sysvol replication between ntvfs and s3fs

Daniele Dario d.dario76 at gmail.com
Fri Sep 21 03:27:59 MDT 2012


Hi Matthieu,

On Wed, 2012-09-19 at 09:05 -0700, Matthieu Patou wrote:
> On 09/19/2012 07:18 AM, Daniele Dario wrote:
> > Hi Matthieu and samba team,
> > I'm looking if it is possible to sync sysvol partition between my two
> > samba4 DCs and I found your "sync_dc" script.
> >
> > Would rsync -X -u -a work also if one DC is working with NTVFS while the
> > other uses S3FS?
> Yes, it should work more or less; you'll also need -A to preserve unix 
> acls, as s3fs uses them.
> 
> Still, the biggest issue that you'll face is that the uids for Windows 
> users can be different and so the unix acls won't be correct, but there 
> is nothing we can do in the short term.
> 
> 
> > Sorry if the question is stupid, but I've read that there are differences
> > between the two implementations and that moving from NTVFS to S3FS
> > requires using the sysvolreset command to apply the right ACLs.
> >
> > Thanks,
> > Daniele.
> >
> 
> Matthieu.
> 

I'm trying to use the sync_dc script but I'm stuck at the rsync point:
from man rsync I see that the line

rsync -X -A -u -a $dc_account_name\$@${dc}.${domain}:$SYSVOL $STAGING 

      * will access the other DC via a remote shell (no rsyncd needed on the
        other side)
      * will use $dc_account_name\$ as the user that has to
        authenticate on the ${dc}.${domain} host

How does rsync authenticate the given account (e.g. KDC01$) on the other
DC? I thought it would use the kerberos ticket obtained by kinit, but when
I try to replicate the commands in the shell I get 

[root at kdc01:~/tmp]# export KRB5CCNAME=/tmp/sync.$$
[root at kdc01:~/tmp]# kinit -k -t /usr/local/samba/private/secrets.keytab KDC01$
[root at kdc01:~/tmp]# klist -l
  Name                        Cache name      Expires         
KDC01$@SAITELITALIA.LOCAL   /tmp/krb5cc_0   Sep 21 20:44:52
[root at kdc01:~/tmp]# rsync -X -A -u -a KDC01$@kdc02.saitelitalia.local:/usr/local/samba/var/locks/sysvol .
Warning: Permanently added the ECDSA host key for IP address '192.168.12.2' to the list of known hosts.
KDC01$@kdc02.saitelitalia.local's password: 

I don't know the KDC01$ password, and I think that account is the
machine account, which exists in the domain and not on the host, so I
guess it should not authenticate in this way.

In my /etc/nsswitch.conf I have

passwd:         compat winbind
group:          compat winbind
shadow:         compat

hosts:          files dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis

Am I missing something?

Thanks in advance,
Daniele.
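The pull described in this message, written out as an added example (this is not the sync_dc script from the thread, and not Samba's own code): a private credential cache is filled from the keytab exactly as above, and the rsync transport is pinned to ssh with GSSAPI only, so a missing or expired ticket fails immediately instead of prompting for the machine account's password. It assumes that the remote sshd permits GSSAPIAuthentication and maps the machine principal to a local account; the host name kdc02.example.local used in the usage call is a constructed placeholder.

```shell
#!/bin/sh
# Added example of a non-interactive sysvol pull over rsync+ssh with Kerberos.
# Not the sync_dc script; the GSSAPI-only ssh transport is an assumption about
# what the remote sshd allows.

# Machine accounts end in '$'; refuse anything else so the script cannot
# silently fall back to a user account.
check_account() {
    case "$1" in
        *\$) return 0 ;;
        *)   return 1 ;;
    esac
}

# The ssh command handed to rsync -e. BatchMode and the disabled password
# methods guarantee that, with no usable ticket, ssh fails rather than asks.
ssh_transport() {
    printf '%s' 'ssh -o BatchMode=yes -o GSSAPIAuthentication=yes -o PasswordAuthentication=no -o KbdInteractiveAuthentication=no'
}

# sync_sysvol ACCOUNT HOST REMOTE_SYSVOL STAGING
# Keytab path is the one shown in the thread; override with KEYTAB=... if needed.
sync_sysvol() {
    account="$1"; host="$2"; remote_sysvol="$3"; staging="$4"
    keytab="${KEYTAB:-/usr/local/samba/private/secrets.keytab}"

    check_account "$account" || { echo "not a machine account: $account" >&2; return 2; }

    # Private credential cache, as in the thread, destroyed on exit so the
    # machine-account ticket never outlives the sync.
    KRB5CCNAME="/tmp/sync.$$"; export KRB5CCNAME
    trap 'kdestroy >/dev/null 2>&1' EXIT

    kinit -k -t "$keytab" "$account" || { echo "kinit failed for $account" >&2; return 3; }
    klist -s || { echo "no valid ticket in $KRB5CCNAME" >&2; return 3; }

    # -X -A -u -a: xattrs and POSIX ACLs (s3fs relies on them), newer-only, archive.
    rsync -X -A -u -a -e "$(ssh_transport)" \
        "${account}@${host}:${remote_sysvol}/" "${staging}/"
}

# Usage (constructed placeholder host; run only when invoked directly):
# sync_sysvol 'KDC01$' kdc02.example.local /usr/local/samba/var/locks/sysvol /srv/sysvol-staging
```

With this transport a wrong or absent ticket surfaces as a ssh "Permission denied (gssapi-with-mic)" style failure rather than the password prompt seen in the transcript, which is the behaviour you want from an unattended job. Matthieu's caveat still applies: rsync copies the numeric uids in the POSIX ACLs verbatim, so if winbind assigns different ids on the two DCs the copied ACLs will not match the intended users.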




More information about the samba-technical mailing list