a more comprehensive fix in mapping 'security' and 'system' name space into 'user' for jails. Which is a compromise in security, but extattr support in FreeBSD hasn't changed since 5.0 :(
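Comment 2 ties the failure to which extattr namespaces a jail may use. The following sh script is an added example, not part of this bug thread or of the samba port: it checks from inside the jail which of FreeBSD's extattr namespaces are writable, using setextattr(8) and rmextattr(8) from the base system. The function names and the probe attribute name are made up for illustration.

```sh
#!/bin/sh
# Added example (not from the bug thread or the port).
# FreeBSD exposes two extattr namespaces: "user" and "system".
# The functions below try a harmless write in each and report the result.

# probe_ns NAMESPACE FILE -> prints "writable" or "denied"
probe_ns() {
    attr="probe_$$"    # constructed throwaway attribute name
    if setextattr -q "$1" "$attr" 1 "$2" 2>/dev/null; then
        # clean up the probe attribute; ignore a failed removal
        rmextattr -q "$1" "$attr" "$2" 2>/dev/null || true
        echo writable
    else
        echo denied
    fi
}

# probe_dir DIR -> one "namespace=result" line per namespace,
# tested on a temporary file created inside DIR (same file system)
probe_dir() {
    tmp=$(mktemp "$1/.extattr_probe.XXXXXX" 2>/dev/null) || return 2
    for space in user system; do
        echo "$space=$(probe_ns "$space" "$tmp")"
    done
    rm -f "$tmp"
}

# verdict DIR -> prints one word:
#   ok          both namespaces writable
#   user-only   "system" is refused, "user" works
#   no-extattr  even "user" is refused (no extattr support on this FS?)
#   unknown     could not create the probe file in DIR
verdict() {
    out=$(probe_dir "$1") || { echo unknown; return 0; }
    case "$out" in
        *user=denied*)   echo no-extattr ;;
        *system=denied*) echo user-only ;;
        *)               echo ok ;;
    esac
}
```

Source the file inside the jail and call `verdict DIR` on the file system that will hold the provisioned data; running the same call on the host shows whether the difference comes from the jail.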
Comment 3 dgilbert 2018-02-05 18:35:41 UTC
Since this is failing in python code, is it the python rather than the samba code that changed?
Comment 4 Timur I. Bakeyev 2018-02-05 23:21:22 UTC
(In reply to dgilbert from comment #3) I've checked that and couldn't find anything related. Seems some code route has changed :( Well, we need a better solution than an attribute hack anyhow.
Comment 5 dgilbert 2018-02-05 23:33:16 UTC
Is there a way I can bypass this so I can get things going right now?
Comment 6 Timur I. Bakeyev 2018-02-05 23:41:18 UTC
(In reply to dgilbert from comment #5) I guess you can brute force it by changing in the Python code all:

    smbd.set_nt_acl(file, security.SECINFO_OWNER | security.SECINFO_GROUP | security.SECINFO_DACL | security.SECINFO_SACL, sd, service=service)

mentions of security.* to user.*. But no hard promises obviously :)
Comment 7 dgilbert 2018-02-14 21:28:51 UTC
(In reply to Timur I. Bakeyev from comment #6) ... so changing to user., user is not a defined symbol. security is imported from samba.dcerpc, but there's no user to import from there. Where would I import user. from, or where/how would I create it?
Comment 8 Felix Palmen 2018-05-14 17:36:28 UTC
Did someone get the "attribute hack" to work again meanwhile? I see it's unclean, but I'd be happy with it ...
Comment 9 Rene Ladan 2019-08-19 10:01:07 UTC
samba47 expired today, please use samba48 or samba410.