[Samba] SYSVOL ACL errors after rsync replication

Rowland Penny rpenny at samba.org
Sun Oct 9 08:19:57 UTC 2022



On 08/10/2022 23:58, Miguel Medalha via samba wrote:
>> (...)
>> Either I am doing something wrong or the rsync command to preserve extended attributes removes the Posix ACLs for the file. The other way around, A after X, causes no problem.
>> If this is indeed a problem with rsync, I suppose it would deserve some attention from the rsync developers.
> 
> For completeness, let's see what happens when we dump all extended attributes:
> 
> getfattr -d -m - /usr/local/samba/var/sysvol/mydomain.com/testfile
> getfattr: Removing leading '/' from absolute path names
> # file: usr/local/samba/var/sysvol/lan.cimbal.pt/test
> security.NTACL=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
> system.posix_acl_access=0sAgAAAAEABwD/////AgAHAMDGLQACAAUAwcYtAAIABwDCxi0AAgAFAMPGLQAEAAAA/////wgABwDAxi0ACAAFAMHGLQAIAAcAwsYtAAgABQDDxi0AEAAHAP////8gAAAA/////w==
> system.posix_acl_default=0sAgAAAAEABwD/////AgAHAMDGLQACAAUAwcYtAAIABwDCxi0AAgAFAMPGLQAEAAAA/////wgABwDAxi0ACAAFAMHGLQAIAAcAwsYtAAgABQDDxi0AEAAHAP////8gAAAA/////w==
> trusted.SGI_ACL_DEFAULT=0sAAAADAAAAAH/////AAcAAAAAAAIALcbAAAcAAAAAAAIALcbBAAUAAAAAAAIALcbCAAcAAAAAAAIALcbDAAUAAAAAAAT/////AAAAAAAAAAgALcbAAAcAAAAAAAgALcbBAAUAAAAAAAgALcbCAAcAAAAAAAgALcbDAAUAAAAAABD/////AAcAAAAAACD/////AAAAAA==
> trusted.SGI_ACL_FILE=0sAAAADAAAAAH/////AAcAAAAAAAIALcbAAAcAAAAAAAIALcbBAAUAAAAAAAIALcbCAAcAAAAAAAIALcbDAAUAAAAAAAT/////AAAAAAAAAAgALcbAAAcAAAAAAAgALcbBAAUAAAAAAAgALcbCAAcAAAAAAAgALcbDAAUAAAAAABD/////AAcAAAAAACD/////AAAAAA==
> user.DOSATTRIB=0sMHgxMAAAAwADAAAAEQAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHVrTlUqzdgBAAAAAAAAAAA=
> 
> Other than 'security.NTACL' and 'user.DOSATTRIB', used by Samba, note the presence of the following extended attributes:
> 
> system.posix_acl_access
> system.posix_acl_default
> trusted.SGI_ACL_DEFAULT
> trusted.SGI_ACL_FILE
> 
> After the use of rsync with the -AX parameter:
> 
> getfattr -d -m - /usr/local/samba/var/sysvol/mydomain.com/testfile
> getfattr: Removing leading '/' from absolute path names
> # file: usr/local/samba/var/sysvol/lan.cimbal.pt/test
> security.NTACL=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
> user.DOSATTRIB=0sMHgxMAAAAwADAAAAEQAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHVrTlUqzdgBAAAAAAAAAAA=
> 
> Only the attributes 'security.NTACL' and 'user.DOSATTRIB' remain.
> 
> 
> I tried this with rsync versions 3.0.6, 3.1.2, 3.2.3, and 3.2.5, always with the same result.
> 
> 

You originally talked about the output from sysvolcheck giving errors, 
but now you are talking about output lower down the security chain.

The permissions for sysvol are stored in three places: the normal Linux 
'ugo' permissions, the extended attr shown by getfacl and an EA that 
getfattr shows. A better (more readable) way of showing the EA 
permissions is by using samba-tool:

sudo samba-tool ntacl get /var/lib/samba/sysvol --as-sddl

O:LAG:BAD:P(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;SO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)

Which you might find familiar.

Rowland
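
Added example, not part of the thread and not code from Samba or rsync: it decodes the system.posix_acl_access value quoted above into getfacl-style entries and compares the attribute names of two getfattr dumps to show what a copy dropped. The function names and the shortened BEFORE/AFTER dumps are constructed for illustration; the layout assumed is the Linux version 2 POSIX ACL xattr format (32-bit version, then 8-byte tag/perm/id entries, little-endian).

```python
import base64
import struct

# Entry tags of the Linux POSIX ACL xattr format (version 2, little-endian).
TAGS = {0x01: "user", 0x02: "user", 0x04: "group", 0x08: "group",
        0x10: "mask", 0x20: "other"}
NO_ID = 0xFFFFFFFF  # id of entries that name no uid/gid (owner, mask, other)

# system.posix_acl_access value quoted in the message above ("0s" = base64).
BEFORE_ACL = (
    "0sAgAAAAEABwD/////AgAHAMDGLQACAAUAwcYtAAIABwDCxi0AAgAFAMPGLQAEAAAA"
    "/////wgABwDAxi0ACAAFAMHGLQAIAAcAwsYtAAgABQDDxi0AEAAHAP////8gAAAA"
    "/////w=="
)

def decode_posix_acl(value):
    """Turn a getfattr '0s...' POSIX ACL value into getfacl-style lines."""
    if not value.startswith("0s"):
        raise ValueError("expected getfattr base64 encoding (0s prefix)")
    raw = base64.b64decode(value[2:], validate=True)
    if len(raw) < 4 or (len(raw) - 4) % 8:
        raise ValueError("truncated POSIX ACL xattr")
    if struct.unpack_from("<I", raw)[0] != 2:
        raise ValueError("unsupported POSIX ACL xattr version")
    lines = []
    for off in range(4, len(raw), 8):
        tag, perm, qid = struct.unpack_from("<HHI", raw, off)
        if tag not in TAGS:
            raise ValueError(f"unknown ACL tag {tag:#x}")
        who = "" if qid == NO_ID else str(qid)
        bits = "".join(c if perm & m else "-" for c, m in zip("rwx", (4, 2, 1)))
        lines.append(f"{TAGS[tag]}:{who}:{bits}")
    return lines

def attr_names(dump):
    """Attribute names in `getfattr -d -m -` output (name=value lines)."""
    return {line.split("=", 1)[0] for line in dump.splitlines()
            if "=" in line and not line.startswith("#")}

# Constructed dumps: attribute names as in the message, values shortened.
BEFORE = ("# file: testfile\nsecurity.NTACL=0sAA==\n"
          "system.posix_acl_access=0sAA==\nuser.DOSATTRIB=0sAA==")
AFTER = "# file: testfile\nsecurity.NTACL=0sAA==\nuser.DOSATTRIB=0sAA=="

if __name__ == "__main__":
    print("\n".join(decode_posix_acl(BEFORE_ACL)))
    print("lost after copy:", sorted(attr_names(BEFORE) - attr_names(AFTER)))
```

The numeric ids in the decoded entries are the uid/gid values stored in the xattr; mapping them back to names depends on the local ID mapping of the DC.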




