[Samba] Rights issue on GPO

lists lists at merit.unu.edu
Tue Jun 21 10:10:46 UTC 2016


Hi Achim, list,

On 21-6-2016 11:26, Achim Gottinger wrote:
> Exactly, rsync should map user and group names if the daemon on the
> destination runs as root. But this does not work. I tested it with a
> group named test with gid 1000 on server #1 and gid 1001 on server #2.
> It works if rsync is used via ssh like this
> rsync -vv -XAavz -e ssh root@server2:/var/lib/samba/private/sysvol/ /var/lib/samba/private/sysvol/
> Seems to be an issue with rsync causing trouble with sysvols.
>
> achim~

I just tried your suggestion, rsync over ssh vs rsync to rsyncd, and 
much to my surprise, there is a difference in the resulting data?!

Unfortunately, however, on our DC4 rsync over ssh also doesn't give us 
the same getfacl output as on DC2/DC3, but it's surprising (to me) that 
there is a difference at all:

rsync to rsyncd result on DC4:
> root@dc4:~/sysvol# getfacl /var/lib/samba/sysvol
> getfacl: Removing leading '/' from absolute path names
> # file: var/lib/samba/sysvol
> # owner: root
> # group: BUILTIN\134administrators
> user::rwx
> user:root:rwx
> user:BUILTIN\134administrators:rwx
> user:3000009:r-x
> user:OURDOMAIN\134proxmox$:rwx
> group::rwx
> group:1078:r-x
> group:BUILTIN\134administrators:rwx
> group:3000009:r-x
> group:OURDOMAIN\134proxmox$:rwx
> mask::rwx
> other::---
> default:user::rwx
> default:user:root:rwx
> default:user:BUILTIN\134administrators:rwx
> default:user:3000009:r-x
> default:user:OURDOMAIN\134proxmox$:rwx
> default:group::---
> default:group:1078:r-x
> default:group:BUILTIN\134administrators:rwx
> default:group:3000009:r-x
> default:group:OURDOMAIN\134proxmox$:rwx
> default:mask::rwx
> default:other::---

rsync over ssh result on DC4:
> root@dc4:~/sysvol# getfacl sysvol/
> # file: sysvol/
> # owner: root
> # group: BUILTIN\134administrators
> user::rwx
> user:root:rwx
> user:BUILTIN\134administrators:rwx
> user:3000009:r-x
> user:OURDOMAIN\134proxmox$:rwx
> group::rwx
> group:BUILTIN\134administrators:rwx
> group:3000009:r-x
> group:BUILTIN\134server\040operators:r-x
> group:OURDOMAIN\134proxmox$:rwx
> mask::rwx
> other::---
> default:user::rwx
> default:user:root:rwx
> default:user:BUILTIN\134administrators:rwx
> default:user:3000009:r-x
> default:user:OURDOMAIN\134proxmox$:rwx
> default:group::---
> default:group:BUILTIN\134administrators:rwx
> default:group:3000009:r-x
> default:group:BUILTIN\134server\040operators:r-x
> default:group:OURDOMAIN\134proxmox$:rwx
> default:mask::rwx
> default:other::---

And the 'original' getfacl on both DC2/DC3 looks like this:
> user::rwx
> user:root:rwx
> user:BUILTIN\134administrators:rwx
> user:3000009:r-x
> user:3000300:rwx
> group::rwx
> group:BUILTIN\134server\040operators:r-x
> group:BUILTIN\134administrators:rwx
> group:3000009:r-x
> group:3000300:rwx
> mask::rwx
> other::---
> default:user::rwx
> default:user:root:rwx
> default:user:BUILTIN\134administrators:rwx
> default:user:3000009:r-x
> default:user:3000300:rwx
> default:group::---
> default:group:BUILTIN\134server\040operators:r-x
> default:group:BUILTIN\134administrators:rwx
> default:group:3000009:r-x
> default:group:3000300:rwx
> default:mask::rwx
> default:other::---

So even though your solution causes a change, our DC4 still does not look 
completely healthy... Suggestions to cure our DC4 would be very much 
appreciated...

But there is a much more fundamental question... how come there is a 
difference between (rsync over ssh) vs (rsync to rsyncd)??!

MJ
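
Added example, not part of the original message: one way to compare getfacl output from two DCs entry by entry instead of by eye. It decodes getfacl's octal escapes (\134 is a backslash, \040 a space) and reports entries present on only one side, plus qualifiers that getfacl printed as bare numeric IDs because it found no name for them on that host. The function names are hypothetical, and the sample input is constructed from the group entries quoted above.

```python
import re

TAGS = {"user", "group", "mask", "other"}

def parse_getfacl(text):
    """Parse getfacl output into a set of (is_default, tag, qualifier, perms)."""
    entries = set()
    for raw in text.splitlines():
        # Drop mail quoting ("> ") and trailing "#effective:..." comments.
        line = raw.lstrip("> ").split("#", 1)[0].strip()
        is_default = line.startswith("default:")
        if is_default:
            line = line[len("default:"):]
        if line.count(":") < 2:
            continue  # blank lines, "# owner:" headers, "getfacl:" notices, prompts
        tag, rest = line.split(":", 1)
        qualifier, perms = rest.rsplit(":", 1)
        if tag not in TAGS:
            continue
        # getfacl writes special characters as three-digit octal escapes.
        qualifier = re.sub(r"\\([0-7]{3})",
                           lambda m: chr(int(m.group(1), 8)), qualifier)
        entries.add((is_default, tag, qualifier, perms))
    return entries

def compare(reference, candidate):
    """Diff two getfacl outputs; 'numeric' lists candidate IDs with no name."""
    ref, cand = parse_getfacl(reference), parse_getfacl(candidate)
    return {
        "missing": sorted(ref - cand),   # on the reference DC only
        "extra": sorted(cand - ref),     # on the candidate DC only
        "numeric": sorted(e for e in cand if e[2].isdigit()),
    }

# Constructed sample: access-ACL group entries from the outputs quoted above.
REFERENCE = r"""group::rwx
group:BUILTIN\134server\040operators:r-x
group:BUILTIN\134administrators:rwx
group:3000009:r-x
group:3000300:rwx"""
RSYNCD = r"""> group::rwx
> group:1078:r-x
> group:BUILTIN\134administrators:rwx
> group:3000009:r-x
> group:OURDOMAIN\134proxmox$:rwx"""

if __name__ == "__main__":
    for kind, items in compare(REFERENCE, RSYNCD).items():
        print(kind, items)
```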


