upgrade.py uses the value set in provision/__init__.py
netcmd/domain.py doesn't include the value from provision/__init__.py

Shame, otherwise there would have been one location to patch this.

python/samba/netcmd/domain.py: use_rfc2307=use_rfc2307, skip_sysvolacl=False,
python/samba/provision/__init__.py: am_rodc=False, lp=None, use_ntvfs=False, skip_sysvolacl=False):
python/samba/provision/__init__.py: if not skip_sysvolacl:
python/samba/provision/__init__.py: use_rfc2307=False, maxuid=None, maxgid=None, skip_sysvolacl=True,
python/samba/provision/__init__.py: skip_sysvolacl=skip_sysvolacl)
python/samba/upgrade.py: use_ntvfs=use_ntvfs, skip_sysvolacl=True)

Ian McWilliam
________________________________________
From: owner-po...@openbsd.org [owner-po...@openbsd.org] on behalf of alexmcwhir...@triadic.us [alexmcwhir...@triadic.us]
Sent: Thursday, 9 February 2017 1:36 PM
To: Vijay Sankar
Cc: ports@openbsd.org; owner-po...@openbsd.org
Subject: Re: samba4 and ACL's

On 2017-02-08 20:42, alexmcwhir...@triadic.us wrote:
> On 2017-02-03 14:04, Vijay Sankar wrote:
>> Hi Jeremie,
>>
>> I tested this over the past few days.
>>
>> If I change skip_sysvolacl=False to skip_sysvolacl=True in
>> /usr/local/lib/python2.7/site-packages/samba/netcmd/domain.py, I am able to
>> create the domain, add additional DC's as well as additional member
>> servers. All DC's are qemu VMs. Tested this further with Windows 10, 8.1,
>> and 7 domain members and it seems to work for "normal" Windows usage.
>>
>> If this is not a dumb approach, please let me know if any additional tests
>> would be useful. If it is really a bad idea, please let me know as well.
>>
>> Thank you very much for all the massive effort into this port. Much
>> appreciated.
>>
>> Vijay
>
> So I got around to testing this on -stable today. It seems to work
> just as expected. I was wary about this actually skipping ACL's
> entirely, but that does not seem to be the case. Does anyone have
> thoughts on patching this to be a default?
>
> This allows us to use the xattr_tdb / acl_xattr / acl_tdb with s3fs, which
> fixes quite a few of the ntvfs specific issues that will likely not be fixed
> as it is deprecated. This also allows samba 4.4.X to work as well, so no
> need to backport 4.5.X.
>
> I accomplished this by doing the following...
>
> chmod 0755 /var/samba
> chmod 0755 /var/cache/samba
>
> This is needed for file share browsing to work, non-admin accounts are
> mapped to the nobody user if no unix account exists for them. The
> stock permissions won't allow the nobody user to view shares.
>
> mkdir /var/samba/testshare
> chmod 0777 /var/samba/testshare
>
> Because users are mapped to nobody, they still need write access to
> the shares. chgrp to nobody or nogroup is probably safer than 0777.
> Samba still enforces windows ACL permissions (I tested to be sure)
> with 0777 permissions on the folder itself.
>
> set skip_sysvolacl=True in
> /usr/local/lib/python2.7/site-packages/samba/netcmd/domain.py
>
> samba-tool domain provision --domain=TEST --host-name=DC0
> --adminpass="PASSWORD" --server-role=dc --option="dns forwarder =
> 8.8.8.8" --option="xattr_tdb:file = /var/samba/xattr.tdb"
> --option="acl_tdb:ignore system acls = yes" --option="vfs objects =
> dfs_samba4 acl_tdb xattr_tdb" --realm=TEST.COM
>
> By default samba will use acl_xattr over acl_tdb. This is fine, but I
> prefer to have my ACL's in a separate file. If you're fine with the
> default then the following is acceptable.
>
> samba-tool domain provision --domain=TEST --host-name=DC0
> --adminpass="PASSWORD" --server-role=dc --option="dns forwarder =
> 8.8.8.8" --realm=TEST.COM
>
> Next I just need to add the share to my smb.conf
>
> # Global parameters
> [global]
> netbios name = DC0
> realm = TEST.COM
> workgroup = TEST
> dns forwarder = 8.8.8.8
> server role = active directory domain controller
> acl_tdb:ignore system acls = yes
> xattr_tdb:file = /var/samba/xattr.tdb
> vfs objects = dfs_samba4 acl_tdb xattr_tdb
>
> [netlogon]
> path = /var/samba/sysvol/test.com/scripts
> read only = No
>
> [sysvol]
> path = /var/samba/sysvol
> read only = No
>
> [test]
> path = /var/samba/test
> read only = No
>
> After that you can start samba, and from some fairly extensive testing
> (multiple clients, strict share permissions, etc...) everything seems
> fine. Even though we skip setting ACL's on sysvol at first, samba
> generates the ACLs using the tdb backend on startup if they aren't
> there. So it doesn't seem like a big issue.
>
> The samba_ad_dc init script also needs some work. smbcontrol doesn't
> always behave well. I have patches for all of this if it looks good to
> everyone else?

One correction, samba creates uid's for every user. They are just really
highly numbered, so I thought it was the nobody user. Regardless, setting
the root share folder to root:users 0775 should suffice.
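As an added example, not code from the thread or from Samba itself: a small Python checker for the settings discussed above. It parses the posted [global] section, checks that the VFS ACL backend options (vfs objects, xattr_tdb:file, acl_tdb:ignore system acls) are consistent with one another, and checks a share root's mode against the root:users 0775 advice rather than 0777. The function names and the sample config are assumptions constructed for this example.

```python
# Added example (not from the thread or Samba): parse a minimal smb.conf and
# check the ACL-backend settings the thread relies on, plus the share-root
# permission advice (root:users 0775 rather than 0777). Names are my own.
import stat

# Constructed sample, reproducing part of the [global] section posted above.
SAMPLE_SMB_CONF = """\
# Global parameters
[global]
realm = TEST.COM
server role = active directory domain controller
acl_tdb:ignore system acls = yes
xattr_tdb:file = /var/samba/xattr.tdb
vfs objects = dfs_samba4 acl_tdb xattr_tdb

[test]
path = /var/samba/test
read only = No
"""

def parse_smb_conf(text):
    """Return {section: {key: value}}; keys lower-cased, comments skipped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections[current] = {}
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections

def check_acl_backend(conf):
    """Findings about the [global] VFS ACL backend; empty list means consistent."""
    g = conf.get("global", {})
    vfs = g.get("vfs objects", "").split()
    findings = []
    if not ({"acl_tdb", "acl_xattr"} & set(vfs)):
        findings.append("no Windows ACL backend (acl_tdb or acl_xattr) in vfs objects")
    if "xattr_tdb" in vfs and "xattr_tdb:file" not in g:
        findings.append("xattr_tdb loaded but xattr_tdb:file not set")
    if "acl_tdb" not in vfs and "acl_tdb:ignore system acls" in g:
        findings.append("acl_tdb:ignore system acls set but acl_tdb not loaded")
    return findings

def share_root_mode_ok(mode):
    """True when the share root has no world-write bit (0o775 as suggested, not 0o777)."""
    return not (stat.S_IMODE(mode) & stat.S_IWOTH)
```

Feed `parse_smb_conf` the real /etc/samba/smb.conf and `os.stat(path).st_mode` of each share's path to run the same checks on a live host.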