Without going through the Samba code and trying to determine what and why the changes were made by the Samba devs, I don't have an answer. There have been a lot of changes to the internals of Samba from release to release, e.g. 4.1 branch vs 4.5 branch, etc. I once knew the Samba 3 series internals quite well, having made them work on OpenBSD for many years. The 4 series is a slightly different beast.

Due to the fact that Samba has a lot of security updates, not just bug fixes from month to month, rolling back to a working 4.1 is definitely not the answer. The current port should contain a message that simple file server services work only. Anything else is a bonus. If I knew enough about kernel hacking, resurrecting the initial work that Dale Rahn did on implementing ACLS and finishing it would be the way to move forward. Unfortunately I do not. Working with upstream is the way to get some answers. Sorry I can't shed any more light on the subject at present.

Ian McWilliam
________________________________________
From: owner-po...@openbsd.org [owner-po...@openbsd.org] on behalf of Jeremie Courreges-Anglas [j...@wxcvbn.org]
Sent: Thursday, 2 February 2017 7:16 AM
To: alexmcwhir...@triadic.us
Cc: ports@openbsd.org; Ian McWilliam
Subject: Re: samba4 and ACL's

Cc'ing Ian, in case he has a clue.

alexmcwhir...@triadic.us writes:

> On 2017-01-31 07:53, Jeremie Courreges-Anglas wrote:
>> This looks like an error from ''samba-tool domain provision'', not an
>> error from the samba daemon.
>>
>> Please state exactly:
>> - which OpenBSD release you're using
>> - which samba version you're using (hint, on -stable only the -stable
>> samba port is supported).
>> - any relevant information such as the commands you type. This of
>> course includes how you ran samba-tool.
>>
>> As a selfish developer that only uses -current I would of course prefer
>> you to use -current with snapshots and packages. :)
>>
>
> OpenBSD 5.9, Samba 4.1.22
>
> samba-tool domain
> provision --domain=BLAH --host-name=DC0 --host-ip=10.0.0.1 --site=BLAH
> --adminpass="bl4h" --server-role=dc --function-level=2008_R2
> --targetdir=/mnt/das/samba --use-ntvfs --option="interfaces=vlan133"
> --option="bind
> interfaces only=yes" --option="dns forwarder=10.0.0.2" --realm=BLAH.BLAH
>
> This works as expected and I can run the domain.
>
> OpenBSD 6.0, Samba 4.4.5
>
> samba-tool domain
> provision --domain=BLAH --host-name=DC0 --host-ip=10.0.0.1 --site=BLAH
> --adminpass="bl4h" --server-role=dc --function-level=2008_R2
> --targetdir=/mnt/das/samba --option="interfaces=vlan133" --option="bind
> interfaces only=yes" --option="dns forwarder=10.0.0.2" --realm=BLAH.BLAH
>
> Had to remove --use-ntvfs as it is no longer an option. Gives error
> about s3fs needing posix acl's.
>
> Tried https://www.samba.org/samba/docs/man/manpages/vfs_acl_tdb.8.html
> combined with
> https://www.samba.org/samba/docs/man/manpages/vfs_xattr_tdb.8.html, s3fs
> still wants posix acl's.

ok, I'm also having problems working around this issue. I'll try to come up with a workaround for 6.1, but in the end this should be discussed with upstream and be dealt with properly, which might take some time.

Lots of efforts have been made to support samba 4, but in the end we may have to admit that this goal is not realistic. The lack of acls, extended attributes and the small NGROUPS_MAX limit make OpenBSD a poor choice for samba.

All I know right now is that providing an old samba release is not the solution.

Thanks again for your report.

--
jca | PGP : 0x1524E7EE / 5135 92C1 AD36 5293 2BDF DDCC 0DFA 74AE 1524 E7EE