Created attachment 184488 [details] UNSAFE patch replacing SYSTEM with USER namespace SAMBA 4.5.12 successfully builds and installs an AD instance on FreeBSD 11.1 Prerelease (amd64). SAMBA 4.6.6 builds and runs a standalone FS but NOT an AD instance on FreeBSD 11.1 Prerelease. The fundamental reason is that sysvol is assigned "system" namespace extended attributes. Within a jailed environment this is a show-stopper as use of a "system" namespace returns "Operation not permitted". To provision an AD within a jailed environment, you will need to apply the enclosed patch, prior to building net/samba46. NOTE: 1) Andrew Bartlett - SAMBA developer, Authentication: advises that replacing SYSTEM with USER namespaces is an UNSAFE approach. 2) This will reveal the binary content of the extended attribute of interest: getextattr user NTACL /var/db/samba4/sysvol/hs|hd ---//--- Message received while provisioning an AD without the attached patch ... Setting up self join set_nt_acl_no_snum: fset_nt_acl returned NT_STATUS_INVALID_PARAMETER. ERROR(runtime): uncaught exception - (-1073741811, 'Unexpected information received') File "/usr/local/lib/python2.7/site-packages/samba/netcmd/__init__.py", line 176, in _run return self.run(*args, **kwargs) File "/usr/local/lib/python2.7/site-packages/samba/netcmd/domain.py", line 471, in run nosync=ldap_backend_nosync, ldap_dryrun_mode=ldap_dryrun_mode) File "/usr/local/lib/python2.7/site-packages/samba/provision/__init__.py", line 2175, in provision skip_sysvolacl=skip_sysvolacl) File "/usr/local/lib/python2.7/site-packages/samba/provision/__init__.py", line 1806, in provision_fill names.domaindn, lp, use_ntvfs) File "/usr/local/lib/python2.7/site-packages/samba/provision/__init__.py", line 1593, in setsysvolacl service=SYSVOL_SERVICE) File "/usr/local/lib/python2.7/site-packages/samba/ntacls.py", line 162, in setntacl smbd.set_nt_acl(file, security.SECINFO_OWNER | security.SECINFO_GROUP | security.SECINFO_DACL | security.SECINFO_SACL, sd, service=service)
Same bug at samba bugzilla: https://bugzilla.samba.org/show_bug.cgi?id=12912 Any progress?
(In reply to vvd from comment #1) It is unlikely to progress, except for a FreeBSD patch to our SAMBA4X ports. I've applied the patch to AD and standalone SAMBA instances with 4.6.6 through to 4.6.8 and everything is fine. I used Andrew Bartlett's term of "unsafe" in the title. If the SAMBA people do NOT change the way that extended attributes are assigned/used on the volsys, then this patch is the way it has to be - when using SAMBA within a jail. And given the size and complexity of SAMBA4 who wouldn't want it to be encased within a jail? Perhaps it should be an option - running SAMBA4X in a jail - apply patch. :)
Just tested with samba 4.6.8 from ports _WITHOUT JAIL_, error didn't changed: set_nt_acl_no_snum: fset_nt_acl returned NT_STATUS_INVALID_PARAMETER. ERROR(runtime): uncaught exception - (-1073741811, 'Unexpected information received') File "/usr/local/lib/python2.7/site-packages/samba/netcmd/__init__.py", line 176, in _run return self.run(*args, **kwargs) File "/usr/local/lib/python2.7/site-packages/samba/netcmd/domain.py", line 471, in run nosync=ldap_backend_nosync, ldap_dryrun_mode=ldap_dryrun_mode) File "/usr/local/lib/python2.7/site-packages/samba/provision/__init__.py", line 2175, in provision skip_sysvolacl=skip_sysvolacl) File "/usr/local/lib/python2.7/site-packages/samba/provision/__init__.py", line 1806, in provision_fill names.domaindn, lp, use_ntvfs) File "/usr/local/lib/python2.7/site-packages/samba/provision/__init__.py", line 1593, in setsysvolacl service=SYSVOL_SERVICE) File "/usr/local/lib/python2.7/site-packages/samba/ntacls.py", line 162, in setntacl smbd.set_nt_acl(file, security.SECINFO_OWNER | security.SECINFO_GROUP | security.SECINFO_DACL | security.SECINFO_SACL, sd, service=service)
I think that with all the hacks and patches net/samba47 got this should work in the jails as well. But, my question would be - why do you want to run AD inside a jail, which, besides more secure environment also puts quite a bunch of extra restrictions on the environment.
