FreeBSD as an Active Directory Domain Controller

James B. Byrne byrnejb at harte-lyne.ca
Thu May 21 19:31:51 UTC 2020



On Wed, May 20, 2020 13:16, Andrea Venturoli wrote:
> On 2020-05-20 19:09, James B. Byrne via freebsd-questions wrote:
>
>> What I would like to find out is whether it is at all possible to have a
>> samba-4.10 (or 4.11) based AD on FreeBSD using ZFS with multiple DCs and
>> replication. If someone has this working I would appreciate being told how it
>> is done.
>
> Hi James.
> Sounds like the same question you asked ten days ago, which I already
> answered briefly (I use rsync).
>
> Perhaps you could tell what you tried, how you did it and how it is
> going wrong?
>

I have a DC that was set up on FreeBSD-10.3 using samba-4.3 and UFS.  At the
time samba on FreeBSD could only be set up on UFS.  Samba-4.4 and later removed
support for NT-style ACLs, which samba on FreeBSD required.  Samba43 disappeared
with the update to 10.4 and Samba-4.4 did not work, so that system could not be
updated.

Fast forward to now.  Samba410-4.10.15 on FreeBSD-12.1p5 using ZFS can now
be provisioned as a DC, so ACLs obviously must be working on ZFS.  I created a
Samba410 instance, checked that it could provision, undid that work,
reinstalled samba and used samba-tool to join the existing domain.  I then
attempted to replicate the sysvol using rsync.  However, I get ACL error
messages when I do that and the resulting permissions do not resemble what I
see on the DC.

rsync -XAavz --delete-after --rsh='ssh' [192.168.8.65]:/var/db/samba4/sysvol /var/db/samba4
receiving file list ... done

rsync: set_acl: sys_acl_set_file(sysvol, ACL_TYPE_ACCESS): Invalid argument (22)
rsync: set_acl: sys_acl_set_file(sysvol/brockley-2016.harte-lyne.ca, ACL_TYPE_ACCESS): Invalid argument (22)
rsync: set_acl: sys_acl_set_file(sysvol/brockley-2016.harte-lyne.ca/Policies, ACL_TYPE_ACCESS): Invalid argument (22)

I have gone down different routes to get around this block but I keep being
stymied by one incompatibility or another, to the point where today I installed
Debian on a bhyve VM to see if rsync behaves any differently on it than on
FreeBSD.

What I am looking for is some guidance as to what is supposed to work and has been
observed to work by someone running a multi-DC environment on FreeBSD and ZFS.
I presume that if I can provision a new domain on samba41 then I can likewise
set the ACLs using RSAT.  However, if one can only have one DC in that
configuration because replication via rsync does not work on FreeBSD then that
is no better than what I have now.

-- 
***          e-Mail is NOT a SECURE channel          ***
        Do NOT transmit sensitive data via e-Mail
 Do NOT open attachments nor follow links sent by e-Mail

James B. Byrne                mailto:ByrneJB at Harte-Lyne.ca
Harte & Lyne Limited          http://www.harte-lyne.ca
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada  L8E 3C3
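The set_acl errors above are what rsync -A reports when it tries to write POSIX.1e ACLs onto a filesystem that only implements NFSv4 ACLs, which is the case for ZFS on FreeBSD: the data is copied, the permissions are not. The following is an added example, not code from the post or from Samba, that parses that rsync output, separates the EINVAL class from other failures, and decides the follow-up; the sample input is constructed from the three lines in the post plus one made-up line, and the recovery path it proposes (copy without -A, then rebuild NT ACLs on the joined DC with samba-tool ntacl sysvolreset) is an assumption, not something the thread settles.

```python
import re
from collections import Counter

# rsync -A calls sys_acl_set_file() with POSIX.1e ACL types; FreeBSD ZFS only
# implements NFSv4 ACLs, so the call fails with EINVAL (22) for every path.
ACL_ERR = re.compile(
    r"^rsync: set_acl: sys_acl_set_file\((?P<path>.+?), (?P<acltype>ACL_TYPE_\w+)\): "
    r"(?P<msg>.+?) \((?P<errno>\d+)\)$"
)

# Constructed sample: the three lines from the post plus one made-up line with a
# different errno, so the two failure classes can be told apart.
SAMPLE_STDERR = """\
receiving file list ... done
rsync: set_acl: sys_acl_set_file(sysvol, ACL_TYPE_ACCESS): Invalid argument (22)
rsync: set_acl: sys_acl_set_file(sysvol/brockley-2016.harte-lyne.ca, ACL_TYPE_ACCESS): Invalid argument (22)
rsync: set_acl: sys_acl_set_file(sysvol/brockley-2016.harte-lyne.ca/Policies, ACL_TYPE_ACCESS): Invalid argument (22)
rsync: set_acl: sys_acl_set_file(sysvol/brockley-2016.harte-lyne.ca/Policies/EXAMPLE-GPO, ACL_TYPE_ACCESS): Permission denied (13)
"""

def parse_acl_errors(stderr_text):
    """One dict per set_acl failure line; every other line is ignored."""
    errors = []
    for line in stderr_text.splitlines():
        m = ACL_ERR.match(line.strip())
        if m:
            err = m.groupdict()
            err["errno"] = int(err["errno"])
            errors.append(err)
    return errors

def classify(err):
    """EINVAL on a POSIX.1e type: destination takes no POSIX ACLs. EACCES: rights."""
    if err["errno"] == 22 and err["acltype"] in ("ACL_TYPE_ACCESS", "ACL_TYPE_DEFAULT"):
        return "posix_acl_unsupported"
    if err["errno"] == 13:
        return "permission_denied"
    return "other"

def sync_plan(stderr_text):
    """Assumption: if every failure is the unsupported-POSIX-ACL case, drop -A and
    rebuild the NT ACLs on the destination DC instead of trusting rsync for them."""
    errors = parse_acl_errors(stderr_text)
    counts = Counter(classify(e) for e in errors)
    plan = {"counts": dict(counts), "paths": [e["path"] for e in errors]}
    if errors and counts["posix_acl_unsupported"] == len(errors):
        plan["rsync_flags"] = "-Xavz --delete-after"
        plan["follow_up"] = "samba-tool ntacl sysvolreset"
    else:
        plan["rsync_flags"] = None
        plan["follow_up"] = "inspect the non-EINVAL failures before re-running"
    return plan
```

Feed it the stderr of the rsync run; a plan with rsync_flags set means the only problem was the ACL model mismatch, while None means some path failed for a reason the reset will not fix.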