[Samba] rsync replication acl error

James B. Byrne byrnejb at harte-lyne.ca
Wed May 13 19:44:04 UTC 2020 


On Tue, May 12, 2020 09:46, Rowland penny wrote:

> One problem is that ZFS uses NFSv4ACLS and a Samba AD doesn't, it
> expects POSIX ACLS, there also is a possibility that xattr may be
> another problem.
>
> Try reading this:
>
> https://bugzilla.samba.org/show_bug.cgi?id=12912
>

I have worked with Timur on this very problem in the past.  And he has produced
in Samba-4.10.15 a version that will provision an AD DC inside a FreeBSD jail
using native ZFS.  FreeBSD Samba-4.10.15 DCs of this type may also be
successfully joined to the existing DOMAIN without error.

The problem I have is replication of the existing DC to the new ZFS based DCs. 
If I can get the sysvol and user data transferred successfully then the FSMO
roles will be transferred to one of the new DCs and the old DC (4.3) demoted
and removed from service.

Now, something is coming across because I can see this on a ZFS based DC:

[root at samba-02 ~ (master)]# getfacl
/var/db/samba4/sysvol/brockley-2016.harte-lyne.ca
# file: /var/db/samba4/sysvol/brockley-2016.harte-lyne.ca
# owner: root
# group: BUILTIN\administrators
group:BUILTIN\administrators:rwxpDdaARWcCo-:fd-----:allow
group:BUILTIN\users:r-x---a-R-c---:fd-----:allow
group:BUILTIN\guests:rwxpDdaARWcCo-:fd-----:allow
   group:\everyone:r-x---a-R-c---:fd-----:allow
            owner@:rwxp--aARWcCos:-------:allow
            group@:rwxp--a-R-c--s:-------:allow
         everyone@:------a-R-c--s:-------:allow

And the existing DC with the FSMO roles shows this:

[root at SAMBA-01 ~]# getfacl /var/db/samba4/sysvol/brockley-2016.harte-lyne.ca
# file: /var/db/samba4/sysvol/brockley-2016.harte-lyne.ca
# owner: root
# group: BUILTIN\administrators
user::rwx
user:root:rwx
user:BUILTIN\administrators:rwx
user:BUILTIN\server operators:r-x
user:3000002:rwx
user:3000003:r-x
group::rwx
group:BUILTIN\administrators:rwx
group:BUILTIN\server operators:r-x
group:3000002:rwx
group:3000003:r-x
mask::rwx
other::---

samba-01 (DC1) is the primary DC, for want of a better term, and runs
samba-4.3.13_2. samab-02 (DC2) and samba-03 (DC3) are the replacement DCs that
have been joined to the DOMAIN.

If I can be certain that everything need has indeed come across form DC1 to DC2
then I can start the process of moving the FSMOs. It may be that rsync is just
throwing a hissy fit over some non-essential flag.  But I can hardly take that
chance on a live domain with only a single DC remaining.

Thank you for your time and attention.

-- 
***          e-Mail is NOT a SECURE channel          ***
        Do NOT transmit sensitive data via e-Mail
 Do NOT open attachments nor follow links sent by e-Mail

James B. Byrne                mailto:ByrneJB at Harte-Lyne.ca
Harte & Lyne Limited          http://www.harte-lyne.ca
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada  L8E 3C3

More information about the samba mailing list