Sysvol replication
Matthieu Patou
mat at samba.org
Thu Apr 19 11:22:04 MDT 2012
Hello Kev,
On 04/19/2012 04:07 AM, Kev Latimer wrote:
> Just wondering what the current best practice is for sysvol
> replication across Samba4 DCs?
>
So my recommendation is to use rsync and csync, with a staging directory.
What I do is that on a given DC I rsync all the other DCs' sysvol into the
staging directory, and then sync from the staging to the real sysvol
directory with csync.
The reason for using rsync is that it copies the files and the extended
attributes, and that is very important as a Samba DC stores NTACLs in
extended attributes (mostly), but in my tries it was not doing a great job
doing the 2-way sync and keeping the "latest version" of the file.
I found csync to be quite good at this; that's why the sync between the
staging and the live directory is done with csync.
> If there is no best practice, what do other people do to ensure sysvol
> is replicated properly across their Samba DCs?
>
> My first thought was a cron'ed rsync, but I'm not sure how that would
> deal with the xattrs when it made it to the other DCs and there is
> always the potential for it to be out of date should it be updated on
> multiple GPOs.
>
> From the other end of the spectrum, I thought about designating one DC
> (the first DC in the domain) to have the "master" sysvol and exporting
> it via NFS but again, not sure how this would get along with xattrs.
>
> What does everyone else do? I've done a little googling but the
> limited useful results I've found have generally been from a number of
> years ago and figure with the fast-moving target that is Samba4, it
> might be good to get an up-to-date set of ideas on this.
>
I have a script but it definitely needs a rewrite to make it really useful.
I don't have time to work on this right now; I just attached a cleaned
version that should work if you adapt the paths.
This script still has a massive issue in that it expects UIDs and GIDs to be
the same, which is not always the case. I think it's possible to overcome
the issue but it hasn't been done so far.
Matthieu.
--
Matthieu Patou
Samba Team
http://samba.org
-------------- next part --------------
#!/bin/bash
#
# Copyright (C) Matthieu Patou <mat at matws.net> 2011-2012
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.

# Kerberos credential cache used for this run only
export KRB5CCNAME=/tmp/sync.$$

# LIST_DC, used in the loop below, comes from this file
. /usr/local/etc/ecv/list_dcs

contacteddc=0
me=`hostname -s`
domain=`hostname -d`
PROVISIONDIR=/usr/local/domain/$domain/
STAGING=$PROVISIONDIR/staging
SYSVOL=$PROVISIONDIR/sysvol

# Add some randomness
sleep $(( $RANDOM % 50 ))
rm -rf $STAGING/*

# Authenticate as this DC's machine account (HOSTNAME$) from the keytab
kinit -k -t /etc/krb5.keytab `hostname -s | tr "[:lower:]" "[:upper:]"`\$

# Flag a sync as running on this DC; the file holds the start time
date +%s >$SYSVOL/.flag

for dc in $LIST_DC; do
    if [ $dc == $me ]; then
        continue
    fi

    # can we ping this dc ?
    ping -c 2 $dc >/dev/null 2>&1
    if [ $? -ne 0 ]; then
        continue
    fi

    [ ! -f $STAGING/.lastts.$dc ] && touch $STAGING/.lastts.$dc
    dc_account_name=`echo $me | tr "[:lower:]" "[:upper:]"`

    # -X copies the extended attributes (the NTACLs), -u skips files that
    # are newer in the staging directory
    rsync -X -u -a $dc_account_name\$@${dc}.${domain}:$SYSVOL $STAGING
    [ $? -ne 0 ] && continue
    contacteddc=$(($contacteddc + 1))

    if [ -f $STAGING/sysvol/.flag ]; then
        # A sync is running on another dc ...
        now=`date +%s`
        # Start time of the remote sync, read from the flag copied from $dc
        ts=`cat $STAGING/sysvol/.flag`
        delta=$(( $now - $ts ))
        if [ $delta -gt 300 ]; then
            echo -ne "A sync is already running on $dc for more than 5 minutes, you should "
            echo "check and if needed remove the following file: $SYSVOL/.flag"
        else
            # Wait, fetch again, and give up if the other DC is still syncing
            sleep $(( $RANDOM % 50 + 20))
            rm -rf $STAGING/*
            rsync -X -u -a $dc_account_name\$@${dc}.${domain}:$SYSVOL $STAGING
            if [ -f $STAGING/sysvol/.flag ]; then
                #echo "Sync is running"
                rm -f $KRB5CCNAME
                [ -f $SYSVOL/.flag ] && rm $SYSVOL/.flag
                exit 0
            fi
        fi
    fi
done

if [ $contacteddc -eq 0 ]; then
    if [ -f $STAGING/sysvol/.flag ]; then
        rm $STAGING/sysvol/.flag
        exit 0
    fi
fi

# Two-way sync between the staging and the live directory
csync $STAGING $SYSVOL

cd $STAGING
# mktemp avoids a predictable file name in /tmp
listfiles=`mktemp /tmp/listfiles.XXXXXX`
find . >$listfiles
cd /

# For each file that has no extended attribute in the live sysvol but has
# some in staging, restore the staging attributes onto the live path
while read l; do
    nb=`getfattr -d -m "" "$SYSVOL/$l" 2>/dev/null | wc -l`
    nb2=`getfattr -d -m "" "$STAGING/sysvol/$l" 2>/dev/null | wc -l`
    if [ ! -L "$STAGING/sysvol/$l" -a $nb -eq 0 -a $nb2 -ne 0 ]; then
        echo "setting acls on $l"
        getfattr -d -m "" "$STAGING/sysvol/$l" 2>/dev/null | sed 's@staging/@@' | setfattr --restore=- 2>/dev/null
    fi
done <$listfiles

rm $listfiles
rm -f $KRB5CCNAME
[ -f $SYSVOL/.flag ] && rm $SYSVOL/.flag
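
The attached script carries the NT ACLs over by piping a getfattr dump through a sed substitution that strips "staging/" and into setfattr --restore; that substitution is applied to every line of the dump, attribute values included. The following is an added example, not part of the original message or its attached script: it rewrites only the "# file:" headers and then lists the paths whose security.NTACL did not arrive unchanged. The function names, paths and attribute values are constructed for illustration.

```sh
#!/bin/sh
# Added example. All paths and attribute values are constructed samples.

# Rewrite only the "# file:" headers of a getfattr dump read on stdin,
# replacing a leading prefix $1 with $2. Attribute lines pass through as-is.
retarget_xattr_dump() {
    FROM="$1" TO="$2" awk '
        index($0, "# file: ") == 1 {
            path = substr($0, 9)
            if (index(path, ENVIRON["FROM"]) == 1)
                path = ENVIRON["TO"] substr(path, length(ENVIRON["FROM"]) + 1)
            print "# file: " path
            next
        }
        { print }'
}

# Print each path whose security.NTACL line in the expected dump ($1) is
# missing from, or different in, the actual dump ($2).
ntacl_drift() {
    awk '
        index($0, "# file: ") == 1 { path = substr($0, 9); next }
        index($0, "security.NTACL=") == 1 {
            if (FILENAME == ARGV[1]) want[path] = $0
            else have[path] = $0
        }
        END { for (p in want) if (have[p] != want[p]) print p }' "$1" "$2" | sort
}

# Constructed dump in the format printed by: getfattr -d -m "" <file>
# (getfattr strips the leading "/" from absolute paths).
sample_staging_dump() {
    cat <<'EOF'
# file: usr/local/domain/example.test/staging/sysvol/example.test/Policies/GPO-A/GPT.INI
security.NTACL=0sQUFBQQ==
user.note="copied from staging/ by hand"

# file: usr/local/domain/example.test/staging/sysvol/example.test/Policies/GPO-B/GPT.INI
security.NTACL=0sQkJCQg==
EOF
}

sample_staging_dump |
    retarget_xattr_dump usr/local/domain/example.test/staging/ \
                        usr/local/domain/example.test/
```

The retargeted dump is in the form setfattr --restore=- reads when run from /, and ntacl_drift takes two dump files, the retargeted staging dump first and a dump of the live sysvol second.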