On 2017-02-03 14:04, Vijay Sankar wrote:
Hi Jeremie,
I tested this over the past few days.
If I change skip_sysvolacl=False to skip_sysvolacl=True in
/usr/local/lib/python2.7/site-packages/samba/netcmd/domain.py, I am able to
create the domain, add additional DCs as well as additional member servers.
All DCs are qemu VMs. Tested this further with Windows 10, 8.1, and 7 domain
members and it seems to work for "normal" Windows usage.
If this is not a dumb approach, please let me know if any additional tests
would be useful. If it is really a bad idea, please let me know as well.
Thank you very much for all the massive effort put into this port. Much
appreciated.
Vijay
So I got around to testing this on -stable today. It seems to work just as
expected. I was wary about this actually skipping ACLs entirely, but that
does not seem to be the case. Does anyone have thoughts on patching this to
be a default? This allows us to use xattr_tdb / acl_xattr / acl_tdb with
s3fs, which fixes quite a few ntvfs-specific issues that will likely not be
fixed as it is deprecated. This also allows Samba 4.4.X to work, so there is
no need to backport 4.5.X.
I accomplished this by doing the following...
chmod 0755 /var/samba
chmod 0755 /var/cache/samba
This is needed for file share browsing to work: non-admin accounts are
mapped to the nobody user if no Unix account exists for them, and the stock
permissions won't allow the nobody user to view shares.
mkdir /var/samba/testshare
chmod 0777 /var/samba/testshare
Because users are mapped to nobody, they still need write access to the
shares. chgrp to nobody or nogroup is probably safer than 0777. Samba still
enforces Windows ACL permissions (I tested to be sure) with 0777
permissions on the folder itself.
set skip_sysvolacl=True in
/usr/local/lib/python2.7/site-packages/samba/netcmd/domain.py
samba-tool domain provision --domain=TEST --host-name=DC0
--adminpass="PASSWORD" --server-role=dc --option="dns forwarder =
8.8.8.8" --option="xattr_tdb:file = /var/samba/xattr.tdb"
--option="acl_tdb:ignore system acls = yes" --option="vfs objects =
dfs_samba4 acl_tdb xattr_tdb" --realm=TEST.COM
By default Samba will use acl_xattr over acl_tdb. This is fine, but I
prefer to have my ACLs in a separate file. If you're fine with the default
then the following is acceptable.
samba-tool domain provision --domain=TEST --host-name=DC0
--adminpass="PASSWORD" --server-role=dc --option="dns forwarder =
8.8.8.8" --realm=TEST.COM
Next I just need to add the share to my smb.conf
# Global parameters
[global]
netbios name = DC0
realm = TEST.COM
workgroup = TEST
dns forwarder = 8.8.8.8
server role = active directory domain controller
acl_tdb:ignore system acls = yes
xattr_tdb:file = /var/samba/xattr.tdb
vfs objects = dfs_samba4 acl_tdb xattr_tdb
[netlogon]
path = /var/samba/sysvol/test.com/scripts
read only = No
[sysvol]
path = /var/samba/sysvol
read only = No
[test]
path = /var/samba/test
read only = No
After that you can start Samba, and from some fairly extensive testing
(multiple clients, strict share permissions, etc.) everything seems fine.
Even though we skip setting ACLs on sysvol at first, Samba generates the
ACLs using the tdb backend on startup if they aren't there. So it doesn't
seem like a big issue.
The samba_ad_dc init script also needs some work. smbcontrol doesn't
always behave well. I have patches for all of this if it looks good to
everyone else?
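As an added example (not code from the thread, nor Samba's own), the script below implements the variant the reply itself calls safer than 0777: give the share directory the group of the nobody mapping, mode 2770 with no world bits, and check that it has not drifted back to world-writable. The group names nobody/nogroup, the path /var/samba/testshare and the getent and find -perm checks are my assumptions, not something the post specifies.

```shell
#!/bin/sh
# Added example, not code from the thread or from Samba: set up a share
# directory that the "nobody" mapping can write to without making it
# world-writable (the post's 0777), and verify the result. Pure POSIX sh
# plus mkdir, chgrp, chmod and find, so it runs on FreeBSD and Linux alike.
#
# Assumptions (mine): guest users are mapped to the Unix account "nobody",
# whose primary group is "nobody" on FreeBSD and "nogroup" on some Linux
# systems; the share path /var/samba/testshare is taken from the post and
# is only a command-line default here.

# Print the first of the given group names that exists on this host.
# Fails (no output, status 1) if none does.
pick_share_group() {
    for g in "$@"; do
        if getent group "$g" >/dev/null 2>&1; then
            printf '%s\n' "$g"
            return 0
        fi
    done
    return 1
}

# Create $1 with group $2 and mode 2770: owner and group get rwx, others get
# nothing, and the setgid bit makes new files inherit the share group rather
# than the creating user's primary group.
make_share() {
    mkdir -p "$1" || return 1
    chgrp "$2" "$1" || return 1
    chmod 2770 "$1" || return 1
}

# True if $1 grants write to "others" (any local process could write there).
is_world_writable() {
    [ -n "$(find "$1" -prune -perm -0002 2>/dev/null)" ]
}

# True if $1 carries exactly the mode make_share sets (2770).
has_share_mode() {
    [ -n "$(find "$1" -prune -perm 2770 2>/dev/null)" ]
}

# Report how $1 looks from the Unix side; status 0 only when it is safe.
check_share() {
    if is_world_writable "$1"; then
        printf '%s: world-writable; local users bypass Samba entirely\n' "$1"
        return 1
    fi
    if has_share_mode "$1"; then
        printf '%s: ok (mode 2770)\n' "$1"
        return 0
    fi
    printf '%s: unexpected mode, inspect with ls -ld\n' "$1"
    return 1
}

# Command-line use: sh make_share.sh /var/samba/testshare [group]
# Does nothing when sourced or run without arguments.
if [ "$#" -gt 0 ]; then
    share=$1
    group=${2:-$(pick_share_group nobody nogroup)}
    [ -n "$group" ] || { echo "no nobody/nogroup group found" >&2; exit 1; }
    make_share "$share" "$group" && check_share "$share"
fi
```

With `acl_tdb:ignore system acls = yes` Samba evaluates the stored NT ACL rather than the Unix mode, so the mode mainly decides what local processes other than Samba can do to the share; 2770 limits that to root, the owner and the nobody group instead of every local account. To confirm the claim above that sysvol ACLs get generated at startup, `samba-tool ntacl sysvolcheck` compares the stored sysvol ACLs against what provisioning would have set.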