[Samba] Proper sysvol replication solution...

Chan Min Wai dcmwai at gmail.com
Sat Sep 6 22:13:09 MDT 2014

Hello Louis,

Can you help advise on the unison version used in your script?

I have some problems when running the rsync dry run with unison...

sent 44886 bytes  received 1470 bytes  92712.00 bytes/sec
total size is 0  speedup is 0.00 (DRY RUN)
Fatal error: File "default", line 7: `copythreshold' is not a valid option

Should I just comment the copythreshold line?

Thank You.

On Fri, Aug 22, 2014 at 2:21 PM, L.P.H. van Belle <belle at bazuin.nl> wrote:

> ah you didn't see my script...
> https://secure.bazuin.nl/scripts/3-setup-sysvol-bidirectional.sh
> Your way is missing the ACL.. you need rsync with unison.
> It's all in my script.
> Greetz,
> Louis
> >-----Original message-----
> >From: ryana at reachtechfp.com
> >[mailto:samba-bounces at lists.samba.org] On behalf of Ryan Ashley
> >Sent: Friday 22 August 2014 0:14
> >To: samba at lists.samba.org
> >Subject: [Samba] Proper sysvol replication solution...
> >
> >I see the Samba guide suggests using rsync to keep sysvols in sync, but
> >this poses a problem with IDs and it is only one-way. I have been
> >hesitant to suggest anything because of the flak I have been getting,
> >but I do believe I have a much better solution that transfers files via
> >SSH, is bi-directional (no more only editing group policy on one
> >server), and does NOT set UID/GID information. In other words, it is
> >PERFECT for sysvol replication, and has been working on several of my
> >domains for around a year and a half without a hitch. The solution I am
> >proposing is to use unison, which also works on Windows and (I think) Mac.
> >
> >The way I have unison working on my systems is to install unison on all
> >DCs, which is required. You also need an SSH server and client on all
> >DCs, but I assume most of you do anyway. Once they're installed, it is
> >as simple as the command below. This will synchronize changes
> >without touching your UID/GID setup. If you're paranoid, you could
> >always do a sysvolreset when done though.
> >
> >unison -batch "/path/to/sysvol" "ssh://dc02.domain.lan//path/to/sysvol"
> >
> >If you do this at a command-line, it will prompt you for your password
> >on the remote machine. This would prevent a cron job, but I overcame
> >that as well. You can create an SSH key that does not require a password
> >for the systems to use. This means you can now create a cron job to
> >handle the replication every fifteen minutes or so. You could also use
> >something like "incrond" to monitor for changes in the sysvol and launch
> >unison as well, but I don't personally modify the sysvol often, so
> >replication every fifteen minutes works for me.
> >
> >To create an SSH key to allow password-less replication via unison, do
> >the following.
> >
> >ssh-keygen -t dsa
> >
> >When it prompts for a file to save the key in, it should be your home
> >directory in a ".ssh" directory. I run as root, so this is
> >"/root/.ssh/id_dsa" for me. It will then prompt for a password. Ignore
> >this and just press enter. It will ask you to verify the password. Press
> >enter again. If you enter a password here, it cannot run without user input!
> >
> >Next, you need to copy the key to your other domain controllers. You can
> >do so as follows. Note that my example is run as root. Substitute your
> >user's path if needed.
> >
> >ssh-copy-id -i /root/.ssh/id_dsa.pub root at dc02.domain.lan
> >
> >Once that is done, login to the domain controller you copied the key to
> >(in the example, dc02) and check "/root/.ssh/authorized_keys" to verify
> >that the key was added and nothing unexpected is there. You can do this
> >with "cat /root/.ssh/authorized_keys". You should see a key on a single
> >line followed by the hostname of your primary domain controller. If it
> >is there, they may now connect via SSH without a password!
> >
> >You may now copy the key to any other domain controllers in your domain
> >so they trust the primary DC as well. After that, all that is left is
> >the synchronization. I urge you to run the first synchronization
> >manually, like below.
> >
> >unison "/path/to/sysvol" "ssh://dc02.domain.lan//path/to/sysvol"
> >
> >Make sure everything looks good, synchronize it, then repeat for each DC
> >on your domain. Once done, you can create cron jobs to sync each server,
> >or use a script like mine below. This script is on my primary DC. I
> >actually only have two DCs, but I added more as an example here.
> >
> >#!/bin/bash
> >SERVERLIST="dc02.domain.lan dc03.domain.lan dc04.domain.lan"
> >SVPATH="/path/to/sysvol"
> >
> ># Synchronize all of the domain controllers
> >for sLoop in ${SERVERLIST}
> >do
> >   unison -batch "${SVPATH}" "ssh://${sLoop}/${SVPATH}"
> >done
> >
> >exit 0
> >
> >Now set that script to run in a cron job and you're golden. You could
> >also setup "incrond" on all of your DCs and have it call unison to sync
> >the other DCs whenever a write happens in your sysvol, but I do not
> >need such a thing and have not personally tried it, though I have a
> >fellow IT lead who has and likes it. My crontab job entry is listed below.
> >
> >15 * * * * /root/sysvolsync.sh &> /dev/null
> >
> >I hope this helps somebody and if you see something wrong, feel free to
> >let me know.
> >--
> >To unsubscribe from this list go to the following URL and read the
> >instructions:  https://lists.samba.org/mailman/options/samba
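Checking the authorized_keys file the way the quoted post describes, as an added example that is not from the thread or the script linked in it: it parses each entry, flags ssh-dss keys (what `ssh-keygen -t dsa` produces), checks that the key blob is well-formed and matches its declared type, and reports keys that carry none of the restrictions an unattended sync key can have. The policy in REQUIRED_OPTIONS, the `command="unison -server"` value and the sample file are assumptions constructed for the example.

```python
# Added example, not code from the thread: audits an authorized_keys file for the checks
# the post does by eye and for the restrictions an unattended sync key should carry.
import base64, binascii, re
KEY_TYPES = {"ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-nistp256"}  # extend as needed
# Assumed policy: pinned to the peer DC and to unison's server command, no tunnelling.
REQUIRED_OPTIONS = ("from", "command", "no-port-forwarding", "no-agent-forwarding")
_TOKEN = re.compile(r'(?:[^\s"]+|"[^"]*")+')  # whitespace split, quoted spans kept
_OPT = re.compile(r'(?:[^,"]+|"[^"]*")+')     # comma split, quoted spans kept

def parse_entry(line):
    # One authorized_keys line -> dict, or None for blank and comment lines.
    tokens = _TOKEN.findall(line.strip())
    if not tokens or tokens[0].startswith("#"):
        return None
    options = {}
    if tokens[0] not in KEY_TYPES:            # line starts with an options field
        for opt in _OPT.findall(tokens.pop(0)):
            name, _, value = opt.partition("=")
            options[name.lower()] = value.strip('"')
    if len(tokens) < 2:
        return {"error": "malformed entry: " + line.strip()}
    return {"type": tokens[0], "blob": tokens[1],
            "comment": " ".join(tokens[2:]), "options": options}

def audit_entry(e):
    if "error" in e: return [e["error"]]
    problems = []
    if e["type"] == "ssh-dss":  # what 'ssh-keygen -t dsa' produces
        problems.append("ssh-dss key: disabled by default since OpenSSH 7.0")
    try:  # the wire blob begins with a length-prefixed copy of the key type
        raw = base64.b64decode(e["blob"], validate=True)
        n = int.from_bytes(raw[:4], "big")
        if raw[4:4 + n].decode() != e["type"]:
            problems.append("blob type does not match declared key type")
    except (binascii.Error, UnicodeDecodeError):
        problems.append("key blob is not valid base64")
    missing = [o for o in REQUIRED_OPTIONS if o not in e["options"]]
    if missing: problems.append("unrestricted key, missing " + ", ".join(missing))
    return problems

def audit(text):
    # Return [(comment, problems)] for every key entry in the file text.
    entries = (parse_entry(l) for l in text.splitlines())
    return [(e.get("comment", ""), audit_entry(e)) for e in entries if e]

def fake_blob(keytype):  # constructed placeholder blob, not a real public key
    body = len(keytype).to_bytes(4, "big") + keytype.encode() + b"\0" * 36
    return base64.b64encode(body).decode()
SAMPLE = "\n".join([  # constructed file: restricted key, bare DSA key, comment, bad line
    'from="dc01.domain.lan",command="unison -server",no-port-forwarding,no-agent-forwarding'
    " ssh-ed25519 " + fake_blob("ssh-ed25519") + " root@dc01.domain.lan",
    "ssh-dss " + fake_blob("ssh-dss") + " root@dc01.domain.lan", "# comment", "ssh-rsa x!! stray"])
```

Run `audit(open("/root/.ssh/authorized_keys").read())` on each DC after `ssh-copy-id`; an empty problem list for the expected comment and nothing else in the output is the "nothing unexpected" check the post asks for.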
