[Samba] SYSVOL ACL errors after rsync replication

Miguel Medalha medalist at sapo.pt
Sat Oct 8 22:58:46 UTC 2022


> (...)
> Either I am doing something wrong or the rsync command to preserve extended attributes removes the Posix ACLs for the file. The other way around , A after X, causes no problem.
> If this is indeed a problem with rsync, I suppose it would deserve some attention from the rsync developpers.

For completeness, let's see what happens when we dump all extended attributes:

getfattr -d -m - /usr/local/samba/var/sysvol/ mydomain.com/testfile
getfattr: Removing leading '/' from absolute path names
# file: usr/local/samba/var/sysvol/lan.cimbal.pt/test
security.NTACL=0sAwADAAAAAgAEAAIAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABABSRZAAAAIAAAAAAAAAAnAAAAAEFAAAAAAAFFQAAAPv9/VDMAuwhJ0bLEQACAAABBQAAAAAABRUAAAD7/f1QzALsISdGyxEAAgAABADoAAgAAAAACxQA/wEfAAEBAAAAAAADAAAAAAADFACpABIAAQEAAAAAAAULAAAAAAMUAP8BHwABAQAAAAAABRIAAAAAAyQAqQASAAEFAAAAAAAFFQAAAPv9/VDMAuwhJ0bLEV8EAAAAAyQA/wEfAAEFAAAAAAAFFQAAAPv9/VDMAuwhJ0bLEQACAAAAAyQAqQASAAEFAAAAAAAFFQAAAPv9/VDMAuwhJ0bLEQMCAAAAAyQA/wEfAAEFAAAAAAAFFQAAAPv9/VDMAuwhJ0bLEQcCAAAAAxQAqQASAAEBAAAAAAAFCQAAAA==
system.posix_acl_access=0sAgAAAAEABwD/////AgAHAMDGLQACAAUAwcYtAAIABwDCxi0AAgAFAMPGLQAEAAAA/////wgABwDAxi0ACAAFAMHGLQAIAAcAwsYtAAgABQDDxi0AEAAHAP////8gAAAA/////w==
system.posix_acl_default=0sAgAAAAEABwD/////AgAHAMDGLQACAAUAwcYtAAIABwDCxi0AAgAFAMPGLQAEAAAA/////wgABwDAxi0ACAAFAMHGLQAIAAcAwsYtAAgABQDDxi0AEAAHAP////8gAAAA/////w==
trusted.SGI_ACL_DEFAULT=0sAAAADAAAAAH/////AAcAAAAAAAIALcbAAAcAAAAAAAIALcbBAAUAAAAAAAIALcbCAAcAAAAAAAIALcbDAAUAAAAAAAT/////AAAAAAAAAAgALcbAAAcAAAAAAAgALcbBAAUAAAAAAAgALcbCAAcAAAAAAAgALcbDAAUAAAAAABD/////AAcAAAAAACD/////AAAAAA==
trusted.SGI_ACL_FILE=0sAAAADAAAAAH/////AAcAAAAAAAIALcbAAAcAAAAAAAIALcbBAAUAAAAAAAIALcbCAAcAAAAAAAIALcbDAAUAAAAAAAT/////AAAAAAAAAAgALcbAAAcAAAAAAAgALcbBAAUAAAAAAAgALcbCAAcAAAAAAAgALcbDAAUAAAAAABD/////AAcAAAAAACD/////AAAAAA==
user.DOSATTRIB=0sMHgxMAAAAwADAAAAEQAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHVrTlUqzdgBAAAAAAAAAAA=

Other than ' security.NTACL' and ' user.DOSATTRIB', used by Samba,  note the presence of the following extended attributes:

system.posix_acl_access
system.posix_acl_default
trusted.SGI_ACL_DEFAULT
trusted.SGI_ACL_FILE

After the use of rsync with the -AX parameter:

getfattr -d -m - /usr/local/samba/var/sysvol/mydomain.com/testfile
getfattr: Removing leading '/' from absolute path names
# file: usr/local/samba/var/sysvol/lan.cimbal.pt/test
security.NTACL=0sAwADAAAAAgAEAAIAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABABSRZAAAAIAAAAAAAAAAnAAAAAEFAAAAAAAFFQAAAPv9/VDMAuwhJ0bLEQACAAABBQAAAAAABRUAAAD7/f1QzALsISdGyxEAAgAABADoAAgAAAAACxQA/wEfAAEBAAAAAAADAAAAAAADFACpABIAAQEAAAAAAAULAAAAAAMUAP8BHwABAQAAAAAABRIAAAAAAyQAqQASAAEFAAAAAAAFFQAAAPv9/VDMAuwhJ0bLEV8EAAAAAyQA/wEfAAEFAAAAAAAFFQAAAPv9/VDMAuwhJ0bLEQACAAAAAyQAqQASAAEFAAAAAAAFFQAAAPv9/VDMAuwhJ0bLEQMCAAAAAyQA/wEfAAEFAAAAAAAFFQAAAPv9/VDMAuwhJ0bLEQcCAAAAAxQAqQASAAEBAAAAAAAFCQAAAA==
user.DOSATTRIB=0sMHgxMAAAAwADAAAAEQAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHVrTlUqzdgBAAAAAAAAAAA=

Only the attributes ' security.NTACL' and ' user.DOSATTRIB' remain.


I tried this with rsync versions 3.0.6, 3.1.2, 3.2.3, and 3.2.5, always with the same result.





More information about the samba mailing list