Bug 220844 - net/samba46 builds successfully unable to provision an AD instance within a jail
Status: Closed FIXED
Product: Ports & Packages
Component: Individual Port(s)
Version: Latest
Hardware: Any
Assignee: Timur I. Bakeyev
Reported: 2017-07-19 06:24 UTC by dewayne
Modified: 2018-03-22 23:04 UTC
Flags: maintainer-feedback? (timur)

Attachments
UNSAFE patch replacing SYSTEM with USER namespace (2.97 KB, text/x-csrc)
2017-07-19 06:24 UTC, dewayne

Description dewayne 2017-07-19 06:24:15 UTC
Created attachment 184488
UNSAFE patch replacing SYSTEM with USER namespace

SAMBA 4.5.12 successfully builds and installs an AD instance on FreeBSD 11.1 Prerelease (amd64).

SAMBA 4.6.6 builds and runs a standalone FS but NOT an AD instance on FreeBSD 11.1 Prerelease.

The fundamental reason is that sysvol is assigned "system" namespace extended attributes. Within a jailed environment this is a show-stopper, as use of a "system" namespace returns "Operation not permitted".

To provision an AD within a jailed environment, you will need to apply the enclosed patch, prior to building net/samba46.

NOTE:
1) Andrew Bartlett (SAMBA developer, Authentication) advises that replacing SYSTEM with USER namespaces is an UNSAFE approach.
2) This will reveal the binary content of the extended attribute of interest:
getextattr user NTACL /var/db/samba4/sysvol/hs | hd

---//---

Message received while provisioning an AD without the attached patch
...
Setting up self join
set_nt_acl_no_snum: fset_nt_acl returned NT_STATUS_INVALID_PARAMETER.
ERROR(runtime): uncaught exception - (-1073741811, 'Unexpected information received')
  File "/usr/local/lib/python2.7/site-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/local/lib/python2.7/site-packages/samba/netcmd/domain.py", line 471, in run
    nosync=ldap_backend_nosync, ldap_dryrun_mode=ldap_dryrun_mode)
  File "/usr/local/lib/python2.7/site-packages/samba/provision/__init__.py", line 2175, in provision
    skip_sysvolacl=skip_sysvolacl)
  File "/usr/local/lib/python2.7/site-packages/samba/provision/__init__.py", line 1806, in provision_fill
    names.domaindn, lp, use_ntvfs)
  File "/usr/local/lib/python2.7/site-packages/samba/provision/__init__.py", line 1593, in setsysvolacl
    service=SYSVOL_SERVICE)
  File "/usr/local/lib/python2.7/site-packages/samba/ntacls.py", line 162, in setntacl
    smbd.set_nt_acl(file, security.SECINFO_OWNER | security.SECINFO_GROUP | security.SECINFO_DACL | security.SECINFO_SACL, sd, service=service)
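A way to check up front whether the environment Samba will run in can write the extended-attribute namespace it wants on the sysvol path, before provisioning is attempted. This is an added example, not part of the report, the attached patch or Samba; it assumes FreeBSD's setextattr(8)/rmextattr(8) and the security.jail.jailed sysctl, and reports "unavailable" where those do not exist.

```shell
#!/bin/sh
# Pre-flight probe: can this (possibly jailed) environment create extended
# attributes in the "system" and "user" namespaces on the sysvol directory?
# Added example; not from the bug report or the Samba project.

# probe_ea_namespace DIR NAMESPACE
# Creates and removes a throwaway attribute in NAMESPACE on a temp file
# under DIR. Returns:
#   0 - namespace usable
#   1 - setextattr refused (in a jail, "system" yields "Operation not permitted")
#   2 - tools missing or DIR not writable (e.g. not FreeBSD)
probe_ea_namespace() {
    dir=$1; ns=$2
    command -v setextattr >/dev/null 2>&1 || return 2
    f=$(mktemp "$dir/.eaprobe.XXXXXX") || return 2
    if setextattr "$ns" eaprobe 1 "$f" 2>/dev/null; then
        rmextattr "$ns" eaprobe "$f" 2>/dev/null
        rm -f "$f"
        return 0
    fi
    rm -f "$f"
    return 1
}

# in_jail: prints yes/no from security.jail.jailed, or unknown off FreeBSD.
in_jail() {
    v=$(sysctl -n security.jail.jailed 2>/dev/null) || v=
    case $v in
        1) echo yes ;;
        0) echo no ;;
        *) echo unknown ;;
    esac
}

# describe_probe RC: human-readable status for a probe return code.
describe_probe() {
    case $1 in
        0) echo usable ;;
        1) echo "denied (Operation not permitted)" ;;
        *) echo unavailable ;;
    esac
}

# sysvol_ea_report DIR: report both namespaces for the sysvol location
# (default is the port's path quoted in the report; assumed, adjust as needed).
sysvol_ea_report() {
    dir=${1:-/var/db/samba4/sysvol}
    echo "jailed: $(in_jail)"
    for ns in system user; do
        rc=0
        probe_ea_namespace "$dir" "$ns" || rc=$?
        echo "namespace $ns: $(describe_probe "$rc")"
    done
}

# Usage: sh ea_probe.sh /var/db/samba4/sysvol
if [ -n "${1:-}" ]; then
    sysvol_ea_report "$1"
fi
```

Run it inside the jail against the directory sysvol will live in (it must already exist and be writable by the invoking user). A "system" line reading "denied" is the condition the report describes; Samba's setntacl will fail with NT_STATUS_INVALID_PARAMETER there regardless of how the provision command is phrased.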
Comment 1 VVD 2017-08-16 11:26:51 UTC
Same bug at samba bugzilla: https://bugzilla.samba.org/show_bug.cgi?id=12912

Any progress?
Comment 2 dewayne 2017-10-04 03:31:33 UTC
(In reply to vvd from comment #1)
It is unlikely to progress, except for a FreeBSD patch to our SAMBA4X ports.  I've applied the patch to AD and standalone SAMBA instances with 4.6.6 through to 4.6.8 and everything is fine.

I used Andrew Bartlett's term of "unsafe" in the title. If the SAMBA people do NOT change the way that extended attributes are assigned/used on the sysvol, then this patch is the way it has to be - when using SAMBA within a jail. And given the size and complexity of SAMBA4, who wouldn't want it to be encased within a jail? Perhaps it should be an option - running SAMBA4X in a jail - apply patch. :)
Comment 3 VVD 2017-10-05 10:10:22 UTC
Just tested with samba 4.6.8 from ports _WITHOUT JAIL_, the error didn't change:

set_nt_acl_no_snum: fset_nt_acl returned NT_STATUS_INVALID_PARAMETER.
ERROR(runtime): uncaught exception - (-1073741811, 'Unexpected information received')
  File "/usr/local/lib/python2.7/site-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/local/lib/python2.7/site-packages/samba/netcmd/domain.py", line 471, in run
    nosync=ldap_backend_nosync, ldap_dryrun_mode=ldap_dryrun_mode)
  File "/usr/local/lib/python2.7/site-packages/samba/provision/__init__.py", line 2175, in provision
    skip_sysvolacl=skip_sysvolacl)
  File "/usr/local/lib/python2.7/site-packages/samba/provision/__init__.py", line 1806, in provision_fill
    names.domaindn, lp, use_ntvfs)
  File "/usr/local/lib/python2.7/site-packages/samba/provision/__init__.py", line 1593, in setsysvolacl
    service=SYSVOL_SERVICE)
  File "/usr/local/lib/python2.7/site-packages/samba/ntacls.py", line 162, in setntacl
    smbd.set_nt_acl(file, security.SECINFO_OWNER | security.SECINFO_GROUP | security.SECINFO_DACL | security.SECINFO_SACL, sd, service=service)
Comment 4 Timur I. Bakeyev freebsd_committer 2017-12-18 04:33:24 UTC
I think that with all the hacks and patches net/samba47 got this should work in the jails as well.

But, my question would be - why do you want to run AD inside a jail, which, besides a more secure environment, also puts quite a bunch of extra restrictions on the environment?
Comment 5 dewayne 2017-12-19 09:15:33 UTC
(In reply to Timur I. Bakeyev from comment #4)
Thanks Timur.
I've examined the file /usr/ports/net/samba47/work/samba-4.7.3/lib/replace/xattr.c and it looks like my earlier patch is still required.  It will be a few days before I can test.
There are a couple of reasons for deploying within a jail. Samba AD doesn't provide full functionality when acting (also) as a fileserver. So it's necessary to have two SAMBA servers, AD + fileserver (jails or VMs). Security is a concern, particularly as SAMBA is complex software; from an engineering perspective, it's deemed that isolating the service has utility in terms of mitigating undiscovered vulnerabilities. We also isolate GPL software so customers can access and modify only those particular elements that they are entitled to.
Comment 6 Timur I. Bakeyev freebsd_committer 2017-12-19 10:10:13 UTC
(In reply to dewayne from comment #5)

> I've examined the file /usr/ports/net/samba47/work/samba-4.7.3/lib/replace/xattr.c and it looks like my earlier patch is still required.  It will be a few days before I can test.

Please, give it a try :) There are more than one way to skin a cat :)

I understand your concerns, but the same should apply to Windows Server as well. In the days of VMs and Docker, jails could be a bit of an outdated alternative...

Well, give it a try anyhow; at least the xattr problem shouldn't be there (but there could be others, due to the limitations of jails).
Comment 7 VVD 2017-12-19 11:43:12 UTC
(In reply to Timur I. Bakeyev from comment #6)
> In the days of _containers_ _containers_ could be a bit outdated alternative...
Hm?…

"samba-tool domain provision --use-rfc2307 --interactive" work fine in net/samba47, thanks!
Comment 8 ANx 2018-03-22 09:14:23 UTC
(In reply to vvd from comment #7)

Hello vvp,

Sorry for returning to such an old thread, but what do you mean that it worked with net/samba47?

a) Simple installed net/samba47 from ports;

b) Installed from ports and applied this patch?

By the way, I’m facing the same issue, coming from pkg installation. I would also appreciate detailed instructions on applying this patch... new to FreeBSD.

Regards,
ANx
Comment 9 VVD 2018-03-22 09:21:59 UTC
(In reply to ANx from comment #8)
Hi!

I just installed net/samba47 from ports without custom patches and this error disappeared.
Comment 10 ANx 2018-03-22 09:27:32 UTC
(In reply to vvd from comment #9)

Thank you for the quick reply.
Comment 11 ANx 2018-03-22 14:42:19 UTC
(In reply to vvd from comment #9)

Got the same error, but please note that I'm also under jail environment... 

----------------------------------------------------------------

set_nt_acl_no_snum: fset_nt_acl returned NT_STATUS_INVALID_PARAMETER.
ERROR(runtime): uncaught exception - (-1073741811, 'An invalid parameter was passed to a service or function.')
  File "/usr/local/lib/python2.7/site-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/local/lib/python2.7/site-packages/samba/netcmd/domain.py", line 474, in run
    nosync=ldap_backend_nosync, ldap_dryrun_mode=ldap_dryrun_mode)
  File "/usr/local/lib/python2.7/site-packages/samba/provision/__init__.py", line 2187, in provision
    skip_sysvolacl=skip_sysvolacl)
  File "/usr/local/lib/python2.7/site-packages/samba/provision/__init__.py", line 1815, in provision_fill
    names.domaindn, lp, use_ntvfs)
  File "/usr/local/lib/python2.7/site-packages/samba/provision/__init__.py", line 1599, in setsysvolacl
    service=SYSVOL_SERVICE)
  File "/usr/local/lib/python2.7/site-packages/samba/ntacls.py", line 162, in setntacl
    smbd.set_nt_acl(file, security.SECINFO_OWNER | security.SECINFO_GROUP | security.SECINFO_DACL | security.SECINFO_SACL, sd, service=service)
Comment 12 Timur I. Bakeyev freebsd_committer 2018-03-22 15:11:24 UTC
(In reply to ANx from comment #11)

What FS do you have in that jail? Behavior of Samba on UFS and ZFS is different in the case of provisioning (well, in other aspects also).

For ZFS ATM you need to add `--option="vfs objects"="dfs_samba4 zfsacl"` to the list of parameters for `provision`.

For UFS the hack in samba47 should work OOTB.
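A small pre-flight script built from the maintainer's advice in comment 12, as an added example (not from the report, the port or Samba): it picks the provision arguments by the filesystem under the Samba state directory, adding the ZFS-only vfs objects override and otherwise leaving the command as used in this thread. It assumes df -T (FreeBSD and GNU) and the port's default state directory /var/db/samba4; realm, domain and password are still entered interactively, exactly as with --interactive.

```shell
#!/bin/sh
# Choose samba-tool provision arguments by the filesystem holding the
# Samba state directory. Added example; not from the report or the port.
# Assumes df -T; the default state dir /var/db/samba4 is an assumption
# taken from the sysvol path quoted in the report.

# nearest_existing_dir PATH: walk up until a directory exists. sysvol is
# created by provisioning, so the filesystem of its parent is what matters.
nearest_existing_dir() {
    p=$1
    while [ ! -d "$p" ] && [ "$p" != / ]; do
        p=$(dirname "$p")
    done
    echo "$p"
}

# fs_type PATH: print the filesystem type ("zfs", "ufs", ...) holding PATH.
# Prints nothing if df cannot answer.
fs_type() {
    d=$(nearest_existing_dir "$1")
    df -PT "$d" 2>/dev/null | awk 'NR==2 {print $2}'
}

# provision_args FSTYPE: the options used in this thread, plus the
# ZFS-only vfs objects override from comment 12.
provision_args() {
    args='--use-rfc2307 --interactive'
    case $1 in
        zfs) args="$args --option=\"vfs objects\"=\"dfs_samba4 zfsacl\"" ;;
    esac
    echo "$args"
}

# provision_cmd STATEDIR: full command line for the FS holding STATEDIR.
# Only prints the command; nothing here runs samba-tool.
provision_cmd() {
    echo "samba-tool domain provision $(provision_args "$(fs_type "$1")")"
}

# Usage: sh provision_cmd.sh /var/db/samba4
if [ -n "${1:-}" ]; then
    echo "filesystem: $(fs_type "$1")"
    provision_cmd "$1"
fi
```

The script prints the command rather than executing it, so the result can be reviewed (and the UFS/ZFS decision confirmed against the "filesystem:" line) before anything is written to the state directory.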
Comment 13 ANx 2018-03-22 23:04:39 UTC
(In reply to Timur I. Bakeyev from comment #12)

Installed from pkg...

# pkg install samba47

Then added the pointed options to provision command 

# samba-tool domain provision --use-rfc2307 --interactive --option="vfs objects"="dfs_samba4 zfsacl"

IT WORKS!
Thanks in a million.