Bug 12027 - samba-tool ntacl sysvolreset doesn't work with ZFS, even if zfsacl is used
samba-tool ntacl sysvolreset doesn't work with ZFS, even if zfsacl is used
Status: NEW
Product: Samba 4.1 and newer
Classification: Unclassified
Component: VFS Modules
4.4.3
x64 FreeBSD
: P5 normal
: ---
Assigned To: Samba QA Contact
Samba QA Contact
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2016-07-18 14:21 UTC by Jørn Åne
Modified: 2016-07-18 15:40 UTC (History)
2 users (show)

See Also:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Jørn Åne 2016-07-18 14:21:42 UTC
My setup:

Fresh samba43 on FreeBSD jail with ZFS.

ZFS is mounted with aclinherit=passthrough and aclmode=passthrough

A new DC is provisioned:

    samba-tool domain provision […] --use-xattrs=no --use-ntvfs

After provisioning, the following lines were removed from /usr/local/etc/smb4.conf:

    'server services', 'dcerpc endpoint servers', 'posix:eadb'

The following line was added to /etc/smb4.conf:

    vfs objects = zfsacl

This, as I understand it, is the procedure as it is recommended by FreeBSD ports.

    https://svnweb.freebsd.org/ports/head/net/samba43/files/README.FreeBSD.in?revision=414752&view=markup

I tried samba44 as well, but it didn't have --use-ntvfs available.  Not using --use-ntvfs causes an error stating that ACLs are not supported.


Problem description:

When I try to run `samba-tool ntacl sysvolreset`, the program fails with an error:

    ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception - ProvisioningError: Your filesystem or build does not support posix ACLs, which s3fs requires.  Try the mounting the filesystem with the 'acl' option.
    <stacktrace>

Upon inspection of the referred script, I find the following Python file:

    /usr/local/lib/python2.7/site-packages/samba/provision/__init__.py

Which reads starting on line 1547:

    try:
        smbd.set_simple_acl(file.name, 0755, gid)
    except OSError:
        <snip>
        raise ProvisioningError("Your filesystem or build does not support posix ACLs […]")

The smbd object comes from samba.samba3, which is an .so file.


What I have found so far:

There is a thread on the mailing list from 2013 already identifying this problem.

    https://lists.samba.org/archive/samba/2013-September/175758.html

I have asked on Server Fault, where the answer is that NFSv4 ACLs should be used. Which is what Windows uses and what ZFS uses, but not what s3fs uses.

    https://serverfault.com/questions/757764/what-kind-of-acl-storage-to-use-for-a-samba-domain-controller-on-zfs-and-freebsd

A comment on the question states "aha. That's a bug in the tool, I would take it up upstream (samba project). In fact, it would be much better for samba to support those ace's [sic] out of the box, they are much more like Windows ace's [sic]".