Bug 225676 - net/samba47: domain controller provision fails in a jail.
Summary: net/samba47: domain controller provision fails in a jail.
Status: Closed Overcome By Events
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s) (show other bugs)
Version: Latest
Hardware: Any Any
: --- Affects Some People
Assignee: Timur I. Bakeyev
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2018-02-05 02:57 UTC by David Gilbert
Modified: 2019-08-19 10:01 UTC (History)
2 users (show)

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description David Gilbert 2018-02-05 02:57:25 UTC 
Test box is 11-STABLE on amd64, in a jail.  I turned on 'allow.chflags' in the jail in case that would help.

I'm trying to provision samba 4.7 in a jail.  Compile and install went well.  When I use "samba-tool domain provision --use-rfc2307 --interactive" ... I end up with:

Setting up self join
set_nt_acl_no_snum: fset_nt_acl returned NT_STATUS_INVALID_PARAMETER.
ERROR(runtime): uncaught exception - (-1073741811, 'An invalid parameter was passed to a service or function.')
  File "/usr/local/lib/python2.7/site-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/local/lib/python2.7/site-packages/samba/netcmd/domain.py", line 474, in run
    nosync=ldap_backend_nosync, ldap_dryrun_mode=ldap_dryrun_mode)
  File "/usr/local/lib/python2.7/site-packages/samba/provision/__init__.py", line 2187, in provision
    skip_sysvolacl=skip_sysvolacl)
  File "/usr/local/lib/python2.7/site-packages/samba/provision/__init__.py", line 1815, in provision_fill
    names.domaindn, lp, use_ntvfs)
  File "/usr/local/lib/python2.7/site-packages/samba/provision/__init__.py", line 1599, in setsysvolacl
    service=SYSVOL_SERVICE)
  File "/usr/local/lib/python2.7/site-packages/samba/ntacls.py", line 162, in setntacl
    smbd.set_nt_acl(file, security.SECINFO_OWNER | security.SECINFO_GROUP | security.SECINFO_DACL | security.SECINFO_SACL, sd, service=service)
Comment 1 David Gilbert 2018-02-05 02:59:14 UTC 
I believed this, BTW, because https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=209787 said that things with samba were fixed.
Comment 2 Timur I. Bakeyev freebsd_committer freebsd_triage 2018-02-05 16:00:18 UTC 
(In reply to dgilbert from comment #1)

The things worked fine till 4.7.3, but something had changed in 4.7.4 again and provisioning doesn't work even on a host system due the same reason :( I'm planning more comprehensive fix in mapping 'security' and 'system' name space into 'user' for jails.

Which is compromise in security, but extattr support in FreeBSD haven't changed since 5.0 :(
Comment 3 David Gilbert 2018-02-05 18:35:41 UTC 
Since this is failing in python code, is it the python rather than the samba code that changed?
Comment 4 Timur I. Bakeyev freebsd_committer freebsd_triage 2018-02-05 23:21:22 UTC 
(In reply to dgilbert from comment #3)

I've checked that and couldn't find anything related. Seems some code route has changed :(

Well, we need better solution than an attribute hack anyhow.
Comment 5 David Gilbert 2018-02-05 23:33:16 UTC 
Is there a way I can bypass this so I can get things going right now?
Comment 6 Timur I. Bakeyev freebsd_committer freebsd_triage 2018-02-05 23:41:18 UTC 
(In reply to dgilbert from comment #5)

I guess you can brute force it by changing in the Python code all:

smbd.set_nt_acl(file, security.SECINFO_OWNER | security.SECINFO_GROUP | security.SECINFO_DACL | security.SECINFO_SACL, sd, service=service)

mentions of security.* to user.*.

But no hard promises obviously :)
Comment 7 David Gilbert 2018-02-14 21:28:51 UTC 
(In reply to Timur I. Bakeyev from comment #6)

... so changing to user., user is not a defined symbol.  security is imported from samba.dceprc, but there's no user to import from there.

Where would I import user. from, or where/how would I create it?
Comment 8 Felix Palmen freebsd_committer freebsd_triage 2018-05-14 17:36:28 UTC 
Did someone get the "attribute hack" to work again meanwhile? I see it's unclean, but I'd be happy with it ...
Comment 9 Rene Ladan freebsd_committer freebsd_triage 2019-08-19 10:01:07 UTC 
samba47 expired today, please use samba48 or samba410.