FreeBSD as an Active Directory Domain Controller

James B. Byrne byrnejb at
Fri May 22 13:12:16 UTC 2020

On Thu, May 21, 2020 21:11, Dean E. Weimer wrote:
> Did you make sure to set your zfs data set aclmode and aclinherit
> options to passthrough?

Yes, the samba410 instances are installed on iocage jails and the properties
are set to:

zfs get all zroot/iocage/jails/samba-0{2..3} | grep acl

zroot/iocage/jails/samba-02  aclmode     passthrough  inherited from zroot/iocage/jails
zroot/iocage/jails/samba-02  aclinherit  passthrough  inherited from zroot/iocage/jails
zroot/iocage/jails/samba-03  aclmode     passthrough  inherited from zroot/iocage/jails
zroot/iocage/jails/samba-03  aclinherit  passthrough  inherited from zroot/iocage/jails

> I am running Samba 4.11.8 on two FreeBSD 12.1p5 systems. I did the
> initial install on 12.1, not sure which patch at the time, with Samba 4.10
> and then switched to 4.11. Though this was set up as a test system and
> only has a few accounts on it. Syncing at 5 minute intervals with
> rsync -XAavq --delete-after -e "ssh" --progress
> root at /var/db/samba4/sysvol
> It's not returning any errors, but then again there are not a lot of
> changes occurring.

My problem is that I cannot tell if the issue is with rsync or not, whether the
switch between samba43 ntacls on ufs and samba410 acls on zfs is the cause, or
if something is inherently wrong with samba running on top of zfs.  If it is one
of the former two then, although painful, it is possible to set up a new domain
entirely on FreeBSD and copy the users and their profiles over.  This is
how we moved from Windows server to FreeBSD.

But I cannot do this if the issue is that I cannot get replication working.

I have set up a Debian vm using bhyve and I am going to see if rsyncing to it
from the DC gives the same errors.  If rsync continues to throw errors then the
issue lies with the acl implementation on 10.3 and there will be nothing I can
do to salvage the domain.


James B. Byrne                mailto:ByrneJB at
Harte & Lyne Limited
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada  L8E 3C3
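Added here as an example of the property check this exchange relies on; it is not code from either poster. A POSIX sh helper reads `zfs get` output for the aclmode and aclinherit properties and flags any dataset whose value is not passthrough, so a Samba sysvol dataset that silently kept the ZFS defaults is caught before replication is blamed. The sample output is constructed, with samba-03 deliberately left at a non-passthrough aclmode.

```shell
#!/bin/sh
# check_acl_props: read "zfs get [-H] aclmode,aclinherit <datasets>" output
# on stdin (whitespace-separated NAME PROPERTY VALUE [SOURCE] columns) and
# print every property that is not "passthrough". Exit 0 when all datasets
# pass, 1 otherwise. Works on both the tab-separated -H output and the
# human-readable form, whose "NAME" header line is skipped.
check_acl_props() {
    awk '
        $1 == "NAME" { next }                      # skip the column header
        ($2 == "aclmode" || $2 == "aclinherit") && $3 != "passthrough" {
            printf "%s %s=%s (expected passthrough)\n", $1, $2, $3
            bad = 1
        }
        END { exit (bad ? 1 : 0) }
    '
}

# Constructed sample (not from the original message): samba-02 is correct,
# samba-03 still has aclmode at a non-passthrough value.
SAMPLE='zroot/iocage/jails/samba-02 aclmode passthrough inherited from zroot/iocage/jails
zroot/iocage/jails/samba-02 aclinherit passthrough inherited from zroot/iocage/jails
zroot/iocage/jails/samba-03 aclmode discard local
zroot/iocage/jails/samba-03 aclinherit passthrough inherited from zroot/iocage/jails'

# Run the check on the sample; on a live host the input would instead be
#   zfs get -H -o name,property,value aclmode,aclinherit \
#       zroot/iocage/jails/samba-02 zroot/iocage/jails/samba-03 | check_acl_props
printf '%s\n' "$SAMPLE" | check_acl_props || echo "sample check failed as intended"
```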
