Bug 239105

Summary: net/samba410: samba-tool domain provision --use-rfc2307 --interactive not working
Product: Ports & Packages
Reporter: rogn4r
Component: Individual Port(s)
Assignee: Timur I. Bakeyev <timur>
Status: Closed Overcome By Events
Severity: Affects Only Me
CC: KOT, Marcel.Poetter, andrej, andriys, arrowd, basil, beckzg, byrnejb, crees, doctor, dweimer, florian.heigl, matthias, ml, mwashington, olgeni, paulo, pawel.worach, prj, rene, shakhmin, theron.bair, vince, vithushan, vvd, zirias
Priority: ---
Flags: bugzilla: maintainer-feedback? (timur)
Version: Latest
Hardware: Any
OS: Any
Attachments:
Description | Flags
plist-fix to install missing modules | none
Make ZEROCONF optional: SINGLE replaced on RADIO | none
Bump PORTREVISION, add upstream patch | none
Correct internal configuration for frist provising | none
log from named -d 10 while run samba_dnsupdate --verbose --all-names | none

Description rogn4r 2019-07-10 09:20:29 UTC
It just got stuck but did not throw any error.
Comment 1 rogn4r 2019-07-10 09:59:11 UTC
And I tried non-interactive:

WARNING: Module [group_audit_log] not found - do you need to set LDB_MODULES_PATH?
module samba_dsdb initialization failed : Operations error
Unable to load modules for /var/db/samba4/private/sam.ldb: No such Base DN: @INDEXLIST
ERROR(ldb): uncaught exception - No such Base DN: @INDEXLIST
Comment 2 Pawel Worach 2019-07-10 21:45:20 UTC
Created attachment 205675 [details]
plist-fix to install missing modules

Proposed patch, not sure about the options that control if mdb.so is built, the two audit modules are only built for AD_DC.
Comment 3 Chris Rees freebsd_committer freebsd_triage 2019-07-14 09:48:18 UTC
This has hit me too.

Pawel's patch is correct, but of course needs a PORTREVISION bump too.
Comment 4 rogn4r 2019-07-14 10:18:44 UTC
Pawel's patch works fine, thank you.
Comment 5 basil 2019-07-23 19:16:53 UTC
samba-tool domain provision --domain=TEST --use-rfc2307 --realm=test.home --adminpass=1Passw@rD


Without patch >

INFO 2019-07-24 00:36:41,587 pid:2459 /usr/local/lib/python3.6/site-packages/samba/provision/__init__.py #1297: Pre-loading the Samba 4 and AD schema
WARNING: Module [group_audit_log] not found - do you need to set LDB_MODULES_PATH?
module samba_dsdb initialization failed : Operations error
Unable to load modules for /var/db/samba4/private/sam.ldb: No such Base DN: @INDEXLIST
ERROR(ldb): uncaught exception - No such Base DN: @INDEXLIST



With patch >
INFO 2019-07-24 01:15:59,293 pid:52505 /usr/local/lib/python3.6/site-packages/samba/provision/__init__.py #2087: Looking up IPv4 addresses
WARNING 2019-07-24 01:15:59,294 pid:52505 /usr/local/lib/python3.6/site-packages/samba/provision/__init__.py #2093: More than one IPv4 address found. Using 192.168.56.25
INFO 2019-07-24 01:15:59,294 pid:52505 /usr/local/lib/python3.6/site-packages/samba/provision/__init__.py #2104: Looking up IPv6 addresses
WARNING 2019-07-24 01:15:59,294 pid:52505 /usr/local/lib/python3.6/site-packages/samba/provision/__init__.py #2111: No IPv6 address will be assigned
INFO 2019-07-24 01:15:59,544 pid:52505 /usr/local/lib/python3.6/site-packages/samba/provision/__init__.py #2277: Setting up share.ldb
INFO 2019-07-24 01:15:59,556 pid:52505 /usr/local/lib/python3.6/site-packages/samba/provision/__init__.py #2281: Setting up secrets.ldb
INFO 2019-07-24 01:15:59,565 pid:52505 /usr/local/lib/python3.6/site-packages/samba/provision/__init__.py #2287: Setting up the registry
INFO 2019-07-24 01:15:59,591 pid:52505 /usr/local/lib/python3.6/site-packages/samba/provision/__init__.py #2290: Setting up the privileges database
INFO 2019-07-24 01:15:59,605 pid:52505 /usr/local/lib/python3.6/site-packages/samba/provision/__init__.py #2293: Setting up idmap db
INFO 2019-07-24 01:15:59,616 pid:52505 /usr/local/lib/python3.6/site-packages/samba/provision/__init__.py #2300: Setting up SAM db
INFO 2019-07-24 01:15:59,622 pid:52505 /usr/local/lib/python3.6/site-packages/samba/provision/__init__.py #882: Setting up sam.ldb partitions and settings
INFO 2019-07-24 01:15:59,622 pid:52505 /usr/local/lib/python3.6/site-packages/samba/provision/__init__.py #894: Setting up sam.ldb rootDSE
INFO 2019-07-24 01:15:59,624 pid:52505 /usr/local/lib/python3.6/site-packages/samba/provision/__init__.py #1297: Pre-loading the Samba 4 and AD schema
Unable to determine the DomainSID, can not enforce uniqueness constraint on local domainSIDs

INFO 2019-07-24 01:15:59,639 pid:52505 /usr/local/lib/python3.6/site-packages/samba/provision/__init__.py #1374: Adding DomainDN: DC=test,DC=home
INFO 2019-07-24 01:15:59,648 pid:52505 /usr/local/lib/python3.6/site-packages/samba/provision/__init__.py #1406: Adding configuration container
INFO 2019-07-24 01:15:59,659 pid:52505 /usr/local/lib/python3.6/site-packages/samba/provision/__init__.py #1415: Setting up sam.ldb schema
INFO 2019-07-24 01:16:00,896 pid:52505 /usr/local/lib/python3.6/site-packages/samba/provision/__init__.py #1435: Setting up sam.ldb configuration data
ERROR(<class 'UnicodeDecodeError'>): uncaught exception - 'ascii' codec can't decode byte 0xe2 in position 513: ordinal not in range(128)
  File "/usr/local/lib/python3.6/site-packages/samba/netcmd/__init__.py", line 185, in _run
    return self.run(*args, **kwargs)
  File "/usr/local/lib/python3.6/site-packages/samba/netcmd/domain.py", line 536, in run
    backend_store=backend_store)
  File "/usr/local/lib/python3.6/site-packages/samba/provision/__init__.py", line 2342, in provision
    backend_store=backend_store)
  File "/usr/local/lib/python3.6/site-packages/samba/provision/__init__.py", line 1924, in provision_fill
    backend_store=backend_store)
  File "/usr/local/lib/python3.6/site-packages/samba/provision/__init__.py", line 1473, in fill_samdb
    "INC2012": incl_2012,
  File "/usr/local/lib/python3.6/site-packages/samba/provision/common.py", line 54, in setup_add_ldif
    data = read_and_sub_file(ldif_path, subst_vars)
  File "/usr/local/lib/python3.6/site-packages/samba/__init__.py", line 283, in read_and_sub_file
    data = open(file_name, 'r').read()
  File "/usr/local/lib/python3.6/encodings/ascii.py", line 26, in decode
    return codecs.ascii_decode(input, self.errors)[0]
Comment 7 basil 2019-07-26 05:11:28 UTC
Hi

Thank you for the help. Now I have another error:
ERROR(runtime): uncaught exception - (3221225485, 'An invalid parameter was passed to a service or function.')


P.S. net/samba48 has same problems with samba-tool, but samba-tool from net/samba47 worked fine...



root@vb-freebsd:~ # samba-tool domain provision --domain=OFFICE --use-rfc2307 --realm=office.test --adminpass=Passw@orD
INFO 2019-07-26 11:06:32,636 pid:786 /usr/local/lib/python3.6/site-packages/samba/provision/__init__.py #2087: Looking up IPv4 addresses
WARNING 2019-07-26 11:06:32,636 pid:786 /usr/local/lib/python3.6/site-packages/samba/provision/__init__.py #2093: More than one IPv4 address found. Using 192.168.56.25
INFO 2019-07-26 11:06:32,636 pid:786 /usr/local/lib/python3.6/site-packages/samba/provision/__init__.py #2104: Looking up IPv6 addresses
WARNING 2019-07-26 11:06:32,637 pid:786 /usr/local/lib/python3.6/site-packages/samba/provision/__init__.py #2111: No IPv6 address will be assigned
INFO 2019-07-26 11:06:32,912 pid:786 /usr/local/lib/python3.6/site-packages/samba/provision/__init__.py #2277: Setting up share.ldb
INFO 2019-07-26 11:06:32,925 pid:786 /usr/local/lib/python3.6/site-packages/samba/provision/__init__.py #2281: Setting up secrets.ldb
INFO 2019-07-26 11:06:32,936 pid:786 /usr/local/lib/python3.6/site-packages/samba/provision/__init__.py #2287: Setting up the registry
INFO 2019-07-26 11:06:32,959 pid:786 /usr/local/lib/python3.6/site-packages/samba/provision/__init__.py #2290: Setting up the privileges database
INFO 2019-07-26 11:06:32,971 pid:786 /usr/local/lib/python3.6/site-packages/samba/provision/__init__.py #2293: Setting up idmap db
INFO 2019-07-26 11:06:32,982 pid:786 /usr/local/lib/python3.6/site-packages/samba/provision/__init__.py #2300: Setting up SAM db
INFO 2019-07-26 11:06:32,987 pid:786 /usr/local/lib/python3.6/site-packages/samba/provision/__init__.py #882: Setting up sam.ldb partitions and settings
INFO 2019-07-26 11:06:32,988 pid:786 /usr/local/lib/python3.6/site-packages/samba/provision/__init__.py #894: Setting up sam.ldb rootDSE
INFO 2019-07-26 11:06:32,990 pid:786 /usr/local/lib/python3.6/site-packages/samba/provision/__init__.py #1297: Pre-loading the Samba 4 and AD schema
Unable to determine the DomainSID, can not enforce uniqueness constraint on local domainSIDs

INFO 2019-07-26 11:06:33,009 pid:786 /usr/local/lib/python3.6/site-packages/samba/provision/__init__.py #1374: Adding DomainDN: DC=office,DC=test
INFO 2019-07-26 11:06:33,019 pid:786 /usr/local/lib/python3.6/site-packages/samba/provision/__init__.py #1406: Adding configuration container
INFO 2019-07-26 11:06:33,029 pid:786 /usr/local/lib/python3.6/site-packages/samba/provision/__init__.py #1415: Setting up sam.ldb schema
INFO 2019-07-26 11:06:34,241 pid:786 /usr/local/lib/python3.6/site-packages/samba/provision/__init__.py #1435: Setting up sam.ldb configuration data
INFO 2019-07-26 11:06:34,334 pid:786 /usr/local/lib/python3.6/site-packages/samba/provision/__init__.py #1476: Setting up display specifiers
INFO 2019-07-26 11:06:35,232 pid:786 /usr/local/lib/python3.6/site-packages/samba/provision/__init__.py #1484: Modifying display specifiers and extended rights
INFO 2019-07-26 11:06:35,254 pid:786 /usr/local/lib/python3.6/site-packages/samba/provision/__init__.py #1491: Adding users container
INFO 2019-07-26 11:06:35,255 pid:786 /usr/local/lib/python3.6/site-packages/samba/provision/__init__.py #1497: Modifying users container
INFO 2019-07-26 11:06:35,256 pid:786 /usr/local/lib/python3.6/site-packages/samba/provision/__init__.py #1500: Adding computers container
INFO 2019-07-26 11:06:35,257 pid:786 /usr/local/lib/python3.6/site-packages/samba/provision/__init__.py #1506: Modifying computers container
INFO 2019-07-26 11:06:35,258 pid:786 /usr/local/lib/python3.6/site-packages/samba/provision/__init__.py #1510: Setting up sam.ldb data
INFO 2019-07-26 11:06:35,347 pid:786 /usr/local/lib/python3.6/site-packages/samba/provision/__init__.py #1540: Setting up well known security principals
INFO 2019-07-26 11:06:35,366 pid:786 /usr/local/lib/python3.6/site-packages/samba/provision/__init__.py #1554: Setting up sam.ldb users and groups
INFO 2019-07-26 11:06:35,457 pid:786 /usr/local/lib/python3.6/site-packages/samba/provision/__init__.py #1562: Setting up self join
set_nt_acl_no_snum: fset_nt_acl returned NT_STATUS_INVALID_PARAMETER.
ERROR(runtime): uncaught exception - (3221225485, 'An invalid parameter was passed to a service or function.')
  File "/usr/local/lib/python3.6/site-packages/samba/netcmd/__init__.py", line 185, in _run
    return self.run(*args, **kwargs)
  File "/usr/local/lib/python3.6/site-packages/samba/netcmd/domain.py", line 536, in run
    backend_store=backend_store)
  File "/usr/local/lib/python3.6/site-packages/samba/provision/__init__.py", line 2342, in provision
    backend_store=backend_store)
  File "/usr/local/lib/python3.6/site-packages/samba/provision/__init__.py", line 1946, in provision_fill
    names.domaindn, lp, use_ntvfs)
  File "/usr/local/lib/python3.6/site-packages/samba/provision/__init__.py", line 1726, in setsysvolacl
    _setntacl(sysvol)
  File "/usr/local/lib/python3.6/site-packages/samba/provision/__init__.py", line 1723, in _setntacl
    service=SYSVOL_SERVICE, session_info=session_info)
  File "/usr/local/lib/python3.6/site-packages/samba/ntacls.py", line 230, in setntacl
    service=service, session_info=session_info)
Comment 8 Vladimir Druzenko freebsd_committer freebsd_triage 2019-07-29 23:57:44 UTC
>    * BUG 13828: samba-tool domain provision: Fix --interactive module in
>     python3.
https://www.samba.org/samba/history/samba-4.10.6.html
Comment 9 Andrej Ebert 2019-08-05 12:13:45 UTC
This also hit me on an upgrade of a domain controller from 4.6 to 4.10, the server wouldn't start:
[2019/08/05 13:22:00.865649,  0, effective(0, 0), real(0, 0)] ../../lib/ldb-samba/ldb_wrap.c:79(ldb_wrap_debug)
  ldb: WARNING: Module [group_audit_log] not found - do you need to set LDB_MODULES_PATH?
[2019/08/05 13:22:00.865741,  0, effective(0, 0), real(0, 0)] ../../lib/ldb-samba/ldb_wrap.c:79(ldb_wrap_debug)
  ldb: module samba_dsdb initialization failed : Operations error
[2019/08/05 13:22:00.865787,  0, effective(0, 0), real(0, 0)] ../../lib/ldb-samba/ldb_wrap.c:79(ldb_wrap_debug)
  ldb: Unable to load modules for /var/db/samba4/private/sam.ldb: (null)
[2019/08/05 13:22:00.867065,  0, effective(0, 0), real(0, 0)] ../../lib/util/become_daemon.c:122(exit_daemon)
  exit_daemon: daemon failed to start: Samba failed to prime database, error code 22

After copying the 3 modules from the diff to /usr/local/lib/samba4/modules/ldb it works as expected, a recompile and reinstall after applying the diff didn't work for some reason (modules still weren't there).
Comment 10 commit-hook freebsd_committer freebsd_triage 2019-08-19 22:23:11 UTC
A commit references this bug:

Author: timur
Date: Mon Aug 19 22:22:35 UTC 2019
New revision: 509383
URL: https://svnweb.freebsd.org/changeset/ports/509383

Log:
  Upgrade samba410 port to 4.10.6 version. Fixed vfs_freebsd to match newer
  configure test. This release should fix provisioning on UFS2 systems, ZFS
  provisioning is still broken...

  PR:		239105

Changes:
  head/net/samba410/Makefile
  head/net/samba410/distinfo
  head/net/samba410/files/man/ldb.3
  head/net/samba410/files/patch-lib_ldb_wscript
  head/net/samba410/files/patch-lib_tdb_wscript
  head/net/samba410/files/patch-listen-backlog
  head/net/samba410/files/patch-vfs_freebsd
  head/net/samba410/pkg-plist
Comment 11 Vladimir Druzenko freebsd_committer freebsd_triage 2019-08-20 00:00:00 UTC
Thanks!
Please add NONE to the ZEROCONF section.
This line makes it mandatory for me to use one: "OPTIONS_SINGLE= GSSAPI ZEROCONF".
Comment 12 Vladimir Druzenko freebsd_committer freebsd_triage 2019-08-20 00:05:48 UTC
Or this way:

--- Makefile.orig
+++ Makefile
@@ -98,9 +98,9 @@
 OPTIONS_SINGLE=                        GSSAPI ZEROCONF
 # GSSAPI_HEIMDAL
 OPTIONS_SINGLE_GSSAPI=         GSSAPI_BUILTIN GSSAPI_MIT
-OPTIONS_SINGLE_ZEROCONF=       AVAHI MDNSRESPONDER

-OPTIONS_RADIO=                 DNS
+OPTIONS_RADIO=                 ZEROCONF DNS
+OPTIONS_RADIO_ZEROCONF=                AVAHI MDNSRESPONDER
 OPTIONS_RADIO_DNS=             NSUPDATE BIND911 BIND914
 ##############################################################################
 AD_DC_DESC=                    Active Directory Domain Controller
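Review bot: The unchanged first context line still reads "OPTIONS_SINGLE= GSSAPI ZEROCONF", so after this hunk ZEROCONF is listed as a SINGLE group with no OPTIONS_SINGLE_ZEROCONF members left and, at the same time, as a RADIO group. If the intent is to make ZEROCONF optional, that line should be reduced to "OPTIONS_SINGLE= GSSAPI" in the same hunk so the option is defined in one group only.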
Comment 13 andriys 2019-08-20 02:27:57 UTC
Also a related problem - databases/Makefile is missing the ldb15 entry.
Comment 14 Vladimir Druzenko freebsd_committer freebsd_triage 2019-08-20 11:20:02 UTC
Weird - on amd64 12.0 and 11.3 it builds fine with my patch, but on i386 12.0 I got an error:

===>  Installing for samba410-4.10.6
===>  Checking if samba410 is already installed
===>   Registering installation for samba410-4.10.6
pkg-static: Unable to access file /usr/obj/usr/ports/net/samba410/work/stage/usr/local/lib/samba4/modules/ldb/mdb.so:No such file or directory
*** Error code 74

Stop.
make[1]: stopped in /usr/ports/net/samba410
*** Error code 1

# find /usr/obj/usr/ports/net/samba410/work/ -name mdb.so
# grep -R /mdb.so /usr/ports/net/samba410
/usr/ports/net/samba410/pkg-plist:%%AD_DC%%%%SAMBA4_BUNDLED_LDB%%%%SAMBA4_MODULEDIR%%/ldb/mdb.so
Comment 15 Felix Palmen freebsd_committer freebsd_triage 2019-08-20 19:26:59 UTC
Just a quick note: this hit me when upgrading samba from 48 to 410 on a machine that was provisioned as ADDC with samba47. The patch attached here resolved the issue, so thanks for that! Please resolve remaining issues and commit this soon :)

BR, Felix
Comment 16 Vladimir Druzenko freebsd_committer freebsd_triage 2019-08-20 19:33:37 UTC
(In reply to Felix Palmen from comment #15)
What patch?
Comment 17 Felix Palmen freebsd_committer freebsd_triage 2019-08-20 20:37:04 UTC
(In reply to VVD from comment #16)
The one attached here. I'm on amd64...
Comment 18 Vladimir Druzenko freebsd_committer freebsd_triage 2019-08-20 21:20:16 UTC
(In reply to Felix Palmen from comment #17)
This: https://bugs.freebsd.org/bugzilla/attachment.cgi?id=205675&action=diff ?
It's applied already - check net/samba410/pkg-plist file.
Comment 19 Matthias Petermann 2019-08-21 09:04:34 UTC
Thanks for solving this issue. Can this be pulled up to 2019Q3 branch?
Comment 20 Vincent Bentley 2019-08-21 09:47:42 UTC
(In reply to VVD from comment #14)
I haven't applied any patches, but I got the same error today with Poudriere trying to build on i386 12.0-RELEASE-p8

=======================<phase: package        >============================
===>  Building package for samba410-4.10.6
pkg-static: Unable to access file /wrkdirs/usr/ports/net/samba410/work/stage/usr/local/lib/samba4/modules/ldb/mdb.so:No such file or directory
*** Error code 1
Comment 21 doctor 2019-08-22 20:11:26 UTC
Samba 4.10.7 is out. Why not move up that way and see if the problems go away?
Comment 22 Vladimir Druzenko freebsd_committer freebsd_triage 2019-08-22 23:23:50 UTC
Created attachment 206805 [details]
Make ZEROCONF optional: SINGLE replaced on RADIO

Build error on i386 gone after patch: https://svnweb.freebsd.org/ports?view=revision&revision=509598

But still can't build samba410 without ZEROCONF on any platform - patch attached.
Comment 23 doctor 2019-08-23 14:07:28 UTC
Just updated and now I get 

Traceback (most recent call last):
  File "/usr/local/bin/samba-tool", line 33, in <module>
    from samba.netcmd.main import cmd_sambatool
  File "/usr/local/lib/python3.6/site-packages/samba/__init__.py", line 28, in <module>
    import ldb
ImportError: /usr/local/lib/python3.6/site-packages/ldb.so: Undefined symbol "ldb_handler_copy"
Comment 24 andriys 2019-08-23 14:22:49 UTC
Undefined symbol error happens because ldb is now "builtin" by default. I have reported a similar issue (https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=239480) for the net/samba48 port almost a month ago.
Comment 25 doctor 2019-08-23 14:44:59 UTC
(In reply to doctor from comment #23)
May I suggest that databases/ldb15 be a dependency on net/samba410?
Comment 26 doctor 2019-08-23 23:42:24 UTC
Also I am trying to follow https://www.youtube.com/watch?v=riWQ1WZi5BM which seems to work for 10.1, but since some changes have been made, Python failures are showing up. Is there any way to treat this as though it needed to be fixed yesterday?
Comment 27 tlb 2019-09-08 05:05:07 UTC
Still broken:

--- snip ---

[root@dc ~]# samba-tool domain provision --use-rfc2307 --interactive
Realm [XXX.NET]:
Domain [XXX]:  XXX
Server Role (dc, member, standalone) [dc]:  dc
DNS backend (SAMBA_INTERNAL, BIND9_FLATFILE, BIND9_DLZ, NONE) [SAMBA_INTERNAL]:  BIND9_DLZ
Administrator password:
Retype password:
INFO 2019-09-07 20:58:55,561 pid:37356 /usr/local/lib/python3.6/site-packages/samba/provision/__init__.py #2096: Looking up IPv4 addresses
INFO 2019-09-07 20:58:55,562 pid:37356 /usr/local/lib/python3.6/site-packages/samba/provision/__init__.py #2113: Looking up IPv6 addresses
WARNING 2019-09-07 20:58:55,562 pid:37356 /usr/local/lib/python3.6/site-packages/samba/provision/__init__.py #2120: No IPv6 address will be assigned
INFO 2019-09-07 20:58:56,284 pid:37356 /usr/local/lib/python3.6/site-packages/samba/provision/__init__.py #2286: Setting up share.ldb
Unable to find backend for '/var/db/samba4/private/share.ldb' - do you need to set LDB_MODULES_PATH?
ERROR(ldb): uncaught exception - None
  File "/usr/local/lib/python3.6/site-packages/samba/netcmd/__init__.py", line 185, in _run
    return self.run(*args, **kwargs)
  File "/usr/local/lib/python3.6/site-packages/samba/netcmd/domain.py", line 537, in run
    backend_store=backend_store)
  File "/usr/local/lib/python3.6/site-packages/samba/provision/__init__.py", line 2287, in provision
    share_ldb = Ldb(paths.shareconf, session_info=session_info, lp=lp)
  File "/usr/local/lib/python3.6/site-packages/samba/__init__.py", line 115, in __init__
    self.connect(url, flags, options)
[root@dc ~]#
--- snip ---

Also, I imagine this should probably be marked as affecting more than "only me", since I imagine a lot of people would like to use the Samba AD DC functionality.
Comment 28 Phillip R. Jaenke 2019-09-14 21:55:32 UTC
Please fix the importance to 'affects everyone.' This has clearly been broken for months, and quite obviously breaks core functionality. A fix for what should be a simple problem is needed ASAP.
Comment 29 Vithushan Ka. 2019-09-14 23:31:22 UTC
(In reply to tlb from comment #27)

Add this to your make.conf:

SAMBA4_BUNDLED_TALLOC=          no
SAMBA4_BUNDLED_TEVENT=          no
SAMBA4_BUNDLED_TDB=             no
SAMBA4_BUNDLED_LDB=             no

That works for me.
Comment 30 Phillip R. Jaenke 2019-09-15 02:40:32 UTC
(In reply to Vithushan Ka. from comment #29)

No, your claimed fix does not fix anything. This breaks LMDB linking which results in a build that CANNOT be used as a domain controller. AD_DC requires both LDB and LMDB. This is what you get with 'SAMBA4_BUNDLED_LDB=no'

Makefile:
# LMDB
SAMBA4_LMDB_DEPENDS=        lmdb>=0.9.16:databases/lmdb
PLIST_FILES+=           lib/samba4/private/libldb-mdb-int-samba4.so \
                ${SAMBA4_MODULEDIR}/ldb/mdb.so

# pkg info -l samba410 | grep lmdb
#
# pkg info -l samba410 | grep libldb-mdb
#
# ls -l /usr/local/lib/samba4/private/libldb-mdb-int-samba4.so
ls: /usr/local/lib/samba4/private/libldb-mdb-int-samba4.so: No such file or directory
# ls -l /usr/local/lib/samba4/modules
ls: /usr/local/lib/samba4/modules: No such file or directory
Comment 31 tlb 2019-09-19 19:33:56 UTC
I gather that we can look forward to more months of this port being utterly broken and that fact ignored, then?
Comment 32 Timur I. Bakeyev freebsd_committer freebsd_triage 2019-09-19 22:29:21 UTC
(In reply to tlb from comment #31)

Feel free to send patches.
Comment 33 Vithushan Ka. 2019-09-20 15:38:45 UTC
(In reply to Phillip R. Jaenke from comment #30)


With the option I used I had to install ldb15 and it's good. Provision works, user creation works, and GPOs too. On UFS it's OK, but on ZFS it is broken on the sysvol right. I think by putting the right nfsv4 manually the supply should work properly. It seems that samba-tool is broken but not smbd and the rest.

PS: Sorry, I'm French sorry for my English, I was not a fan of my English teacher who did not love English ...
Comment 34 florian.heigl 2019-10-10 18:44:56 UTC
I'm not sure if I understand this in full (after just a day of trying), but:
it's my understanding that the problem revolves around the AD DC feature, when running on a ZFS system?

The start script currently tries to launch /usr/local/sbin/samba which is only created IF you have the AD DC option configured.

If this samba server is your AD DC, then right now you have a big problem.
But, as far as I know, the majority of samba servers are NOT AD DC's.

Is it possible to document the flags that would allow building the port only for a file server - and make those the defaults?
That would mean in the pkg's we have on the repos there would be a samba that works on ZFS systems, except for one (not enabled) case. Instead right now we have a Samba that does not work for anyone at all (on ZFS, but that's pretty much a given), while also not making it work for the people that use it for DC. So, in fact, we seem to default to the worst possible case?

It gets complicated by the start script looking to start "samba" but that could be a problem in general since that tool is not built in all cases as far as I could see.

Sorry if I am stepping on any toes here. But it seems a hard-to-solve problem and maybe it would be easier to reduce its impact.
Comment 35 andriys 2019-10-11 10:55:18 UTC
(In reply to florian.heigl from comment #34)

You've got it wrong. This only concerns AD DC setups. File server setups work just fine- I have quite a few of them running samba410 from the official repo, all running on ZFS, some joined to AD and some standalone... I do not currently experience any problems with any of them.
Comment 36 Chris Rees freebsd_committer freebsd_triage 2019-10-11 19:15:00 UTC
(In reply to Timur I. Bakeyev from comment #32)

Sorry, replying late here.

You rejected my last patch, because it went against portmgr's wishes. Unfortunately I can't find the email you referenced, because I'd like to reply to make a few comments to them - do you know which list it was on or have a link?
Comment 37 Zoltan 2020-01-02 09:00:26 UTC
Hi,

I have a strange situation: my hardware failed, and after it was repaired I wanted to restore my Samba DC, but the restore command fails:

samba-tool domain backup restore --backup-file=/samba.online/samba-backup-domain.local-2020-01-02T02-01-25.719514.tar.bz2 --targetdir=/var/db/samba4/ --newservername=dc01.domain.local

but the restore fails with this error:

set_nt_acl_no_snum: fset_nt_acl returned NT_STATUS_INVALID_PARAMETER.
ERROR(runtime): uncaught exception - (3221225485, 'An invalid parameter was passed to a service or function.')
  File "/usr/local/lib/python3.6/site-packages/samba/netcmd/__init__.py", line 185, in _run
    return self.run(*args, **kwargs)
  File "/usr/local/lib/python3.6/site-packages/samba/netcmd/domain_backup.py", line 624, in run
    backup_restore(sysvol_tar, dest_sysvol_dir, samdb, smbconf)
  File "/usr/local/lib/python3.6/site-packages/samba/ntacls.py", line 604, in backup_restore
    ntacls_helper.setntacl(dst, ntacl_sddl_str)
  File "/usr/local/lib/python3.6/site-packages/samba/ntacls.py", line 460, in setntacl
    use_ntvfs=self.use_ntvfs)
  File "/usr/local/lib/python3.6/site-packages/samba/ntacls.py", line 232, in setntacl
    service=service, session_info=session_info)

======================================================================================

I tried to provision a new domain just for testing, but this fails as well and looks like in the same step:

INFO 2020-01-02 09:58:01,640 pid:1775 /usr/local/lib/python3.6/site-packages/samba/provision/__init__.py #1411: Adding configuration container
INFO 2020-01-02 09:58:01,673 pid:1775 /usr/local/lib/python3.6/site-packages/samba/provision/__init__.py #1426: Setting up sam.ldb schema
INFO 2020-01-02 09:58:04,827 pid:1775 /usr/local/lib/python3.6/site-packages/samba/provision/__init__.py #1444: Setting up sam.ldb configuration data
INFO 2020-01-02 09:58:05,078 pid:1775 /usr/local/lib/python3.6/site-packages/samba/provision/__init__.py #1485: Setting up display specifiers
INFO 2020-01-02 09:58:07,856 pid:1775 /usr/local/lib/python3.6/site-packages/samba/provision/__init__.py #1493: Modifying display specifiers and extended rights
INFO 2020-01-02 09:58:07,913 pid:1775 /usr/local/lib/python3.6/site-packages/samba/provision/__init__.py #1500: Adding users container
INFO 2020-01-02 09:58:07,915 pid:1775 /usr/local/lib/python3.6/site-packages/samba/provision/__init__.py #1506: Modifying users container
INFO 2020-01-02 09:58:07,916 pid:1775 /usr/local/lib/python3.6/site-packages/samba/provision/__init__.py #1509: Adding computers container
INFO 2020-01-02 09:58:07,918 pid:1775 /usr/local/lib/python3.6/site-packages/samba/provision/__init__.py #1515: Modifying computers container
INFO 2020-01-02 09:58:07,920 pid:1775 /usr/local/lib/python3.6/site-packages/samba/provision/__init__.py #1519: Setting up sam.ldb data
INFO 2020-01-02 09:58:08,127 pid:1775 /usr/local/lib/python3.6/site-packages/samba/provision/__init__.py #1549: Setting up well known security principals
INFO 2020-01-02 09:58:08,170 pid:1775 /usr/local/lib/python3.6/site-packages/samba/provision/__init__.py #1563: Setting up sam.ldb users and groups
INFO 2020-01-02 09:58:08,345 pid:1775 /usr/local/lib/python3.6/site-packages/samba/provision/__init__.py #1571: Setting up self join
set_nt_acl_no_snum: fset_nt_acl returned NT_STATUS_INVALID_PARAMETER.
ERROR(runtime): uncaught exception - (3221225485, 'An invalid parameter was passed to a service or function.')
  File "/usr/local/lib/python3.6/site-packages/samba/netcmd/__init__.py", line 185, in _run
    return self.run(*args, **kwargs)
  File "/usr/local/lib/python3.6/site-packages/samba/netcmd/domain.py", line 537, in run
    backend_store=backend_store)
  File "/usr/local/lib/python3.6/site-packages/samba/provision/__init__.py", line 2351, in provision
    backend_store=backend_store)
  File "/usr/local/lib/python3.6/site-packages/samba/provision/__init__.py", line 1955, in provision_fill
    names.domaindn, lp, use_ntvfs)
  File "/usr/local/lib/python3.6/site-packages/samba/provision/__init__.py", line 1735, in setsysvolacl
    _setntacl(sysvol)
  File "/usr/local/lib/python3.6/site-packages/samba/provision/__init__.py", line 1732, in _setntacl
    service=SYSVOL_SERVICE, session_info=session_info)
  File "/usr/local/lib/python3.6/site-packages/samba/ntacls.py", line 232, in setntacl
    service=service, session_info=session_info)

======================================================================================
# uname
FreeBSD 12.1-RELEASE-p1 GENERIC  amd64
# samba -V
Version 4.10.11
Comment 38 Zoltan 2020-01-02 13:20:05 UTC
Today I did some more tests with fresh installs:

FreeBSD 12.1: samba410 and samba48
FreeBSD 12.0: samba410 and samba48
FreeBSD 11.3: samba410 and samba48

And all the test cases died on the same step:

INFO 2020-01-02 14:16:37,583 pid:52821 /usr/local/lib/python3.6/site-packages/samba/provision/__init__.py #1379: Adding DomainDN: DC=domain,DC=intra
INFO 2020-01-02 14:16:37,614 pid:52821 /usr/local/lib/python3.6/site-packages/samba/provision/__init__.py #1411: Adding configuration container
INFO 2020-01-02 14:16:37,640 pid:52821 /usr/local/lib/python3.6/site-packages/samba/provision/__init__.py #1426: Setting up sam.ldb schema
INFO 2020-01-02 14:16:40,974 pid:52821 /usr/local/lib/python3.6/site-packages/samba/provision/__init__.py #1444: Setting up sam.ldb configuration data
INFO 2020-01-02 14:16:41,207 pid:52821 /usr/local/lib/python3.6/site-packages/samba/provision/__init__.py #1485: Setting up display specifiers
INFO 2020-01-02 14:16:43,648 pid:52821 /usr/local/lib/python3.6/site-packages/samba/provision/__init__.py #1493: Modifying display specifiers and extended rights
INFO 2020-01-02 14:16:43,748 pid:52821 /usr/local/lib/python3.6/site-packages/samba/provision/__init__.py #1500: Adding users container
INFO 2020-01-02 14:16:43,752 pid:52821 /usr/local/lib/python3.6/site-packages/samba/provision/__init__.py #1506: Modifying users container
INFO 2020-01-02 14:16:43,754 pid:52821 /usr/local/lib/python3.6/site-packages/samba/provision/__init__.py #1509: Adding computers container
INFO 2020-01-02 14:16:43,758 pid:52821 /usr/local/lib/python3.6/site-packages/samba/provision/__init__.py #1515: Modifying computers container
INFO 2020-01-02 14:16:43,760 pid:52821 /usr/local/lib/python3.6/site-packages/samba/provision/__init__.py #1519: Setting up sam.ldb data
INFO 2020-01-02 14:16:44,080 pid:52821 /usr/local/lib/python3.6/site-packages/samba/provision/__init__.py #1549: Setting up well known security principals
INFO 2020-01-02 14:16:44,136 pid:52821 /usr/local/lib/python3.6/site-packages/samba/provision/__init__.py #1563: Setting up sam.ldb users and groups
INFO 2020-01-02 14:16:44,400 pid:52821 /usr/local/lib/python3.6/site-packages/samba/provision/__init__.py #1571: Setting up self join
set_nt_acl_no_snum: fset_nt_acl returned NT_STATUS_INVALID_PARAMETER.
ERROR(runtime): uncaught exception - (3221225485, 'An invalid parameter was passed to a service or function.')
  File "/usr/local/lib/python3.6/site-packages/samba/netcmd/__init__.py", line 185, in _run
    return self.run(*args, **kwargs)
  File "/usr/local/lib/python3.6/site-packages/samba/netcmd/domain.py", line 537, in run
    backend_store=backend_store)
  File "/usr/local/lib/python3.6/site-packages/samba/provision/__init__.py", line 2351, in provision
    backend_store=backend_store)
  File "/usr/local/lib/python3.6/site-packages/samba/provision/__init__.py", line 1955, in provision_fill
    names.domaindn, lp, use_ntvfs)
  File "/usr/local/lib/python3.6/site-packages/samba/provision/__init__.py", line 1735, in setsysvolacl
    _setntacl(sysvol)
  File "/usr/local/lib/python3.6/site-packages/samba/provision/__init__.py", line 1732, in _setntacl
    service=SYSVOL_SERVICE, session_info=session_info)
  File "/usr/local/lib/python3.6/site-packages/samba/ntacls.py", line 232, in setntacl
    service=service, session_info=session_info)
Comment 39 Zoltan 2020-01-02 13:50:13 UTC
I did one last test, until now the filesystem was ufs with ACL enabled (fstab: acls), now I tried with ZFS root, the same result!
Comment 40 Ruslan 2020-01-09 09:36:22 UTC
(In reply to Zoltan from comment #38)
FreeBSD 11.3 AMD64, tried both Samba 4.8 and 4.10 on UFS + acls
Got same error
Comment 41 Ruslan 2020-01-17 12:12:19 UTC
Domain provision was successful after adding --option="vfs objects=freebsd" to samba-tool string on Samba 4.10 on UFS file system
Comment 42 Phillip R. Jaenke 2020-01-18 04:12:57 UTC
Confirming the vfs objects works. But introduces a VERY strange new bug to rfc2307 domains which BADLY breaks the domain controller and has significant security implications.

With a completely clean install, create a new domain. Configure nsswitch to use 'files winbind' for users and groups. Set 'winbind enum users = yes' and 'winbind enum groups = yes' in /usr/local/etc/smb4.conf (both settings must be present to actually enumerate fully.)

Now do 'getent group |grep -i user'
What you should see:
MYDOMAIN\enterprise read-only domain controllers:x:3000037
MYDOMAIN\domain admins:x:3000004
MYDOMAIN\domain users:x:3000013 <--- well known SID 513
MYDOMAIN\domain guests:x:3000014
MYDOMAIN\domain computers:x:3000038
MYDOMAIN\domain controllers:x:3000039
MYDOMAIN\read-only domain controllers:x:3000040

What you will ACTUALLY get:
MYDOMAIN\enterprise read-only domain controllers:x:3000037
MYDOMAIN\domain admins:x:3000004
MYDOMAIN\domain users:x:20 <--- BUG!!
MYDOMAIN\domain guests:x:3000014
MYDOMAIN\domain computers:x:3000038
MYDOMAIN\domain controllers:x:3000039
MYDOMAIN\read-only domain controllers:x:3000040

For some insane reason, Samba is using the staff group. Unless you have a group named 'users' in which case, it takes that GID instead. (But not the group 'user'.) Even if an explicit GID is set via ADUC, e.g. 100513, _that explicit GID is ignored_. It continues to use GID 20. And because this data is propagated to all DC members in its broken state, this is very severe breakage that also creates a security hole. Specifically in that users that only exist in 'domain users' will now be 'staff' which is not unlikely to be used to control access on local accounts.
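A check for the collision described in this comment, as an added example (not part of the original comment and not Samba code): it reads `getent group` output and reports every domain group whose GID is also held by a local group. It assumes the default winbind separator `\` marks domain entries; the sample input is constructed from the listing above.

```shell
#!/bin/sh
# Added example: flag winbind (domain) groups whose GID collides with a
# local group, as in "MYDOMAIN\domain users" resolving to GID 20 (staff).
# Input: getent-style lines on stdin, name:passwd:gid[:members].
# Assumption: domain entries contain the default winbind separator "\".

find_gid_collisions() {
    awk -F: '
        # Ignore blank or malformed lines (fewer than 3 fields, non-numeric GID).
        NF < 3 || $3 !~ /^[0-9]+$/ { next }

        # Domain group: remember name and GID, compare once all input is read.
        index($1, "\\") > 0 { dom_name[++n] = $1; dom_gid[n] = $3; next }

        # Local group: remember the first name seen for each GID.
        { if (!($3 in localgrp)) localgrp[$3] = $1 }

        END {
            for (i = 1; i <= n; i++)
                if (dom_gid[i] in localgrp)
                    printf "%s gid=%s collides with local group %s\n",
                           dom_name[i], dom_gid[i], localgrp[dom_gid[i]]
        }
    '
}

# Constructed sample: two local groups plus three of the domain groups
# from the listing above, with "domain users" on GID 20.
sample_getent() {
    cat <<'EOF'
wheel:*:0:root
staff:*:20:root
MYDOMAIN\domain admins:x:3000004:
MYDOMAIN\domain users:x:20:
MYDOMAIN\domain guests:x:3000014:
EOF
}

# On a live system: getent group | find_gid_collisions
sample_getent | find_gid_collisions
```

Any line it prints means members of that domain group are treated as members of the named local group wherever that GID controls access.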
Comment 43 Phillip R. Jaenke 2020-01-18 15:59:07 UTC
Yup... turns out the whole provisioning scheme regardless of UFS2 or ZFS is completely broken and the gid issue is probably symptomatic. Attempting to join a machine to the FreeBSD DC results in an SID error; no users work and no machines can join.

[root@mojache ~]# net ads join -U Administrator osName=$(uname) osVer=$(freebsd-version -u | cut -d - -f 1,2)
Enter Administrator's password:
Failed to join domain: failed to lookup DC info for domain 'CONTOSO.COM' over rpc: Indicates the SID structure is not valid.

And on the DC side:

/usr/local/sbin/smbd: Unable to convert first SID (S-1-5-21-2567504302-1893494875-3192355551-500) in user token to a UID.  Conversion was returned as type 0, full token:
/usr/local/sbin/smbd: Security token SIDs (14):
/usr/local/sbin/smbd:   SID[  0]: S-1-5-21-2567504302-1893494875-3192355551-500
/usr/local/sbin/smbd:   SID[  1]: S-1-5-21-2567504302-1893494875-3192355551-513
/usr/local/sbin/smbd:   SID[  2]: S-1-5-21-2567504302-1893494875-3192355551-512
/usr/local/sbin/smbd:   SID[  3]: S-1-5-21-2567504302-1893494875-3192355551-572
/usr/local/sbin/smbd:   SID[  4]: S-1-5-21-2567504302-1893494875-3192355551-518
/usr/local/sbin/smbd:   SID[  5]: S-1-5-21-2567504302-1893494875-3192355551-519
/usr/local/sbin/smbd:   SID[  6]: S-1-5-21-2567504302-1893494875-3192355551-520
/usr/local/sbin/smbd:   SID[  7]: S-1-1-0
/usr/local/sbin/smbd:   SID[  8]: S-1-5-2
/usr/local/sbin/smbd:   SID[  9]: S-1-5-11
/usr/local/sbin/smbd:   SID[ 10]: S-1-5-64-10
/usr/local/sbin/smbd:   SID[ 11]: S-1-5-32-544
/usr/local/sbin/smbd:   SID[ 12]: S-1-5-32-545
/usr/local/sbin/smbd:   SID[ 13]: S-1-5-32-554
/usr/local/sbin/smbd:  Privileges (0x        1FFFFF00):
/usr/local/sbin/smbd:   Privilege[  0]: SeTakeOwnershipPrivilege
/usr/local/sbin/smbd:   Privilege[  1]: SeBackupPrivilege
/usr/local/sbin/smbd:   Privilege[  2]: SeRestorePrivilege
/usr/local/sbin/smbd:   Privilege[  3]: SeRemoteShutdownPrivilege
/usr/local/sbin/smbd:   Privilege[  4]: SeSecurityPrivilege
/usr/local/sbin/smbd:   Privilege[  5]: SeSystemtimePrivilege
/usr/local/sbin/smbd:   Privilege[  6]: SeShutdownPrivilege
/usr/local/sbin/smbd:   Privilege[  7]: SeDebugPrivilege
/usr/local/sbin/smbd:   Privilege[  8]: SeSystemEnvironmentPrivilege
/usr/local/sbin/smbd:   Privilege[  9]: SeSystemProfilePrivilege
/usr/local/sbin/smbd:   Privilege[ 10]: SeProfileSingleProcessPrivilege
/usr/local/sbin/smbd:   Privilege[ 11]: SeIncreaseBasePriorityPrivilege
/usr/local/sbin/smbd:   Privilege[ 12]: SeLoadDriverPrivilege
/usr/local/sbin/smbd:   Privilege[ 13]: SeCreatePagefilePrivilege
/usr/local/sbin/smbd:   Privilege[ 14]: SeIncreaseQuotaPrivilege
/usr/local/sbin/smbd:   Privilege[ 15]: SeChangeNotifyPrivilege
/usr/local/sbin/smbd:   Privilege[ 16]: SeUndockPrivilege
/usr/local/sbin/smbd:   Privilege[ 17]: SeManageVolumePrivilege
/usr/local/sbin/smbd:   Privilege[ 18]: SeImpersonatePrivilege
/usr/local/sbin/smbd:   Privilege[ 19]: SeCreateGlobalPrivilege
/usr/local/sbin/smbd:   Privilege[ 20]: SeEnableDelegationPrivilege
/usr/local/sbin/smbd:  Rights (0x             403):
/usr/local/sbin/smbd:   Right[  0]: SeInteractiveLogonRight
/usr/local/sbin/smbd:   Right[  1]: SeNetworkLogonRight
/usr/local/sbin/smbd:   Right[  2]: SeRemoteInteractiveLogonRight
Comment 44 Phillip R. Jaenke 2020-01-20 01:47:54 UTC
Created attachment 210883 [details]
Bump PORTREVISION, add upstream patch

So I tracked the GID issue down to a confirmed and known upstream Samba bug dating back to 2017, with an upstream fix from Samba team. It wasn't applied because Andrew rejected it. This bug shows up in Linux and AIX on 4.10+ now as well, so that rejection was clearly in error.

https://bugzilla.samba.org/show_bug.cgi?id=9837
https://lists.samba.org/archive/samba-technical/2017-December/124417.html

The attached svn diff applies the Samba approved patch and bumps PORTREVISION. Testing has confirmed that this patch resolves the broken behavior fully, restores correct SID->GID behavior, and has no regressions.
Comment 45 Vladimir Druzenko freebsd_committer freebsd_triage 2020-02-11 02:14:35 UTC
12.1-p2 amd64, samba410-4.10.13

# mount | grep acl
/dev/da0p3 on /var (ufs, local, journaled soft-updates, acls)
/dev/da0p5 on /usr (ufs, local, journaled soft-updates, acls)

OPTIONS_FILE_SET+=ADS
OPTIONS_FILE_SET+=AD_DC
OPTIONS_FILE_SET+=AESNI
OPTIONS_FILE_SET+=CLUSTER
OPTIONS_FILE_SET+=CUPS
OPTIONS_FILE_UNSET+=DEBUG
OPTIONS_FILE_UNSET+=DEVELOPER
OPTIONS_FILE_UNSET+=DOCS
OPTIONS_FILE_SET+=FAM
OPTIONS_FILE_UNSET+=GPGME
OPTIONS_FILE_SET+=LDAP
OPTIONS_FILE_UNSET+=MANDOC
OPTIONS_FILE_UNSET+=NTVFS
OPTIONS_FILE_SET+=PROFILE
OPTIONS_FILE_SET+=QUOTAS
OPTIONS_FILE_UNSET+=SPOTLIGHT
OPTIONS_FILE_SET+=SYSLOG
OPTIONS_FILE_SET+=UTMP
OPTIONS_FILE_SET+=GSSAPI_BUILTIN
OPTIONS_FILE_UNSET+=GSSAPI_MIT
OPTIONS_FILE_SET+=ZEROCONF_NONE
OPTIONS_FILE_UNSET+=AVAHI
OPTIONS_FILE_UNSET+=MDNSRESPONDER
OPTIONS_FILE_UNSET+=NSUPDATE
OPTIONS_FILE_UNSET+=BIND911
OPTIONS_FILE_SET+=BIND914
OPTIONS_FILE_UNSET+=FRUIT
OPTIONS_FILE_UNSET+=GLUSTERFS

# samba-tool domain provision --use-rfc2307 --realm MYDOMAIN.LOCAL --domain MYDOMAIN --server-role dc --dns-backend BIND9_DLZ --adminpass pASSW0Rd
INFO 2020-02-11 05:04:51,818 pid:55360 /usr/local/lib/python3.7/site-packages/samba/provision/__init__.py #2096: Looking up IPv4 addresses
INFO 2020-02-11 05:04:51,821 pid:55360 /usr/local/lib/python3.7/site-packages/samba/provision/__init__.py #2113: Looking up IPv6 addresses
WARNING 2020-02-11 05:04:51,821 pid:55360 /usr/local/lib/python3.7/site-packages/samba/provision/__init__.py #2120: No IPv6 address will be assigned
INFO 2020-02-11 05:04:52,373 pid:55360 /usr/local/lib/python3.7/site-packages/samba/provision/__init__.py #2286: Setting up share.ldb
INFO 2020-02-11 05:04:52,418 pid:55360 /usr/local/lib/python3.7/site-packages/samba/provision/__init__.py #2290: Setting up secrets.ldb
INFO 2020-02-11 05:04:52,459 pid:55360 /usr/local/lib/python3.7/site-packages/samba/provision/__init__.py #2296: Setting up the registry
INFO 2020-02-11 05:04:52,539 pid:55360 /usr/local/lib/python3.7/site-packages/samba/provision/__init__.py #2299: Setting up the privileges database
INFO 2020-02-11 05:04:52,584 pid:55360 /usr/local/lib/python3.7/site-packages/samba/provision/__init__.py #2302: Setting up idmap db
INFO 2020-02-11 05:04:52,626 pid:55360 /usr/local/lib/python3.7/site-packages/samba/provision/__init__.py #2309: Setting up SAM db
INFO 2020-02-11 05:04:52,649 pid:55360 /usr/local/lib/python3.7/site-packages/samba/provision/__init__.py #882: Setting up sam.ldb partitions and settings
INFO 2020-02-11 05:04:52,651 pid:55360 /usr/local/lib/python3.7/site-packages/samba/provision/__init__.py #894: Setting up sam.ldb rootDSE
INFO 2020-02-11 05:04:52,655 pid:55360 /usr/local/lib/python3.7/site-packages/samba/provision/__init__.py #1302: Pre-loading the Samba 4 and AD schema
Unable to determine the DomainSID, can not enforce uniqueness constraint on local domainSIDs

INFO 2020-02-11 05:04:52,758 pid:55360 /usr/local/lib/python3.7/site-packages/samba/provision/__init__.py #1379: Adding DomainDN: DC=mydomain,DC=local
INFO 2020-02-11 05:04:52,799 pid:55360 /usr/local/lib/python3.7/site-packages/samba/provision/__init__.py #1411: Adding configuration container
INFO 2020-02-11 05:04:52,846 pid:55360 /usr/local/lib/python3.7/site-packages/samba/provision/__init__.py #1426: Setting up sam.ldb schema
INFO 2020-02-11 05:04:55,486 pid:55360 /usr/local/lib/python3.7/site-packages/samba/provision/__init__.py #1444: Setting up sam.ldb configuration data
INFO 2020-02-11 05:04:55,711 pid:55360 /usr/local/lib/python3.7/site-packages/samba/provision/__init__.py #1485: Setting up display specifiers
INFO 2020-02-11 05:04:57,704 pid:55360 /usr/local/lib/python3.7/site-packages/samba/provision/__init__.py #1493: Modifying display specifiers and extended rights
INFO 2020-02-11 05:04:57,750 pid:55360 /usr/local/lib/python3.7/site-packages/samba/provision/__init__.py #1500: Adding users container
INFO 2020-02-11 05:04:57,754 pid:55360 /usr/local/lib/python3.7/site-packages/samba/provision/__init__.py #1506: Modifying users container
INFO 2020-02-11 05:04:57,755 pid:55360 /usr/local/lib/python3.7/site-packages/samba/provision/__init__.py #1509: Adding computers container
INFO 2020-02-11 05:04:57,757 pid:55360 /usr/local/lib/python3.7/site-packages/samba/provision/__init__.py #1515: Modifying computers container
INFO 2020-02-11 05:04:57,758 pid:55360 /usr/local/lib/python3.7/site-packages/samba/provision/__init__.py #1519: Setting up sam.ldb data
INFO 2020-02-11 05:04:57,946 pid:55360 /usr/local/lib/python3.7/site-packages/samba/provision/__init__.py #1549: Setting up well known security principals
INFO 2020-02-11 05:04:57,991 pid:55360 /usr/local/lib/python3.7/site-packages/samba/provision/__init__.py #1563: Setting up sam.ldb users and groups
INFO 2020-02-11 05:04:58,143 pid:55360 /usr/local/lib/python3.7/site-packages/samba/provision/__init__.py #1571: Setting up self join
set_nt_acl_no_snum: fset_nt_acl returned NT_STATUS_INVALID_PARAMETER.
ERROR(runtime): uncaught exception - (3221225485, 'An invalid parameter was passed to a service or function.')
  File "/usr/local/lib/python3.7/site-packages/samba/netcmd/__init__.py", line 185, in _run
    return self.run(*args, **kwargs)
  File "/usr/local/lib/python3.7/site-packages/samba/netcmd/domain.py", line 537, in run
    backend_store=backend_store)
  File "/usr/local/lib/python3.7/site-packages/samba/provision/__init__.py", line 2351, in provision
    backend_store=backend_store)
  File "/usr/local/lib/python3.7/site-packages/samba/provision/__init__.py", line 1955, in provision_fill
    names.domaindn, lp, use_ntvfs)
  File "/usr/local/lib/python3.7/site-packages/samba/provision/__init__.py", line 1735, in setsysvolacl
    _setntacl(sysvol)
  File "/usr/local/lib/python3.7/site-packages/samba/provision/__init__.py", line 1732, in _setntacl
    service=SYSVOL_SERVICE, session_info=session_info)
  File "/usr/local/lib/python3.7/site-packages/samba/ntacls.py", line 232, in setntacl
    service=service, session_info=session_info)
Comment 46 Matt 2020-02-14 20:10:51 UTC
Hi, all!  New to the forum and to Samba, but I am running into the same issue.  I am trying to get Samba running in a jail, using UFS (with ACLs), but continually run into the set_nt_acl_no_snum() error.  I recently read about using the VFS option when provisioning using samba-tool, but that appears to be an issue if the SYSVOL resource is ZFS.  Do I still need to use that (or a similar) option for UFS?

I changed from `pkg install` to get the binary package to building from source (especially since I wanted CUPS and BIND914).  I still ran into the same issue.

In searching for a solution, I discovered an old patch from user dewayne (https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=220844) that I was able to apply and successfully provision my domain.  This patch is marked as "UNSAFE" and applies to Samba 4.6, so it obviously isn't the ideal solution.  I have not yet run into issues with this patch, but again I am new to Samba and likely ignorant of what/how I should test (and am deploying it in a home environment to explore).  I'm hoping that somewhere in this jumble of information is something helpful to correct this problem.  Thank you!

--
Host: $ uname -a
      FreeBSD HOSTPC 12.1-RELEASE-p1 FreeBSD 12.1-RELEASE-p1 GENERIC  amd64
      $ sudo mount | grep acl
      /dev/da0p2 on / (ufs, local, journaled soft-updates, acls)

Jail: # uname -a
      FreeBSD ADJAIL 12.1-RELEASE-p1 FreeBSD 12.1-RELEASE-p1 GENERIC  amd64
      # mount | grep acl
      /dev/da0p2 on / (ufs, local, journaled soft-updates, acls)

Build options:
      OPTIONS_FILE_SET+=ADS
      OPTIONS_FILE_SET+=AD_DC
      OPTIONS_FILE_SET+=AESNI
      OPTIONS_FILE_UNSET+=CLUSTER
      OPTIONS_FILE_SET+=CUPS
      OPTIONS_FILE_SET+=DEBUG
      OPTIONS_FILE_UNSET+=DEVELOPER
      OPTIONS_FILE_SET+=DOCS
      OPTIONS_FILE_SET+=FAM
      OPTIONS_FILE_UNSET+=GPGME
      OPTIONS_FILE_SET+=LDAP
      OPTIONS_FILE_UNSET+=MANDOC
      OPTIONS_FILE_UNSET+=NTVFS
      OPTIONS_FILE_SET+=PROFILE
      OPTIONS_FILE_SET+=QUOTAS
      OPTIONS_FILE_UNSET+=SPOTLIGHT
      OPTIONS_FILE_SET+=SYSLOG
      OPTIONS_FILE_SET+=UTMP
      OPTIONS_FILE_SET+=GSSAPI_BUILTIN
      OPTIONS_FILE_UNSET+=GSSAPI_MIT
      OPTIONS_FILE_UNSET+=ZEROCONF_NONE
      OPTIONS_FILE_SET+=AVAHI
      OPTIONS_FILE_UNSET+=MDNSRESPONDER
      OPTIONS_FILE_UNSET+=NSUPDATE
      OPTIONS_FILE_UNSET+=BIND911
      OPTIONS_FILE_SET+=BIND914
      OPTIONS_FILE_UNSET+=FRUIT
      OPTIONS_FILE_UNSET+=GLUSTERFS
Comment 47 paulo 2020-03-11 11:00:16 UTC
This problem can be solved using the same solution adopted in FreeNAS, but inside ports:

cat << __EOF__ > /usr/ports/net/samba410/files/patch-bfs-provisioning
--- source3/param/loadparm.c.orig	2020-03-11 07:17:30.827605000 -0300
+++ source3/param/loadparm.c	2020-03-11 07:20:28.867874000 -0300
@@ -2742,6 +2742,13 @@
 		if (!vfs_objects || !vfs_objects[0]) {
 			if (lp_parm_const_string(-1, "xattr_tdb", "file", NULL)) {
 				lp_do_parameter(-1, "vfs objects", "dfs_samba4 acl_xattr xattr_tdb");
+	/*
+ 	 * By default, the samba sysvol is located in the statedir. Provisioning will fail in setntacl
+ 	 * unless we have zfacl enabled. Unfortunately, at this point the smb.conf has not been generated.
+ 	 * This workaround is freebsd-specific.
+ 	 */
+			} else if (pathconf(get_dyn_STATEDIR(), _PC_ACL_NFS4) == 1){
+				lp_do_parameter(-1, "vfs objects", "dfs_samba4 zfsacl");
 			} else if (lp_parm_const_string(-1, "posix", "eadb", NULL)) {
 				lp_do_parameter(-1, "vfs objects", "dfs_samba4 acl_xattr posix_eadb");
 			} else {
__EOF__
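Review bot: the new `else if (pathconf(get_dyn_STATEDIR(), _PC_ACL_NFS4) == 1)` branch only fires when the state directory reports NFSv4 ACL support, so a state directory on UFS with POSIX ACLs gets no new default and still falls through to the unchanged branches below it; it also probes the state directory rather than the sysvol path, which the comment itself says is only there "by default". Consider testing the actual sysvol location and adding a matching branch for the POSIX ACL case. `_PC_ACL_NFS4` is used without an `#ifdef` guard even though the comment calls the workaround freebsd-specific, and the comment says "zfacl" while the code sets "dfs_samba4 zfsacl". The comment block also sits inside the body of the preceding `xattr_tdb` branch with mixed tab and space indentation; moving it inside the new branch would make it clear which condition it documents.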

and 
cd /usr/ports/net/samba410
make reinstall clean

With a little more time, an equivalent solution can be found for UFS with ACLs.

It isn't a FreeBSD problem, as we can find on the internet.

Thanks,
Paulo Fragoso.
Comment 48 paulo 2020-03-12 09:35:35 UTC
Created attachment 212346 [details]
Correct internal configuration for frist provising

Corrects ACLs for ZFS case by ports patches files
Comment 49 Dean E. Weimer 2020-03-28 19:37:02 UTC
(In reply to paulo from comment #47)
This worked for me as well on FreeBSD 12.1-RELEASE-p3, and samba 4.10
Comment 50 NetBLOKS 2020-04-20 13:07:29 UTC
Hi,

fix for ZFS runs perfectly.
Is there any chance this will be fixed for UFS also?
Comment 51 Dmitry Afanasiev 2020-04-20 14:12:59 UTC
(In reply to paulo from comment #47)
It works for me too...
Please apply this patch to the ports tree
Comment 52 Vladimir Druzenko freebsd_committer freebsd_triage 2020-04-22 17:49:00 UTC
(In reply to paulo from comment #47)
Tried your patch on 4.11 on UFS:
samba-tool domain provision --use-rfc2307 --realm MYDOMAIN.LOCAL --domain MYDOMAIN --server-role dc --dns-backend BIND9_DLZ --adminpass …
…
set_nt_acl_no_snum: fset_nt_acl returned NT_STATUS_INVALID_PARAMETER.
ERROR(runtime): uncaught exception - (3221225485, 'An invalid parameter was passed to a service or function.')
  File "/usr/local/lib/python3.7/site-packages/samba/netcmd/__init__.py", line 186, in _run
    return self.run(*args, **kwargs)
  File "/usr/local/lib/python3.7/site-packages/samba/netcmd/domain.py", line 542, in run
    backend_store_size=backend_store_size)
  File "/usr/local/lib/python3.7/site-packages/samba/provision/__init__.py", line 2395, in provision
    backend_store_size=backend_store_size)
  File "/usr/local/lib/python3.7/site-packages/samba/provision/__init__.py", line 1995, in provision_fill
    names.domaindn, lp, use_ntvfs)
  File "/usr/local/lib/python3.7/site-packages/samba/provision/__init__.py", line 1773, in setsysvolacl
    _setntacl(sysvol)
  File "/usr/local/lib/python3.7/site-packages/samba/provision/__init__.py", line 1770, in _setntacl
    service=SYSVOL_SERVICE, session_info=session_info)
  File "/usr/local/lib/python3.7/site-packages/samba/ntacls.py", line 232, in setntacl
    service=service, session_info=session_info)
Comment 53 Vladimir Druzenko freebsd_committer freebsd_triage 2020-04-23 00:16:08 UTC
(In reply to VVD from comment #52)
Adding --option="vfs objects"="freebsd" to samba-tool domain provision --use-rfc2307 fixed this error!

Where is this written in the documentation?
Comment 54 NetBLOKS 2020-04-23 08:06:32 UTC
Samba 410 and 411 both still have a Python error on UFS:

/usr/local/bin/samba-tool ntacl sysvolreset

set_nt_acl_no_snum: fset_nt_acl returned NT_STATUS_INVALID_PARAMETER.
ERROR(runtime): uncaught exception - (3221225485, 'An invalid parameter was passed to a service or function.')
  File "/usr/local/lib/python3.7/site-packages/samba/netcmd/__init__.py", line 186, in _run
    return self.run(*args, **kwargs)
  File "/usr/local/lib/python3.7/site-packages/samba/netcmd/ntacl.py", line 425, in run
    lp, use_ntvfs=use_ntvfs)
  File "/usr/local/lib/python3.7/site-packages/samba/provision/__init__.py", line 1773, in setsysvolacl
    _setntacl(sysvol)
  File "/usr/local/lib/python3.7/site-packages/samba/provision/__init__.py", line 1770, in _setntacl
    service=SYSVOL_SERVICE, session_info=session_info)
  File "/usr/local/lib/python3.7/site-packages/samba/ntacls.py", line 232, in setntacl
    service=service, session_info=session_info)


samba-tool domain schemaupgrade

ERROR(<class 'ModuleNotFoundError'>): uncaught exception - No module named 'markdown'
  File "/usr/local/lib/python3.7/site-packages/samba/netcmd/__init__.py", line 186, in _run
    return self.run(*args, **kwargs)
  File "/usr/local/lib/python3.7/site-packages/samba/netcmd/domain.py", line 4154, in run
    from samba.ms_schema_markdown import read_ms_markdown
  File "/usr/local/lib/python3.7/site-packages/samba/ms_schema_markdown.py", line 26, in <module>
    import markdown
Comment 55 Vladimir Druzenko freebsd_committer freebsd_triage 2020-04-23 11:43:43 UTC
(In reply to NetBLOKS from comment #54)
> Samba 410 and 411 both still have Python error on UFS:
> /usr/local/bin/samba-tool ntacl sysvolreset
Do you have "vfs objects = freebsd" in /usr/local/etc/smb4.conf in [general] section?
Comment 56 NetBLOKS 2020-04-23 14:42:59 UTC
(In reply to VVD from comment #55)
Thanks a lot,
/usr/local/bin/samba-tool ntacl sysvolreset
works flawlessly with ufs and zfs now.


Still got the schemaupgrade error (needed for Samba 411)
samba-tool domain schemaupgrade
ERROR(<class 'ModuleNotFoundError'>): uncaught exception - No module named 'markdown'
  File "/usr/local/lib/python3.7/site-packages/samba/netcmd/__init__.py", line 186, in _run
    return self.run(*args, **kwargs)
  File "/usr/local/lib/python3.7/site-packages/samba/netcmd/domain.py", line 4154, in run
    from samba.ms_schema_markdown import read_ms_markdown
  File "/usr/local/lib/python3.7/site-packages/samba/ms_schema_markdown.py", line 26, in <module>
    import markdown
Comment 57 Vladimir Druzenko freebsd_committer freebsd_triage 2020-04-23 16:38:28 UTC
I have another problem - can't update hosts via nsupdate with BIND9 DLZ DNS back end.
==================================
# samba_dnsupdate --verbose --all-names
IPs: ['10.0.2.1']
force update: A dc1.domain.intranet 10.0.2.1
force update: CNAME 09205e67-dba9-40bb-80ee-77eece72145c._msdcs.domain.intranet dc1.domain.intranet
force update: NS domain.intranet dc1.domain.intranet
force update: NS _msdcs.domain.intranet dc1.domain.intranet
force update: A domain.intranet 10.0.2.1
force update: SRV _ldap._tcp.domain.intranet dc1.domain.intranet 389
force update: SRV _ldap._tcp.dc._msdcs.domain.intranet dc1.domain.intranet 389
force update: SRV _ldap._tcp.df2e02db-0264-4b9f-b7e8-4748c7b7084e.domains._msdcs.domain.intranet dc1.domain.intranet 389
force update: SRV _kerberos._tcp.domain.intranet dc1.domain.intranet 88
force update: SRV _kerberos._udp.domain.intranet dc1.domain.intranet 88
force update: SRV _kerberos._tcp.dc._msdcs.domain.intranet dc1.domain.intranet 88
force update: SRV _kpasswd._tcp.domain.intranet dc1.domain.intranet 464
force update: SRV _kpasswd._udp.domain.intranet dc1.domain.intranet 464
force update: SRV _ldap._tcp.Default-First-Site-Name._sites.domain.intranet dc1.domain.intranet 389
force update: SRV _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.domain.intranet dc1.domain.intranet 389
force update: SRV _kerberos._tcp.Default-First-Site-Name._sites.domain.intranet dc1.domain.intranet 88
force update: SRV _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.domain.intranet dc1.domain.intranet 88
force update: SRV _ldap._tcp.pdc._msdcs.domain.intranet dc1.domain.intranet 389
force update: A gc._msdcs.domain.intranet 10.0.2.1
force update: SRV _gc._tcp.domain.intranet dc1.domain.intranet 3268
force update: SRV _ldap._tcp.gc._msdcs.domain.intranet dc1.domain.intranet 3268
force update: SRV _gc._tcp.Default-First-Site-Name._sites.domain.intranet dc1.domain.intranet 3268
force update: SRV _ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.domain.intranet dc1.domain.intranet 3268
force update: A DomainDnsZones.domain.intranet 10.0.2.1
force update: SRV _ldap._tcp.DomainDnsZones.domain.intranet dc1.domain.intranet 389
force update: SRV _ldap._tcp.Default-First-Site-Name._sites.DomainDnsZones.domain.intranet dc1.domain.intranet 389
force update: A ForestDnsZones.domain.intranet 10.0.2.1
force update: SRV _ldap._tcp.ForestDnsZones.domain.intranet dc1.domain.intranet 389
force update: SRV _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.domain.intranet dc1.domain.intranet 389
29 DNS updates and 0 DNS deletes needed
Successfully obtained Kerberos ticket to DNS/dc1.domain.intranet as DC1$
update(nsupdate): A dc1.domain.intranet 10.0.2.1
Calling nsupdate for A dc1.domain.intranet 10.0.2.1 (add)
Successfully obtained Kerberos ticket to DNS/dc1.domain.intranet as DC1$
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
dc1.domain.intranet.  900     IN      A       10.0.2.1

; Communication with 10.0.2.1#53 failed: timed out
Failed nsupdate: 2
update(nsupdate): CNAME 09205e67-dba9-40bb-80ee-77eece72145c._msdcs.domain.intranet dc1.domain.intranet
Calling nsupdate for CNAME 09205e67-dba9-40bb-80ee-77eece72145c._msdcs.domain.intranet dc1.domain.intranet (add)
Traceback (most recent call last):
  File "/usr/local/sbin/samba_dnsupdate", line 944, in <module>
    call_nsupdate(d)
  File "/usr/local/sbin/samba_dnsupdate", line 470, in call_nsupdate
    server = get_krb5_rw_dns_server(creds, zone)
  File "/usr/local/sbin/samba_dnsupdate", line 158, in get_krb5_rw_dns_server
    (client_finished, client_to_server) = gensec_client.update(server_to_client)
samba.NTSTATUSError: (3221225485, 'An invalid parameter was passed to a service or function.')
==================================
After line "dc1.domain.intranet.  900     IN      A       10.0.2.1" it freezes for several minutes. Then bind can't resolve anything for a few minutes more.

Output from this freeze looks like this:
# /usr/local/sbin/named -u bind -c /usr/local/etc/namedb/named.conf -f -g -d 10
…
23-Apr-2020 19:32:40.621 clientmgr @0x801805fc8 attach: 17
23-Apr-2020 19:32:40.622 client @0x8041ecf68 (no-peer): allocate new client
23-Apr-2020 19:32:40.622 client @0x8041ecf68 10.0.2.1#46293: TCP request
23-Apr-2020 19:32:40.622 client @0x8041ecf68 10.0.2.1#46293: using view '_default'
23-Apr-2020 19:32:40.622 client @0x8041ecf68 10.0.2.1#46293: request is not signed
23-Apr-2020 19:32:40.622 client @0x8041ecf68 10.0.2.1#46293: recursion available
23-Apr-2020 19:34:36.375 gss cred: "host/dc1.domain.intranet@DOMAIN.INTRANET", GSS_C_ACCEPT, 4294967295
23-Apr-2020 19:34:36.376 gss-api source name (accept) is DC1$@DOMAIN.INTRANET
23-Apr-2020 19:34:36.377 process_gsstkey(): dns_tsigerror_noerror
23-Apr-2020 19:34:36.377 client @0x8041ecf68 10.0.2.1#46293 (1451130240.sig-dc1.domain.intranet): reset client
23-Apr-2020 19:34:36.377 client @0x804136368 127.0.0.1#35315: UDP request
23-Apr-2020 19:34:36.378 client @0x804136368 127.0.0.1#35315: using view '_default'
23-Apr-2020 19:34:36.378 client @0x804136368 127.0.0.1#35315: request is not signed
23-Apr-2020 19:34:36.378 client @0x804136368 127.0.0.1#35315: recursion available
23-Apr-2020 19:34:36.378 client @0x804136368 127.0.0.1#35315 (_kerberos._udp.DOMAIN.INTRANET): query '_kerberos._udp.DOMAIN.INTRANET/SRV/IN' approved
==================================
It waits ~2 minutes! Why?
Comment 58 Vladimir Druzenko freebsd_committer freebsd_triage 2020-04-23 22:07:57 UTC
Created attachment 213731 [details]
log from named -d 10 while run samba_dnsupdate --verbose --all-names

In one console, run:
/usr/local/sbin/named -u bind -c /usr/local/etc/namedb/named.conf -f -g -d 10 2>&1 | tee bind.log

In the other:
samba_dnsupdate --verbose --all-names

bind.log is attached - 134630 lines.
Named started at 00:32:11.
samba_dnsupdate started at 00:34:05.378 and named froze at 00:34:06.833.
Named unfroze at 00:39:53.479.
Comment 59 James B. Byrne 2020-05-04 17:54:24 UTC
On a FreeBSD 2.1p4 jail I am trying to provision an ADDC using samba410.

I have applied the patch given above to samba410-4.10.15, rebuilt it without error using poudriere,  and attempted to provision an AD using:

samba-tool domain provision \
  --adminpass=INstall66 \
  --dns-backend=BIND9_DLZ \
  --dnspass=INstall66 \
  --domain=BROCKLEY-2016 \
  --host-name=SAMBA-02.BROCKLEY-2016.HARTE-LYNE.CA \
  --host-ip=192.168.8.66 \
  --option="bind interfaces only=yes" \
  --option="interfaces=lo eth0" \
  --option="vfs objects"="freebsd" \
  --realm=BROCKLEY-2016.HARTE-LYNE.CA \
  --server-role=dc   --use-rfc2307



which results in:

INFO 2020-05-04 13:52:14,339 pid:59290 /usr/local/lib/python3.7/site-packages/samba/provision/__init__.py #1571: Setting up self join
set_nt_acl_no_snum: fset_nt_acl returned NT_STATUS_INVALID_PARAMETER.
ERROR(runtime): uncaught exception - (3221225485, 'An invalid parameter was passed to a service or function.')

and this in the smb4.conf

# Global parameters
  
[global]
  bind interfaces only = Yes
  interfaces = lo eth0
  netbios name = SAMBA-02
  realm = BROCKLEY-2016.HARTE-LYNE.CA
  server role = active directory domain controller
  server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
  workgroup = BROCKLEY-2016
  idmap_ldb:use rfc2307 = yes

[sysvol]
  path = /var/db/samba4/sysvol
  read only = No

[netlogon]
  path = /var/db/samba4/sysvol/brockley-2016.harte-lyne.ca/scripts
  read only = No


Is there anything that I am missing in the configuration or options that is preventing this from working?  Other people have reported provisioning to work on FreeBSD after applying the patch.
Comment 60 James B. Byrne 2020-05-04 18:15:37 UTC
Comment 59 refers to an IOCage jail on top of ZFS.
Comment 61 James B. Byrne 2020-05-05 15:18:17 UTC
Bizarrely, I rebuilt samba410 without the patch, due to a typo in make.conf, and the resulting package provisioned without error.
Comment 62 NetBLOKS 2020-05-12 09:39:01 UTC
(In reply to NetBLOKS from comment #56)

In regards to Schema-Upgrade:
just install
pkg install py37-markdown
and it will work.
Comment 63 Rene Ladan freebsd_committer freebsd_triage 2020-11-08 10:36:58 UTC
net/samba410 expired today, please use Samba 4.11 or later.