Introduction

This page tries to summarize the current status of Samba on FreeBSD operating system.

There is a Samba page on FreeBSD's wiki, but it was last updated nearly fifteen years ago.

Recently multiple threads appeared on FreeBSD's official mailing lists (e.g. this and this), but there were more questions than answers; OTOH, there's been a lot of activities going on in several Bugzilla reports.

Warning: these informations are what I found with my researches on the web and my own tests; I cannot guarantee they are 100% exact or complete and I take no responsibility. You are welcome to mail me corrections, additions, suggestions, etc...

Samba versions

4.13.17: available in HEAQ and 2023Q2 port tree. This is the last version that works properly on FreeBSD 12.4.
Notice this version is unsupported upstream, uses an obsolete VFS (see The New VFS) and is affected by several vulnerabilities:
- ~~CVE-2022-2031, CVE-2022-32742, CVE-2022-32744, CVE-2022-32745 and CVE-2022-32746~~: fixes for these have already been backported;
- CVE-2021-20251;
- ~~CVE-2022-3437~~: a fix for this has already been backported.
Deprecation from the port tree has already been proposed.
4.16.8: available in the 2023Q2 port tree, but only for FreeBSD 13.1 and later versions.
Since 4.14 brought a revolution in how VFS is designed, testing is advised before upgrading.
Notice this version is affected by several vulnerabilities:
Those compiling they own ports with 2023Q2 port tree can easily cherry-pick this from HEAD.
4.16.10: available in the HEAD port tree, but only for FreeBSD 13.1 and later versions.
Since 4.14 brought a revolution in how VFS is designed, testing is advised before upgrading.
4.17.x: a patch was provided, but it didn't seem to get much attention and by now it's probably outdated.
4.18.x: no info yet.

General issues

Older FreeBSD versions

The new VFS seems to require the nodup option of fdescfs. This means FreeBSD versions before 13.x are out of luck and the port has currently been marked IGNOREd for <13.1.

Support for legacy OS versions (12.4) might be investigated in the future.

If running on 12.4 is required now, with specific limitations, one might try to remove the IGNORE line and test: the theory says that new VFS code should still work with older versions of the FreeBSD, just much slower. Unfortunately practice shows that it's not working besides very basic fileserver mode, without usage of stream_xattrs module and zfsacl. YMMV.

Databases location

Whenever in Samba's documentation you read "/usr/local/samba", keep in mind that on FreeBSD, the databases are in /var/db/samba4.

Bundled libraries

The Samba ports requires a lot of libraries to build: for a few of them, a choice exist to either use a bundled version or a dependent port.

By default ldb is bundled, while cmocka, talloc, tevent and tdb are not.

Not bundling tdb might be the cause of "samba-tool offine backup" getting stuck (see this thread). TODO: check this!

ACLs

Samba makes use of filesystem ACLs (which, unfortunately, are not fully standardized between different OSes and FSes):

a machine just running winbind for NSS/PAM doesn't need ACLs;
a fileserver or NT DC should use POSIX ACLs or Windows ACLs (which in turn requires use of xattr);

it is however possible to only use standard UNIX permissions for shares and/or use some options (e.g. [in]valid users, force create mode, etc...) in /usr/local/etc/smb4.conf to manage monolithic access to shares;
an AD DC must use Windows ACLs (unless you are going to use it for authentication only and accept netlogon script, GPO, etc... will NOT work properly).

Samba is quite Linux-centric on ACL/xattr handling, but ACLs and xattr in FreeBSD are different from Linux. Also, running Samba in a jail further complicates things.

While a full solution is still under discussion, there seems to be, at the moment, a few alternatives:

you can choose not to use Windows ACL (not possible for SYSVOL on an AD DC);
for UFS an experimental VFS module (vfs_freebsd) is included since 4.10; see its man page for details and be aware of what to do when starting to use it on existing installations;
for ZFS, there's a vfs_zfsalcl module. TODO: find more informations on this.

Shadow copies

If using ZFS, it might be useful to take periodical snapshots (with py-zfs-autobackup or similar tool) and let users access them as "previous versions".

A tentative was made to create a libzfs based general solution, but seems far from being usable.

Meanwhile the standard vfs_shadow_copy2 module can do, provided it is configured properly (but see this bug).

Also read on if you are running Samba in a jail.

