# Samba4, zfs, nfsv4 rights problem



## waywardnl (Sep 5, 2014)

When I install samba4 I provision with:

```
samba-tool domain provision --interactive --use-ntvfs
```

I answer the questions:


```
Realm: BSD05.local
Domain: BSD05.com
dc
SAMBA_INTERNAL
10.30.0.100 (That is my router)
Password
Password
```

my smb4.conf

```
# Global parameters
[global]
        workgroup = BSD05.COM
        realm = BSD05.LOCAL
        netbios name = BSD05
        server role = active directory domain controller
        dns forwarder = 10.30.0.100

        load printers = no
        printing = bsd
        printcap name = /dev/null
        disable spoolss = yes
[netlogon]
        path = /var/db/samba4/sysvol/bsd05.local/scripts
        read only = No

[sysvol]
        path = /var/db/samba4/sysvol
        read only = No

[tmp]
        comment = Temporary Files
        path = /zdata/tmp
        browseable = Yes
        read only = No
        ea support = Yes
        map archive = No
        map readonly = No
        map system = No
        vfs objects = zfsacl
        nfs4:mode = special
        nfs4:acedup = merge
        nfs4:chown = yes
        zfsacl: acesort = dontcare

# Appz Drive
#
[appz]
        comment = Programma's, Games en dergelijke.
        path = /zdata/Appz
        public = no
        browseable = yes
        read only = no
```

I have fooled around with the tmp share, nothing seems to help.

I tried to add rights with setfacl(1); this did not work. I have tried to set rights in Windows: I can set rights once, but after I have done this I no longer have rights to change the rights, and the user also has rights granted with:

```
net rpc rights grant 'Domain_Admins' SeDiskOperatorPrivilege -Uadministrator
```

The user that tries to change the rights is a member of Domain Admins.

I have also tried to change the rights with chmod(1), but then I no longer have rights in Windows to change the share. I have tried to change the rights in Windows Explorer and in Computer Management, connecting to my server bsd05 via Actions --> Connect to other computer. I can connect and see the shares; I only get an error 147.

My questions: do I need to use ACLs, or can I just use chmod(1) like in the old days? One user and one group is good enough.

How do I use NFSv4 ACLs (Windows ACLs) successfully?

Why does Windows react so strangely to the rights?



> I use Windows 8.1 for Windows, FreeBSD 9.3 and Samba 4.1.9.



Any pointers are welcome; I have been struggling with this for a few days.


----------



## SirDice (Sep 5, 2014)

waywardnl said:

> ```
> vfs objects = zfsacl
> nfs4:mode = special
> nfs4:acedup = merge
> ...


I'd remove these first. After that you should be able to use chmod(1) and chown(1) to set the correct permissions.


----------



## waywardnl (Sep 5, 2014)

I have the same problem with Appz; I added these lines after the permissions went wrong. Am I right in thinking that the users I use must exist in /etc/group? Or is that a mistake on my part, or does it not matter at all? I added permissions with setfacl(1). Or does one share's settings affect another share?


----------



## SirDice (Sep 5, 2014)

Normal UNIX permissions apply, so yes, you need to have users and groups.


----------



## Sebulon (Sep 5, 2014)

Hi @waywardnl!

There are some things to consider. First of all, your clients, the ones you try to connect to the shares from, are they joined to the domain? If not, you have to be sure to connect with the "DOMAIN_NAME\user_name" stanza to make sure you are correctly authenticated.

These are the share settings we use for our domain-joined file servers:

```
        vfs objects = zfsacl
        nfs4:acedup = merge
        nfs4:mode = special
        nfs4:chown = yes
        nt acl support = yes
        map acl inherit = yes
        inherit acls = yes
        inherit permissions = yes
        inherit owner = no
        ea support = yes
        store dos attributes = yes
        map hidden = no
        map system = no
        map archive = no
        case sensitive = no
```

Everything under "map acl inherit" is more or less optional but makes it act and feel more like a "normal" Windows file server (oxymoron perhaps but, you know...).

Filesystems that are to be shared are also `zfs create`d with `-o aclmode=passthrough -o aclinherit=passthrough`.

Can't say much about your ACLs since you haven't actually shown them, but you'd need to set your ACL not just for the top-level directory, but for all directories and files for the ACL to have effect. This is a common misconception.

One way to set the ACL and propagate it is to use find with -exec:
`# find /zdata/tmp -type d -exec setfacl -m group:BUILTIN\\administrators:rwxpDdaARWcCo-:fd----:allow {} \;`
`# find /zdata/tmp -type f -exec setfacl -m group:BUILTIN\\administrators:rwxpDdaARWcCo-:------:allow {} \;`

I'm assuming here that "DOMAIN_NAME\Administrators" is nested in through "BUILTIN\Administrators":
`# net sam list builtin`

```
Administrators
Users
```
`# net sam listmem Administrators`

```
BUILTIN\Administrators has 1 members
 DOMAIN_NAME\Domain Admins
```

Then you have applied an ACL that allows members (and nested members) of "BUILTIN\Administrators" access to /zdata/tmp and all files and directories beneath it.

/Sebulon


----------



## waywardnl (Sep 5, 2014)

I tried the command and I think here could be a problem:


```
root@BSD05:/zdata # net sam listmem Administrators
Bad talloc magic value - unknown value
PANIC (pid 36925): Bad talloc magic value - unknown value
BACKTRACE: 2 stack frames:
 #0 0x804c4607c <smb_panic_s3+108> at /usr/local/lib/libsmbconf.so.0
 #1 0x8038247c5 <smb_panic+37> at /usr/local/lib/libsamba-util.so.0
Can not dump core: corepath not set up
root@BSD05:/zdata #
```


----------



## Sebulon (Sep 5, 2014)

waywardnl said:

> I tried the command and i think here could be a problem:
> 
> 
> ```
> ...



No, it does so on my SAMBA domain controller as well; I tested that from another member, which works. It's still not quite consistent, SAMBA, and may not ever be:
`# net sam listmem "Domain Admins"`

```
Can only list local group members so far.
Domain Admins is a None
```

It's a little different for you in that your storage server is also your domain controller. I myself set up a CentOS virtualization host, just so that I could separate the two completely, each in its own VM.
But never mind, just replace "BUILTIN\Administrators" in your ACL with another group that SAMBA likes better, like "`DOMAIN_NAME\\Domain\ Admins`", or create a new group, whatever's your fancy.

/Sebulon


----------



## waywardnl (Sep 5, 2014)

I have been testing further; the reason I didn't join is that it does not work with Windows 8.1 Pro. I have tried to join from Windows XP and this works.

But I get the same results with access rights.


With /zdata/tmp I get write access with `chmod -R 0777 /zdata/tmp`, but with `chmod -R 0775 /zdata/tmp` I can only look!

This is ACL on /zdata/tmp

```
root@BSD05:/home/roland # getfacl /zdata/tmp
# file: /zdata/tmp
# owner: rsync
# group: bewoner
        group:Appz:rwxp--aARWcCos:------:allow
            owner@:rwxp--aARWcCos:------:allow
            group@:rwxp--a-R-c--s:------:allow
         everyone@:r-x---a-R-c--s:------:allow
```
Of course I am logged in with a user that is part of the Appz group.

I changed my smb4.conf and did a provision with it; see the picture attachment.

Also I did not do this with every share:

```
zfs create /zdata/name00001
```
Is this necessary?

How can I join windows 8.1 to the domain?

And what is going wrong with the rights?


This is my smb4.conf right now:

```
# Global parameters
[global]
        workgroup = BSD05.COM
        realm = BSD05.LOCAL
        netbios name = BSD05
        server role = active directory domain controller
        dns forwarder = 10.30.0.100
        server services = rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate, dns, smb
        dcerpc endpoint servers = epmapper, wkssvc, rpcecho, samr, netlogon, lsarpc, spoolss, drsuapi, dssetup, unixinfo, browser, eventlog6, backupkey, dnsserver, winreg, srvsvc
        idmap_ldb:use rfc2307 = yes

[netlogon]
        path = /var/db/samba4/sysvol/bsd05.local/scripts
        read only = No

[sysvol]
        path = /var/db/samba4/sysvol
        read only = No

[tmp]
        path = /zdata/tmp
        read only = no
        browseable = yes
        guest ok = no
        comment = Tijdelijke Bestanden
[Erie]
        path = /zdata/Erie
        read only = no
        browseable = yes
        guest ok = no
        delete readonly = yes
```


When I use the code you have given me I cannot use BSD05\ (my domain controller):


```
root@BSD05:/home/roland # find /zdata/tmp -type d -exec setfacl -m group:BSD05\\Appz:rwxpDdaARWcCo-:fd----:allow {} \;
setfacl: malformed ACL: unknown user or group name "BSD05\Appz"
setfacl: group:BSD05\Appz:rwxpDdaARWcCo-:fd----:allow: Invalid argument
setfacl: malformed ACL: unknown user or group name "BSD05\Appz"
setfacl: group:BSD05\Appz:rwxpDdaARWcCo-:fd----:allow: Invalid argument
setfacl: malformed ACL: unknown user or group name "BSD05\Appz"
setfacl: group:BSD05\Appz:rwxpDdaARWcCo-:fd----:allow: Invalid argument
root@BSD05:/home/roland # find /zdata/tmp -type d -exec setfacl -m group:Appz:rwxpDdaARWcCo-:fd----:allow {} \;
```



> I think I get it: I am local, so BSD05\ is not needed, only from the Windows side.



I have redone the group Domain Admins:


```
root@BSD05:/zdata # samba-tool group listmembers 'Domain Admins'
Administrator
root@BSD05:/zdata # samba-tool group addmembers 'Domain Admins' roland,admin
Added members to group Domain Admins
root@BSD05:/zdata # net rpc rights grant 'Domain Admins' SeDiskOperatorPrivilege -Uadministrator
Enter administrator's password:
Successfully granted rights.
root@BSD05:/zdata # samba-tool group listmembers 'Domain Admins'
Administrator
roland
admin
root@BSD05:/zdata #
```


----------



## Sebulon (Sep 6, 2014)

waywardnl said:

> I have been testing further; the reason I didn't join is that it does not work with Windows 8.1 Pro. I have tried to join from Windows XP and this works.
> 
> ...
> 
> How can I join windows 8.1 to the domain?



You have to configure the client to use the domain controller as DNS. On the 8.1 client, edit the network settings to enter the IP address to "bsd05" in the DNS field.

/Sebulon


----------



## waywardnl (Sep 6, 2014)

Did that and I can join, but I get an error:

```
samba[1720] NTLMSSP NTLM2 packet check failed due to invalid signature!
```

But Windows 8.1 is joined, so why did I do this with Windows XP and not with Windows 8.1?


----------



## waywardnl (Sep 6, 2014)

waywardnl said:

> Did that and I can join, but I get an error:
> 
> 
> 
> ...




Yes, I can log in with BSD05/admin ;-) I am going to test if the ACL rights finally work the way I expect.


----------



## waywardnl (Sep 6, 2014)

> Can't say much about your ACLs since you haven't actually shown them, but you'd need to set your ACL not just for the top-level directory, but for all directories and files for the ACL to have effect. This is a common misconception.
> 
> One way to set the ACL and propagate it is to use find with -exec:
> `# find /zdata/tmp -type d -exec setfacl -m group:BUILTIN\\administrators:rwxpDdaARWcCo-:fd----:allow {} \;`
> `# find /zdata/tmp -type f -exec setfacl -m group:BUILTIN\\administrators:rwxpDdaARWcCo-:------:allow {} \;`



I cannot use BUILTIN, is this necessary?

I am now setting the rights for Domain Admins.


----------



## waywardnl (Sep 6, 2014)

So I can join, I can add extra groups, and when I do, I do not see the name of the group in Windows.

I did manage to add groups with:

```
# find /zdata/tmp -type d -exec setfacl -m "group:Domain Admins:rwxpDdaARWcCo-:fd----:allow" {} \;
# find /zdata/tmp -type f -exec setfacl -m "group:Domain Admins:rwxpDdaARWcCo-:------:allow" {} \;
```

When I add Administrator to all directories and files in ZFS container zdata I can access them with Administrator.

When I add groups it seems to work also, but I cannot see the group name in the Windows security tab under the administrator or a domain administrator's account. All I see are numbers.

When I change directories I get errors like:

```
samba[61187] make connection: couldn't find service "A directory on zdata"
```

A little background: when I made the ZFS pool, I did a copy over NFS with the command `cp -rpnv * /zdata`. 8 TB went by and I was happy, but how can I share?

So how do I go about this? Is it naming, which ISO mode do I use, how do I use it? In Samba 3.4 I never had this problem.

This is a dump of two directories:

```
# file: /zdata/Appz/Windows
# owner: rsync
# group: Appz
group:BSD05.COM\Appz:rwxpDdaARWcCo-:fd----:allow
        group:Appz:rwxpDdaARWcCo-:fd----:allow
         user:root:rwxpDdaARWcCo-:fd----:allow
group:BSD05.COM\Domain Admins:rwxpDdaARWcCo-:fd----:allow
            owner@:rwxp--aARWcCos:------:allow
            group@:rwxp--a-R-c--s:------:allow
         everyone@:------a-R-c--s:------:allow
root@BSD05:/zdata # getfacl /zdata/Appz/Apparaten/
# file: /zdata/Appz/Apparaten/
# owner: rsync
# group: Appz
group:BSD05.COM\Appz:rwxpDdaARWcCo-:fd----:allow
        group:Appz:rwxpDdaARWcCo-:fd----:allow
         user:root:rwxpDdaARWcCo-:fd----:allow
group:BSD05.COM\Domain Admins:rwxpDdaARWcCo-:fd----:allow
            owner@:rwxp--aARWcCos:------:allow
            group@:rwxp--a-R-c--s:------:allow
         everyone@:------a-R-c--s:------:allow
root@BSD05:/zdata #
```

Windows does not work; Apparaten does work in Windows XP and Windows 8.1.


I copied a directory that gave the error `NT_STATUS_OBJECT_NAME_NOT_FOUND`, added the group again, and there was no problem:

```
root@BSD05:/zdata/Appz/Apparaten # ls
Android		Fiat_Panda	Nintendo DS	Router		Sitecom-router	TomTom		Windows		Xbox360
root@BSD05:/zdata/Appz/Apparaten # cp -rv /zdata/Appz/Apparaten/Android/ /zdata/Appz/Apparaten/Android.2
/zdata/Appz/Apparaten/Android/ -> /zdata/Appz/Apparaten/Android.2
/zdata/Appz/Apparaten/Android/Firefox_19.0.apk -> /zdata/Appz/Apparaten/Android.2/Firefox_19.0.apk
root@BSD05:/zdata/Appz/Apparaten # cd Android
root@BSD05:/zdata/Appz/Apparaten/Android # ls
Firefox_19.0.apk
root@BSD05:/zdata/Appz/Apparaten/Android # cd ..
root@BSD05:/zdata/Appz/Apparaten # ls -ilsa
total 483
  589186  19 drwxrwx---+ 11 rsync  Appz   11 Sep  6 21:27 .
  428381  56 drwxrwx---+ 11 rsync  Appz   16 Sep  5 19:54 ..
  589190  19 drwxrwx---+  2 rsync  Appz    3 Apr 21  2013 Android
15269898  19 drwxrwx---+  2 root   Appz    3 Sep  6 21:27 Android.2
  614663  19 drwxrwx---+  3 rsync  Appz    6 Sep  1  2009 Fiat_Panda
  614706 257 drwxrwx---+  6 rsync  Appz  569 Mar 10  2012 Nintendo DS
  589187  19 drwxrwx---+  2 rsync  Appz    4 Oct 18  2011 Router
  614704  19 drwxrwx---+  2 rsync  Appz    3 Dec 26  2011 Sitecom-router
  615759  19 drwxrwx---+  3 rsync  Appz    3 Jul 14  2013 TomTom
  589192  19 drwxrwx---+  7 rsync  Appz    7 Jul  6  2011 Windows
  614700  19 drwxrwx---+  3 rsync  Appz    3 Dec 16  2006 Xbox360
root@BSD05:/zdata/Appz/Apparaten # find /zdata/Appz/Apparaten/Android.2 -type d -exec setfacl -m group:Appz:rwxpDdaARWcCo-:fd----:allow {} \;
root@BSD05:/zdata/Appz/Apparaten # find /zdata/Appz/Apparaten/Android.2 -type f -exec setfacl -m group:Appz:rwxpDdaARWcCo-:------:allow {} \;
root@BSD05:/zdata/Appz/Apparaten #
```

I can access it. Is there anything corrupt? How can I check ACL tables (is that what they are called?) in ZFS?
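Sebulon's point earlier in the thread, that the ACE has to be present on every file and directory (with the f and d flags on directories so new children inherit it), and the question just above of how to check the ACL tables, can both be covered by a small audit script. The following is an added example written for this thread, not code from any of the posters or from Samba or FreeBSD; it parses the compact getfacl(1) output already shown above, and the group name Appz, the sample tree and the RW_MINIMUM permission set are assumptions made for the example.

```python
"""Audit NFSv4 ACLs from FreeBSD getfacl(1) output (added example, not from the thread).

Reports, per path, whether a principal holds the expected allow entry, whether
directory entries carry the f and d inheritance flags, and whether everyone@
keeps write access. Feed it real data with getfacl(1) over the tree on the server.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# One ACE: tag[:qualifier]:perms:flags:allow|deny. FreeBSD 9/10 print six flag
# columns; later releases add a seventh "I" (inherited) column.
ACE_RE = re.compile(
    r"^(?:(user|group):(.*?)|(owner@|group@|everyone@))"
    r":([rwxpDdaARWcCos-]{14}):([fdinSFI-]{6,7}):(allow|deny)$"
)
# Letters a group needs to read, write, create and delete in a share: what the
# thread's setfacl lines grant minus C (write ACL) and o (write owner); assumption.
RW_MINIMUM = "rwxpDdaARWc"


@dataclass
class Ace:
    tag: str        # user, group, owner@, group@ or everyone@
    qualifier: str  # user or group name; empty for the @ tags
    perms: str      # 14-column permission field, "-" where unset
    flags: str      # inheritance columns: f = file_inherit, d = dir_inherit, ...
    kind: str       # allow or deny

    def has_all(self, letters: str) -> bool:
        return all(p in self.perms for p in letters)


def parse_getfacl(text: str) -> Dict[str, object]:
    """Parse one getfacl(1) block into {'file', 'owner', 'group', 'aces'}."""
    info: Dict[str, object] = {"file": None, "owner": None, "group": None, "aces": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):  # header lines such as "# owner: rsync"
            key, _, value = line[1:].strip().partition(":")
            if key in info:
                info[key] = value.strip()
            continue
        m = ACE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised ACL entry: {line!r}")
        info["aces"].append(Ace(m.group(1) or m.group(3), (m.group(2) or "").strip(),
                                m.group(4), m.group(5), m.group(6)))
    return info


def audit(entries: List[Tuple[str, bool, str]], principal: str,
          wanted: str = RW_MINIMUM) -> List[Tuple[str, str]]:
    """Check (path, is_dir, getfacl_text) triples for `principal`, e.g. "group:Appz".

    Findings: missing (no allow ACE for the principal), weak (ACE lacks some of
    `wanted`), no-inherit (directory ACE without both f and d, so new children
    will not receive it) and world-write (everyone@ allowed w, p, D or d).
    """
    tag, _, name = principal.partition(":")
    findings: List[Tuple[str, str]] = []
    for path, is_dir, text in entries:
        aces: List[Ace] = parse_getfacl(text)["aces"]
        allow = next((a for a in aces if a.tag == tag and a.qualifier == name
                      and a.kind == "allow"), None)
        if allow is None:
            findings.append((path, "missing"))
        else:
            if not allow.has_all(wanted):
                findings.append((path, "weak"))
            if is_dir and not ("f" in allow.flags and "d" in allow.flags):
                findings.append((path, "no-inherit"))
        if any(a.tag == "everyone@" and a.kind == "allow"
               and any(p in a.perms for p in "wpDd") for a in aces):
            findings.append((path, "world-write"))
    return findings


# Constructed sample: two directories from the dumps above plus an invented file
# that was copied in before the group ACE was applied and left world-writable.
SAMPLE_TREE = [
    ("/zdata/tmp", True, r"""
# file: /zdata/tmp
# owner: rsync
        group:Appz:rwxp--aARWcCos:------:allow
            owner@:rwxp--aARWcCos:------:allow
         everyone@:r-x---a-R-c--s:------:allow
"""),
    ("/zdata/Appz/Windows", True, r"""
# file: /zdata/Appz/Windows
group:BSD05.COM\Appz:rwxpDdaARWcCo-:fd----:allow
        group:Appz:rwxpDdaARWcCo-:fd----:allow
group:BSD05.COM\Domain Admins:rwxpDdaARWcCo-:fd----:allow
         everyone@:------a-R-c--s:------:allow
"""),
    ("/zdata/Appz/Windows/setup.exe", False, r"""
# file: /zdata/Appz/Windows/setup.exe
            owner@:rw-p--aARWcCos:------:allow
         everyone@:rw----a-R-c--s:------:allow
"""),
]
```

Calling `audit(SAMPLE_TREE, "group:Appz")` flags /zdata/tmp as both weak (no D/d, so the group cannot delete) and no-inherit (the `------` flag field is what the `:fd----:` argument in the find commands above fixes), and flags setup.exe as missing and world-write; /zdata/Appz/Windows, which has the full entry with `fd` flags, passes. On the server, build the input list by walking the tree and capturing `getfacl` per path; a `user:` principal works the same way as a `group:` one.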


----------



## Sebulon (Sep 6, 2014)

waywardnl said:

> Did that and I can join, but I get an error:
> 
> ...



Well, simply because XP is older (EOL) and less demanding; it didn't use NTLMv2, as far as I remember. You have to enter at least "forward" names for all clients on the network in the domain controller's DNS for NTLMv2 authentication to work (I think).



			
waywardnl said:

> So I can join, I can add extra groups, and when I do, I do not see the name of the group in Windows.
> 
> ...



I've already told you what options you need in your [shares], have you added them?
https://forums.freebsd.org/posting.php?mode=quote&f=43&p=267574#pr267505

I strongly advise you to download and install Remote Server Administration Tools (RSAT) for Windows. It makes administering domains so much easier than doing it all through the CLI:
http://www.microsoft.com/en-us/download/details.aspx?id=39296

/Sebulon


----------



## waywardnl (Sep 6, 2014)

No, I did not. I use the FreeBSD server as domain controller, which my clients connect to, so this server is not joined to another domain. We are speaking about:


```
        vfs objects = zfsacl
        nfs4:acedup = merge
        nfs4:mode = special
        nfs4:chown = yes
        nt acl support = yes
        map acl inherit = yes
        inherit acls = yes
        inherit permissions = yes
        inherit owner = no
        ea support = yes
        store dos attributes = yes
        map hidden = no
        map system = no
        map archive = no
        case sensitive = no
```

So do these apply to me too?

I will install the Windows things.


Also I found out that when you chmod(1), you have to apply setfacl(1) again.


----------



## Sebulon (Sep 8, 2014)

waywardnl said:

> No I did not, I use the FreeBSD server as domain controller, where my clients connect to, So this server is not joined with another domain, we are speaking about:



Yes, and those clients, the Windows 8.1 and Windows XP machines, need to be registered in your domain controller's DNS for NTLMv2 authentication to work.



			
waywardnl said:

> So do these apply to me too?



Yes.



			
waywardnl said:

> Also I found out that when you chmod(1), you have to apply setfacl(1) again.



You can prevent that by changing the aclmode and aclinherit options of those filesystems. I showed you how to create new ones with them; you can also change options for existing ones like:
`# zfs set <option>=<value> <filesystem>`

/Sebulon


----------



## waywardnl (Sep 8, 2014)

First of all thank you for clearing that up!

I have done these settings on ZFS:

```
root@BSD05:/home/roland # zfs set aclmode=passthrough zdata
root@BSD05:/home/roland # zfs set aclinherit=passthrough zdata
```

And did this again:

```
# find /zdata/tmp -type d -exec setfacl -m group:BUILTIN\\administrators:rwxpDdaARWcCo-:fd----:allow {} \;
# find /zdata/tmp -type f -exec setfacl -m group:BUILTIN\\administrators:rwxpDdaARWcCo-:------:allow {} \;
```

Added this to the shares inside smb4.conf:


```
vfs objects = zfsacl
            nfs4:acedup = merge
            nfs4:mode = special
            nfs4:chown = yes
            nt acl support = yes
            map acl inherit = yes
            inherit acls = yes
            inherit permissions = yes
            inherit owner = no
            ea support = yes
            store dos attributes = yes
            map hidden = no
            map system = no
```

And *I* am testing.


----------



## waywardnl (Sep 9, 2014)

I am getting the same problem: some directories cannot be accessed within Appz. And I still don't see usernames/groups in Windows. With `getfacl` I get the right information. Does anyone have the same problem? Or are there some other pointers?


----------



## Sebulon (Sep 10, 2014)

waywardnl said:

> I am getting the same problem: some directories cannot be accessed within Appz. And I still don't see usernames/groups in Windows. With `getfacl` I get the right information. Does anyone have the same problem? Or are there some other pointers?



Please show entire "/usr/local/etc/smb4.conf" and output of:
`# samba-tool group list`
`# getfacl /zdata/Appz`

And probably (I don't know, you haven't shown `zfs list`, but):
`# for i in aclmode aclinherit; do zfs get -H $i zdata/Appz; done`

/Sebulon


----------



## waywardnl (Sep 11, 2014)

A little bit more history: when I was installing FreeBSD I had created the ZFS pool, and I did something stupid. So I started to reinstall, imported the ZFS pool and worked on that. Then I read some things about inheritance in aclmode and set it up, then I used setfacl(1), and I think I messed it up really badly with all that experimenting.

Now I have set it up again and started to copy. I completely ignore all the FreeBSD commands; I have set up ZFS:


```
root@BSD05:/zdata # zfs set aclinherit=passthrough zdata/Special
root@BSD05:/zdata # zfs set aclmode=passthrough zdata/Special
```

and went straight to my Windows 8.1 and set up Domain Admins with full rights through Windows, and now I see the names instead of the PID numbers. I have a good feeling about this.

Because it is so much data (8 terabytes) the rights are not fast to apply. But I will set up a virtual machine so I can shut down my laptop and let my server do its stuff.

Also I have found an interesting one:

```
zfs create -o casesensitivity=insensitive zdata/Special
```

Case sensitivity is not important for MS, so I figured I'd use this one.
https://lists.samba.org/archive/samba-technical/2014-February/098084.html


Interestingly, when I wanted to add attributes to zdata and all the directories underneath it, it went through all the files. So now I have set all shares up in separate ZFS containers. Wish me luck.


----------



## waywardnl (Sep 11, 2014)

I also found out that `chmod 0777` on the directories is okay. When you delete the everyone group from the directories in your ZFS pool, only those who are in the correct groups have access to that directory.

Don't know if this is normal, but I can live with this.


Moving on, and I will keep you posted.


----------



## waywardnl (Sep 16, 2014)

I think I found the root source of all these problems. My OS partition is running on a mirror, and one of the hard disks seems to have problems a lot of the time. Because it was a mirror setup, the problems would be corrected by my controller. But finally the failing hard drive gave in:


```
2014/9/14 17:58:0 	Successfully repaired bad sector on disk 'SAMSUNG HD103UJ-S13PJDWS222266' at Controller1-Channel11: LBA 0x1d0bae00 sectors 0x80 .
2014/9/14 17:58:0 	An error occured on the disk at 'SAMSUNG HD103UJ-S13PJDWS222266' at Controller1-Channel11.
2014/9/14 17:58:0 	Successfully repaired bad sector on disk 'SAMSUNG HD103UJ-S13PJDWS222266' at Controller1-Channel11: LBA 0x1d0ba780 sectors 0x80 .
2014/9/14 17:58:0 	An error occured on the disk at 'SAMSUNG HD103UJ-S13PJDWS222266' at Controller1-Channel11.
2014/9/14 17:58:0 	Successfully repaired bad sector on disk 'SAMSUNG HD103UJ-S13PJDWS222266' at Controller1-Channel11: LBA 0x1d0ba080 sectors 0x80 .
2014/9/14 17:57:0 	An error occured on the disk at 'SAMSUNG HD103UJ-S13PJDWS222266' at Controller1-Channel11.
2014/9/14 17:56:56 	Successfully repaired bad sector on disk 'SAMSUNG HD103UJ-S13PJDWS222266' at Controller1-Channel11: LBA 0x1d0b9980 sectors 0x80 .
2014/9/14 17:56:56 	An error occured on the disk at 'SAMSUNG HD103UJ-S13PJDWS222266' at Controller1-Channel11.
2014/9/14 17:56:26 	Successfully repaired bad sector on disk 'SAMSUNG HD103UJ-S13PJDWS222266' at Controller1-Channel11: LBA 0x1d0b8a80 sectors 0x80 .
2014/9/14 17:56:26 	An error occured on the disk at 'SAMSUNG HD103UJ-S13PJDWS222266' at Controller1-Channel11.
2014/9/14 17:56:26 	Successfully repaired bad sector on disk 'SAMSUNG HD103UJ-S13PJDWS222266' at Controller1-Channel11: LBA 0x1d0b7600 sectors 0x80 .
2014/9/14 17:56:19 	An error occured on the disk at 'SAMSUNG HD103UJ-S13PJDWS222266' at Controller1-Channel11.
2014/9/14 17:55:50 	Successfully repaired bad sector on disk 'SAMSUNG HD103UJ-S13PJDWS222266' at Controller1-Channel11: LBA 0x1d0b6f00 sectors 0x80 .
2014/9/14 17:55:50 	An error occured on the disk at 'SAMSUNG HD103UJ-S13PJDWS222266' at Controller1-Channel11.
2014/9/14 17:55:20 	Successfully repaired bad sector on disk 'SAMSUNG HD103UJ-S13PJDWS222266' at Controller1-Channel11: LBA 0x1d0b5f80 sectors 0x80 .
2014/9/14 17:55:20 	An error occured on the disk at 'SAMSUNG HD103UJ-S13PJDWS222266' at Controller1-Channel11.
2014/9/14 17:55:20 	Successfully repaired bad sector on disk 'SAMSUNG HD103UJ-S13PJDWS222266' at Controller1-Channel11: LBA 0x1d0b5880 sectors 0x80 .
2014/9/14 17:55:20 	An error occured on the disk at 'SAMSUNG HD103UJ-S13PJDWS222266' at Controller1-Channel11.
2014/9/14 17:55:20 	Successfully repaired bad sector on disk 'SAMSUNG HD103UJ-S13PJDWS222266' at Controller1-Channel11: LBA 0x1d0b5200 sectors 0x80 .
2014/9/14 17:55:20 	An error occured on the disk at 'SAMSUNG HD103UJ-S13PJDWS222266' at Controller1-Channel11.
2014/9/14 17:55:20 	Successfully repaired bad sector on disk 'SAMSUNG HD103UJ-S13PJDWS222266' at Controller1-Channel11: LBA 0x1d0b4b00 sectors 0x80 .
2014/9/14 17:54:42 	An error occured on the disk at 'SAMSUNG HD103UJ-S13PJDWS222266' at Controller1-Channel11.
2014/9/14 17:54:38 	Successfully repaired bad sector on disk 'SAMSUNG HD103UJ-S13PJDWS222266' at Controller1-Channel11: LBA 0x1d0b4400 sectors 0x80 .
2014/9/14 17:54:38 	An error occured on the disk at 'SAMSUNG HD103UJ-S13PJDWS222266' at Controller1-Channel11.
2014/9/14 17:54:8 	Successfully repaired bad sector on disk 'SAMSUNG HD103UJ-S13PJDWS222266' at Controller1-Channel11: LBA 0x1d0b2700 sectors 0x80 .
2014/9/14 17:54:8 	An error occured on the disk at 'SAMSUNG HD103UJ-S13PJDWS222266' at Controller1-Channel11.
2014/9/14 17:54:8 	Successfully repaired bad sector on disk 'SAMSUNG HD103UJ-S13PJDWS222266' at Controller1-Channel11: LBA 0x1d0b2000 sectors 0x80 .
2014/9/14 17:54:8 	An error occured on the disk at 'SAMSUNG HD103UJ-S13PJDWS222266' at Controller1-Channel11.
2014/9/14 17:54:8 	Successfully repaired bad sector on disk 'SAMSUNG HD103UJ-S13PJDWS222266' at Controller1-Channel11: LBA 0x1d0b1980 sectors 0x80 .
2014/9/14 17:53:7 	An error occured on the disk at 'SAMSUNG HD103UJ-S13PJDWS222266' at Controller1-Channel11.
```

So I replaced the failing hard drive and I am starting over again.

The hint for me was: I could not install Windows 7 in my VirtualBox; it stopped while installing and the hard disk indicator of VirtualBox would stay red. I could only kill the process and then start over. RAID is cool, but sometimes you don't see immediately what is wrong.

Moving on!


----------



## von_Gaden (Sep 18, 2014)

Sebulon said:

> It´s a little different for you in that your storage server is also your domain controller, I myself set up a CentOS virtualization host, just so that I could separate the two completely in it´s own VM
> /Sebulon



What are the benefits of such separation?
I've noticed an annoying behavior of the Samba4 DC: suddenly after its promotion/provision it becomes invisible in the Windows network and may be contacted only via its `\\name`. This should not be normal, but I don't think I've misconfigured something...
For successful provision of a Samba4 DC we have to use `ntvfs`. But it seems that this doesn't support some valuable `vfs objects` such as `recycle`...
And one more off-topic complaint: I managed to bring DNS updates to life only via Samba's internal DNS, which does not meet my requirements for reliable DNS needed e.g. for a mail server.
So, is there a way to build a Samba4 AD DC with a file/storage server, interface/IP limitations and reliable DNS? I'd appreciate any help.


----------



## waywardnl (Sep 19, 2014)

No problem, I think it is on topic. I don't know if this will help you, but I noticed with the whole new installation that there is an update of Samba and I don't have to create the directory /var/log/samba4. So maybe this version has a few fixes in it.


----------



## waywardnl (Sep 22, 2014)

With my new setup, the new hard disk drive in my RAID 1 configuration, and the freshly joined Windows machines with Samba 4, I had a problem:

Symptom:
Losing connection with BSD05 (my Samba 4 configuration). When I was copying I got errors that the server had lost connection. Now I also have a backup server that I am copying data from. This is Samba 3.6; here I had the line `become master = yes`, and now I have set this line to `no`. This problem is also solved; I don't lose connection anymore. I figured that these two servers were fighting to become master and along the way I lost connection.

In all these years of building a new server with Samba, copying old data (from the old server) to the new FreeBSD server configuration, I never had this problem before. So I think I learned something here! If you have two Samba servers in your network, point out which server is going to be the master. So I really did not know exactly how Samba operated; I had no problems anyway.

Now I only have one problem left: sometimes my Windows tells me I don't have the rights; I press "try again" and it goes further. I think this has something to do with my two Samba servers in my network. I will look further and keep you posted with my findings, and any input is welcome!

In the meantime copying goes fairly well, except for the occasional warning about rights, but I will figure this out too! (Thank you for the input.)

Oh yeah, these errors come back in my log, and I have chosen the internal Samba DNS and not named(8) from BIND 9.x:
https://forums.freebsd.org/viewtopic.php?f=43&t=46986&p=268725

So, could anyone give me pointers about this problem?


----------



## Sebulon (Sep 22, 2014)

von_Gaden said:

> What are the benefits from such separation?



I have many other VMs that run different things, like one for a poudriere build server, puppetmaster, UPnP media server, transmission server, mail, plus the storage that serves them (and physical clients) with NFS, SMB, AFP, iSCSI, and I really wanted to better define what resource was malfunctioning, in case something was wrong. More like the UNIX philosophy "do one thing and do it well". For the DC it was mostly because I had already tried it on ZFS, felt that the provision was a little bit trickier and wanted to deploy it on dumb old UFS instead (it's all stored on ZFS anyway), and had no problems with it.

Then again, I've also added layers of complexity to it, so the net sum is probably the same in the end.

/Sebulon


----------



## von_Gaden (Sep 23, 2014)

Can you "see" your AD DC on the network by browsing it from Windows workstations / domain members? If you can, how did you achieve that? Do you build Samba with Avahi or Bonjour?
What DNS do you use: Samba internal, dns/bind98, dns/bind99 or dns/bind910?


----------



## Sebulon (Sep 25, 2014)

von_Gaden said:

> Can you "see" your AD DC on the network by browsing it from Windows workstations / domain members? If you can how did you achieved that? Do you build Samba with Avahi or Bonjour?
> What DNS do you use - Samba internal, dns/bind98, dns/bind99 or dns/bind910?



The seeing you're referring to, do you mean like, if the machines show up under "Network" in an explorer window? If yes, then no, they don't, none of them do. But if I type in e.g. "\\dc" and hit enter, it connects and I can see sysvol and so on. All clients' (physical and virtual) MAC addresses are registered to an IP in my DHCP, all clients use DHCP and all IPs are registered in SAMBA's DNS. DHCP also sets the "search" parameter in the clients' DNS settings, so I can type "dc" instead of "dc.foo.bar".

I chose SAMBA_INTERNAL for DNS, less fuss to set up. Here are the options I use for net/samba41:

```
# This file is auto-generated by 'make config'.
# Options for samba41-4.1.7

_OPTIONS_READ=samba41-4.1.7
_FILE_COMPLETE_OPTIONS_LIST=ACL_SUPPORT ADS AIO_SUPPORT CUPS DEBUG DEVELOPER DNSUPDATE EXP_MODULES FAM_SUPPORT LDAP MANPAGES PAM_SMBPASS PTHREADPOOL QUOTAS SYSLOG UTMP NSUPDATE BIND98 BIND99 AVAHI MDNSRESPONDER
OPTIONS_FILE_SET+=ACL_SUPPORT
OPTIONS_FILE_SET+=ADS
OPTIONS_FILE_SET+=AIO_SUPPORT
OPTIONS_FILE_SET+=CUPS
OPTIONS_FILE_SET+=DEBUG
OPTIONS_FILE_UNSET+=DEVELOPER
OPTIONS_FILE_SET+=DNSUPDATE
OPTIONS_FILE_SET+=EXP_MODULES
OPTIONS_FILE_SET+=FAM_SUPPORT
OPTIONS_FILE_SET+=LDAP
OPTIONS_FILE_SET+=MANPAGES
OPTIONS_FILE_SET+=PAM_SMBPASS
OPTIONS_FILE_SET+=PTHREADPOOL
OPTIONS_FILE_SET+=QUOTAS
OPTIONS_FILE_SET+=SYSLOG
OPTIONS_FILE_SET+=UTMP
OPTIONS_FILE_SET+=NSUPDATE
OPTIONS_FILE_UNSET+=BIND98
OPTIONS_FILE_UNSET+=BIND99
OPTIONS_FILE_SET+=AVAHI
OPTIONS_FILE_UNSET+=MDNSRESPONDER
```

Haven't configured avahi to broadcast anything though, but I always have these in smb.conf:

```
        netbios name = SERVERNAME
        interfaces = XXX.XXX.XXX.XXX/YY
```

Since nmbd's running, might as well. HTH!

/Sebulon


----------



## waywardnl (Jan 26, 2015)

I wanted to come back to this topic, and I can say I got it running fairly well! I dumped the idea of first copying everything within FreeBSD through an NFS server and then giving the right rights to the directories and files through Windows.
First I make the ZFS (partition) with:

```
# zfs create -o casesensitivity=insensitive zdata/Special
# zfs set aclinherit=passthrough zdata/Special
# zfs set aclmode=passthrough zdata/Special
```

And then I set the right rights on the directory and copy with robocopy within Windows; this seems to work well and the rights are transferred correctly with the inherit option.

I only get double file names and directories. Not always but some; also see this topic:
https://forums.freebsd.org/threads/...e-objects-is-shared-directory-listings.49652/

I also did a full reinstall of FreeBSD and now I am working with FreeBSD 10.1.

All the problems I had were problems with the Highpoint RocketRAID 2740: failing hard drives that work fine, errors that did not exist.... I sent this card back. This surely put a lot of confusion in the mix for me and you guys.


----------



## waywardnl (Feb 19, 2015)

I still had some problems with losing connection; it turns out that the bridged network adapter from emulators/virtualbox-ose was causing this problem. I had problems where shares were not accessible anymore, and even the error: 0x80070043
https://forums.virtualbox.org/viewtopic.php?f=7&t=66150


----------



## waywardnl (Apr 12, 2015)

VirtualBox says it is the fork of FreeBSD that is causing the problem
https://forums.virtualbox.org/viewtopic.php?f=7&t=66150


----------

