Bug 276940

Summary: sysutils/libsunacl: Add missing ACEs definition needed by Samba
Product: Ports & Packages
Reporter: Mikael Urankar <mikael>
Component: Individual Port(s)
Assignee: Timur I. Bakeyev <timur>
Status: Closed FIXED
Severity: Affects Only Me
CC: andrej, cy, editor, michaelo
Priority: ---
Flags: bugzilla: maintainer-feedback? (timur)
Version: Latest
Hardware: Any
OS: Any
See Also: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=270383
Attachments: v0 (flags: none)

Description Mikael Urankar freebsd_committer freebsd_triage 2024-02-10 12:54:46 UTC
Created attachment 248305
v0

It seems samba 4.17 started to use SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT (its definition is in librpc/idl/security.idl) which is not handled by libsunacl.

Without this, provisioning a DC on top of zfs fails with this error:
python3.9: acl_from_aces: a_type is 0x5
python3.9: aces_from_acl failed

I'm not sure the fix is correct though.
Comment 1 Michael Dexter freebsd_triage 2024-02-20 23:27:29 UTC
I am having this same issue on samba419-4.19.4

Slightly more context but I can publish and test more:

Repacking database from v1 to v2 format (first record CN=Meetings,CN=System,DC=mydomain,DC=mycompany,DC=local)
python3.9: acl_from_aces: a_type is 0x5
python3.9: aces_from_acl failed
set_nt_acl_conn: fset_nt_acl returned NT_STATUS_IO_DEVICE_ERROR.
ERROR(runtime): uncaught exception - (3221225861, 'The I/O device reported an I/O error.')
  File "/usr/local/lib/python3.9/site-packages/samba/netcmd/__init__.py", line 279, in _run
    return self.run(*args, **kwargs)

Any suggestions? ZFS properties to set?

samba416 provisions fine.
Comment 2 Michael Dexter freebsd_triage 2024-02-20 23:30:25 UTC
Can you provide a libsunacl binary to try?
Comment 3 Michael Dexter freebsd_triage 2024-02-21 00:05:55 UTC
Also, provisioning samba416 and upgrading it to samba419 appears to work, for what it's worth.
Comment 4 Mikael Urankar freebsd_committer freebsd_triage 2024-02-21 07:57:37 UTC
(In reply to Michael Dexter from comment #2)
If you want, what version / arch?
Comment 5 Michael Dexter freebsd_triage 2024-02-21 19:50:37 UTC
AMD64. I confess I have not tried to spin up Samba on another architecture but I do hope that's being tested and I'll see what I can do.
Comment 6 Mikael Urankar freebsd_committer freebsd_triage 2024-02-23 15:36:34 UTC
(In reply to Michael Dexter from comment #5)
http://mikael.urankar.free.fr/libsunacl.so.1
You'll probably have to make a symlink libsunacl.so -> libsunacl.so.1
Comment 7 Michael Dexter freebsd_triage 2024-02-24 08:18:34 UTC
(In reply to Mikael Urankar from comment #6)

Your libsunacl.so.1 allowed for a successful AD provision on 14.0 AMD64.

Hopefully that fixes it!

I get the following output but will verify my paths:

Running chmod 600 /var/db/samba4/private/tls/key.pem

/var/db/samba4/private/tls/cert.pem signature is
Could not open file or uri for loading certificate from cert.pem
002061A64D5A0000:error:16000069:STORE routines:ossl_store_get0_loader_int:unregistered scheme:/usr/src/crypto/openssl/crypto/store/store_register.c:237:scheme=file
002061A64D5A0000:error:80000002:system library:file_open:No such file or directory:/usr/src/crypto/openssl/providers/implementations/storemgmt/file_store.c:267:calling stat(cert.pem)
Unable to load certificate

/var/db/samba4/private/tls/key.pem signature is
Could not open file or uri for loading private key from key.pem
0020E13032350000:error:16000069:STORE routines:ossl_store_get0_loader_int:unregistered scheme:/usr/src/crypto/openssl/crypto/store/store_register.c:237:scheme=file
0020E13032350000:error:80000002:system library:file_open:No such file or directory:/usr/src/crypto/openssl/providers/implementations/storemgmt/file_store.c:267:calling stat(key.pem)
Comment 8 Andrej Ebert 2024-02-28 08:36:45 UTC
Any chance this can be committed? As far as samba (and it is the only consumer, as far as I can see) goes, the patch works perfectly, and it would be nice not to have to patch each installation...
Comment 9 commit-hook freebsd_committer freebsd_triage 2024-02-28 14:34:36 UTC
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=6a6678eefe429ff40c7521ccdb93b5c4196f570f

commit 6a6678eefe429ff40c7521ccdb93b5c4196f570f
Author:     Mikael Urankar <mikael@FreeBSD.org>
AuthorDate: 2024-02-07 13:52:34 +0000
Commit:     Mikael Urankar <mikael@FreeBSD.org>
CommitDate: 2024-02-28 14:34:13 +0000

    sysutils/libsunacl: Add missing ACEs definition needed by samba

    These are needed to provision a domain controller on top of ZFS.

    PR:             276940
    Approved by:    maintainer timeout

 sysutils/libsunacl/Makefile                        |  1 +
 .../libsunacl/files/patch-opensolaris__acl.c (new) | 22 ++++++++++++++++++++++
 sysutils/libsunacl/files/patch-sunacl.h (new)      | 16 ++++++++++++++++
 3 files changed, 39 insertions(+)