[Samba] SYSVOL ACL errors after rsync replication

Michal Sládek michal at sladkovi.eu
Sat Oct 8 13:53:20 UTC 2022


Hello Rowland!

Now I have both AD servers identical:

Rocky Linux release 8.6 (Green Obsidian)
samba-4.16.5-0.el8.x86_64 (from Tranquil IT repo)

and the problem persists:

[root@ads1 /]# samba-tool ntacl sysvolcheck

[root@ads2 ~]# samba-tool ntacl sysvolreset
[root@ads2 ~]# samba-tool ntacl sysvolcheck
[root@ads2 ~]# rsync -XAavz --delete-after --password-file=/etc/samba/rsync.passwd rsync://sysvolrepuser@192.168.222.111/SysVol/ /var/lib/samba/sysvol/
[root@ads2 ~]# samba-tool ntacl sysvolcheck
ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception - ProvisioningError: VFS ACL on sysvol directory /var/lib/samba/sysvol/ad.brotel.cz O:LAG:BAD:(A;;0x001f01ff;;;LA)(A;;0x001f01ff;;;BA)(A;;;;;WD)(A;OICIIO;0x001f01ff;;;CO)(A;OICIIO;0x001200a9;;;CG)(A;OICIIO;0x001200a9;;;WD) does not match expected value O:LAG:BAD:P(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;SO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU) from provision
  File "/usr/lib64/python3.6/site-packages/samba/netcmd/__init__.py", line 186, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib64/python3.6/site-packages/samba/netcmd/ntacl.py", line 446, in run
    lp)
  File "/usr/lib64/python3.6/site-packages/samba/provision/__init__.py", line 1873, in checksysvolacl
    raise ProvisioningError('%s ACL on sysvol directory %s %s does not match expected value %s from provision' % (acl_type(direct_db_access), dir_path, fsacl_sddl, SYSVOL_ACL))

Rsyncd configuration on ads1 is:

[SysVol]
path = /var/lib/samba/sysvol/
comment = Samba Sysvol Share
uid = root
gid = root
read only = yes
auth users = sysvolrepuser
secrets file = /etc/samba/rsyncd.secret

Should I just add sysvolreset to rsync command in cron and let it be?
*/5 * * * *     rsync -XAavz --delete-after --password-file=/etc/samba/rsync.passwd rsync://sysvolrepuser@192.168.222.111/SysVol/ /var/lib/samba/sysvol/ && samba-tool ntacl sysvolreset

Best regards

Michal
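
Added example, not part of the original message and not Samba's own code: a short Python script that parses the two SDDL strings from the sysvolcheck error above and lists which DACL flags and ACEs differ between the ACL on disk and the expected one. The names in TRUSTEES are the standard SDDL SID aliases; the parser is an assumption-limited sketch that handles only the owner/group/DACL form seen in this error (no SACL).

```python
import re

# SDDL strings copied from the sysvolcheck error quoted in the message above.
ACTUAL = ("O:LAG:BAD:(A;;0x001f01ff;;;LA)(A;;0x001f01ff;;;BA)(A;;;;;WD)"
          "(A;OICIIO;0x001f01ff;;;CO)(A;OICIIO;0x001200a9;;;CG)(A;OICIIO;0x001200a9;;;WD)")
EXPECTED = ("O:LAG:BAD:P(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;SO)"
            "(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)")

# Standard SDDL SID aliases that occur in the two strings.
TRUSTEES = {"LA": "Administrator", "BA": "BUILTIN\\Administrators", "WD": "Everyone",
            "CO": "Creator Owner", "CG": "Creator Group", "SO": "Server Operators",
            "SY": "SYSTEM", "AU": "Authenticated Users"}

# Owner, group, DACL flags (e.g. P = protected) and the ACE list; no SACL support.
SDDL_RE = re.compile(r"^O:(?P<owner>.+?)G:(?P<group>.+?)D:(?P<flags>[A-Z]*)"
                     r"(?P<aces>(?:\([^()]*\))*)$")

def parse_sddl(sddl):
    """Split an SDDL string into owner, group, DACL flags and a set of ACE tuples."""
    m = SDDL_RE.match(sddl.strip())
    if m is None:
        raise ValueError("unsupported SDDL string: %r" % sddl)
    aces = set()
    for body in re.findall(r"\(([^()]*)\)", m.group("aces")):
        fields = body.split(";")
        if len(fields) != 6:  # type;flags;rights;object;inherited object;trustee
            raise ValueError("malformed ACE: (%s)" % body)
        ace_type, ace_flags, rights, _obj, _inh_obj, trustee = fields
        aces.add((trustee, ace_type, ace_flags, rights))
    return {"owner": m.group("owner"), "group": m.group("group"),
            "flags": m.group("flags"), "aces": aces}

def diff_sddl(actual, expected):
    """Return what differs between the ACL on disk and the expected one."""
    a, e = parse_sddl(actual), parse_sddl(expected)
    return {"owner_differs": a["owner"] != e["owner"],
            "group_differs": a["group"] != e["group"],
            "dacl_flags": (a["flags"], e["flags"]),
            "unexpected": sorted(a["aces"] - e["aces"]),
            "missing": sorted(e["aces"] - a["aces"])}

if __name__ == "__main__":
    d = diff_sddl(ACTUAL, EXPECTED)
    print("DACL flags: on disk %r, expected %r" % d["dacl_flags"])
    for label in ("unexpected", "missing"):
        for trustee, ace_type, ace_flags, rights in d[label]:
            print("%-10s %-24s type=%s flags=%-6s rights=%s" % (
                label, TRUSTEES.get(trustee, trustee), ace_type, ace_flags or "-", rights or "-"))
```

Running it on the two strings shows that owner and group already match, while the DACL on disk lacks the P flag and shares no ACE with the expected list.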

