sysvol replication between ntvfs and s3fs

Daniele Dario d.dario76 at gmail.com
Fri Oct 5 09:48:35 MDT 2012


Hi Matthieu,

On Fri, 2012-09-21 at 20:29 -0700, Matthieu Patou wrote:
> On 09/21/2012 02:27 AM, Daniele Dario wrote:
> > Hi Matthieu,
> >
> > On Wed, 2012-09-19 at 09:05 -0700, Matthieu Patou wrote:
> >> On 09/19/2012 07:18 AM, Daniele Dario wrote:
> >>> Hi Matthieu and Samba team,
> >>> I'm looking into whether it is possible to sync the sysvol partition between my two
> >>> samba4 DCs, and I found your "sync_dc" script.
> >>>
> >>> Would rsync -X -u -a work also if one DC is working with NTVFS while the
> >>> other uses S3FS?
> >> Yes, it should work more or less; you'll also need -A to preserve unix
> >> ACLs, as s3fs uses them.
> >>
> >> Still, the biggest issue you'll face is that the uids for Windows
> >> users can be different, so the unix ACLs won't be correct, but there
> >> is nothing we can do in the short term.
> >>
> >>
> >>> Sorry if the question is stupid, but I've read that there are differences
> >>> between the two implementations and that moving from NTVFS to S3FS
> >>> requires using the sysvolreset command to apply the right ACLs.
> >>>
> >>> Thanks,
> >>> Daniele.
> >>>
> >> Matthieu.
> >>
> > I'm trying to use the sync_dc script, but I'm stuck at the rsync point:
> > from man rsync I see that the line
> >
> > rsync -X -A -u -a $dc_account_name\$@${dc}.${domain}:$SYSVOL $STAGING
> >
> >        * will access via remote shell (doesn't need rsyncd on the other
> >          side)
> >        * will use $dc_account_name\$ as the user which has to
> >          authenticate on the ${dc}.${domain} host
> >
> > How does rsync authenticate the given account (e.g. KDC01$) on the other
> > DC? I thought it would use the Kerberos ticket obtained by kinit, but trying
> > to replicate the commands on the shell I get
> >
> > [root@kdc01:~/tmp]# export KRB5CCNAME=/tmp/sync.$$
> > [root@kdc01:~/tmp]# kinit -k -t /usr/local/samba/private/secrets.keytab KDC01$
> > [root@kdc01:~/tmp]# klist -l
> >    Name                        Cache name      Expires
> > KDC01$@SAITELITALIA.LOCAL   /tmp/krb5cc_0   Sep 21 20:44:52
> > [root@kdc01:~/tmp]# rsync -X -A -u -a KDC01$@kdc02.saitelitalia.local:/usr/local/samba/var/locks/sysvol .
> > Warning: Permanently added the ECDSA host key for IP address '192.168.12.2' to the list of known hosts.
> > KDC01$@kdc02.saitelitalia.local's password:
> >
> > I don't know the KDC01$ password, and I think that account is the
> > machine account, which is present in the domain, not on the host, so I
> > guess it should not authenticate in this way.
> You have to make kerberized ssh work first for domain accounts.

I got kerberized ssh working and built csync, but now I get these errors:

[root@kdc01:~]# ./sync_dc
touch: cannot touch `/usr/local/samba/var/locks/staging/.lastts.kdc02': No such file or directory
rsync: opendir "/usr/local/samba/var/locks/sysvol" failed: Permission denied (13)
rsync error: some files/attrs were not transferred (see previous errors) (code 23) at main.c(1526) [generator=3.0.7]
[stderr] 20121005 15:40:20.290 WARN     csync.statedb- sqlite3_compile error: no such table: metadata - on query SELECT COUNT(phash) FROM metadata LIMIT 1 OFFSET 0;
[stderr] 20121005 15:40:20.290 NOTICE   csync.statedb- statedb doesn't exist

I'm going to investigate what the touch error is, but I guess I can
solve it.

The Permission denied error from rsync seems different. Do you have any
idea what the problem is?

Same for the csync errors: I have to try to rebuild it, so I'll be back
with more info.

Thanks,
Daniele.
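The pull step the thread is debugging (private ticket cache from the machine keytab, then rsync with -X -A -u -a over Kerberos-authenticated ssh), as an added POSIX sh example; this is not the sync_dc script from the thread. It assumes the Samba paths shown in the thread and that the remote sshd accepts GSSAPI authentication; the exit-code messages are a hypothetical mapping of the two failures seen above.

```shell
#!/bin/sh
# Assumed defaults, taken from the paths shown in the thread.
SAMBA_PRIVATE=${SAMBA_PRIVATE:-/usr/local/samba/private}
SYSVOL=${SYSVOL:-/usr/local/samba/var/locks/sysvol}
STAGING=${STAGING:-/usr/local/samba/var/locks/staging}

# The staging directory must exist before a .lastts.<dc> stamp is touched
# in it; the "cannot touch" error in the thread is exactly this case.
ensure_staging() {
    mkdir -p "$1" && [ -w "$1" ]
}

# Build the rsync source spec. The machine account ends in '$', so the
# format string is single-quoted: no shell expansion of "$@" may happen.
remote_source() {
    # $1 = local DC short name, $2 = remote DC short name, $3 = domain
    printf '%s$@%s.%s:%s/' "$1" "$2" "$3" "$SYSVOL"
}

# Map rsync's exit status to what to check next (hypothetical mapping).
rsync_status() {
    case "$1" in
        0)   echo "ok" ;;
        23)  echo "partial transfer: the uid the ssh login maps to cannot read $SYSVOL on the remote DC (opendir EACCES)" ;;
        255) echo "ssh failed: no usable Kerberos ticket, or GSSAPI auth not enabled on the remote sshd" ;;
        *)   echo "rsync exit $1" ;;
    esac
}

sync_sysvol() {
    local_dc=$1; remote_dc=$2; domain=$3
    ensure_staging "$STAGING" || { echo "staging dir $STAGING unusable" >&2; return 1; }
    # Private credential cache so the machine-account ticket never lands in
    # root's default cache and is destroyed when the sync finishes.
    KRB5CCNAME=/tmp/sync.$$; export KRB5CCNAME
    kinit -k -t "$SAMBA_PRIVATE/secrets.keytab" "${local_dc}\$" || return 1
    # -A/-X carry the POSIX ACLs and the xattrs Samba keeps the NT ACL in;
    # -u/-a copy only newer files and preserve ownership and timestamps.
    rsync -X -A -u -a -e 'ssh -o GSSAPIAuthentication=yes' \
        "$(remote_source "$local_dc" "$remote_dc" "$domain")" "$STAGING/"
    rc=$?
    kdestroy 2>/dev/null
    rsync_status "$rc"
    return "$rc"
}

# Run only when explicitly asked, e.g. SYSVOL_SYNC_RUN=1 ./sync_sysvol.sh KDC01 kdc02 saitelitalia.local
[ -n "${SYSVOL_SYNC_RUN:-}" ] && sync_sysvol "$@"
```

The unix ACLs still depend on the uids being the same on both DCs, as Matthieu notes above, so a clean rsync exit does not by itself mean the copied ACLs are right.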