Jails

Running Samba in a jail is a controversial practice: while it has obvious advantages (e.g. running an AD DC and a fileserver on the same machine), some people think it is a bad idea; others are instead doing this and report it as working. Upstream will usually wash their hands of any trouble if Samba does not work in a jail.

One peculiarity of jails is the inability to access the SYSTEM extended attributes namespace:

if you are on UFS, see above: you'll need to use vfs_freebsd in compat mode;
TODO: on ZFS?

Samba 4.16's RC script also wants to mount its own private fdescfs filesystem: in order to allow for this in a jail, you need allow.mount.fdescfs=true, which in turns needs enforce_statfs<2.

Jail privileges are clearly insufficient, if, when starting Samba, you see:

warn "samba_server: cannot fdescfs mount to /var/run/samba4/fd"

Due to the script not working properly, you could also see:

mount: none: Operation not permitted

If using EZJail, you should edit /usr/local/etc/ezjail/{jail_name}, with the following line:

export jail_{jail_name}_parameters="allow.mount.fdescfs=true enforce_statfs=1"

If using ZFS and you want shadow copies:

on 12.4, nothing is needed;
on 13.1, it simply does not work;
on 13.2, you'll need to add zfs.mount_snapshot=1 to the above.

Also notice they can't possibly work for directories mounted from outside the jail (e.g. with nullfs).

Missing cores

It can happen that some Samba daemon crashes, but is unable to produce a core; in the log something the following will show up:

      unable to change to %N.core
      refusing to dump core

Setting the following should solve:

      sysctl kern.corefile=/somepath/%N_%P.core
      sysctl kern.sugid_coredump=1

Notice that, in order to be able to get useful dumps, Samba needs to be compiled WITH_DEBUG.

Specific problems

This list tries to address some of the current problems users are like to encounter and provide links to relevant informations, possibly providing a solution or workaround.

By no means this list is meant to be exhaustive.

4.8 to 4.10 upgrade

Upgrading from 4.8 to 4.10 should be attempted by following Samba's standard procedure. Non-FreeBSD specific notes are mostly out of scope here.

Things to pay attention to:

since Samba 4.9, the new default for ea support in smb4.conf has been changed to yes.

smb.conf(5) notes however that "the SMB protocol allows setting attributes whose value is 64K bytes long, and that on NTFS, the maximum storage space for extended attributes per file is 64K. On most UNIX systems (Solaris and ZFS file system being the exception), the limits are much lower - typically 4K. Worse, the same 4K space is often used to store system metadata such as POSIX ACLs, or Samba's NT ACLs. Giving clients access to this tight space via extended attribute support could consume all of it by unsuspecting client applications, which would prevent changing system metadata due to lack of space.

Take care if you're using UFS.
If upgrading an installation serving shares with Windows ACL on UFS2 filesystem, see UPDATING entry 20190630. More info above.

Provisioning an AD DC domain

Warning: information in this chapter was collected a long time ago and many things might have changed. It might not be true, fresh, or relevant anymore.

In the first place, provisioning seems to fail unless you specify additional options.

Adding --option="vfs objects=freebsd" seems to be enough to provision in a non jailed UFS2-with-ACLs situation.

Similarly --option="vfs objects=zfsacl" lets provisioning work on ZFS (base or jail).

Given that, I've had mixed results, as updates to the ports seem to have intermittently broken and fixed it (see this bug).

Classic upgrade

Warning: information in this chapter was collected a long time ago and many things might have changed. It might not be true, fresh, or relevant anymore.

I've managed to Classic upgrades succesfully on ZFS with --option="vfs objects=zfsacl".

Given that, I've had mixed results, as updates to the ports seem to have intermittently broken and fixed it (see this bug).

AD DC in a jail not starting

If a jailed AD DC instance does not start, the cause might be to the nbt service.

See this bug for full info and workaround.

"Directory name is invalid" when opening files

I've seen this on several systems running Samba 4.16 after the upgrade from FreeBSD 13.1 to 13.2 (with absolutely no changes in the configurations/options/etc...).

While the underlying cause is still unknown to me, the following is a quick fix:

find {share} -exec rmextattr user DOSATTRIB "{}" ";"

Take backups before doing this, as I take no responsibility for any side-effect.

Page last updated on 2023/6/3.