On 2017-02-08 20:42, alexmcwhir...@triadic.us wrote:
On 2017-02-03 14:04, Vijay Sankar wrote:
Hi Jeremie,

I tested this over the past few days.

If I change skip_sysvolacl=False to skip_sysvolacl=True in
/usr/local/lib/python2.7/site-packages/samba/netcmd/domain.py, I am able to
create the domain, add additional DCs as well as additional member
servers. All DCs are qemu VMs. Tested this further with Windows 10, 8.1,
and 7 domain members and it seems to work for "normal" Windows usage.

If this is not a dumb approach, please let me know if any additional tests would be useful. If it is really a bad idea, please let me know as well.

Thank you very much for all the massive effort into this port. Much
appreciated.

Vijay

So I got around to testing this on -stable today. It seems to work
just as expected. I was wary about this actually skipping ACLs
entirely, but that does not seem to be the case. Does anyone have
thoughts on patching this to be a default? This allows us to use
xattr_tdb / acl_xattr / acl_tdb with s3fs, which fixes quite a few
ntvfs-specific issues that will likely not be fixed as it is
deprecated. This also allows samba 4.4.X to work as well, so no need
to backport 4.5.X.

I accomplished this by doing the following...

chmod 0755 /var/samba
chmod 0755 /var/cache/samba

This is needed for file share browsing to work: non-admin accounts are
mapped to the nobody user if no unix account exists for them. The
stock permissions won't allow the nobody user to view shares.

mkdir /var/samba/testshare
chmod 0777 /var/samba/testshare

Because users are mapped to nobody, they still need write access to
the shares. chgrp to nobody or nogroup is probably safer than 0777.
Samba still enforces windows ACL permissions (I tested to be sure)
with 0777 permissions on the folder itself.

set skip_sysvolacl=True in
/usr/local/lib/python2.7/site-packages/samba/netcmd/domain.py

samba-tool domain provision --domain=TEST --host-name=DC0 \
  --adminpass="PASSWORD" --server-role=dc --option="dns forwarder = 8.8.8.8" \
  --option="xattr_tdb:file = /var/samba/xattr.tdb" \
  --option="acl_tdb:ignore system acls = yes" \
  --option="vfs objects = dfs_samba4 acl_tdb xattr_tdb" --realm=TEST.COM

By default samba will use acl_xattr over acl_tdb. This is fine, but I
prefer to have my ACLs in a separate file. If you're fine with the
default then the following is acceptable.

samba-tool domain provision --domain=TEST --host-name=DC0 \
  --adminpass="PASSWORD" --server-role=dc --option="dns forwarder = 8.8.8.8" \
  --realm=TEST.COM

Next I just need to add the share to my smb.conf

# Global parameters
[global]
        netbios name = DC0
        realm = TEST.COM
        workgroup = TEST
        dns forwarder = 8.8.8.8
        server role = active directory domain controller
        acl_tdb:ignore system acls  = yes
        xattr_tdb:file  = /var/samba/xattr.tdb
        vfs objects = dfs_samba4 acl_tdb xattr_tdb

[netlogon]
        path = /var/samba/sysvol/test.com/scripts
        read only = No

[sysvol]
        path = /var/samba/sysvol
        read only = No

[test]
        path = /var/samba/test
        read only = No

After that you can start samba, and from some fairly extensive testing
(multiple clients, strict share permissions, etc.) everything seems
fine. Even though we skip setting ACLs on sysvol at first, samba
generates the ACLs using the tdb backend on startup if they aren't
there. So it doesn't seem like a big issue.

The samba_ad_dc init script also needs some work. smbcontrol doesn't
always behave well. I have patches for all of this if it looks good to
everyone else?

One correction: samba creates UIDs for every user. They are just really highly numbered, so I thought it was the nobody user. Regardless, setting the root share folder to root:users 0775 should suffice.
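An added check (example code, not from the thread or from Samba) for the two points raised above: that the smb.conf names an ACL VFS module (acl_tdb or acl_xattr) so Windows ACLs are actually persisted, and that share directories are not left world-writable as in the 0777 step before the root:users 0775 correction. The smb.conf text and the share directory are constructed for the demo.

```python
import configparser
import os
import stat
import tempfile

# Constructed smb.conf modelled on the one in the thread (a sample, not the poster's file);
# {share} is filled with a temporary directory so the example runs anywhere.
SAMPLE_SMB_CONF = """\
[global]
        acl_tdb:ignore system acls  = yes
        xattr_tdb:file  = /var/samba/xattr.tdb
        vfs objects = dfs_samba4 acl_tdb xattr_tdb
[test]
        path = {share}
        read only = No
"""
ACL_MODULES = {"acl_tdb", "acl_xattr"}  # VFS modules that persist Windows ACLs

def parse_smb_conf(text):
    """Parse smb.conf text into {section: {key: value}}. Lines are stripped so configparser
    does not treat Samba's indented keys as continuations; only '=' splits key from value."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None, strict=False)
    cp.read_string("\n".join(line.strip() for line in text.splitlines()))
    return {section: dict(cp[section]) for section in cp.sections()}

def audit(conf):
    """Findings: an ACL VFS module must be configured, share paths must exist and
    must not be world-writable (the 0777 first tried in the thread)."""
    findings = []
    vfs = set(conf.get("global", {}).get("vfs objects", "").split())
    if not vfs & ACL_MODULES:
        findings.append("global: 'vfs objects' names neither acl_tdb nor acl_xattr")
    for share, opts in conf.items():
        if share == "global" or "path" not in opts:
            continue
        path = opts["path"]
        if not os.path.isdir(path):
            findings.append(f"{share}: path {path} does not exist")
            continue
        mode = stat.S_IMODE(os.stat(path).st_mode)
        if mode & stat.S_IWOTH:
            findings.append(f"{share}: {path} is world-writable ({mode:04o}); use root:users 0775")
    return findings

def audit_share_at(mode):
    # Create a constructed share directory with the given mode and audit it (0777 vs 0775)
    with tempfile.TemporaryDirectory() as tmp:
        share = os.path.join(tmp, "testshare")
        os.mkdir(share)
        os.chmod(share, mode)
        return audit(parse_smb_conf(SAMPLE_SMB_CONF.format(share=share)))
```

Run `audit(parse_smb_conf(open("/usr/local/etc/smb4.conf").read()))` against a real file to list shares that still have the world-writable mode.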
