[Samba] SYSVOL ACL errors after rsync replication

Miguel Medalha medalist at sapo.pt
Sun Oct 9 14:21:27 UTC 2022

> You originally talked about the output from sysvolcheck giving errors, 
> but now you are talking about output lower down the security chain.

I am not the original poster. I posted this information because I thought it might be related to OP's problems. 

> The permissions for sysvol are stored in three places, the normal Linux 
> 'ugo' permissions, the extended attr shown by getfacl and an EA that 
> getfattr shows. A better (more readable) way of showing the EA 
> permissions is by using samba-tool:

> sudo samba-tool ntacl get /var/lib/samba/sysvol --as-sddl

> O:LAG:BAD:P(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;SO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)

I am aware of that. What happens is that if you use rsync to synchronize sysvol, you cannot use -AX in the same command, otherwise the extended attributes holding the POSIX ACLs are erased.

On further searching, I found a report relating this to rsyncing from EXT4 to XFS, which coincidentally was my case.

rsync -AX as root between ext4 and xfs can drop ACLs on the target

I will investigate further, by trying rsync with -AX between two XFS filesystems.
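
Added example, not part of the original post or of Samba's own code: a small Python check that parses the `--as-sddl` output quoted above and reports which ACEs differ between a reference copy of sysvol and a replica. `REFERENCE` is the string from the quoted message; `REPLICA` is a constructed sample, and the function names are hypothetical. Only the DACL part is handled.

```python
import re

# Aliases and access masks that appear in the SDDL string quoted in the message.
TRUSTEES = {"LA": "Local Administrator", "BA": "Builtin Administrators",
            "SO": "Server Operators", "SY": "Local System",
            "AU": "Authenticated Users"}
RIGHTS = {0x001F01FF: "full control", 0x001200A9: "read and execute"}
SDDL_RE = re.compile(r"^O:(?P<owner>.+?)G:(?P<group>.+?)D:(?P<flags>[A-Z]*)"
                     r"(?P<aces>(?:\([^)]*\))*)")

REFERENCE = ("O:LAG:BAD:P(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;SO)"
             "(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)")  # from the post
REPLICA = ("O:LAG:BAD:P(A;OICI;0x1f01ff;;;BA)(A;OICI;0x001200a9;;;SO)"
           "(A;OICI;0x001f01ff;;;SY)")  # constructed: AU entry missing

def parse_sddl(sddl):
    """Split owner, group, DACL flags and ACEs out of an SDDL string."""
    m = SDDL_RE.match(sddl.strip())
    if not m:
        raise ValueError("not an SDDL string with O:, G: and D: parts")
    aces = []
    for body in re.findall(r"\(([^)]*)\)", m.group("aces")):
        fields = body.split(";")
        if len(fields) < 6:
            raise ValueError("malformed ACE: (%s)" % body)
        ace_type, flags, rights, _obj, _inherit_obj, trustee = fields[:6]
        # Normalise hex masks so 0x1f01ff and 0x001f01ff compare equal.
        mask = int(rights, 16) if rights.lower().startswith("0x") else rights
        aces.append((ace_type, flags, mask, trustee))
    return {"owner": m.group("owner"), "group": m.group("group"),
            "protected": "P" in m.group("flags"), "aces": aces}

def describe(ace):
    """Render one parsed ACE in readable form."""
    ace_type, flags, mask, trustee = ace
    kind = {"A": "allow", "D": "deny"}.get(ace_type, ace_type)
    return "%s %s to %s (inherit flags: %s)" % (
        kind, RIGHTS.get(mask, mask), TRUSTEES.get(trustee, trustee), flags or "none")

def dacl_drift(reference_sddl, replica_sddl):
    """Return (missing ACEs, extra ACEs, changed header fields) for the replica."""
    ref, rep = parse_sddl(reference_sddl), parse_sddl(replica_sddl)
    missing = [a for a in ref["aces"] if a not in rep["aces"]]
    extra = [a for a in rep["aces"] if a not in ref["aces"]]
    header = [k for k in ("owner", "group", "protected") if ref[k] != rep[k]]
    return missing, extra, header

if __name__ == "__main__":
    for ace in dacl_drift(REFERENCE, REPLICA)[0]:
        print("missing on replica:", describe(ace))
```

This compares only the NT ACL that `samba-tool ntacl get` reports; the POSIX ACL and the `ugo` bits mentioned in the quoted text need their own comparison with `getfacl` and `stat`.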
