Bug #28932

Set correct parameters for domain controller role

Added by Andrew Walker over 2 years ago. Updated almost 2 years ago.

Status: Done
Priority: No priority
Assignee: Andrew Walker
Category: OS
Target version:
Seen in:
Severity: Low Medium
Reason for Closing:
Reason for Blocked:
Needs QA: No
Needs Doc: No
Needs Merging: No
Needs Automation: No
Support Suite Ticket: n/a
Hardware Configuration:
ChangeLog Required: No

Description

It looks like a side-effect of the following commit was that we stopped adding

    vfs objects = zfsacl zfs_space

to the [sysvol] and [netlogon] shares. https://github.com/freenas/freenas/commit/fd84b41390e1b9dd93753da201c9325fe338f4fa#diff-142c75298569a3d6a5c1dcb5b7109845

We need to do this, and also add the following parameters on those shares in order to pass samba-tool ACL checks:

    zfsacl:map_dacl_protected=true
    nfs4:mode=simple

Attachment: generate_smb4_conf.py (48.6 KB), hotpatched sysvol configuration. Andrew Walker, 02/28/2018 03:19 AM
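
A check for the share settings requested in the description, as an added example that is not part of the ticket or of FreeNAS: it parses smb4.conf-style text and reports where [sysvol] or [netlogon] lack them. The function names, the sample config and its paths are constructed for illustration, and values are compared literally against those given in the ticket.

```python
import re
# Settings the ticket asks for on the [sysvol] and [netlogon] shares.
REQUIRED_VFS = {"zfsacl", "zfs_space"}
REQUIRED_PARAMS = {"zfsacl:map_dacl_protected": "true", "nfs4:mode": "simple"}

# Constructed sample (paths are placeholders): [netlogon] lacks the settings.
SAMPLE = """
[sysvol]
path = /example/sysvol
vfs objects = zfsacl zfs_space
zfsacl:map_dacl_protected = true
nfs4:mode = simple
[netlogon]
path = /example/sysvol/scripts
"""

def parse_smb_conf(text):
    """Parse smb.conf text into {section: {param: value}}, names lowercased."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            section = m.group(1).strip().lower()
            conf.setdefault(section, {})
        elif section is not None and "=" in line:
            key, value = line.split("=", 1)
            conf[section][" ".join(key.lower().split())] = value.strip()
    return conf

def audit_dc_shares(text):
    """Return findings for [sysvol]/[netlogon]; an empty list means both pass."""
    conf = parse_smb_conf(text)
    findings = []
    for share in ("sysvol", "netlogon"):
        if share not in conf:
            findings.append(f"[{share}] share is missing")
            continue
        # A share inherits [global] values unless it sets its own.
        effective = {**conf.get("global", {}), **conf[share]}
        missing = REQUIRED_VFS - set(effective.get("vfs objects", "").split())
        if missing:
            findings.append(f"[{share}] vfs objects lacks {' '.join(sorted(missing))}")
        for key, want in REQUIRED_PARAMS.items():
            if effective.get(key, "").lower() != want:
                findings.append(f"[{share}] {key} is not {want}")
    return findings
```

Run `audit_dc_shares()` over the generated configuration text; an empty list means both shares carry the requested settings, either directly or inherited from [global].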

Related issues

Has duplicate FreeNAS - Bug #26552: FreeNAS as domain controller - cannot add group policy objects (Closed, 2017-11-08)
Has duplicate FreeNAS - Bug #44548: Access to netlogon and sysvol shares via domain member computer does not work without patch (Closed)
Has duplicate FreeNAS - Bug #47983: Cannot create Domain Controller (Closed)
Copied to FreeNAS - Bug #57834: Set correct parameters for domain controller role (Closed)

History

#1 Updated by Andrew Walker over 2 years ago

Attached hot-patched generate_smb4_conf.py. Will make a proper PR later today.

#2 Updated by Dru Lavigne over 2 years ago

  • Assignee changed from Timur Bakeyev to Andrew Walker
  • Target version set to 11.2-RC2

#3 Updated by Andrew Walker over 2 years ago

  • Status changed from Not Started to In Progress

Spoke to John about this. These VFS objects should be set automatically in source3/smbd/pysmbd.c:

static PyObject *py_smbd_set_nfsv4_defaults(PyObject *self)
{
        /*
         * This should really be done in source3/param/loadparm.c
         */
#if defined(HAVE_LIBSUNACL) && defined(FREEBSD)
        lp_do_parameter(-1, "vfs objects", "dfs_samba4 zfsacl");
#endif
        Py_RETURN_NONE;
}

I verified that the above function is being called, but the setsysvolacl() function in python/samba/provision/__init__.py is still failing when it hits:

    setntacl(lp,sysvol, SYSVOL_ACL, str(domainsid), use_ntvfs=use_ntvfs,
             skip_invalid_chown=True, passdb=s4_passdb,
             service=SYSVOL_SERVICE)

This should eventually call a fset_nt_acl, which should be picked up by zfsacl... if it's actually staying set.

Recompiling with source3/param/loadparm.c loading zfsacl instead of acl_xattr allows provision to proceed normally. This is consistent with what I observed on my FreeNAS DC (having generate_smb4_conf.py add zfsacl to [global] resolves the issue as well). Will make a PR to automatically set appropriate VFS objects globally, as this seems to be the best bet to keep things stable, and investigate a generic fix in loadparm.c itself.

#4 Updated by Andrew Walker over 2 years ago

  • Status changed from In Progress to Done

#5 Updated by Andrew Walker over 2 years ago

  • Status changed from Done to In Progress

#6 Updated by Dru Lavigne over 2 years ago

  • Related to Bug #26552: FreeNAS as domain controller - cannot add group policy objects added

#7 Updated by Nick Wolff over 2 years ago

  • Severity set to Low Medium

Small usage of freenas-domain controller and minor impact so marking as low-medium.

#8 Updated by Dru Lavigne over 2 years ago

  • Related to deleted (Bug #26552: FreeNAS as domain controller - cannot add group policy objects)

#9 Updated by Dru Lavigne over 2 years ago

  • Has duplicate Bug #26552: FreeNAS as domain controller - cannot add group policy objects added

#10 Updated by Ben Gadd about 2 years ago

  • Target version changed from 11.2-RC2 to Backlog

#11 Updated by Dru Lavigne about 2 years ago

  • Status changed from In Progress to Unscreened

#13 Updated by Andrew Walker almost 2 years ago

Let's merge in this one. It fixes the issue for us. Then we can move on to other problems with the DC role.
https://github.com/freenas/freenas/pull/1939

#14 Updated by Andrew Walker almost 2 years ago

  • Status changed from Unscreened to In Progress

#15 Updated by Dru Lavigne almost 2 years ago

  • Has duplicate Bug #44548: Access to netlogon and sysvol shares via domain member computer does not work without patch added

#16 Updated by Dru Lavigne almost 2 years ago

  • Has duplicate Bug #47983: Cannot create Domain Controller added

#18 Updated by Dru Lavigne almost 2 years ago

  • Target version changed from Backlog to 11.2-RC2

#19 Updated by Dru Lavigne almost 2 years ago

  • Subject changed from generate_smb4_conf.py is not adding appropriate vfs objects to FreeNAS domain controller to Set correct parameters for domain controller role

#20 Updated by Andrew Walker almost 2 years ago

Master PR 1: https://github.com/freenas/freenas/pull/1939 (fix provisioning on ZFS)
11.2-stable PR 1: https://github.com/freenas/freenas/pull/1944
11.1-stable PR 1: https://github.com/freenas/freenas/pull/1943

Master PR 2: https://github.com/freenas/samba/pull/68 (add support for checking sysvol ACL on ZFS). --- for samba47.
11.2-stable PR 2: https://github.com/freenas/samba/pull/70
11.1-stable PR 2: https://github.com/freenas/samba/pull/69

11.2-stable PR 3: https://github.com/freenas/ports/pull/154 (master not needed as uses different samba version)
11.1-stable PR 3: https://github.com/freenas/ports/pull/152

#21 Updated by Dru Lavigne almost 2 years ago

  • Category changed from OS to Services

#22 Updated by Dru Lavigne almost 2 years ago

  • Status changed from In Progress to Ready for Testing

#23 Updated by Dru Lavigne almost 2 years ago

  • Needs Doc changed from Yes to No
  • Needs Merging changed from Yes to No

#24 Updated by Dru Lavigne almost 2 years ago

  • Status changed from Ready for Testing to In Progress
  • Needs Merging changed from No to Yes

#25 Updated by Bug Clerk almost 2 years ago

  • Status changed from In Progress to Ready for Testing

#27 Updated by Bug Clerk almost 2 years ago

  • Target version changed from 11.2-RC2 to TrueNAS 11.1-U6.2

#28 Updated by Dru Lavigne almost 2 years ago

  • Target version changed from TrueNAS 11.1-U6.2 to 11.2-RC2
  • Needs Merging changed from Yes to No

#30 Updated by Bonnie Follweiler almost 2 years ago

  • Copied to Bug #57834: Set correct parameters for domain controller role added

#31 Updated by Bonnie Follweiler almost 2 years ago

  • Status changed from Ready for Testing to Done
  • Needs QA changed from Yes to No

The remaining issues will be addressed in https://redmine.ixsystems.com/issues/57834

#32 Updated by Andrew Walker almost 2 years ago

  • Category changed from Services to OS
