[Samba] Syncing Sysvol

Joachim Lindenberg samba at lindenberg.one
Tue Jul 16 16:30:18 UTC 2019

>> Rsync without ssh is insecure. I'd definitely urge to discourage rsync without ssh on wiki.samba.org. And with ssh, rsync is imho a lot more
>> cumbersome to configure across a dynamic landscape.
>Why? SSH can be set up to use LDAP, for password auth, to pull SSH keys
>from it, or both.

See https://lists.samba.org/archive/samba/2019-July/224346.html, second paragraph. Without ssh, communication is unencrypted and the server is not authenticated.
I haven't checked details, but I assume password authentication with ldap is even less secure, as rsync then likely cannot do challenge/response authentication, implying an attacker can obtain your passwords.
Rsync with ssh public keys managed via ldaps (and trustworthy certificates) is likely a secure option, but I haven't seen a good tutorial on that. Even if possible, however – why not reuse the existing Kerberos authentication and SMB3?
