[Samba] rsync alternative -- smbclient?
samba at lindenberg.one
Sat Jul 13 16:46:24 UTC 2019
As you may have noticed I am looking into containers… in order to minimize configuration I also started looking into options for sysvol replication. I am aware of the list at https://wiki.samba.org/index.php/SysVol_replication_(DFS-R) Ignoring the robocopy option, essentially all of them use rsync, w/o ssh, w/o some extras like unison, osync, or lsyncd as Sven suggested, plus optionally defining a kind of topology by peer-to-peer associations, uni- or bi-directional.
My understanding is that rsync without ssh allows for MitM attacks (see Jan's answer at https://stackoverflow.com/questions/8815031/how-much-is-in-secure-to-use-rsync-in-daemon-mode-without-ssh) – and while I don't care about someone reading my policies, I definitely don't want someone to modify them in transit. Imho rsync with ssh however is more cumbersome to set up, in particular when considering a number of DCs that might join or leave later on. Therefore I am considering using smbclient instead. Smbclient can use Kerberos to authenticate against peers plus can copy files, albeit not very efficiently compared to rsync.
Experimenting around I came up with the following script, which essentially identifies the "primary domain controller" and copies sysvol from there, as is suggested on https://wiki.samba.org/index.php/Rsync_based_SysVol_replication_workaround
--- begin ---
#!/bin/sh
# prerequisite: apt-get install smbclient ldb-tools
set -e
realminfo=`grep realm /etc/samba/smb.conf | tr -d "' "`
domain=`echo $realminfo | sed -n -E 's/realm=(.*)/\1/p' | tr A-Z a-z`
privatedir=`smbd -b | grep "PRIVATE_DIR" | sed -n -E 's/PRIVATE_DIR:(.*)/\1/p' | xargs`
# local sysvol path, taken from the [sysvol] share in smb.conf (was undefined before)
sysvol=`testparm -s --section-name=sysvol --parameter-name=path 2>/dev/null`
# CN of the PDC emulator's NTDS Settings object, then its DNS host name
pdc=`samba-tool fsmo show | grep PdcEmulation | sed -n -E 's/PdcEmulationMasterRole owner: CN=NTDS Settings,CN=([^,]*),.*/\1/p'`
peer=`ldbsearch --cross-ncs -H $privatedir/sam.ldb "(samAccountName=$pdc$)" | grep dNSHostName | sed -n -E 's/dNSHostName: (.*)/\1/p'`
mkdir -p /tmp/samba
touch /tmp/samba/olddir   # first run: no previous listing, so everything is copied
smbclient --machine-pass -e --max-protocol SMB3 \\\\$peer\\sysvol -c "prompt; recurse; dir *" >/tmp/samba/newdir
if ! cmp -s /tmp/samba/newdir /tmp/samba/olddir; then
  # mget writes into the current directory, so fetch into a fresh staging tree
  rm -rf /tmp/samba/sysvol && mkdir /tmp/samba/sysvol && cd /tmp/samba/sysvol
  # connect to the host name ($peer); $pdc is only the server CN, not a DNS name
  smbclient --machine-pass -e --max-protocol SMB3 \\\\$peer\\sysvol -c "prompt; recurse; mget *"
  mv $sysvol $sysvol.old
  mv /tmp/samba/sysvol $sysvol
  samba-tool ntacl sysvolreset
  rm -r $sysvol.old
  mv /tmp/samba/newdir /tmp/samba/olddir
fi
--- end ---
Good: zero extra configuration, only reusing Samba configuration that exists already. More secure than rsync without ssh.
Caveats: unidirectional like the trivial rsync option. Less efficient - but one could identify changed files and just copy these. Doesn't check whether running on "PDC" yet.
Bad: smbclient obviously does not copy the ACLs properly. In fact Windows Explorer crashes when displaying Security… I resorted to just resetting them as a quick & dirty workaround, but wouldn't it be better if smbclient had an option to also copy ACLs?
Feedback welcome, I am sure some stuff can be done more elegantly than in this proof-of-concept, and I am probably also missing something...
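Added example, not part of the post above and not Samba's own code: the two caveats the poster lists ("one could identify changed files and just copy these" and "doesn't check whether running on PDC yet") can both be covered with a little text processing on output the script already captures. The listing format below (a `\dir` header per directory, then `name attrs size asctime` entries, then a "blocks of size" summary) is my assumption about what `smbclient -c "recurse; dir *"` prints; the sample listings and the `samba-tool fsmo show` lines are constructed, and `dc1`/`example.com` are placeholder names.

```shell
#!/bin/sh
# Added example (mine, not the poster's or Samba's code).
# Assumed listing format of "smbclient ... -c 'prompt; recurse; dir *'":
#   \dir\subdir                                   <- directory header
#     name   attrs    size  Dow Mon DD HH:MM:SS YYYY
#   ... "N blocks of size M. K blocks available"  <- trailing summary

# listing_to_index FILE: one "path<TAB>size<TAB>mtime" line per regular file.
listing_to_index() {
  awk '
    /^\\/            { dir = $0; next }   # directory header, e.g. \example.com\Policies
    /blocks of size/ { next }             # free-space summary at the end
    NF < 7           { next }             # blank lines, or too short to be an entry
    {
      # count from the end because file names may contain spaces:
      # last five fields = asctime date, then size, then attribute letters
      size  = $(NF-5)
      attr  = $(NF-6)
      mtime = $(NF-4) " " $(NF-3) " " $(NF-2) " " $(NF-1) " " $NF
      name  = $1
      for (i = 2; i <= NF-7; i++) name = name " " $i
      if (name == "." || name == "..") next
      if (attr ~ /D/) next                # directories: recreated by mget anyway
      printf "%s\\%s\t%s\t%s\n", dir, name, size, mtime
    }' "$1"
}

# changed_files OLD_LISTING NEW_LISTING: paths whose size/mtime in NEW differ
# from OLD or that are absent from OLD, in listing order. Swap the arguments
# to get the files to delete locally (modified files then appear in both).
changed_files() {
  oldidx=$(mktemp) ; newidx=$(mktemp)
  listing_to_index "$1" > "$oldidx"
  listing_to_index "$2" > "$newidx"
  # FILENAME == ARGV[1] instead of NR == FNR so an empty old index still works
  awk -F '\t' 'FILENAME == ARGV[1] { seen[$0] = 1; next }
               !($0 in seen)       { print $1 }' "$oldidx" "$newidx"
  rm -f "$oldidx" "$newidx"
}

# is_pdc FSMO_OUTPUT_FILE SHORT_HOSTNAME: true when the PdcEmulationMasterRole
# owner in captured "samba-tool fsmo show" output is this host (same sed as
# in the posted script, compared case-insensitively).
is_pdc() {
  pdc=$(sed -n -E 's/^PdcEmulationMasterRole owner: CN=NTDS Settings,CN=([^,]*),.*/\1/p' "$1" | tr A-Z a-z)
  [ -n "$pdc" ] && [ "$pdc" = "$(printf '%s' "$2" | tr A-Z a-z)" ]
}

# Constructed sample data (not captured from a real DC). Between old and new,
# GPT.INI grew by one byte and comment.cmt appeared; Registry.pol is untouched.
sample_old() { cat <<'EOF'
  .                                   D        0  Sat Jul 13 10:00:00 2019
  ..                                  D        0  Sat Jul 13 10:00:00 2019
  example.com                         D        0  Sat Jul 13 10:00:00 2019

\example.com
  Policies                            D        0  Sat Jul 13 10:00:00 2019

\example.com\Policies
  {31B2F340-016D-11D2-945F-00C04FB984F9}      D        0  Sat Jul 13 10:00:00 2019

\example.com\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}
  GPT.INI                             A       22  Sat Jul 13 10:00:00 2019
  Machine                             D        0  Sat Jul 13 10:00:00 2019

\example.com\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine
  Registry.pol                        A     1234  Sat Jul 13 10:00:00 2019

                4194304 blocks of size 1024. 3000000 blocks available
EOF
}
sample_new() { cat <<'EOF'
  .                                   D        0  Sat Jul 13 16:40:00 2019
  ..                                  D        0  Sat Jul 13 16:40:00 2019
  example.com                         D        0  Sat Jul 13 10:00:00 2019

\example.com
  Policies                            D        0  Sat Jul 13 10:00:00 2019

\example.com\Policies
  {31B2F340-016D-11D2-945F-00C04FB984F9}      D        0  Sat Jul 13 10:00:00 2019

\example.com\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}
  GPT.INI                             A       23  Sat Jul 13 16:40:00 2019
  Machine                             D        0  Sat Jul 13 16:41:00 2019

\example.com\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine
  Registry.pol                        A     1234  Sat Jul 13 10:00:00 2019
  comment.cmt                         A       12  Sat Jul 13 16:41:00 2019

                4194304 blocks of size 1024. 2999998 blocks available
EOF
}
sample_fsmo() { cat <<'EOF'
SchemaMasterRole owner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
PdcEmulationMasterRole owner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
EOF
}

# Demo on the constructed samples; on a real DC use the captured files and
# "$(hostname -s)" instead of the literal dc1.
o=$(mktemp) ; n=$(mktemp) ; f=$(mktemp)
sample_old > "$o" ; sample_new > "$n" ; sample_fsmo > "$f"
is_pdc "$f" dc1 && echo "dc1 holds the PDC emulator role: nothing to pull there"
echo "files to fetch:" ; changed_files "$o" "$n"
echo "files to delete locally:" ; changed_files "$n" "$o"
rm -f "$o" "$n" "$f"
```

Each path printed by `changed_files` can then be pulled on its own with `smbclient ... -c 'get "<path>" "<local file>"'` (after creating the local directory) instead of a full `mget *`, and the reversed call gives what to remove locally; the `is_pdc` check belongs at the top of the script so the PDC emulator itself never overwrites its own sysvol. Keep in mind that a size/mtime comparison, like rsync's default, is only a change heuristic, and the ACL problem the post describes is not touched by this.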