[Samba] SYSVOL ACL errors after rsync replication

Miguel Medalha medalist at sapo.pt
Sat Oct 8 22:03:15 UTC 2022


Maybe I am wrong, but there seems to be a problem with rsync regarding the copying of ACLs and Extended Attributes.

Choose some test file containing both POSIX ACLs and the security.NTACL extended attribute used by Samba and check its permissions:

getfattr -n security.NTACL /usr/local/samba/var/sysvol/mydomain.com/testfile
getfattr: Removing leading '/' from absolute path names
# file: usr/local/samba/var/sysvol/mydomain.com/testfile
security.NTACL=0sAwADAAAAAgAEAAIAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABABSRZAAAAIAAAAAAAAAAnAAAAAEFAAAAAAAFFQAAAPv9/VDMAuwhJ0bLEQACAAABBQAAAAAABRUAAAD7/f1QzALsISdGyxEAAgAABADoAAgAAAAACxQA/wEfAAEBAAAAAAADAAAAAAADFACpABIAAQEAAAAAAAULAAAAAAMUAP8BHwABAQAAAAAABRIAAAAAAyQAqQASAAEFAAAAAAAFFQAAAPv9/VDMAuwhJ0bLEV8EAAAAAyQA/wEfAAEFAAAAAAAFFQAAAPv9/VDMAuwhJ0bLEQACAAAAAyQAqQASAAEFAAAAAAAFFQAAAPv9/VDMAuwhJ0bLEQMCAAAAAyQA/wEfAAEFAAAAAAAFFQAAAPv9/VDMAuwhJ0bLEQcCAAAAAxQAqQASAAEBAAAAAAAFCQAAAA==

getfacl /usr/local/samba/var/sysvol/mydomain.com/testfile
getfacl: Removing leading '/' from absolute path names
# file: usr/local/samba/var/sysvol/mydomain.com/testfile
# owner: 3000008
# group: CIMBAL\134domain\040admins
user::rwx
user:3000000:rwx
user:3000001:r-x
user:3000002:rwx
user:3000003:r-x
group::---
group:BUILTIN\134administrators:rwx
group:BUILTIN\134server\040operators:r-x
group:3000002:rwx
group:3000003:r-x
mask::rwx
other::---


Now, let's do the following on the destination file:

rsync -XAaz --delete-after (etc etc)

getfattr -n security.NTACL /usr/local/samba/var/sysvol/mydomain.com/testfile
getfattr: Removing leading '/' from absolute path names
# file: usr/local/samba/var/sysvol/mydomain.com/testfile
security.NTACL=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

getfacl /usr/local/samba/var/sysvol/mydomain.com/testfile
getfacl: Removing leading '/' from absolute path names
# file: usr/local/samba/var/sysvol/mydomain.com/testfile
# owner: 3000008
# group: CIMBAL\134domain\040admins


Now, let's remove the X from the rsync command:

rsync -Aaz --delete-after (etc etc)

getfattr -n security.NTACL /usr/local/samba/var/sysvol/mydomain.com/testfile
getfattr: Removing leading '/' from absolute path names
# file: usr/local/samba/var/sysvol/mydomain.com/testfile
security.NTACL=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


getfacl /usr/local/samba/var/sysvol/mydomain.com/testfile
getfacl: Removing leading '/' from absolute path names
# file: usr/local/samba/var/sysvol/mydomain.com/testfile
# owner: 3000008
# group: CIMBAL\134domain\040admins
user::rwx
user:3000000:rwx
user:3000001:r-x
user:3000002:rwx
user:3000003:r-x
group::---
group:BUILTIN\134administrators:rwx
group:BUILTIN\134server\040operators:r-x
group:3000002:rwx
group:3000003:r-x
mask::rwx
other::---


Let's do the X again:

rsync -Xaz --delete-after (etc etc)

getfacl -d /usr/local/samba/var/sysvol/mydomain.com/testfile
getfacl: Removing leading '/' from absolute path names
# file: usr/local/samba/var/sysvol/mydomain.com/testfile
# owner: 3000008
# group: CIMBAL\134domain\040admins


Either I am doing something wrong or the rsync command to preserve extended attributes removes the POSIX ACLs for the file. The other way around, A after X, causes no problem.

I ended up stacking two rsync commands to do a proper sysvol synchronization:

rsync -Xaz (etc etc)
rsync -Aaz --delete-after (etc etc)


If this is indeed a problem with rsync, I suppose it would deserve some attention from the rsync developers.
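
A post-sync check for the symptom described in this message, as an added example that is not part of the original post: it parses `getfacl` and `getfattr` output captured on the source and on the replica and reports lost POSIX ACL entries or a changed `security.NTACL`. The function names are hypothetical, the source ACL is the one shown in the post, and the `security.NTACL` value is a constructed placeholder.

```python
import re

# getfacl output for the source file, copied from the post above.
SRC_ACL = r"""getfacl: Removing leading '/' from absolute path names
# file: usr/local/samba/var/sysvol/mydomain.com/testfile
# owner: 3000008
# group: CIMBAL\134domain\040admins
user::rwx
user:3000000:rwx
user:3000001:r-x
user:3000002:rwx
user:3000003:r-x
group::---
group:BUILTIN\134administrators:rwx
group:BUILTIN\134server\040operators:r-x
group:3000002:rwx
group:3000003:r-x
mask::rwx
other::---
"""
# Replica after the -X run, as shown in the post: only the header lines remain.
DST_ACL = "\n".join(SRC_ACL.splitlines()[:4])
# Constructed placeholder getfattr output, not a real NT ACL blob.
ATTR = "# file: testfile\nsecurity.NTACL=0sQ09OU1RSVUNURUQ=\n"

def parse_getfacl(text):
    """Split getfacl output for one file into (headers, entries)."""
    headers, entries = {}, set()
    for line in map(str.strip, text.splitlines()):
        m = re.match(r"#\s*(file|owner|group):\s*(.*)", line)
        if m:
            headers[m.group(1)] = m.group(2)
        elif line and not line.startswith(("#", "getfacl:")):
            entries.add(line.split("#")[0].strip())  # drop "#effective:" notes
    return headers, entries

def parse_ntacl(text):
    m = re.search(r"^security\.NTACL=(\S+)", text, re.MULTILINE)
    return m.group(1) if m else None

def check_replica(src_acl, dst_acl, src_attr, dst_attr):
    """Return the differences that matter for a SYSVOL replica."""
    (src_hdr, src_ent), (dst_hdr, dst_ent) = parse_getfacl(src_acl), parse_getfacl(dst_acl)
    problems = [f"{k} differs" for k in ("owner", "group") if src_hdr.get(k) != dst_hdr.get(k)]
    if src_ent != dst_ent:
        problems.append(f"POSIX ACL: {len(src_ent - dst_ent)} missing, {len(dst_ent - src_ent)} extra")
    if parse_ntacl(src_attr) != parse_ntacl(dst_attr):
        problems.append("security.NTACL differs or is missing")
    return problems
```

Feed it the output of `getfacl` and `getfattr -n security.NTACL` captured on both hosts after each sync; an empty list means the replica matches on owner, group, POSIX ACL entries and NT ACL.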




