[Samba] Proper sysvol replication solution...

L.P.H. van Belle belle at bazuin.nl
Fri Aug 22 00:21:45 MDT 2014

Ah, you didn't see my script...

Your way is missing the ACL.. you need rsync with unison.
It's all in my script.



>-----Original message-----
>From: ryana at reachtechfp.com 
>[mailto:samba-bounces at lists.samba.org] On behalf of Ryan Ashley
>Sent: Friday, 22 August 2014 0:14
>To: samba at lists.samba.org
>Subject: [Samba] Proper sysvol replication solution...
>I see the Samba guide suggests using rsync to keep sysvols in sync, but this poses a problem with IDs and it is only one-way. I have been hesitant to suggest anything because of the flak I have been getting, but I do believe I have a much better solution that transfers files via SSH, is bi-directional (no more only editing group policy on one server), and does NOT set UID/GID information. In other words, it is PERFECT for sysvol replication, and has been working on several of my domains for around a year and a half without a hitch. The solution I am proposing is to use unison, which also works on Windows and (I think) Mac.
>
>The way I have unison working on my systems is to install unison on all DCs, which is required. You also need an SSH server and client on all DCs, but I assume most of you do anyway. Once they're installed, it is as simple as the command below. This will synchronize changes without touching your UID/GID setup. If you're paranoid, you could always do a sysvolreset when done though.
>
>unison -batch "/path/to/sysvol" "ssh://dc02.domain.lan//path/to/sysvol"
>
>If you do this at a command line, it will prompt you for your password on the remote machine. This would prevent a cron job, but I overcame that as well. You can create an SSH key that does not require a password for the systems to use. This means you can now create a cron job to handle the replication every fifteen minutes or so. You could also use something like "incrond" to monitor for changes in the sysvol and launch unison as well, but I don't personally modify the sysvol often, so replication every fifteen minutes works for me.
>
>To create an SSH key to allow password-less replication via unison, do the following.
>
>ssh-keygen -t dsa
>
>When it prompts for a file to save the key in, it should be your home directory in a ".ssh" directory. I run as root, so this is "/root/.ssh/id_dsa" for me. It will then prompt for a password. Ignore this and just press enter. It will ask you to verify the password. Press enter again. If you enter a password here, it cannot run without user input!
>
>Next, you need to copy the key to your other domain controllers. You can do so as follows. Note that my example is run as root. Substitute your user's path if needed.
>
>ssh-copy-id -i /root/.ssh/id_dsa.pub root at dc02.domain.lan
>
>Once that is done, log in to the domain controller you copied the key to (in the example, dc02) and check "/root/.ssh/authorized_keys" to verify that the key was added and nothing unexpected is there. You can do this with "cat /root/.ssh/authorized_keys". You should see a key on a single line followed by the hostname of your primary domain controller. If it is there, they may now connect via SSH without a password!
>
>You may now copy the key to any other domain controllers in your domain so they trust the primary DC as well. After that, all that is left is the synchronization. I urge you to run the first synchronization manually, like below.
>
>unison "/path/to/sysvol" "ssh://dc02.domain.lan//path/to/sysvol"
>
>Make sure everything looks good, synchronize it, then repeat for each DC on your domain. Once done, you can create cron jobs to sync each server, or use a script like mine below. This script is on my primary DC. I actually only have two DCs, but I added more as an example here.
>
>#!/bin/sh
>SVPATH="/path/to/sysvol"
>SERVERLIST="dc02.domain.lan dc03.domain.lan dc04.domain.lan"
># Synchronize all of the domain controllers
>for sLoop in ${SERVERLIST}; do
>   unison -batch "${SVPATH}" "ssh://${sLoop}/${SVPATH}"
>done
>exit 0
>
>Now set that script to run in a cron job and you're golden. You could also set up "incrond" on all of your DCs and have it call unison to sync the other DCs whenever a write happens in your sysvol, but I do not need such a thing and have not personally tried it, though I have a fellow IT lead who has and likes it. My crontab job entry is listed below.
>
>15 * * * * /root/sysvolsync.sh >/dev/null 2>&1
>
>I hope this helps somebody and if you see something wrong, feel free to let me know.
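The procedure in the quoted message (unison in batch mode over a password-less key, driven from cron, with a sysvolreset afterwards) as one stand-alone script. This is an added editorial example, not the poster's sysvolsync.sh and not code shipped by Samba or unison; the sysvol path (the Debian/Ubuntu default /var/lib/samba/sysvol), the peer names dc02/dc03.domain.lan, the ed25519 key path and the log path are assumptions to adjust. It differs from the quoted script where a practitioner would want it to: ssh runs in BatchMode with strict host-key checking so a missing key or a changed host key fails instead of hanging on a prompt, each peer's result is logged and the exit status is the number of failed steps, and `samba-tool ntacl sysvolreset` runs at the end because unison copies file contents but not the NT ACLs Samba stores in extended attributes, which is the gap the reply at the top of the thread points at.

```shell
#!/bin/sh
# sysvolsync.sh: push this DC's sysvol to every peer with unison over ssh,
# then rebuild the local NT ACLs. Editorial example, not the poster's script.
# Assumed values (override via the environment): SVPATH is the Debian/Ubuntu
# default; the peer names, key path and log path are placeholders.
set -u

SVPATH="${SVPATH:-/var/lib/samba/sysvol}"
SERVERLIST="${SERVERLIST:-dc02.domain.lan dc03.domain.lan}"
SSH_KEY="${SSH_KEY:-/root/.ssh/id_ed25519}"
LOGFILE="${LOGFILE:-/var/log/sysvolsync.log}"
DRY_RUN="${DRY_RUN:-}"   # set to 1 to print the commands instead of running them

log() { printf '%s %s\n' "$(date '+%F %T')" "$*" >>"$LOGFILE"; }

# unison addresses a remote replica as ssh://host//absolute/path: the second
# slash comes from the absolute path, so do not add one yourself.
remote_root() { printf 'ssh://%s/%s' "$1" "$2"; }

# Synchronise one peer. -batch: no interactive prompts, copy non-conflicting
# changes both ways, skip conflicts and exit non-zero. BatchMode stops ssh from
# prompting for a passphrase or password; StrictHostKeyChecking=yes turns an
# unknown or changed host key into a hard failure instead of a silent accept.
sync_one() {
    host=$1
    set -- unison -batch -terse \
        -sshargs "-i $SSH_KEY -o BatchMode=yes -o StrictHostKeyChecking=yes" \
        "$SVPATH" "$(remote_root "$host" "$SVPATH")"
    if [ -n "$DRY_RUN" ]; then
        printf '%s\n' "$*"
        return 0
    fi
    "$@" >>"$LOGFILE" 2>&1
}

# Sync every peer, count failures, then reset the local sysvol ACLs: unison
# carries file contents, not the NT ACLs Samba keeps in extended attributes.
# Returns the number of failed steps, so cron or a monitor sees non-zero.
sync_all() {
    failed=0
    for host in $SERVERLIST; do
        if sync_one "$host"; then
            log "sync with $host ok"
        else
            log "sync with $host FAILED (unison exit $?)"
            failed=$((failed + 1))
        fi
    done
    if [ -n "$DRY_RUN" ]; then
        printf '%s\n' "samba-tool ntacl sysvolreset"
    elif ! samba-tool ntacl sysvolreset >>"$LOGFILE" 2>&1; then
        log "sysvolreset FAILED"
        failed=$((failed + 1))
    fi
    return "$failed"
}

main() {
    for tool in unison samba-tool; do
        command -v "$tool" >/dev/null 2>&1 || { echo "$tool not found" >&2; exit 2; }
    done
    sync_all
}

# Run only when invoked as a script, so the functions can also be sourced.
case "${0##*/}" in sysvolsync.sh) main "$@" ;; esac
```

Install the same script on every DC with SERVERLIST pointing at the other DCs; batch mode merges non-conflicting edits in both directions and leaves conflicts alone with a non-zero exit, so the log is worth reading after a GPO change. Run it once by hand first so the peers' host keys land in root's known_hosts, otherwise StrictHostKeyChecking will make the cron run fail. Note that the quoted crontab entry `15 * * * *` fires once an hour at quarter past; every fifteen minutes is `*/15 * * * *`. Because the key is unencrypted and logs in as root, restrict it on each peer in authorized_keys with `from="<this DC's address>"` and, if the peers only ever need unison over that key, the forced command `command="unison -server"` (unison invokes `unison -server` on the remote side, so the forced command still serves it); and use `ssh-keygen -t ed25519` rather than DSA, which current OpenSSH no longer accepts.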
