It just got stuck but did not throw any error, and I tried non-interactive:

WARNING: Module [group_audit_log] not found - do you need to set LDB_MODULES_PATH?
module samba_dsdb initialization failed : Operations error
Unable to load modules for /var/db/samba4/private/sam.ldb: No such Base DN: @INDEXLIST
ERROR(ldb): uncaught exception - No such Base DN: @INDEXLIST
Created attachment 205675: plist-fix to install missing modules

Proposed patch. Not sure about the options that control if mdb.so is built; the two audit modules are only built for AD_DC.
This has hit me too. Pawel's patch is correct, but of course needs a PORTREVISION bump too.
Pawel's patch works fine, thank you.
samba-tool domain provision --domain=TEST --use-rfc2307 --realm=test.home --adminpass=1Passw@rD

Without patch >
INFO 2019-07-24 00:36:41,587 pid:2459 /usr/local/lib/python3.6/site-packages/samba/provision/__init__.py #1297: Pre-loading the Samba 4 and AD schema
WARNING: Module [group_audit_log] not found - do you need to set LDB_MODULES_PATH?
module samba_dsdb initialization failed : Operations error
Unable to load modules for /var/db/samba4/private/sam.ldb: No such Base DN: @INDEXLIST
ERROR(ldb): uncaught exception - No such Base DN: @INDEXLIST

With patch >
INFO 2019-07-24 01:15:59,293 pid:52505 /usr/local/lib/python3.6/site-packages/samba/provision/__init__.py #2087: Looking up IPv4 addresses
WARNING 2019-07-24 01:15:59,294 pid:52505 /usr/local/lib/python3.6/site-packages/samba/provision/__init__.py #2093: More than one IPv4 address found. Using 192.168.56.25
INFO 2019-07-24 01:15:59,294 pid:52505 /usr/local/lib/python3.6/site-packages/samba/provision/__init__.py #2104: Looking up IPv6 addresses
WARNING 2019-07-24 01:15:59,294 pid:52505 /usr/local/lib/python3.6/site-packages/samba/provision/__init__.py #2111: No IPv6 address will be assigned
INFO 2019-07-24 01:15:59,544 pid:52505 /usr/local/lib/python3.6/site-packages/samba/provision/__init__.py #2277: Setting up share.ldb
INFO 2019-07-24 01:15:59,556 pid:52505 /usr/local/lib/python3.6/site-packages/samba/provision/__init__.py #2281: Setting up secrets.ldb
INFO 2019-07-24 01:15:59,565 pid:52505 /usr/local/lib/python3.6/site-packages/samba/provision/__init__.py #2287: Setting up the registry
INFO 2019-07-24 01:15:59,591 pid:52505 /usr/local/lib/python3.6/site-packages/samba/provision/__init__.py #2290: Setting up the privileges database
INFO 2019-07-24 01:15:59,605 pid:52505 /usr/local/lib/python3.6/site-packages/samba/provision/__init__.py #2293: Setting up idmap db
INFO 2019-07-24 01:15:59,616 pid:52505 /usr/local/lib/python3.6/site-packages/samba/provision/__init__.py #2300: Setting up SAM db
INFO 2019-07-24 01:15:59,622 pid:52505 /usr/local/lib/python3.6/site-packages/samba/provision/__init__.py #882: Setting up sam.ldb partitions and settings
INFO 2019-07-24 01:15:59,622 pid:52505 /usr/local/lib/python3.6/site-packages/samba/provision/__init__.py #894: Setting up sam.ldb rootDSE
INFO 2019-07-24 01:15:59,624 pid:52505 /usr/local/lib/python3.6/site-packages/samba/provision/__init__.py #1297: Pre-loading the Samba 4 and AD schema
Unable to determine the DomainSID, can not enforce uniqueness constraint on local domainSIDs
INFO 2019-07-24 01:15:59,639 pid:52505 /usr/local/lib/python3.6/site-packages/samba/provision/__init__.py #1374: Adding DomainDN: DC=test,DC=home
INFO 2019-07-24 01:15:59,648 pid:52505 /usr/local/lib/python3.6/site-packages/samba/provision/__init__.py #1406: Adding configuration container
INFO 2019-07-24 01:15:59,659 pid:52505 /usr/local/lib/python3.6/site-packages/samba/provision/__init__.py #1415: Setting up sam.ldb schema
INFO 2019-07-24 01:16:00,896 pid:52505 /usr/local/lib/python3.6/site-packages/samba/provision/__init__.py #1435: Setting up sam.ldb configuration data
ERROR(<class 'UnicodeDecodeError'>): uncaught exception - 'ascii' codec can't decode byte 0xe2 in position 513: ordinal not in range(128)
  File "/usr/local/lib/python3.6/site-packages/samba/netcmd/__init__.py", line 185, in _run
    return self.run(*args, **kwargs)
  File "/usr/local/lib/python3.6/site-packages/samba/netcmd/domain.py", line 536, in run
    backend_store=backend_store)
  File "/usr/local/lib/python3.6/site-packages/samba/provision/__init__.py", line 2342, in provision
    backend_store=backend_store)
  File "/usr/local/lib/python3.6/site-packages/samba/provision/__init__.py", line 1924, in provision_fill
    backend_store=backend_store)
  File "/usr/local/lib/python3.6/site-packages/samba/provision/__init__.py", line 1473, in fill_samdb
    "INC2012": incl_2012,
  File "/usr/local/lib/python3.6/site-packages/samba/provision/common.py", line 54, in setup_add_ldif
    data = read_and_sub_file(ldif_path, subst_vars)
  File "/usr/local/lib/python3.6/site-packages/samba/__init__.py", line 283, in read_and_sub_file
    data = open(file_name, 'r').read()
  File "/usr/local/lib/python3.6/encodings/ascii.py", line 26, in decode
    return codecs.ascii_decode(input, self.errors)[0]
You need this patch https://gitlab.com/samba-team/samba/commit/d01c5bc9fbe316d2358ead6382f4e7e3bf5fc000
Hi, thank you for the help. Now I have another error:

ERROR(runtime): uncaught exception - (3221225485, 'An invalid parameter was passed to a service or function.')

P.S. net/samba48 has the same problems with samba-tool, but samba-tool from net/samba47 worked fine...

root@vb-freebsd:~ # samba-tool domain provision --domain=OFFICE --use-rfc2307 --realm=office.test --adminpass=Passw@orD
INFO 2019-07-26 11:06:32,636 pid:786 /usr/local/lib/python3.6/site-packages/samba/provision/__init__.py #2087: Looking up IPv4 addresses
WARNING 2019-07-26 11:06:32,636 pid:786 /usr/local/lib/python3.6/site-packages/samba/provision/__init__.py #2093: More than one IPv4 address found. Using 192.168.56.25
INFO 2019-07-26 11:06:32,636 pid:786 /usr/local/lib/python3.6/site-packages/samba/provision/__init__.py #2104: Looking up IPv6 addresses
WARNING 2019-07-26 11:06:32,637 pid:786 /usr/local/lib/python3.6/site-packages/samba/provision/__init__.py #2111: No IPv6 address will be assigned
INFO 2019-07-26 11:06:32,912 pid:786 /usr/local/lib/python3.6/site-packages/samba/provision/__init__.py #2277: Setting up share.ldb
INFO 2019-07-26 11:06:32,925 pid:786 /usr/local/lib/python3.6/site-packages/samba/provision/__init__.py #2281: Setting up secrets.ldb
INFO 2019-07-26 11:06:32,936 pid:786 /usr/local/lib/python3.6/site-packages/samba/provision/__init__.py #2287: Setting up the registry
INFO 2019-07-26 11:06:32,959 pid:786 /usr/local/lib/python3.6/site-packages/samba/provision/__init__.py #2290: Setting up the privileges database
INFO 2019-07-26 11:06:32,971 pid:786 /usr/local/lib/python3.6/site-packages/samba/provision/__init__.py #2293: Setting up idmap db
INFO 2019-07-26 11:06:32,982 pid:786 /usr/local/lib/python3.6/site-packages/samba/provision/__init__.py #2300: Setting up SAM db
INFO 2019-07-26 11:06:32,987 pid:786 /usr/local/lib/python3.6/site-packages/samba/provision/__init__.py #882: Setting up sam.ldb partitions and settings
INFO 2019-07-26 11:06:32,988 pid:786 /usr/local/lib/python3.6/site-packages/samba/provision/__init__.py #894: Setting up sam.ldb rootDSE
INFO 2019-07-26 11:06:32,990 pid:786 /usr/local/lib/python3.6/site-packages/samba/provision/__init__.py #1297: Pre-loading the Samba 4 and AD schema
Unable to determine the DomainSID, can not enforce uniqueness constraint on local domainSIDs
INFO 2019-07-26 11:06:33,009 pid:786 /usr/local/lib/python3.6/site-packages/samba/provision/__init__.py #1374: Adding DomainDN: DC=office,DC=test
INFO 2019-07-26 11:06:33,019 pid:786 /usr/local/lib/python3.6/site-packages/samba/provision/__init__.py #1406: Adding configuration container
INFO 2019-07-26 11:06:33,029 pid:786 /usr/local/lib/python3.6/site-packages/samba/provision/__init__.py #1415: Setting up sam.ldb schema
INFO 2019-07-26 11:06:34,241 pid:786 /usr/local/lib/python3.6/site-packages/samba/provision/__init__.py #1435: Setting up sam.ldb configuration data
INFO 2019-07-26 11:06:34,334 pid:786 /usr/local/lib/python3.6/site-packages/samba/provision/__init__.py #1476: Setting up display specifiers
INFO 2019-07-26 11:06:35,232 pid:786 /usr/local/lib/python3.6/site-packages/samba/provision/__init__.py #1484: Modifying display specifiers and extended rights
INFO 2019-07-26 11:06:35,254 pid:786 /usr/local/lib/python3.6/site-packages/samba/provision/__init__.py #1491: Adding users container
INFO 2019-07-26 11:06:35,255 pid:786 /usr/local/lib/python3.6/site-packages/samba/provision/__init__.py #1497: Modifying users container
INFO 2019-07-26 11:06:35,256 pid:786 /usr/local/lib/python3.6/site-packages/samba/provision/__init__.py #1500: Adding computers container
INFO 2019-07-26 11:06:35,257 pid:786 /usr/local/lib/python3.6/site-packages/samba/provision/__init__.py #1506: Modifying computers container
INFO 2019-07-26 11:06:35,258 pid:786 /usr/local/lib/python3.6/site-packages/samba/provision/__init__.py #1510: Setting up sam.ldb data
INFO 2019-07-26 11:06:35,347 pid:786 /usr/local/lib/python3.6/site-packages/samba/provision/__init__.py #1540: Setting up well known security principals
INFO 2019-07-26 11:06:35,366 pid:786 /usr/local/lib/python3.6/site-packages/samba/provision/__init__.py #1554: Setting up sam.ldb users and groups
INFO 2019-07-26 11:06:35,457 pid:786 /usr/local/lib/python3.6/site-packages/samba/provision/__init__.py #1562: Setting up self join
set_nt_acl_no_snum: fset_nt_acl returned NT_STATUS_INVALID_PARAMETER.
ERROR(runtime): uncaught exception - (3221225485, 'An invalid parameter was passed to a service or function.')
  File "/usr/local/lib/python3.6/site-packages/samba/netcmd/__init__.py", line 185, in _run
    return self.run(*args, **kwargs)
  File "/usr/local/lib/python3.6/site-packages/samba/netcmd/domain.py", line 536, in run
    backend_store=backend_store)
  File "/usr/local/lib/python3.6/site-packages/samba/provision/__init__.py", line 2342, in provision
    backend_store=backend_store)
  File "/usr/local/lib/python3.6/site-packages/samba/provision/__init__.py", line 1946, in provision_fill
    names.domaindn, lp, use_ntvfs)
  File "/usr/local/lib/python3.6/site-packages/samba/provision/__init__.py", line 1726, in setsysvolacl
    _setntacl(sysvol)
  File "/usr/local/lib/python3.6/site-packages/samba/provision/__init__.py", line 1723, in _setntacl
    service=SYSVOL_SERVICE, session_info=session_info)
  File "/usr/local/lib/python3.6/site-packages/samba/ntacls.py", line 230, in setntacl
    service=service, session_info=session_info)
> * BUG 13828: samba-tool domain provision: Fix --interactive module in
>   python3.

https://www.samba.org/samba/history/samba-4.10.6.html
This also hit me on an upgrade of a domain controller from 4.6 to 4.10, the server wouldn't start:

[2019/08/05 13:22:00.865649, 0, effective(0, 0), real(0, 0)] ../../lib/ldb-samba/ldb_wrap.c:79(ldb_wrap_debug)
  ldb: WARNING: Module [group_audit_log] not found - do you need to set LDB_MODULES_PATH?
[2019/08/05 13:22:00.865741, 0, effective(0, 0), real(0, 0)] ../../lib/ldb-samba/ldb_wrap.c:79(ldb_wrap_debug)
  ldb: module samba_dsdb initialization failed : Operations error
[2019/08/05 13:22:00.865787, 0, effective(0, 0), real(0, 0)] ../../lib/ldb-samba/ldb_wrap.c:79(ldb_wrap_debug)
  ldb: Unable to load modules for /var/db/samba4/private/sam.ldb: (null)
[2019/08/05 13:22:00.867065, 0, effective(0, 0), real(0, 0)] ../../lib/util/become_daemon.c:122(exit_daemon)
  exit_daemon: daemon failed to start: Samba failed to prime database, error code 22

After copying the 3 modules from the diff to /usr/local/lib/samba4/modules/ldb it works as expected; a recompile and reinstall after applying the diff didn't work for some reason (modules still weren't there).
A commit references this bug:

Author: timur
Date: Mon Aug 19 22:22:35 UTC 2019
New revision: 509383
URL: https://svnweb.freebsd.org/changeset/ports/509383

Log:
  Upgrade samba410 port to 4.10.6 version.

  Fixed vfs_freebsd to match newer configure test.

  This release should fix provisioning on UFS2 systems, ZFS provisioning is still broken...

  PR: 239105

Changes:
  head/net/samba410/Makefile
  head/net/samba410/distinfo
  head/net/samba410/files/man/ldb.3
  head/net/samba410/files/patch-lib_ldb_wscript
  head/net/samba410/files/patch-lib_tdb_wscript
  head/net/samba410/files/patch-listen-backlog
  head/net/samba410/files/patch-vfs_freebsd
  head/net/samba410/pkg-plist
Thanks! Please add NONE to the ZEROCONF section. This line makes it mandatory for me to use one: "OPTIONS_SINGLE= GSSAPI ZEROCONF".
Or this way: --- Makefile.orig +++ Makefile @@ -98,9 +98,9 @@ OPTIONS_SINGLE= GSSAPI ZEROCONF # GSSAPI_HEIMDAL OPTIONS_SINGLE_GSSAPI= GSSAPI_BUILTIN GSSAPI_MIT -OPTIONS_SINGLE_ZEROCONF= AVAHI MDNSRESPONDER -OPTIONS_RADIO= DNS +OPTIONS_RADIO= ZEROCONF DNS +OPTIONS_RADIO_ZEROCONF= AVAHI MDNSRESPONDER OPTIONS_RADIO_DNS= NSUPDATE BIND911 BIND914 ############################################################################## AD_DC_DESC= Active Directory Domain Controller
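Review bot: the unchanged context line "OPTIONS_SINGLE= GSSAPI ZEROCONF" at the top of the hunk still lists ZEROCONF, so after this change the group is declared under both OPTIONS_SINGLE and OPTIONS_RADIO while OPTIONS_SINGLE_ZEROCONF no longer exists. If the goal is to make ZEROCONF optional, that line needs to become "OPTIONS_SINGLE= GSSAPI" in the same hunk; as posted, the single-choice group is left declared with no members. A one-line comment above OPTIONS_RADIO saying that selecting neither AVAHI nor MDNSRESPONDER is now valid would also help.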
Also a related problem- databases/Makefile is missing ldb15 entry.
Weird - on amd64 12.0 and 11.3 it builds fine with my patch, but on i386 12.0 I got an error:

===> Installing for samba410-4.10.6
===> Checking if samba410 is already installed
===> Registering installation for samba410-4.10.6
pkg-static: Unable to access file /usr/obj/usr/ports/net/samba410/work/stage/usr/local/lib/samba4/modules/ldb/mdb.so:No such file or directory
*** Error code 74

Stop.
make[1]: stopped in /usr/ports/net/samba410
*** Error code 1

# find /usr/obj/usr/ports/net/samba410/work/ -name mdb.so
# grep -R /mdb.so /usr/ports/net/samba410
/usr/ports/net/samba410/pkg-plist:%%AD_DC%%%%SAMBA4_BUNDLED_LDB%%%%SAMBA4_MODULEDIR%%/ldb/mdb.so
Just a quick note: this hit me when upgrading samba from 48 to 410 on a machine that was provisioned as ADDC with samba47. The patch attached here resolved the issue, so thanks for that! Please resolve remaining issues and commit this soon :) BR, Felix
(In reply to Felix Palmen from comment #15) What patch?
(In reply to VVD from comment #16) The one attached here. I'm on amd64...
(In reply to Felix Palmen from comment #17) This: https://bugs.freebsd.org/bugzilla/attachment.cgi?id=205675&action=diff ? It's applied already - check net/samba410/pkg-plist file.
Thanks for solving this issue. Can this be pulled up to 2019Q3 branch?
(In reply to VVD from comment #14)
I haven't applied any patches, but I got the same error today with Poudriere trying to build on i386 12.0-RELEASE-p8

=======================<phase: package >============================
===> Building package for samba410-4.10.6
pkg-static: Unable to access file /wrkdirs/usr/ports/net/samba410/work/stage/usr/local/lib/samba4/modules/ldb/mdb.so:No such file or directory
*** Error code 1
Samba 4.10.7 is out. Why not move up that way and see if the problems go away?
Created attachment 206805: Make ZEROCONF optional: SINGLE replaced on RADIO

Build error on i386 gone after patch: https://svnweb.freebsd.org/ports?view=revision&revision=509598
But still can't build samba410 without ZEROCONF on any platform - patch attached.
Just updated and now I get

Traceback (most recent call last):
  File "/usr/local/bin/samba-tool", line 33, in <module>
    from samba.netcmd.main import cmd_sambatool
  File "/usr/local/lib/python3.6/site-packages/samba/__init__.py", line 28, in <module>
    import ldb
ImportError: /usr/local/lib/python3.6/site-packages/ldb.so: Undefined symbol "ldb_handler_copy"
Undefined symbol error happens because ldb is now "builtin" by default. I have reported a similar issue (https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=239480) for the net/samba48 port almost a month ago.
(In reply to doctor from comment #23) may I suggest that databases/ldb15 be a dependency on net/samba410 ?
Also I am trying to follow https://www.youtube.com/watch?v=riWQ1WZi5BM which seems to work for 10.1, but since some changes have been made, python failures are showing up. Is there any way to treat this as though it needed to be fixed yesterday?
Still broken:

--- snip ---
[root@dc ~]# samba-tool domain provision --use-rfc2307 --interactive
Realm [XXX.NET]:
Domain [XXX]: XXX
Server Role (dc, member, standalone) [dc]: dc
DNS backend (SAMBA_INTERNAL, BIND9_FLATFILE, BIND9_DLZ, NONE) [SAMBA_INTERNAL]: BIND9_DLZ
Administrator password:
Retype password:
INFO 2019-09-07 20:58:55,561 pid:37356 /usr/local/lib/python3.6/site-packages/samba/provision/__init__.py #2096: Looking up IPv4 addresses
INFO 2019-09-07 20:58:55,562 pid:37356 /usr/local/lib/python3.6/site-packages/samba/provision/__init__.py #2113: Looking up IPv6 addresses
WARNING 2019-09-07 20:58:55,562 pid:37356 /usr/local/lib/python3.6/site-packages/samba/provision/__init__.py #2120: No IPv6 address will be assigned
INFO 2019-09-07 20:58:56,284 pid:37356 /usr/local/lib/python3.6/site-packages/samba/provision/__init__.py #2286: Setting up share.ldb
Unable to find backend for '/var/db/samba4/private/share.ldb' - do you need to set LDB_MODULES_PATH?
ERROR(ldb): uncaught exception - None
  File "/usr/local/lib/python3.6/site-packages/samba/netcmd/__init__.py", line 185, in _run
    return self.run(*args, **kwargs)
  File "/usr/local/lib/python3.6/site-packages/samba/netcmd/domain.py", line 537, in run
    backend_store=backend_store)
  File "/usr/local/lib/python3.6/site-packages/samba/provision/__init__.py", line 2287, in provision
    share_ldb = Ldb(paths.shareconf, session_info=session_info, lp=lp)
  File "/usr/local/lib/python3.6/site-packages/samba/__init__.py", line 115, in __init__
    self.connect(url, flags, options)
[root@dc ~]#
--- snip ---

Also, I imagine this should probably be marked as affecting more than "only me", since I imagine a lot of people would like to use the Samba AD DC functionality.
Please fix the importance to 'affects everyone.' This has clearly been broken for months, and quite obviously breaks core functionality. A fix for what should be a simple problem is needed ASAP.
(In reply to tlb from comment #27)
Add this to your make.conf:

SAMBA4_BUNDLED_TALLOC= no
SAMBA4_BUNDLED_TEVENT= no
SAMBA4_BUNDLED_TDB= no
SAMBA4_BUNDLED_LDB= no

That works for me.
(In reply to Vithushan Ka. from comment #29)
No, your claimed fix does not fix anything. This breaks LMDB linking which results in a build that CANNOT be used as a domain controller. AD_DC requires both LDB and LMDB. This is what you get with 'SAMBA4_BUNDLED_LDB=no'

Makefile:
# LMDB
SAMBA4_LMDB_DEPENDS= lmdb>=0.9.16:databases/lmdb
PLIST_FILES+= lib/samba4/private/libldb-mdb-int-samba4.so \
 ${SAMBA4_MODULEDIR}/ldb/mdb.so

# pkg info -l samba410 | grep lmdb
#
# pkg info -l samba410 | grep libldb-mdb
#
# ls -l /usr/local/lib/samba4/private/libldb-mdb-int-samba4.so
ls: /usr/local/lib/samba4/private/libldb-mdb-int-samba4.so: No such file or directory
# ls -l /usr/local/lib/samba4/modules
ls: /usr/local/lib/samba4/modules: No such file or directory
I gather that we can look forward to more months of this port being utterly broken and that fact ignored, then?
(In reply to tlb from comment #31) Feel free to send patches.
(In reply to Phillip R. Jaenke from comment #30)
With the option I used I had to install ldb15 and it's good. Provision works, user creation works, and GPOs too. On UFS it's OK but on ZFS it is broken on the sysvol right. I think by putting the right nfsv4 manually the supply should work properly. It seems that samba-tool is broken but not smbd and the rest.

PS: Sorry, I'm French, sorry for my English; I was not a fan of my English teacher who did not love English ...
I'm not sure if I understand this in full (after just a day of trying), but: it's my understanding that the problem revolves around the AD DC feature, when running on a ZFS system? The start script currently tries to launch /usr/local/sbin/samba which is only created IF you have the AD DC option configured. If this samba server is your AD DC, then right now you have a big problem. But, as far as I know, the majority of samba servers are NOT AD DCs. Is it possible to document the flags that would allow to only build the port for a file server - and make those the defaults? That would mean in the pkgs we have on the repos there would be a samba that works on ZFS systems, except for one (not enabled) case. Instead right now we have a Samba that does not work for anyone at all (on ZFS, but that's pretty much a given), while also not making it work for the people that use it for DC. So, in fact, we seem to default to the worst possible case? It gets complicated by the start script looking to start "samba" but that could be a problem in general since that tool is not built in all cases as far as I could see. Sorry, if I am stepping on any toes here. But it seems a hard to solve problem and maybe it would be easier to reduce its impact.
(In reply to florian.heigl from comment #34) You've got it wrong. This only concerns AD DC setups. File server setups work just fine- I have quite a few of them running samba410 from the official repo, all running on ZFS, some joined to AD and some standalone... I do not currently experience any problems with any of them.
(In reply to Timur I. Bakeyev from comment #32) Sorry, replying late here. You rejected my last patch, because it went against portgmr's wishes. Unfortunately I can't find the email you referenced, because I'd like to reply to make a few comments to them- do you know which list it was on or have a link?
Hi, I have a strange situation: my hardware failed, and after the repair I wanted to restore my samba DC, but the restore command fails:

samba-tool domain backup restore --backup-file=/samba.online/samba-backup-domain.local-2020-01-02T02-01-25.719514.tar.bz2 --targetdir=/var/db/samba4/ --newservername=dc01.domain.local

The restore fails with this error:

set_nt_acl_no_snum: fset_nt_acl returned NT_STATUS_INVALID_PARAMETER.
ERROR(runtime): uncaught exception - (3221225485, 'An invalid parameter was passed to a service or function.')
  File "/usr/local/lib/python3.6/site-packages/samba/netcmd/__init__.py", line 185, in _run
    return self.run(*args, **kwargs)
  File "/usr/local/lib/python3.6/site-packages/samba/netcmd/domain_backup.py", line 624, in run
    backup_restore(sysvol_tar, dest_sysvol_dir, samdb, smbconf)
  File "/usr/local/lib/python3.6/site-packages/samba/ntacls.py", line 604, in backup_restore
    ntacls_helper.setntacl(dst, ntacl_sddl_str)
  File "/usr/local/lib/python3.6/site-packages/samba/ntacls.py", line 460, in setntacl
    use_ntvfs=self.use_ntvfs)
  File "/usr/local/lib/python3.6/site-packages/samba/ntacls.py", line 232, in setntacl
    service=service, session_info=session_info)
======================================================================================

I tried to provision a new domain just for testing, but this fails as well, and it looks like it is in the same step:

INFO 2020-01-02 09:58:01,640 pid:1775 /usr/local/lib/python3.6/site-packages/samba/provision/__init__.py #1411: Adding configuration container
INFO 2020-01-02 09:58:01,673 pid:1775 /usr/local/lib/python3.6/site-packages/samba/provision/__init__.py #1426: Setting up sam.ldb schema
INFO 2020-01-02 09:58:04,827 pid:1775 /usr/local/lib/python3.6/site-packages/samba/provision/__init__.py #1444: Setting up sam.ldb configuration data
INFO 2020-01-02 09:58:05,078 pid:1775 /usr/local/lib/python3.6/site-packages/samba/provision/__init__.py #1485: Setting up display specifiers
INFO 2020-01-02 09:58:07,856 pid:1775 /usr/local/lib/python3.6/site-packages/samba/provision/__init__.py #1493: Modifying display specifiers and extended rights
INFO 2020-01-02 09:58:07,913 pid:1775 /usr/local/lib/python3.6/site-packages/samba/provision/__init__.py #1500: Adding users container
INFO 2020-01-02 09:58:07,915 pid:1775 /usr/local/lib/python3.6/site-packages/samba/provision/__init__.py #1506: Modifying users container
INFO 2020-01-02 09:58:07,916 pid:1775 /usr/local/lib/python3.6/site-packages/samba/provision/__init__.py #1509: Adding computers container
INFO 2020-01-02 09:58:07,918 pid:1775 /usr/local/lib/python3.6/site-packages/samba/provision/__init__.py #1515: Modifying computers container
INFO 2020-01-02 09:58:07,920 pid:1775 /usr/local/lib/python3.6/site-packages/samba/provision/__init__.py #1519: Setting up sam.ldb data
INFO 2020-01-02 09:58:08,127 pid:1775 /usr/local/lib/python3.6/site-packages/samba/provision/__init__.py #1549: Setting up well known security principals
INFO 2020-01-02 09:58:08,170 pid:1775 /usr/local/lib/python3.6/site-packages/samba/provision/__init__.py #1563: Setting up sam.ldb users and groups
INFO 2020-01-02 09:58:08,345 pid:1775 /usr/local/lib/python3.6/site-packages/samba/provision/__init__.py #1571: Setting up self join
set_nt_acl_no_snum: fset_nt_acl returned NT_STATUS_INVALID_PARAMETER.
ERROR(runtime): uncaught exception - (3221225485, 'An invalid parameter was passed to a service or function.')
  File "/usr/local/lib/python3.6/site-packages/samba/netcmd/__init__.py", line 185, in _run
    return self.run(*args, **kwargs)
  File "/usr/local/lib/python3.6/site-packages/samba/netcmd/domain.py", line 537, in run
    backend_store=backend_store)
  File "/usr/local/lib/python3.6/site-packages/samba/provision/__init__.py", line 2351, in provision
    backend_store=backend_store)
  File "/usr/local/lib/python3.6/site-packages/samba/provision/__init__.py", line 1955, in provision_fill
    names.domaindn, lp, use_ntvfs)
  File "/usr/local/lib/python3.6/site-packages/samba/provision/__init__.py", line 1735, in setsysvolacl
    _setntacl(sysvol)
  File "/usr/local/lib/python3.6/site-packages/samba/provision/__init__.py", line 1732, in _setntacl
    service=SYSVOL_SERVICE, session_info=session_info)
  File "/usr/local/lib/python3.6/site-packages/samba/ntacls.py", line 232, in setntacl
    service=service, session_info=session_info)
======================================================================================

# uname
FreeBSD 12.1-RELEASE-p1 GENERIC amd64
# samba -V
Version 4.10.11
Today I did some more tests with fresh installs:

FreeBSD 12.1: samba410 and samba48
FreeBSD 12.0: samba410 and samba48
FreeBSD 11.3: samba410 and samba48

And all the test cases died on the same step:

INFO 2020-01-02 14:16:37,583 pid:52821 /usr/local/lib/python3.6/site-packages/samba/provision/__init__.py #1379: Adding DomainDN: DC=domain,DC=intra
INFO 2020-01-02 14:16:37,614 pid:52821 /usr/local/lib/python3.6/site-packages/samba/provision/__init__.py #1411: Adding configuration container
INFO 2020-01-02 14:16:37,640 pid:52821 /usr/local/lib/python3.6/site-packages/samba/provision/__init__.py #1426: Setting up sam.ldb schema
INFO 2020-01-02 14:16:40,974 pid:52821 /usr/local/lib/python3.6/site-packages/samba/provision/__init__.py #1444: Setting up sam.ldb configuration data
INFO 2020-01-02 14:16:41,207 pid:52821 /usr/local/lib/python3.6/site-packages/samba/provision/__init__.py #1485: Setting up display specifiers
INFO 2020-01-02 14:16:43,648 pid:52821 /usr/local/lib/python3.6/site-packages/samba/provision/__init__.py #1493: Modifying display specifiers and extended rights
INFO 2020-01-02 14:16:43,748 pid:52821 /usr/local/lib/python3.6/site-packages/samba/provision/__init__.py #1500: Adding users container
INFO 2020-01-02 14:16:43,752 pid:52821 /usr/local/lib/python3.6/site-packages/samba/provision/__init__.py #1506: Modifying users container
INFO 2020-01-02 14:16:43,754 pid:52821 /usr/local/lib/python3.6/site-packages/samba/provision/__init__.py #1509: Adding computers container
INFO 2020-01-02 14:16:43,758 pid:52821 /usr/local/lib/python3.6/site-packages/samba/provision/__init__.py #1515: Modifying computers container
INFO 2020-01-02 14:16:43,760 pid:52821 /usr/local/lib/python3.6/site-packages/samba/provision/__init__.py #1519: Setting up sam.ldb data
INFO 2020-01-02 14:16:44,080 pid:52821 /usr/local/lib/python3.6/site-packages/samba/provision/__init__.py #1549: Setting up well known security principals
INFO 2020-01-02 14:16:44,136 pid:52821 /usr/local/lib/python3.6/site-packages/samba/provision/__init__.py #1563: Setting up sam.ldb users and groups
INFO 2020-01-02 14:16:44,400 pid:52821 /usr/local/lib/python3.6/site-packages/samba/provision/__init__.py #1571: Setting up self join
set_nt_acl_no_snum: fset_nt_acl returned NT_STATUS_INVALID_PARAMETER.
ERROR(runtime): uncaught exception - (3221225485, 'An invalid parameter was passed to a service or function.')
  File "/usr/local/lib/python3.6/site-packages/samba/netcmd/__init__.py", line 185, in _run
    return self.run(*args, **kwargs)
  File "/usr/local/lib/python3.6/site-packages/samba/netcmd/domain.py", line 537, in run
    backend_store=backend_store)
  File "/usr/local/lib/python3.6/site-packages/samba/provision/__init__.py", line 2351, in provision
    backend_store=backend_store)
  File "/usr/local/lib/python3.6/site-packages/samba/provision/__init__.py", line 1955, in provision_fill
    names.domaindn, lp, use_ntvfs)
  File "/usr/local/lib/python3.6/site-packages/samba/provision/__init__.py", line 1735, in setsysvolacl
    _setntacl(sysvol)
  File "/usr/local/lib/python3.6/site-packages/samba/provision/__init__.py", line 1732, in _setntacl
    service=SYSVOL_SERVICE, session_info=session_info)
  File "/usr/local/lib/python3.6/site-packages/samba/ntacls.py", line 232, in setntacl
    service=service, session_info=session_info)
I did one last test, until now the filesystem was ufs with ACL enabled (fstab: acls), now I tried with ZFS root, the same result!
(In reply to Zoltan from comment #38) FreeBSD 11.3 AMD64, tried both Samba 4.8 and 4.10 on UFS + acls Got same error
Domain provision was successful with adding --option="vfs objects=freebsd" to the samba-tool string on Samba 4.10 on a UFS file system.
Confirming the vfs objects works. But introduces a VERY strange new bug to rfc2307 domains which BADLY breaks the domain controller and has significant security implications.

With a completely clean install, create a new domain. Configure nsswitch to use 'files winbind' for users and groups. Set 'winbind enum users = yes' and 'winbind enum groups = yes' in /usr/local/etc/smb4.conf (both settings must be present to actually enumerate fully.) Now do 'getent group |grep -i user'

What you should see:
MYDOMAIN\enterprise read-only domain controllers:x:3000037
MYDOMAIN\domain admins:x:3000004
MYDOMAIN\domain users:x:3000013 <--- well known SID 513
MYDOMAIN\domain guests:x:3000014
MYDOMAIN\domain computers:x:3000038
MYDOMAIN\domain controllers:x:3000039
MYDOMAIN\read-only domain controllers:x:3000040

What you will ACTUALLY get:
MYDOMAIN\enterprise read-only domain controllers:x:3000037
MYDOMAIN\domain admins:x:3000004
MYDOMAIN\domain users:x:20 <--- BUG!!
MYDOMAIN\domain guests:x:3000014
MYDOMAIN\domain computers:x:3000038
MYDOMAIN\domain controllers:x:3000039
MYDOMAIN\read-only domain controllers:x:3000040

For some insane reason, Samba is using the staff group. Unless you have a group named 'users' in which case, it takes that GID instead. (But not the group 'user'.) Even if an explicit GID is set via ADUC, e.g. 100513, _that explicit GID is ignored_. It continues to use GID 20. And because this data is propagated to all DC members in its broken state, this is very severe breakage that also creates a security hole. Specifically in that users that only exist in 'domain users' will now be 'staff' which is not unlikely to be used to control access on local accounts.
Yup... turns out the whole provisioning scheme regardless of UFS2 or ZFS is completely broken and the gid issue is probably symptomatic. Attempting to join a machine to the FreeBSD DC results in an SID error; no users work and no machines can join.

[root@mojache ~]# net ads join -U Administrator osName=$(uname) osVer=$(freebsd-version -u | cut -d - -f 1,2)
Enter Administrator's password:
Failed to join domain: failed to lookup DC info for domain 'CONTOSO.COM' over rpc: Indicates the SID structure is not valid.

And on the DC side:

/usr/local/sbin/smbd: Unable to convert first SID (S-1-5-21-2567504302-1893494875-3192355551-500) in user token to a UID. Conversion was returned as type 0, full token:
/usr/local/sbin/smbd: Security token SIDs (14):
/usr/local/sbin/smbd: SID[ 0]: S-1-5-21-2567504302-1893494875-3192355551-500
/usr/local/sbin/smbd: SID[ 1]: S-1-5-21-2567504302-1893494875-3192355551-513
/usr/local/sbin/smbd: SID[ 2]: S-1-5-21-2567504302-1893494875-3192355551-512
/usr/local/sbin/smbd: SID[ 3]: S-1-5-21-2567504302-1893494875-3192355551-572
/usr/local/sbin/smbd: SID[ 4]: S-1-5-21-2567504302-1893494875-3192355551-518
/usr/local/sbin/smbd: SID[ 5]: S-1-5-21-2567504302-1893494875-3192355551-519
/usr/local/sbin/smbd: SID[ 6]: S-1-5-21-2567504302-1893494875-3192355551-520
/usr/local/sbin/smbd: SID[ 7]: S-1-1-0
/usr/local/sbin/smbd: SID[ 8]: S-1-5-2
/usr/local/sbin/smbd: SID[ 9]: S-1-5-11
/usr/local/sbin/smbd: SID[ 10]: S-1-5-64-10
/usr/local/sbin/smbd: SID[ 11]: S-1-5-32-544
/usr/local/sbin/smbd: SID[ 12]: S-1-5-32-545
/usr/local/sbin/smbd: SID[ 13]: S-1-5-32-554
/usr/local/sbin/smbd: Privileges (0x 1FFFFF00):
/usr/local/sbin/smbd: Privilege[ 0]: SeTakeOwnershipPrivilege
/usr/local/sbin/smbd: Privilege[ 1]: SeBackupPrivilege
/usr/local/sbin/smbd: Privilege[ 2]: SeRestorePrivilege
/usr/local/sbin/smbd: Privilege[ 3]: SeRemoteShutdownPrivilege
/usr/local/sbin/smbd: Privilege[ 4]: SeSecurityPrivilege
/usr/local/sbin/smbd: Privilege[ 5]: SeSystemtimePrivilege
/usr/local/sbin/smbd: Privilege[ 6]: SeShutdownPrivilege
/usr/local/sbin/smbd: Privilege[ 7]: SeDebugPrivilege
/usr/local/sbin/smbd: Privilege[ 8]: SeSystemEnvironmentPrivilege
/usr/local/sbin/smbd: Privilege[ 9]: SeSystemProfilePrivilege
/usr/local/sbin/smbd: Privilege[ 10]: SeProfileSingleProcessPrivilege
/usr/local/sbin/smbd: Privilege[ 11]: SeIncreaseBasePriorityPrivilege
/usr/local/sbin/smbd: Privilege[ 12]: SeLoadDriverPrivilege
/usr/local/sbin/smbd: Privilege[ 13]: SeCreatePagefilePrivilege
/usr/local/sbin/smbd: Privilege[ 14]: SeIncreaseQuotaPrivilege
/usr/local/sbin/smbd: Privilege[ 15]: SeChangeNotifyPrivilege
/usr/local/sbin/smbd: Privilege[ 16]: SeUndockPrivilege
/usr/local/sbin/smbd: Privilege[ 17]: SeManageVolumePrivilege
/usr/local/sbin/smbd: Privilege[ 18]: SeImpersonatePrivilege
/usr/local/sbin/smbd: Privilege[ 19]: SeCreateGlobalPrivilege
/usr/local/sbin/smbd: Privilege[ 20]: SeEnableDelegationPrivilege
/usr/local/sbin/smbd: Rights (0x 403):
/usr/local/sbin/smbd: Right[ 0]: SeInteractiveLogonRight
/usr/local/sbin/smbd: Right[ 1]: SeNetworkLogonRight
/usr/local/sbin/smbd: Right[ 2]: SeRemoteInteractiveLogonRight
Created attachment 210883 [details] Bump PORTREVISION, add upstream patch

So I tracked the GID issue down to a confirmed and known upstream Samba bug dating back to 2017, with an upstream fix from Samba team. It wasn't applied because Andrew rejected it. This bug shows up in Linux and AIX on 4.10+ now as well, so that rejection was clearly in error.

https://bugzilla.samba.org/show_bug.cgi?id=9837
https://lists.samba.org/archive/samba-technical/2017-December/124417.html

The attached svn diff applies the Samba approved patch and bumps PORTREVISION. Testing has confirmed that this patch resolves the broken behavior fully, restores correct SID->GID behavior, and has no regressions.
12.1-p2 amd64, samba410-4.10.13

# mount | grep acl
/dev/da0p3 on /var (ufs, local, journaled soft-updates, acls)
/dev/da0p5 on /usr (ufs, local, journaled soft-updates, acls)

OPTIONS_FILE_SET+=ADS
OPTIONS_FILE_SET+=AD_DC
OPTIONS_FILE_SET+=AESNI
OPTIONS_FILE_SET+=CLUSTER
OPTIONS_FILE_SET+=CUPS
OPTIONS_FILE_UNSET+=DEBUG
OPTIONS_FILE_UNSET+=DEVELOPER
OPTIONS_FILE_UNSET+=DOCS
OPTIONS_FILE_SET+=FAM
OPTIONS_FILE_UNSET+=GPGME
OPTIONS_FILE_SET+=LDAP
OPTIONS_FILE_UNSET+=MANDOC
OPTIONS_FILE_UNSET+=NTVFS
OPTIONS_FILE_SET+=PROFILE
OPTIONS_FILE_SET+=QUOTAS
OPTIONS_FILE_UNSET+=SPOTLIGHT
OPTIONS_FILE_SET+=SYSLOG
OPTIONS_FILE_SET+=UTMP
OPTIONS_FILE_SET+=GSSAPI_BUILTIN
OPTIONS_FILE_UNSET+=GSSAPI_MIT
OPTIONS_FILE_SET+=ZEROCONF_NONE
OPTIONS_FILE_UNSET+=AVAHI
OPTIONS_FILE_UNSET+=MDNSRESPONDER
OPTIONS_FILE_UNSET+=NSUPDATE
OPTIONS_FILE_UNSET+=BIND911
OPTIONS_FILE_SET+=BIND914
OPTIONS_FILE_UNSET+=FRUIT
OPTIONS_FILE_UNSET+=GLUSTERFS

# samba-tool domain provision --use-rfc2307 --realm MYDOMAIN.LOCAL --domain MYDOMAIN --server-role dc --dns-backend BIND9_DLZ --adminpass pASSW0Rd
INFO 2020-02-11 05:04:51,818 pid:55360 /usr/local/lib/python3.7/site-packages/samba/provision/__init__.py #2096: Looking up IPv4 addresses
INFO 2020-02-11 05:04:51,821 pid:55360 /usr/local/lib/python3.7/site-packages/samba/provision/__init__.py #2113: Looking up IPv6 addresses
WARNING 2020-02-11 05:04:51,821 pid:55360 /usr/local/lib/python3.7/site-packages/samba/provision/__init__.py #2120: No IPv6 address will be assigned
INFO 2020-02-11 05:04:52,373 pid:55360 /usr/local/lib/python3.7/site-packages/samba/provision/__init__.py #2286: Setting up share.ldb
INFO 2020-02-11 05:04:52,418 pid:55360 /usr/local/lib/python3.7/site-packages/samba/provision/__init__.py #2290: Setting up secrets.ldb
INFO 2020-02-11 05:04:52,459 pid:55360 /usr/local/lib/python3.7/site-packages/samba/provision/__init__.py #2296: Setting up the registry
INFO 2020-02-11 05:04:52,539 pid:55360 /usr/local/lib/python3.7/site-packages/samba/provision/__init__.py #2299: Setting up the privileges database
INFO 2020-02-11 05:04:52,584 pid:55360 /usr/local/lib/python3.7/site-packages/samba/provision/__init__.py #2302: Setting up idmap db
INFO 2020-02-11 05:04:52,626 pid:55360 /usr/local/lib/python3.7/site-packages/samba/provision/__init__.py #2309: Setting up SAM db
INFO 2020-02-11 05:04:52,649 pid:55360 /usr/local/lib/python3.7/site-packages/samba/provision/__init__.py #882: Setting up sam.ldb partitions and settings
INFO 2020-02-11 05:04:52,651 pid:55360 /usr/local/lib/python3.7/site-packages/samba/provision/__init__.py #894: Setting up sam.ldb rootDSE
INFO 2020-02-11 05:04:52,655 pid:55360 /usr/local/lib/python3.7/site-packages/samba/provision/__init__.py #1302: Pre-loading the Samba 4 and AD schema
Unable to determine the DomainSID, can not enforce uniqueness constraint on local domainSIDs
INFO 2020-02-11 05:04:52,758 pid:55360 /usr/local/lib/python3.7/site-packages/samba/provision/__init__.py #1379: Adding DomainDN: DC=mydomain,DC=local
INFO 2020-02-11 05:04:52,799 pid:55360 /usr/local/lib/python3.7/site-packages/samba/provision/__init__.py #1411: Adding configuration container
INFO 2020-02-11 05:04:52,846 pid:55360 /usr/local/lib/python3.7/site-packages/samba/provision/__init__.py #1426: Setting up sam.ldb schema
INFO 2020-02-11 05:04:55,486 pid:55360 /usr/local/lib/python3.7/site-packages/samba/provision/__init__.py #1444: Setting up sam.ldb configuration data
INFO 2020-02-11 05:04:55,711 pid:55360 /usr/local/lib/python3.7/site-packages/samba/provision/__init__.py #1485: Setting up display specifiers
INFO 2020-02-11 05:04:57,704 pid:55360 /usr/local/lib/python3.7/site-packages/samba/provision/__init__.py #1493: Modifying display specifiers and extended rights
INFO 2020-02-11 05:04:57,750 pid:55360 /usr/local/lib/python3.7/site-packages/samba/provision/__init__.py #1500: Adding users container
INFO 2020-02-11 05:04:57,754 pid:55360 /usr/local/lib/python3.7/site-packages/samba/provision/__init__.py #1506: Modifying users container
INFO 2020-02-11 05:04:57,755 pid:55360 /usr/local/lib/python3.7/site-packages/samba/provision/__init__.py #1509: Adding computers container
INFO 2020-02-11 05:04:57,757 pid:55360 /usr/local/lib/python3.7/site-packages/samba/provision/__init__.py #1515: Modifying computers container
INFO 2020-02-11 05:04:57,758 pid:55360 /usr/local/lib/python3.7/site-packages/samba/provision/__init__.py #1519: Setting up sam.ldb data
INFO 2020-02-11 05:04:57,946 pid:55360 /usr/local/lib/python3.7/site-packages/samba/provision/__init__.py #1549: Setting up well known security principals
INFO 2020-02-11 05:04:57,991 pid:55360 /usr/local/lib/python3.7/site-packages/samba/provision/__init__.py #1563: Setting up sam.ldb users and groups
INFO 2020-02-11 05:04:58,143 pid:55360 /usr/local/lib/python3.7/site-packages/samba/provision/__init__.py #1571: Setting up self join
set_nt_acl_no_snum: fset_nt_acl returned NT_STATUS_INVALID_PARAMETER.
ERROR(runtime): uncaught exception - (3221225485, 'An invalid parameter was passed to a service or function.')
  File "/usr/local/lib/python3.7/site-packages/samba/netcmd/__init__.py", line 185, in _run
    return self.run(*args, **kwargs)
  File "/usr/local/lib/python3.7/site-packages/samba/netcmd/domain.py", line 537, in run
    backend_store=backend_store)
  File "/usr/local/lib/python3.7/site-packages/samba/provision/__init__.py", line 2351, in provision
    backend_store=backend_store)
  File "/usr/local/lib/python3.7/site-packages/samba/provision/__init__.py", line 1955, in provision_fill
    names.domaindn, lp, use_ntvfs)
  File "/usr/local/lib/python3.7/site-packages/samba/provision/__init__.py", line 1735, in setsysvolacl
    _setntacl(sysvol)
  File "/usr/local/lib/python3.7/site-packages/samba/provision/__init__.py", line 1732, in _setntacl
    service=SYSVOL_SERVICE, session_info=session_info)
  File "/usr/local/lib/python3.7/site-packages/samba/ntacls.py", line 232, in setntacl
    service=service, session_info=session_info)
Hi, all! New to the forum and to Samba, but I am running into the same issue. I am trying to get Samba running in a jail, using UFS (with ACLs), but continually run into the set_nt_acl_no_snum() error. I recently read about using the VFS option when provisioning using samba-tool, but that appears to be an issue if the SYSVOL resource is ZFS. Do I still need to use that (or a similar) option for UFS?

I changed from `pkg install` to get the binary package to building from source (especially since I wanted CUPS and BIND914). I still ran into the same issue. In searching for a solution, I discovered an old patch from user dewayne (https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=220844) that I was able to apply and successfully provision my domain. This patch is marked as "UNSAFE" and applies to Samba 4.6, so it obviously isn't the ideal solution. I have not yet run into issues with this patch, but again I am new to Samba and likely ignorant of what/how I should test (and am deploying it in a home environment to explore).

I'm hoping that somewhere in this jumble of information is something helpful to correct this problem. Thank you!

--
Host:
$ uname -a
FreeBSD HOSTPC 12.1-RELEASE-p1 FreeBSD 12.1-RELEASE-p1 GENERIC amd64
$ sudo mount | grep acl
/dev/da0p2 on / (ufs, local, journaled soft-updates, acls)

Jail:
# uname -a
FreeBSD ADJAIL 12.1-RELEASE-p1 FreeBSD 12.1-RELEASE-p1 GENERIC amd64
# mount | grep acl
/dev/da0p2 on / (ufs, local, journaled soft-updates, acls)

Build options:
OPTIONS_FILE_SET+=ADS
OPTIONS_FILE_SET+=AD_DC
OPTIONS_FILE_SET+=AESNI
OPTIONS_FILE_UNSET+=CLUSTER
OPTIONS_FILE_SET+=CUPS
OPTIONS_FILE_SET+=DEBUG
OPTIONS_FILE_UNSET+=DEVELOPER
OPTIONS_FILE_SET+=DOCS
OPTIONS_FILE_SET+=FAM
OPTIONS_FILE_UNSET+=GPGME
OPTIONS_FILE_SET+=LDAP
OPTIONS_FILE_UNSET+=MANDOC
OPTIONS_FILE_UNSET+=NTVFS
OPTIONS_FILE_SET+=PROFILE
OPTIONS_FILE_SET+=QUOTAS
OPTIONS_FILE_UNSET+=SPOTLIGHT
OPTIONS_FILE_SET+=SYSLOG
OPTIONS_FILE_SET+=UTMP
OPTIONS_FILE_SET+=GSSAPI_BUILTIN
OPTIONS_FILE_UNSET+=GSSAPI_MIT
OPTIONS_FILE_UNSET+=ZEROCONF_NONE
OPTIONS_FILE_SET+=AVAHI
OPTIONS_FILE_UNSET+=MDNSRESPONDER
OPTIONS_FILE_UNSET+=NSUPDATE
OPTIONS_FILE_UNSET+=BIND911
OPTIONS_FILE_SET+=BIND914
OPTIONS_FILE_UNSET+=FRUIT
OPTIONS_FILE_UNSET+=GLUSTERFS
This problem can be solved using same solution adopted in FreeNAS but inside ports: cat << __EOF__ > /usr/ports/net/samba410/files/patch-bfs-provisioning --- source3/param/loadparm.c.orig 2020-03-11 07:17:30.827605000 -0300 +++ source3/param/loadparm.c 2020-03-11 07:20:28.867874000 -0300 @@ -2742,6 +2742,13 @@ if (!vfs_objects || !vfs_objects[0]) { if (lp_parm_const_string(-1, "xattr_tdb", "file", NULL)) { lp_do_parameter(-1, "vfs objects", "dfs_samba4 acl_xattr xattr_tdb"); + /* + * By default, the samba sysvol is located in the statedir. Provisioning will fail in setntacl + * unless we have zfacl enabled. Unfortunately, at this point the smb.conf has not been generated. + * This workaround is freebsd-specific. + */ + } else if (pathconf(get_dyn_STATEDIR(), _PC_ACL_NFS4) == 1){ + lp_do_parameter(-1, "vfs objects", "dfs_samba4 zfsacl"); } else if (lp_parm_const_string(-1, "posix", "eadb", NULL)) { lp_do_parameter(-1, "vfs objects", "dfs_samba4 acl_xattr posix_eadb"); } else { __EOF__ and cd /usr/ports/net/samba410 make reinstall clean With a little bit more time can found an equivalent solution for UFS with ACLS It isn't a FreeBSD problema how we can found at internet. Thanks, Paulo Fragoso.
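Review bot: the new else-if tests pathconf(get_dyn_STATEDIR(), _PC_ACL_NFS4) == 1, which probes the state directory rather than the sysvol path itself, so the default it picks is only right while sysvol stays in its default location (the added comment says "by default"). The == 1 comparison also folds the -1 error return from pathconf() into "no NFSv4 ACLs" without logging it; testing for > 0 and reporting a failed probe would make a misdetected filesystem visible. Since the comment calls the workaround FreeBSD-specific, the branch should sit under an #ifdef on _PC_ACL_NFS4. Two smaller points: the explanatory comment is placed before the closing brace of the preceding xattr_tdb branch, so it reads as belonging to that branch and should move into the new else-if body, and it says "zfacl" where the value being set is "zfsacl". UFS with POSIX ACLs is not handled by this hunk and still falls through to the later branches.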
Created attachment 212346 [details] Correct internal configuration for first provisioning
Corrects ACLs for ZFS case by ports patches files
(In reply to paulo from comment #47) This worked for me as well on FreeBSD 12.1-RELEASE-p3, and samba 4.10
Hi, fix for ZFS runs perfectly. Is there any chance this will be fixed for UFS also?
(In reply to paulo from comment #47) It works for me too... Please apply this patch into ports tree
(In reply to paulo from comment #47) Tried your patch on 4.11 on UFS:

samba-tool domain provision --use-rfc2307 --realm MYDOMAIN.LOCAL --domain MYDOMAIN --server-role dc --dns-backend BIND9_DLZ --adminpass …
…
set_nt_acl_no_snum: fset_nt_acl returned NT_STATUS_INVALID_PARAMETER.
ERROR(runtime): uncaught exception - (3221225485, 'An invalid parameter was passed to a service or function.')
  File "/usr/local/lib/python3.7/site-packages/samba/netcmd/__init__.py", line 186, in _run
    return self.run(*args, **kwargs)
  File "/usr/local/lib/python3.7/site-packages/samba/netcmd/domain.py", line 542, in run
    backend_store_size=backend_store_size)
  File "/usr/local/lib/python3.7/site-packages/samba/provision/__init__.py", line 2395, in provision
    backend_store_size=backend_store_size)
  File "/usr/local/lib/python3.7/site-packages/samba/provision/__init__.py", line 1995, in provision_fill
    names.domaindn, lp, use_ntvfs)
  File "/usr/local/lib/python3.7/site-packages/samba/provision/__init__.py", line 1773, in setsysvolacl
    _setntacl(sysvol)
  File "/usr/local/lib/python3.7/site-packages/samba/provision/__init__.py", line 1770, in _setntacl
    service=SYSVOL_SERVICE, session_info=session_info)
  File "/usr/local/lib/python3.7/site-packages/samba/ntacls.py", line 232, in setntacl
    service=service, session_info=session_info)
(In reply to VVD from comment #52) Adding --option="vfs objects"="freebsd" to samba-tool domain provision --use-rfc2307 fixed this error! Where is this written in the documentation?
Samba 410 and 411 both still have Python error on UFS:

/usr/local/bin/samba-tool ntacl sysvolreset
set_nt_acl_no_snum: fset_nt_acl returned NT_STATUS_INVALID_PARAMETER.
ERROR(runtime): uncaught exception - (3221225485, 'An invalid parameter was passed to a service or function.')
  File "/usr/local/lib/python3.7/site-packages/samba/netcmd/__init__.py", line 186, in _run
    return self.run(*args, **kwargs)
  File "/usr/local/lib/python3.7/site-packages/samba/netcmd/ntacl.py", line 425, in run
    lp, use_ntvfs=use_ntvfs)
  File "/usr/local/lib/python3.7/site-packages/samba/provision/__init__.py", line 1773, in setsysvolacl
    _setntacl(sysvol)
  File "/usr/local/lib/python3.7/site-packages/samba/provision/__init__.py", line 1770, in _setntacl
    service=SYSVOL_SERVICE, session_info=session_info)
  File "/usr/local/lib/python3.7/site-packages/samba/ntacls.py", line 232, in setntacl
    service=service, session_info=session_info)

samba-tool domain schemaupgrade
ERROR(<class 'ModuleNotFoundError'>): uncaught exception - No module named 'markdown'
  File "/usr/local/lib/python3.7/site-packages/samba/netcmd/__init__.py", line 186, in _run
    return self.run(*args, **kwargs)
  File "/usr/local/lib/python3.7/site-packages/samba/netcmd/domain.py", line 4154, in run
    from samba.ms_schema_markdown import read_ms_markdown
  File "/usr/local/lib/python3.7/site-packages/samba/ms_schema_markdown.py", line 26, in <module>
    import markdown
(In reply to NetBLOKS from comment #54)
> Samba 410 and 411 both still have Python error on UFS:
> /usr/local/bin/samba-tool ntacl sysvolreset
Do you have "vfs objects = freebsd" in /usr/local/etc/smb4.conf in [general] section?
(In reply to VVD from comment #55) Thanks a lot, /usr/local/bin/samba-tool ntacl sysvolreset works flawlessly with ufs and zfs now. Still got the schemaupgrade error (needed for Samba 411)

samba-tool domain schemaupgrade
ERROR(<class 'ModuleNotFoundError'>): uncaught exception - No module named 'markdown'
  File "/usr/local/lib/python3.7/site-packages/samba/netcmd/__init__.py", line 186, in _run
    return self.run(*args, **kwargs)
  File "/usr/local/lib/python3.7/site-packages/samba/netcmd/domain.py", line 4154, in run
    from samba.ms_schema_markdown import read_ms_markdown
  File "/usr/local/lib/python3.7/site-packages/samba/ms_schema_markdown.py", line 26, in <module>
    import markdown
I have another problem - can't update hosts via nsupdate with BIND9 DLZ DNS back end.
==================================
# samba_dnsupdate --verbose --all-names
IPs: ['10.0.2.1']
force update: A dc1.domain.intranet 10.0.2.1
force update: CNAME 09205e67-dba9-40bb-80ee-77eece72145c._msdcs.domain.intranet dc1.domain.intranet
force update: NS domain.intranet dc1.domain.intranet
force update: NS _msdcs.domain.intranet dc1.domain.intranet
force update: A domain.intranet 10.0.2.1
force update: SRV _ldap._tcp.domain.intranet dc1.domain.intranet 389
force update: SRV _ldap._tcp.dc._msdcs.domain.intranet dc1.domain.intranet 389
force update: SRV _ldap._tcp.df2e02db-0264-4b9f-b7e8-4748c7b7084e.domains._msdcs.domain.intranet dc1.domain.intranet 389
force update: SRV _kerberos._tcp.domain.intranet dc1.domain.intranet 88
force update: SRV _kerberos._udp.domain.intranet dc1.domain.intranet 88
force update: SRV _kerberos._tcp.dc._msdcs.domain.intranet dc1.domain.intranet 88
force update: SRV _kpasswd._tcp.domain.intranet dc1.domain.intranet 464
force update: SRV _kpasswd._udp.domain.intranet dc1.domain.intranet 464
force update: SRV _ldap._tcp.Default-First-Site-Name._sites.domain.intranet dc1.domain.intranet 389
force update: SRV _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.domain.intranet dc1.domain.intranet 389
force update: SRV _kerberos._tcp.Default-First-Site-Name._sites.domain.intranet dc1.domain.intranet 88
force update: SRV _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.domain.intranet dc1.domain.intranet 88
force update: SRV _ldap._tcp.pdc._msdcs.domain.intranet dc1.domain.intranet 389
force update: A gc._msdcs.domain.intranet 10.0.2.1
force update: SRV _gc._tcp.domain.intranet dc1.domain.intranet 3268
force update: SRV _ldap._tcp.gc._msdcs.domain.intranet dc1.domain.intranet 3268
force update: SRV _gc._tcp.Default-First-Site-Name._sites.domain.intranet dc1.domain.intranet 3268
force update: SRV _ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.domain.intranet dc1.domain.intranet 3268
force update: A DomainDnsZones.domain.intranet 10.0.2.1
force update: SRV _ldap._tcp.DomainDnsZones.domain.intranet dc1.domain.intranet 389
force update: SRV _ldap._tcp.Default-First-Site-Name._sites.DomainDnsZones.domain.intranet dc1.domain.intranet 389
force update: A ForestDnsZones.domain.intranet 10.0.2.1
force update: SRV _ldap._tcp.ForestDnsZones.domain.intranet dc1.domain.intranet 389
force update: SRV _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.domain.intranet dc1.domain.intranet 389
29 DNS updates and 0 DNS deletes needed
Successfully obtained Kerberos ticket to DNS/dc1.domain.intranet as DC1$
update(nsupdate): A dc1.domain.intranet 10.0.2.1
Calling nsupdate for A dc1.domain.intranet 10.0.2.1 (add)
Successfully obtained Kerberos ticket to DNS/dc1.domain.intranet as DC1$
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
dc1.domain.intranet. 900 IN A 10.0.2.1
; Communication with 10.0.2.1#53 failed: timed out
Failed nsupdate: 2
update(nsupdate): CNAME 09205e67-dba9-40bb-80ee-77eece72145c._msdcs.domain.intranet dc1.domain.intranet
Calling nsupdate for CNAME 09205e67-dba9-40bb-80ee-77eece72145c._msdcs.domain.intranet dc1.domain.intranet (add)
Traceback (most recent call last):
  File "/usr/local/sbin/samba_dnsupdate", line 944, in <module>
    call_nsupdate(d)
  File "/usr/local/sbin/samba_dnsupdate", line 470, in call_nsupdate
    server = get_krb5_rw_dns_server(creds, zone)
  File "/usr/local/sbin/samba_dnsupdate", line 158, in get_krb5_rw_dns_server
    (client_finished, client_to_server) = gensec_client.update(server_to_client)
samba.NTSTATUSError: (3221225485, 'An invalid parameter was passed to a service or function.')
==================================
After line "dc1.domain.intranet. 900 IN A 10.0.2.1" it freezes for several minutes. Then bind can't resolve anything for a few minutes more. Output from this freeze looks like this:
# /usr/local/sbin/named -u bind -c /usr/local/etc/namedb/named.conf -f -g -d 10
…
23-Apr-2020 19:32:40.621 clientmgr @0x801805fc8 attach: 17
23-Apr-2020 19:32:40.622 client @0x8041ecf68 (no-peer): allocate new client
23-Apr-2020 19:32:40.622 client @0x8041ecf68 10.0.2.1#46293: TCP request
23-Apr-2020 19:32:40.622 client @0x8041ecf68 10.0.2.1#46293: using view '_default'
23-Apr-2020 19:32:40.622 client @0x8041ecf68 10.0.2.1#46293: request is not signed
23-Apr-2020 19:32:40.622 client @0x8041ecf68 10.0.2.1#46293: recursion available
23-Apr-2020 19:34:36.375 gss cred: "host/dc1.domain.intranet@DOMAIN.INTRANET", GSS_C_ACCEPT, 4294967295
23-Apr-2020 19:34:36.376 gss-api source name (accept) is DC1$@DOMAIN.INTRANET
23-Apr-2020 19:34:36.377 process_gsstkey(): dns_tsigerror_noerror
23-Apr-2020 19:34:36.377 client @0x8041ecf68 10.0.2.1#46293 (1451130240.sig-dc1.domain.intranet): reset client
23-Apr-2020 19:34:36.377 client @0x804136368 127.0.0.1#35315: UDP request
23-Apr-2020 19:34:36.378 client @0x804136368 127.0.0.1#35315: using view '_default'
23-Apr-2020 19:34:36.378 client @0x804136368 127.0.0.1#35315: request is not signed
23-Apr-2020 19:34:36.378 client @0x804136368 127.0.0.1#35315: recursion available
23-Apr-2020 19:34:36.378 client @0x804136368 127.0.0.1#35315 (_kerberos._udp.DOMAIN.INTRANET): query '_kerberos._udp.DOMAIN.INTRANET/SRV/IN' approved
==================================
It waits ~2 minutes! Why?
Created attachment 213731 [details] log from named -d 10 while run samba_dnsupdate --verbose --all-names

In one console run:
/usr/local/sbin/named -u bind -c /usr/local/etc/namedb/named.conf -f -g -d 10 2>&1 | tee bind.log
In the other:
samba_dnsupdate --verbose --all-names

bind.log is attached - 134630 lines. Named started at 00:32:11. samba_dnsupdate started at 00:34:05.378 and named froze at 00:34:06.833. Named unfroze at 00:39:53.479.
On a FreeBSD 2.1p4 jail I am trying to provision an ADDC using samba410. I have applied the patch given above to samba410-4.10.15, rebuilt it without error using poudriere, and attempted to provision an AD using:

samba-tool domain provision \
  --adminpass=INstall66 \
  --dns-backend=BIND9_DLZ \
  --dnspass=INstall66 \
  --domain=BROCKLEY-2016 \
  --host-name=SAMBA-02.BROCKLEY-2016.HARTE-LYNE.CA \
  --host-ip=192.168.8.66 \
  --option="bind interfaces only=yes" \
  --option="interfaces=lo eth0" \
  --option="vfs objects"="freebsd" \
  --realm=BROCKLEY-2016.HARTE-LYNE.CA \
  --server-role=dc --use-rfc2307

which results in:

INFO 2020-05-04 13:52:14,339 pid:59290 /usr/local/lib/python3.7/site-packages/samba/provision/__init__.py #1571: Setting up self join
set_nt_acl_no_snum: fset_nt_acl returned NT_STATUS_INVALID_PARAMETER.
ERROR(runtime): uncaught exception - (3221225485, 'An invalid parameter was passed to a service or function.')

and this in the smb4.conf

# Global parameters
[global]
        bind interfaces only = Yes
        interfaces = lo eth0
        netbios name = SAMBA-02
        realm = BROCKLEY-2016.HARTE-LYNE.CA
        server role = active directory domain controller
        server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
        workgroup = BROCKLEY-2016
        idmap_ldb:use rfc2307 = yes

[sysvol]
        path = /var/db/samba4/sysvol
        read only = No

[netlogon]
        path = /var/db/samba4/sysvol/brockley-2016.harte-lyne.ca/scripts
        read only = No

Is there anything that I am missing in the configuration or options that is preventing this from working? Other people have reported provisioning to work on FreeBSD after applying the patch.
Comment 59 refers to an IOCage jail on top of ZFS.
Bizarrely, I rebuilt samba410 without the patch, due to a typo in make.conf, and the resulting package provisioned without error.
(In reply to NetBLOKS from comment #56) In regards to Schema-Upgrade: just install pkg install py37-markdown and it will work.
net/samba410 expired today, please use Samba 4.11 or later.