Help provisioning a Samba AD in a jail on ZFS
Alexander Zagrebin
alex at zagrebin.ru
Tue Nov 7 07:11:34 UTC 2017
On Mon, 6 Nov 2017 08:26:05 +0100
Andrea Venturoli <ml at netfence.it> wrote:
> > To set up a new samba46-based domain controller on ZFS in jail (I'm
> > using it with the VIMAGE) you can try the following:
>
> I'm not using VIMAGE (at least not yet).
>
> > 1. Rebuild the net/samba46 port with the attached patches
> > (patch-librpc__idl__xattr.idl,
> > patch-python__samba__provision____init__.py)
> >
> > 2. Initialize new domain with the following command (the last two
> > parameters make magic):
> > samba-tool domain provision --use-rfc2307 \
> > --host-name=<YOUR_DC_NAME> \
> > --realm=<YOUR_REALM> \
> > --domain=<YOUR_DOMAIN_NAME> \
> > --adminpass=<password> \
> > --option="vfs objects = acl_xattr" \
> > --option="acl_xattr:ignore system acls = yes"
> >
> > 3. After successful provisioning, edit /usr/local/etc/smb4.conf:
> > - remove or comment out
> > vfs objects = acl_xattr
> > acl_xattr:ignore system acls = yes
> > - add the following:
> > vfs objects = zfsacl
> > nfs4:mode = special
> > nfs4:acedup = merge
> > nfs4:chown = yes
> >
> > 4. Execute `samba-tool ntacl sysvolreset`
> >
> > 5. Start samba
>
> Looks like it worked.
> Hope I don't get any surprise in the deployment phase...
There is an issue when GPOs are situated on the ZFS:
sometimes (when a new file is appended?) the GPO's files get wrong
permissions.
So if you have problems with a group policy, run
`samba-tool ntacl sysvolreset` first...
--
Alexander Zagrebin
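
A pre-flight check for step 3 of the quoted procedure, added here as an example and not part of the original message or of Samba: it confirms that [global] now uses zfsacl with the three nfs4:* settings and that the provisioning-time acl_xattr options are gone. The function name check_smb4_conf and the sample file are assumptions made for illustration.

```sh
#!/bin/sh
# check_smb4_conf FILE   (hypothetical helper, not a Samba tool)
# Verify that [global] in FILE reflects step 3: zfsacl in place of acl_xattr,
# plus the three nfs4:* settings. Prints one line per problem; returns 0 if clean.
check_smb4_conf() {
    awk '
    function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
    function norm(s) { s = tolower(trim(s)); gsub(/[ \t]+/, " ", s); return s }
    BEGIN {
        want["nfs4:mode"] = "special"
        want["nfs4:acedup"] = "merge"
        want["nfs4:chown"] = "yes"
    }
    /^[ \t]*[#;]/ || /^[ \t]*$/ { next }            # skip comments and blank lines
    /^[ \t]*\[/ { sect = norm($0); next }           # track the current section
    sect == "[global]" && (i = index($0, "=")) {
        seen[norm(substr($0, 1, i - 1))] = norm(substr($0, i + 1))
    }
    END {
        bad = 0
        vfs = " " seen["vfs objects"] " "
        if (!index(vfs, " zfsacl "))   { print "vfs objects: zfsacl missing"; bad = 1 }
        if (index(vfs, " acl_xattr ")) { print "vfs objects: acl_xattr still listed"; bad = 1 }
        if ("acl_xattr:ignore system acls" in seen) {
            print "acl_xattr:ignore system acls: still set"; bad = 1
        }
        for (k in want) if (seen[k] != want[k]) {
            printf "%s: want \"%s\", found \"%s\"\n", k, want[k], seen[k]; bad = 1
        }
        exit bad
    }' "$1"
}

# Constructed sample: smb4.conf as it looks right after provisioning (step 2).
sample=$(mktemp)
cat > "$sample" <<'EOF'
[global]
    vfs objects = acl_xattr
    acl_xattr:ignore system acls = yes
EOF
if check_smb4_conf "$sample"; then echo "ready for sysvolreset"; else echo "finish step 3 first"; fi
rm -f "$sample"
```

Run it against /usr/local/etc/smb4.conf before step 4, so that `samba-tool ntacl sysvolreset` is not executed while the provisioning-time settings are still active.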