FreeBSD – What kind of ACL storage to use for a Samba domain controller on ZFS and FreeBSD

filesystems, freebsd, samba4, zfs

I want to set up a Samba domain controller on a FreeBSD host that uses ZFS for file storage.

When I try to run samba-tool domain provision as documented on the Samba Wiki article on setting up a domain controller, I get an error telling me that I need POSIX ACLs enabled. According to FreeBSD's page on ZFS, ZFS on FreeBSD only supports NFSv4-style ACLs, which by now is fully implemented, but incompatible with POSIX-style ACLs.

Then I came across an unofficial guide for setting up a Samba domain controller on FreeBSD, where the solution is to simply provide the --use-ntvfs flag when calling samba-tool, which I can confirm works. However, according to the feature status of AD DC on Samba, the NTVFS feature was deprecated in 2010, which doesn't look promising.

Now I'm at a crossroads. I can think of two ways to set up this DC, namely by using --use-ntvfs or by creating a volume and formatting it with UFS. But I am unable to foresee the pros and cons of these solutions.

What are the consequences of using --use-ntvfs? Is it something that can be changed afterwards, or am I stuck with the choice until I provision an entirely new domain?

Best Answer

Forget about POSIX.1e ACLs with Samba - they just don't make sense, as Windows uses an ACL model that is totally different from POSIX.1e, and it's impossible to properly convert between the two (which doesn't prevent some folks, particularly in the Linux kernel community, from trying - but it just cannot work well for design reasons). Use NFSv4 ACLs, they are pretty much the same as what Windows uses.

As for compiling - actually, the Samba port and package are built with ACL support by default. Just make sure to always have the "aclmode=passthrough" and "aclinherit=passthrough" ZFS properties set; otherwise the inheritance simply won't work.
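
An added example, not part of the original answer: a small audit that reads `zfs get -H` output and prints the `zfs set` command for every dataset whose `aclmode` or `aclinherit` is not `passthrough`. The dataset names `tank/samba` and `tank/samba/sysvol` and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Audit the two ZFS ACL properties the answer says must be "passthrough".
# Input: tab-separated lines as printed by
#   zfs get -H -r -o name,property,value aclmode,aclinherit <dataset>
# Output: one "zfs set" remediation command per non-compliant property.
# Exit status: 0 if everything is passthrough, 1 otherwise.
audit_acl_props() {
    awk -F '\t' '
        BEGIN { bad = 0 }
        $2 == "aclmode" || $2 == "aclinherit" {
            seen[$1 SUBSEP $2] = 1
            names[$1] = 1
            if ($3 != "passthrough") {
                printf "zfs set %s=passthrough %s\n", $2, $1
                bad = 1
            }
        }
        END {
            # A dataset that reported only one of the two properties is
            # flagged rather than silently passed.
            for (n in names) {
                if (!((n SUBSEP "aclmode") in seen) ||
                    !((n SUBSEP "aclinherit") in seen)) {
                    printf "# incomplete data for %s\n", n
                    bad = 1
                }
            }
            exit bad
        }
    '
}

# Constructed sample: hypothetical datasets, one misconfigured, one correct.
sample_output() {
    printf 'tank/samba\taclmode\tdiscard\n'
    printf 'tank/samba\taclinherit\trestricted\n'
    printf 'tank/samba/sysvol\taclmode\tpassthrough\n'
    printf 'tank/samba/sysvol\taclinherit\tpassthrough\n'
}

# Offline demo on the sample. On a real host, pipe zfs into the function:
#   zfs get -H -r -o name,property,value aclmode,aclinherit tank/samba | audit_acl_props
sample_output | audit_acl_props || echo "non-compliant datasets found"
```

The printed `zfs set` lines are suggestions to review, not commands the script runs.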
