[Samba] rsync alternative -- smbclient?

Joachim Lindenberg samba at lindenberg.one
Sat Jul 13 16:46:24 UTC 2019

As you may have noticed I am looking into containers… in order to minimize configuration I also started looking into options for sysvol replication. I am aware of the list at https://wiki.samba.org/index.php/SysVol_replication_(DFS-R). Ignoring the robocopy option, essentially all of them use rsync, w/o ssh, w/o some extras like unison, osync, or lsyncd as Sven suggested, plus optionally defining a kind of topology by peer-to-peer associations, uni- or bi-directional.

My understanding is that rsync without ssh allows for MitM attacks (see Jan's answer at https://stackoverflow.com/questions/8815031/how-much-is-in-secure-to-use-rsync-in-daemon-mode-without-ssh) – and while I don't care about someone reading my policies, I definitely don't want someone to modify them in transit. Imho rsync with ssh however is more cumbersome to set up, in particular when considering a number of DCs that might join or leave later on. Therefore I am considering using smbclient instead. Smbclient can use Kerberos to authenticate against peers and can copy files, albeit not very efficiently compared to rsync.

Experimenting around I came up with the following script, which essentially identifies the "primary domain controller" and copies sysvol from there - as is suggested on https://wiki.samba.org/index.php/Rsync_based_SysVol_replication_workaround

--- begin ---
#!/bin/sh
# prerequisite: apt-get install smbclient ldb-tools
set -e

# realm from smb.conf (the lower-cased domain is not used yet in this proof-of-concept)
realminfo=`grep -i '^[[:space:]]*realm' /etc/samba/smb.conf | tr -d "' "`
domain=`echo $realminfo | sed -n -E 's/realm=(.*)/\1/p' | tr A-Z a-z`
privatedir=`smbd -b | grep "PRIVATE_DIR" | sed -n -E 's/PRIVATE_DIR:(.*)/\1/p' | xargs`
sysvol=`cd "$privatedir/.."; pwd`/sysvol

# find the DC holding the PDC emulator role and resolve its DNS host name
pdc=`samba-tool fsmo show | grep PdcEmulation | sed -n -E 's/PdcEmulationMasterRole owner: CN=NTDS Settings,CN=([^,]*),.*/\1/p'`
peer=`ldbsearch --cross-ncs -H "$privatedir/sam.ldb" "(samAccountName=$pdc$)" | grep dNSHostName | sed -n -E 's/dNSHostName: (.*)/\1/p'`
echo "$peer"

mkdir -p /tmp/samba
touch /tmp/samba/olddir

# recursive listing of the peer's sysvol; any change in it triggers a full copy
smbclient --machine-pass -e --max-protocol SMB3 "\\\\$peer\\sysvol" -c "prompt; recurse; dir *" >/tmp/samba/newdir

if ! cmp -s /tmp/samba/newdir /tmp/samba/olddir; then
    rm -rf /tmp/samba/sysvol   # leftovers from an interrupted run
    mkdir /tmp/samba/sysvol
    cd /tmp/samba/sysvol
    smbclient --machine-pass -e --max-protocol SMB3 "\\\\$peer\\sysvol" -c "prompt; recurse; mget *"
    mv "$sysvol" "$sysvol.old"
    mv /tmp/samba/sysvol "$sysvol"
    samba-tool ntacl sysvolreset   # smbclient does not carry the ACLs over
    rm -r "$sysvol.old"
    mv /tmp/samba/newdir /tmp/samba/olddir
fi
--- end ---

Good: zero extra configuration, only reusing Samba configuration that exists already. More secure than rsync without ssh.
Caveats: unidirectional like the trivial rsync option. Less efficient - but one could identify changed files and just copy these. Doesn't check whether running on "PDC" yet.
Bad: smbclient obviously does not copy the ACLs properly. In fact Windows Explorer crashes when displaying Security… I resorted to just resetting them as a quick & dirty workaround, but wouldn't it be better if smbclient had an option to also copy ACLs?
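The "identify changed files and just copy these" idea from the caveats, as an added example that is not part of Joachim's post or of Samba: it indexes two saved "recurse; dir *" listings (the olddir/newdir files the script already keeps) and prints only the paths that are new or whose size or timestamp changed, so a follow-up run could "get" those instead of "mget *". The listing layout it parses is assumed from smbclient's output (a line starting with a backslash names the current directory, then one entry per line: name, attribute letters, size, timestamp), and the two sample listings are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): compare two saved listings from
#   smbclient ... \\\\$peer\\sysvol -c "prompt; recurse; dir *"
# file by file, so only new or changed files need fetching. Assumed layout: a
# line starting with "\" names the current directory; each entry line is
# name, attribute letters, size, timestamp (names may contain spaces).
export LC_ALL=C   # byte order for sort/comm, independent of the locale
# Emit "path<TAB>size<TAB>timestamp" for every regular file in a listing.
listing_to_index() {
    awk '
        /^\\/ { dir = $0; next }
        NF >= 8 {
            attr = $(NF-6); size = $(NF-5)
            stamp = $(NF-4) " " $(NF-3) " " $(NF-2) " " $(NF-1) " " $NF
            if (attr ~ /D/) next          # skip directories, "." and ".."
            name = $1
            for (i = 2; i <= NF-7; i++) name = name " " $i
            printf "%s\\%s\t%s\t%s\n", dir, name, size, stamp
        }' "$1" | sort
}
# Paths in the new listing that are absent from, or differ in size or
# timestamp from, the old listing: exactly the files worth a "get".
changed_files() {
    old=$(mktemp); new=$(mktemp)
    listing_to_index "$1" > "$old"
    listing_to_index "$2" > "$new"
    comm -13 "$old" "$new" | cut -f1
    rm -f "$old" "$new"
}
# Constructed sample listings (not real output): GPT.INI changed, one file added.
sample_dir=$(mktemp -d); trap 'rm -rf "$sample_dir"' EXIT
cat > "$sample_dir/olddir" <<'EOF'
  example.test                        D        0  Sat Jul 13 10:00:00 2019
\example.test\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}
  GPT.INI                             A       22  Sat Jul 13 10:00:00 2019

\example.test\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE
  Registry.pol                        A     1234  Sat Jul 13 10:00:00 2019
EOF
cat > "$sample_dir/newdir" <<'EOF'
  example.test                        D        0  Sat Jul 13 10:00:00 2019
\example.test\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}
  GPT.INI                             A       23  Sat Jul 13 16:40:00 2019

\example.test\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE
  Registry.pol                        A     1234  Sat Jul 13 10:00:00 2019
  new script.bat                      A       40  Sat Jul 13 16:40:00 2019
EOF
changed_files "$sample_dir/olddir" "$sample_dir/newdir"
```

Feeding the printed paths to smbclient as "get" commands would replace the full "mget *" for small changes; a removed file still needs a separate check of paths present only in the old index.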

Feedback welcome, I am sure some stuff can be done more elegantly than in this proof-of-concept, and I am probably also missing something.

Thanks, Joachim
