[Samba] New sysvol script for dynamic sysvol replication
Kees van Vloten
keesvanvloten at gmail.com
Sun Jun 16 10:10:13 UTC 2024
On 16-06-2024 09:31, Rowland Penny via samba wrote:
> On Fri, 14 Jun 2024 22:58:51 +0000
> Darin via samba <samba at lists.samba.org> wrote:
>
>>
>>
>> Hello,
>>
>> I have written a python script that does sysvol replication
>> dynamically with DNS queries to find the PDC Emulator master and
>> syncing over SMB. It is not terribly complex but if you run it on
>> every domain controller it will allow you to seamlessly transfer
>> roles without making a bunch of changes on each domain controller. It
>> also should be fairly secure as it uses SMB. I initially was going to
>> use the Gnome virtual file system (GVFS) but it ended up being too
>> complex to implement in a small script. I hope this is useful for
>> someone.
>>
>> https://codeberg.org/darin755/Linux-AD/src/branch/main/sysvolrepl
>>
>> Thank you,
>>
>> Darin
>>
> After a quick scan of your code, I feel that I must point out that it
> would be better using kerberos instead of a credentials file.
>
> Rowland
>
I had a look as well, I like the idea of using SMB as the carrier for
replication.
I agree with Rowland that using Kerberos is a good idea. The keytab is
already available; it makes the connection passwordless, and there is no
need for a separate service account.
Another thing is permissions: I am using Posix-ACLs on the GPOs in
sysvol and I want them to be the same on the target side after
replication. I don't want them to be converted into NT-ACLs on target. I
have not tested the code to check what happens on the so I cannot be
sure in my statement. However, I would expect that, without SMB
Unix-extensions, the replication of Posix-ACLs to Posix-ACLs might be an
issue.
- Kees.
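A check for the ACL concern raised above, as an added example that is not part of this thread or of Darin's script: it assumes `getfacl -R` output has been captured on the source DC and on the replication target (the sample output below is constructed) and reports, per path, which POSIX ACL entries did not survive the sync.

```python
# Added example, not from the thread or Darin's script: diff POSIX ACLs of a
# source and target sysvol from the text of `getfacl -R` captured on each DC.

def parse_getfacl(text):
    """Map each '# file:' path to its ACL lines plus the owner/group headers."""
    acls, path, entries = {}, None, set()
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("# file:"):
            if path is not None:
                acls[path] = frozenset(entries)
            path, entries = line[len("# file:"):].strip(), set()
        elif line.startswith("# owner:") or line.startswith("# group:"):
            entries.add(line[2:])  # ownership changes are reported too
        elif not line or line.startswith("#"):
            continue  # blank separators and other getfacl comments
        elif path is not None:
            entries.add(line)  # e.g. "group:gpo-admins:rwx", "default:mask::rwx"
    if path is not None:
        acls[path] = frozenset(entries)
    return acls

def acl_diff(source_text, target_text):
    """Return {path: (missing_on_target, extra_on_target)} for differing paths."""
    src, dst = parse_getfacl(source_text), parse_getfacl(target_text)
    report = {}
    for path in sorted(src.keys() | dst.keys()):
        s, d = src.get(path, frozenset()), dst.get(path, frozenset())
        if s != d:  # a path present on only one side lists all its entries
            report[path] = (sorted(s - d), sorted(d - s))
    return report

# Constructed sample: on the target the GPO directory has lost the extra
# group entries (including the default entry) and its mask was narrowed.
SOURCE_ACL = """\
# file: Policies/{example-gpo}
# owner: root
# group: root
user::rwx
group::r-x
group:gpo-admins:rwx
mask::rwx
other::r-x
default:group:gpo-admins:rwx
"""
TARGET_ACL = (SOURCE_ACL.replace("\ngroup:gpo-admins:rwx", "")
              .replace("\ndefault:group:gpo-admins:rwx", "")
              .replace("mask::rwx", "mask::r-x"))
```

Run `acl_diff` on the two captures after a sync; an empty report means every path carries identical entries and ownership on both sides.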