(In reply to Timur I. Bakeyev from comment #4) Thanks Timur. I've examined the file /usr/ports/net/samba47/work/samba-4.7.3/lib/replace/xattr.c and it looks like my earlier patch is still required. It will be a few days before I can test. There are a couple of reasons for deploying within a jail. Samba AD doesn't provide full functionality when acting (also) as a fileserver. So its necessary to have two SAMBA servers AD+fileserver (jails or VMs). Security is a concern, particularly as SAMBA is complex software, from an engineering perspective, it's deemed that isolating the service has utility in terms of mitigating undiscovered vulnerabilities. We also isolate GPL software so customers can access and modify only those particular elements that they are entitled.
(In reply to dewayne from comment #5) > I've examined the file /usr/ports/net/samba47/work/samba-4.7.3/lib/replace/xattr.c and it looks like my earlier patch is still required. It will be a few days before I can test. Please, give it a try :) There are more than one way to skin a cat :) I understand your concerns, but the same should apply to windows Server as well. In the days of VMs and docker jails could be a bit outdated alternative... Well, give it a try anyhow, at least xattr problem shouldn't be there(but there could be others, due the limitations of jails).
(In reply to Timur I. Bakeyev from comment #6) > In the days of _containers_ _containers_ could be a bit outdated alternative... Hm?… "samba-tool domain provision --use-rfc2307 --interactive" work fine in net/samba47, thanks!
(In reply to vvd from comment #7) Hello vvp, Sorry for returning to such old thread, but what you mean that it worked with net/samba47? a) Simple installed net/samba47 from ports; b) Installed from ports and applied this patch? By the way, I’m facing the same issue, coming from pkg installation. I would also appreciate detailed instructions on applying this patch... new to FreeBSD. Regards, ANx
(In reply to ANx from comment #8) Hi! I'm just installed net/samba47 from ports without custom patches and this error disappeared.
(In reply to vvd from comment #9) Thank you for the quick reply.
(In reply to vvd from comment #9) Got the same error, but please note that I'm also under jail environment... ---------------------------------------------------------------- set_nt_acl_no_snum: fset_nt_acl returned NT_STATUS_INVALID_PARAMETER. ERROR(runtime): uncaught exception - (-1073741811, 'An invalid parameter was passed to a service or function.') File "/usr/local/lib/python2.7/site-packages/samba/netcmd/__init__.py", line 176, in _run return self.run(*args, **kwargs) File "/usr/local/lib/python2.7/site-packages/samba/netcmd/domain.py", line 474, in run nosync=ldap_backend_nosync, ldap_dryrun_mode=ldap_dryrun_mode) File "/usr/local/lib/python2.7/site-packages/samba/provision/__init__.py", line 2187, in provision skip_sysvolacl=skip_sysvolacl) File "/usr/local/lib/python2.7/site-packages/samba/provision/__init__.py", line 1815, in provision_fill names.domaindn, lp, use_ntvfs) File "/usr/local/lib/python2.7/site-packages/samba/provision/__init__.py", line 1599, in setsysvolacl service=SYSVOL_SERVICE) File "/usr/local/lib/python2.7/site-packages/samba/ntacls.py", line 162, in setntacl smbd.set_nt_acl(file, security.SECINFO_OWNER | security.SECINFO_GROUP | security.SECINFO_DACL | security.SECINFO_SACL, sd, service=service)
(In reply to ANx from comment #11) What FS do you have in that jail? Behavior of Samba on UFS and ZFS is different in case of provisioning(well, in other aspects also). For ZFS ATM you need to add `--option="vfs objects"="dfs_samba4 zfsacl"` to the list of parameters for `provision`. For UFS the hack in samba47 should work OOTB.
(In reply to Timur I. Bakeyev from comment #12) Installed from pkg... # pkg install samba47 Then added the pointed options to provision command # samba-tool domain provision --use-rfc2307 --interactive --option="vfs objects"="dfs_samba4 zfsacl" IT WORKS! Thanks in a million.