[Samba] Proper sysvol replication solution...

Ryan Ashley ryana at reachtechfp.com
Thu Aug 21 16:13:48 MDT 2014

I see the Samba guide suggests using rsync to keep sysvols in sync, but 
this poses a problem with ID's and it is only one-way. I have been 
hesitant to suggest anything because of the flak I have been getting, 
but I do believe I have a much better solution that transfers files via 
SSH, is bi-directional (no more only editing group policy on one 
server), and does NOT set UID/GID information. In other words, it is 
PERFECT for sysvol replication, and has been working on several of my 
domains for around a year and a half without a hitch. The solution I am 
proposing is to use unison, which also works on Windows and (I think) Mac.

The way I have unison working on my systems is to install unison on all 
DC's, which is required. You also need an SSH server and client on all 
DC's, but I assume most of you do anyway. Once they're installed, it is 
as simple as the command below. This will synchronize changes BOTH WAYS 
without touching your UID/GID setup. If you're paranoid, you could 
always do a sysvolreset when done though.

unison -batch "/path/to/sysvol" "ssh://dc02.domain.lan//path/to/sysvol"

If you do this at a command-line, it will prompt you for your password 
on the remote machine. This would prevent a cron job, but I overcame 
that as well. You can create an SSH key that does not require a password 
for the systems to use. This means you can now create a cron job to 
handle the replication every fifteen minutes or so. You could also use 
something like "incrond" to monitor for changes in the sysvol and launch 
unison as well, but I don't personally modify the sysvol often, so 
replication every fifteen minutes works for me.

To create an SSH key to allow password-less replication via unison, do 
the following.

ssh-keygen -t dsa

When it prompts for a file to save the key in, it should be your home 
directory in a ".ssh" directory. I run as root, so this is 
"/root/.ssh/id_dsa" for me. It will then prompt for a password. Ignore 
this and just press enter. It will ask you to verify the password. Press 
enter again. If you enter a password here, it cannot run without user input!

Next, you need to copy the key to your other domain controllers. You can 
do so as follows. Note that my example is run as root. Substitute your 
user's path if needed.

ssh-copy-id -i /root/.ssh/id_dsa.pub root@dc02.domain.lan

Once that is done, login to the domain controller you copied the key to 
(in the example, dc02) and check "/root/.ssh/authorized_keys" to verify 
that the key was added and nothing unexpected is there. You can do this 
with "cat /root/.ssh/authorized_keys". You should see a key on a single 
line followed by the hostname of your primary domain controller. If it 
is there, they may now connect via SSH without a password!

You may now copy the key to any other domain controllers in your domain 
so they trust the primary DC as well. After that, all that is left is 
the synchronization. I urge you to run the first synchronization 
manually, like below.

unison "/path/to/sysvol" "ssh://dc02.domain.lan//path/to/sysvol"

Make sure everything looks good, synchronize it, then repeat for each DC 
on your domain. Once done, you can create cron jobs to sync each server, 
or use a script like mine below. This script is on my primary DC. I 
actually only have two DC's, but I added more as an example here.

#!/bin/sh
# Path of the sysvol directory, same on every DC
SVPATH="/path/to/sysvol"
SERVERLIST="dc02.domain.lan dc03.domain.lan dc04.domain.lan"

# Synchronize all of the domain controllers
for sLoop in ${SERVERLIST}; do
   unison -batch "${SVPATH}" "ssh://${sLoop}/${SVPATH}"
done

exit 0

Now set that script to run in a cron job and you're golden. You could 
also setup "incrond" on all of your DC's and have it call unison to sync 
the other DC's whenever a write happens in your sysvol, but I do not 
need such a thing and have not personally tried it, though I have a 
fellow IT lead who has and likes it. My crontab job entry is listed below.

15 * * * * /root/sysvolsync.sh &> /dev/null

I hope this helps somebody and if you see something wrong, feel free to 
let me know.
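As an added example (not the poster's script), the two pieces of the procedure above that benefit from being scripted: the "nothing unexpected is there" check of a DC's authorized_keys against the public key that was actually copied, and the per-DC unison loop with each result logged rather than sent to /dev/null. The sysvol path, key file name, server list and log path are assumptions and can be overridden in the environment.

```shell
#!/bin/sh
# Added example, not the poster's script. Assumed defaults below.
SVPATH="${SVPATH:-/var/lib/samba/sysvol}"          # assumed sysvol location
KEYFILE="${KEYFILE:-/root/.ssh/id_ed25519.pub}"    # assumed key that was copied
SERVERLIST="${SERVERLIST:-dc02.domain.lan dc03.domain.lan}"
LOG="${LOG:-/var/log/sysvolsync.log}"

# check_authorized_keys AUTHORIZED_KEYS_FILE PUBKEY_FILE
# Succeeds only if the expected key is present and no other key lines exist.
# Blank lines and comments are ignored; unexpected lines are reported on stderr.
check_authorized_keys() {
    exp_key=$(awk '{print $1 " " $2}' "$2")   # key type + base64 blob, comment dropped
    found=0; bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            ''|'#'*) ;;                          # blank or comment line
            *"$exp_key"*) found=1 ;;             # matches even with leading options
            *) bad=1; echo "unexpected key line: $line" >&2 ;;
        esac
    done < "$1"
    [ "$found" -eq 1 ] && [ "$bad" -eq 0 ]
}

# unison_cmd HOST: prints the exact command the post uses, built from SVPATH
unison_cmd() {
    printf 'unison -batch "%s" "ssh://%s/%s"\n' "$SVPATH" "$1" "$SVPATH"
}

# sync_all: run unison against each DC, log the outcome, fail if any DC failed
sync_all() {
    rc_all=0
    for host in $SERVERLIST; do
        rc=0
        unison -batch "$SVPATH" "ssh://$host/$SVPATH" >>"$LOG" 2>&1 || rc=$?
        if [ "$rc" -eq 0 ]; then
            echo "$(date '+%F %T') $host ok" >>"$LOG"
        else
            rc_all=1
            echo "$(date '+%F %T') $host FAILED (unison exit $rc)" >>"$LOG"
        fi
    done
    return $rc_all
}

# Run the sync only when invoked as "sysvolsync.sh run" (e.g. from cron)
if [ "${1:-}" = "run" ]; then sync_all; fi
```

Run check_authorized_keys on each DC after ssh-copy-id, then point the cron entry at this script with the "run" argument and watch the log instead of discarding output.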
