FreeBSD as an Active Directory Domain Controller

Andrea Venturoli ml at
Fri May 22 15:21:14 UTC 2020

On 2020-05-21 21:31, James B. Byrne wrote:

> Samba-4.4 and later removed support for nt style acls,

Could you elaborate on this or give a pointer?
I looked into 4.4.0 release notes, but found no mention of this removal.

 From the Samba Wiki, a Samba AD DC requires "Windows ACLs" (as opposed 
to POSIX ACLs). What do you mean with "NT style ACLs"?

> Fast forward to now.  Samba410-4.10.15 on FreeBSD-12.1p5 and using ZFS now can
> be provisioned as a DC so acls obviously must be working on ZFS,  I created a
> Samab410 instance, checked that it could provision, undid that work and
> reinstalled samba and used samba-tool to join the existing domain.  I then
> attempted to replicate the sysvol using rsync.

Just to be sure, you are now:
_ connecting via SSH from the *new* DC to the old DC;
_ copying from UFS to ZFS;
_ from a jail to a jail.

> rsync -XAavz --delete-after --rsh='ssh' []:/var/db/samba4/sysvol
> /var/db/samba4
> receiving file list ... done
> rsync: set_acl: sys_acl_set_file(sysvol, ACL_TYPE_ACCESS): Invalid argument (22)
> rsync: set_acl: sys_acl_set_file(sysvol/,
> ACL_TYPE_ACCESS): Invalid argument (22)
> rsync: set_acl: sys_acl_set_file(sysvol/,
> ACL_TYPE_ACCESS): Invalid argument (22)

Just a shot in the dark: you're not using the stock rsync package, do you?
At least in the past, an ACL patch was needed to support ACLs and that 
option is not on by default.

I'm not sure it's still the case, however; now the patch states:
> This patch adds backward-compatibility support for the --acls option.
> Since the main release has never had ACL support, the trunk doesn't
> need this code.  If you want to make rsync 3.0.x communicate with an
> older (patched) release, use this.

I don't find the above particularly clear... if someone with more 
insight could step in...

In any case, possibly you'll need to recompile rsync with that patch 
enabled (on both sides?).
Or maybe again, this is not true anymore.

Failing that, could you choose a sample file and report what ACLs are on 
the source and what you get on the target?


More information about the freebsd-questions mailing list