sysvol replication between ntvfs and s3fs

Matthieu Patou mat at
Fri Sep 21 21:29:07 MDT 2012

On 09/21/2012 02:27 AM, Daniele Dario wrote:
> Hi Matthieu,
> On Wed, 2012-09-19 at 09:05 -0700, Matthieu Patou wrote:
>> On 09/19/2012 07:18 AM, Daniele Dario wrote:
>>> Hi Matthieu and Samba team,
>>> I'm looking if it is possible to sync sysvol partition between my two
>>> samba4 DCs and I found your "sync_dc" script.
>>> Would rsync -X -u -a work also if one DC is working with NTVFS while the
>>> other uses S3FS?
>> Yes, it should work more or less; you'll also need -A to preserve the unix
>> acls as well, since s3fs uses them.
>> Still, the biggest issue that you'll face is that the uids for Windows
>> users can be different and so the unix acls won't be correct, but there
>> is nothing we can do in the short term.
>>> Sorry if the question is stupid, but I've read that there are differences
>>> between the two implementations and that moving from NTVFS to S3FS
>>> requires using the sysvolreset command to apply the right ACLs.
>>> Thanks,
>>> Daniele.
>> Matthieu.
> I'm trying to use the sync_dc script but I'm stuck at the rsync point:
> from man rsync I see that the line
> rsync -X -A -u -a $dc_account_name\$@${dc}.${domain}:$SYSVOL $STAGING
>        * will access via remote shell (don't need rsyncd on the other
>          side)
>        * will use $dc_account_name\$ as the user which has to
>          authenticate on the ${dc}.${domain} host
> How does rsync authenticate the given account (e.g. KDC01$) on the other
> DC? I thought it would use the kerberos ticket obtained by kinit, but when I
> replicate the commands in the shell I get
> [root at kdc01:~/tmp]# export KRB5CCNAME=/tmp/sync.$$
> [root at kdc01:~/tmp]# kinit -k -t /usr/local/samba/private/secrets.keytab
> KDC01$
> [root at kdc01:~/tmp]# klist -l
>    Name                        Cache name      Expires
> KDC01$@SAITELITALIA.LOCAL   /tmp/krb5cc_0   Sep 21 20:44:52
> [root at kdc01:~/tmp]# rsync -X -A -u -a KDC01$@kdc02.saitelitalia.local:/usr/local/samba/var/locks/sysvol .
> Warning: Permanently added the ECDSA host key for IP address
> '' to the list of known hosts.
> KDC01$@kdc02.saitelitalia.local's password:
> I don't know the KDC01$ password, and I think that account is the
> machine account which is present in the domain, not on the host, so I
> guess it should not authenticate in this way.
You have to make kerberized ssh work first for domain accounts.

Matthieu Patou
Samba Team
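One way to wire the steps from this thread together (machine-account kinit from the keytab, then rsync over GSSAPI-only ssh so a missing ticket fails instead of prompting for KDC01$'s password). This is an added example, not Matthieu's sync_dc script; the keytab and sysvol paths, host names and the assumption that the peer's sshd accepts GSSAPI logins for the machine account are placeholders to adapt.

```bash
#!/bin/bash
# Added example (not the sync_dc script from the thread): pull sysvol from a
# peer DC over Kerberos-authenticated ssh, authenticating as this DC's machine
# account. Paths/hosts below are assumptions; adapt them to your install.
set -u

KEYTAB=${KEYTAB:-/usr/local/samba/private/secrets.keytab}
SYSVOL=${SYSVOL:-/usr/local/samba/var/locks/sysvol}

# Remote source spec, e.g. KDC01$@kdc02.example.local:/path/sysvol/
# (trailing slash: rsync copies the directory's contents, not the dir itself).
sysvol_remote_spec() {
    printf '%s$@%s.%s:%s/' "$1" "$2" "$3" "$4"
}

# klist -s is silent and exits non-zero when the cache holds no valid TGT.
have_ticket() { klist -s; }

sync_sysvol() {
    local account=$1 dc=$2 domain=$3 staging=$4
    # Private, throwaway credential cache so root's own tickets are untouched,
    # and it is destroyed on exit however the function ends.
    export KRB5CCNAME="/tmp/sysvol_sync.$$"
    trap 'kdestroy >/dev/null 2>&1' EXIT
    # The machine account key comes from the keytab; no password is typed.
    kinit -k -t "$KEYTAB" "$account\$" || { echo "kinit failed" >&2; return 1; }
    have_ticket || { echo "no valid TGT in $KRB5CCNAME" >&2; return 1; }
    # -X/-A keep NT and POSIX ACLs (s3fs uses both). ssh is restricted to
    # GSSAPI with password/keyboard fallback disabled, so a rejected ticket
    # fails fast instead of prompting for the machine account's password.
    rsync -X -A -u -a \
        -e 'ssh -o GSSAPIAuthentication=yes -o PasswordAuthentication=no -o KbdInteractiveAuthentication=no' \
        "$(sysvol_remote_spec "$account" "$dc" "$domain" "$SYSVOL")" "$staging/"
}

# Usage: ./sync_sysvol.sh run KDC01 kdc02 example.local /srv/sysvol-staging
if [ "${1:-}" = run ]; then
    shift
    sync_sysvol "$@"
fi
```

If the rsync step still fails, test `ssh -o GSSAPIAuthentication=yes -o PasswordAuthentication=no 'KDC01$@kdc02.example.local' true` under the same KRB5CCNAME first; that is the "kerberized ssh" prerequisite Matthieu refers to.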
