[Samba] SYSVOL ACL errors after rsync replication
Miguel Medalha
medalist at sapo.pt
Sun Oct 9 14:21:27 UTC 2022
> You originally talked about the output from sysvolcheck giving errors,
> but now you are talking about output lower down the security chain.
I am not the original poster. I posted this information because I thought it might be related to OP's problems.
> The permissions for sysvol are stored in three places, the normal Linux
> 'ugo' permissions, the extended attr shown by getfacl and an EA that
> getfattr shows. A better (more readable) way of showing the EA
> permissions is by using samba-tool:
> sudo samba-tool ntacl get /var/lib/samba/sysvol --as-sddl
> O:LAG:BAD:P(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;SO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)
I am aware of that. What happens is that if you use rsync to synchronize sysvol, you cannot use -AX in the same command, otherwise the extended attributes holding the POSIX ACLs are erased.
On further searching, I found a report relating this to rsyncing from EXT4 to XFS, which coincidentally was my case.
rsync -AX as root between ext4 and xfs can drop ACLs on the target
https://github.com/WayneD/rsync/issues/301
I will investigate further, by trying rsync with -AX between two XFS filesystems.
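
Added example, not part of the original post and not Samba code: one way to check the NT ACL layer after replication is to compare, ACE by ACE, the SDDL that `samba-tool ntacl get --as-sddl` prints on each DC. It assumes the owner/group/DACL layout with hex masks seen in the quoted output; the `DRIFTED` string and all function names are constructed for illustration.

```python
import re

# SDDL SID aliases and access masks that occur in the sysvol ACL quoted above.
SID_ALIASES = {
    "LA": "Administrator (RID 500)",
    "BA": "BUILTIN\\Administrators",
    "SO": "BUILTIN\\Server Operators",
    "SY": "NT AUTHORITY\\SYSTEM",
    "AU": "NT AUTHORITY\\Authenticated Users",
}
MASKS = {0x001F01FF: "full control", 0x001200A9: "read & execute"}

# Assumption: owner, group and DACL only, in that order (no SACL), as on the page.
SDDL_RE = re.compile(
    r"^O:(?P<owner>.+?)G:(?P<group>.+?)D:(?P<flags>[A-Z]*)(?P<aces>(?:\([^)]*\))*)$"
)

def parse_sddl(sddl):
    """Split an SDDL string into owner, group, DACL flags and a set of ACEs."""
    m = SDDL_RE.match(sddl.strip())
    if not m:
        raise ValueError("unsupported SDDL layout: " + sddl)
    aces = set()
    for body in re.findall(r"\(([^)]*)\)", m["aces"]):
        fields = body.split(";")
        if len(fields) != 6:
            raise ValueError("malformed ACE: " + body)
        ace_type, flags, mask, _obj, _inherit_obj, trustee = fields
        aces.add((ace_type, flags, int(mask, 16), trustee))  # hex masks only
    return {"owner": m["owner"], "group": m["group"],
            "dacl_flags": m["flags"], "aces": aces}

def describe(ace):
    ace_type, flags, mask, trustee = ace
    return "{};{};{};{}".format(ace_type, flags, MASKS.get(mask, hex(mask)),
                                SID_ALIASES.get(trustee, trustee))

def diff_sddl(reference, candidate):
    """Return human-readable differences between two SDDL strings."""
    ref, cand = parse_sddl(reference), parse_sddl(candidate)
    findings = ["{}: {} -> {}".format(k, ref[k], cand[k])
                for k in ("owner", "group", "dacl_flags") if ref[k] != cand[k]]
    findings += ["missing ACE " + describe(a) for a in sorted(ref["aces"] - cand["aces"])]
    findings += ["extra ACE " + describe(a) for a in sorted(cand["aces"] - ref["aces"])]
    return findings

# REFERENCE is the string from the post; DRIFTED is constructed (AU entry removed).
REFERENCE = "O:LAG:BAD:P(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;SO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)"
DRIFTED = "O:LAG:BAD:P(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;SO)(A;OICI;0x001f01ff;;;SY)"
```

An empty list from `diff_sddl` means the two descriptors match; it says nothing about the POSIX ACL or 'ugo' layers, which need their own comparison with getfacl and stat.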