On 21.06.2016 at 10:41, lists wrote:
> Hi Achim,
>
> On 21-6-2016 0:01, Achim Gottinger wrote:
>> Hi MJ and Rowland,
>>
>> I did a bit of testing last week (two Debian jessie servers with SerNet
>> 4.2 Samba packages). Seems when rsync is run against rsyncd or invoked
>> via xinetd as it is described in the wiki, the user and group mapping does
>> not work and uid and gid numbers are used. If I used rsync via ssh the
>> mapping works and there is no need for idmap.ldb to be in sync.
>>
>> achim~
>
> I have read your earlier message in this thread, yes.
>
> Just to make sure I understand you correctly:
>
> You are observing that rsync as a client against rsyncd DOES copy the
> acls, but not by name, but by using numerical values instead?
>
> (like it's configured with --numeric-ids, on the daemon or on the
> client?)
>
> If I understand things correctly, that would contradict almost all
> documentation I can find on rsync / permissions and (extended) acls??
>
> MJ
>

Exactly, rsync should map user and group names if the daemon on the
destination runs as root. But this does not work. I tested it with a
group named test with gid 1000 on server #1 and gid 1001 on server #2.
It works if rsync is used via ssh like this:

rsync -vv -XAavz -e ssh root@server2:/var/lib/samba/private/sysvol/ /var/lib/samba/private/sysvol/

Seems to be an issue with rsync causing trouble with sysvols.

achim~
Hi Achim, list,

On 21-6-2016 11:26, Achim Gottinger wrote:
> Exactly, rsync should map user and group names if the daemon on the
> destination runs as root. But this does not work. I tested it with a
> group named test with gid 1000 on server #1 and gid 1001 on server #2.
> It works if rsync is used via ssh like this
> rsync -vv -XAavz -e ssh root@server2:/var/lib/samba/private/sysvol/
> /var/lib/samba/private/sysvol/
> Seems to be an issue with rsync causing trouble with sysvols.
>
> achim~

I just tried your suggestion, rsync over ssh vs rsync to rsyncd, and
much to my surprise, there is a difference in the resulting data?!

However unfortunately on our DC4, also rsync over ssh doesn't give us
the same getfacl output as on DC2/DC3, but it's surprising (to me)
that there is a difference at all:

rsync to rsyncd result on DC4:
> root@dc4:~/sysvol# getfacl /var/lib/samba/sysvol
> getfacl: Removing leading '/' from absolute path names
> # file: var/lib/samba/sysvol
> # owner: root
> # group: BUILTIN\134administrators
> user::rwx
> user:root:rwx
> user:BUILTIN\134administrators:rwx
> user:3000009:r-x
> user:OURDOMAIN\134proxmox$:rwx
> group::rwx
> group:1078:r-x
> group:BUILTIN\134administrators:rwx
> group:3000009:r-x
> group:OURDOMAIN\134proxmox$:rwx
> mask::rwx
> other::---
> default:user::rwx
> default:user:root:rwx
> default:user:BUILTIN\134administrators:rwx
> default:user:3000009:r-x
> default:user:OURDOMAIN\134proxmox$:rwx
> default:group::---
> default:group:1078:r-x
> default:group:BUILTIN\134administrators:rwx
> default:group:3000009:r-x
> default:group:OURDOMAIN\134proxmox$:rwx
> default:mask::rwx
> default:other::---

rsync over ssh result on DC4:
> root@dc4:~/sysvol# getfacl sysvol/
> # file: sysvol/
> # owner: root
> # group: BUILTIN\134administrators
> user::rwx
> user:root:rwx
> user:BUILTIN\134administrators:rwx
> user:3000009:r-x
> user:OURDOMAIN\134proxmox$:rwx
> group::rwx
> group:BUILTIN\134administrators:rwx
> group:3000009:r-x
> group:BUILTIN\134server\040operators:r-x
> group:OURDOMAIN\134proxmox$:rwx
> mask::rwx
> other::---
> default:user::rwx
> default:user:root:rwx
> default:user:BUILTIN\134administrators:rwx
> default:user:3000009:r-x
> default:user:OURDOMAIN\134proxmox$:rwx
> default:group::---
> default:group:BUILTIN\134administrators:rwx
> default:group:3000009:r-x
> default:group:BUILTIN\134server\040operators:r-x
> default:group:OURDOMAIN\134proxmox$:rwx
> default:mask::rwx
> default:other::---

And the 'original' getfacl on both DC2/DC3 looks like this:
> user::rwx
> user:root:rwx
> user:BUILTIN\134administrators:rwx
> user:3000009:r-x
> user:3000300:rwx
> group::rwx
> group:BUILTIN\134server\040operators:r-x
> group:BUILTIN\134administrators:rwx
> group:3000009:r-x
> group:3000300:rwx
> mask::rwx
> other::---
> default:user::rwx
> default:user:root:rwx
> default:user:BUILTIN\134administrators:rwx
> default:user:3000009:r-x
> default:user:3000300:rwx
> default:group::---
> default:group:BUILTIN\134server\040operators:r-x
> default:group:BUILTIN\134administrators:rwx
> default:group:3000009:r-x
> default:group:3000300:rwx
> default:mask::rwx
> default:other::---

So even though your solution causes a change, our DC4 still does not
look completely healthy... Suggestions to cure our DC4 would be very much
appreciated...

But there is a much more fundamental question... how come there is a
difference between (rsync over ssh) vs (rsync to rsyncd)??!

MJ
On 21.06.2016 at 12:10, lists wrote:
> Hi Achim, list,
>
> On 21-6-2016 11:26, Achim Gottinger wrote:
>> Exactly, rsync should map user and group names if the daemon on the
>> destination runs as root. But this does not work. I tested it with a
>> group named test with gid 1000 on server #1 and gid 1001 on server #2.
>> It works if rsync is used via ssh like this
>> rsync -vv -XAavz -e ssh root@server2:/var/lib/samba/private/sysvol/
>> /var/lib/samba/private/sysvol/
>> Seems to be an issue with rsync causing trouble with sysvols.
>>
>> achim~
>
> I just tried your suggestion, rsync over ssh vs rsync to rsyncd, and
> much to my surprise, there is a difference in the resulting data?!
>
> However unfortunately on our DC4, also rsync over ssh doesn't give us
> the same getfacl output as on DC2/DC3, but it's surprising (to me)
> that there is a difference at all:
>
> rsync to rsyncd result on DC4:
>> root@dc4:~/sysvol# getfacl /var/lib/samba/sysvol
>> getfacl: Removing leading '/' from absolute path names
>> # file: var/lib/samba/sysvol
>> # owner: root
>> # group: BUILTIN\134administrators
>> user::rwx
>> user:root:rwx
>> user:BUILTIN\134administrators:rwx
>> user:3000009:r-x
>> user:OURDOMAIN\134proxmox$:rwx
>> group::rwx
>> group:1078:r-x
>> group:BUILTIN\134administrators:rwx
>> group:3000009:r-x
>> group:OURDOMAIN\134proxmox$:rwx
>> mask::rwx
>> other::---
>> default:user::rwx
>> default:user:root:rwx
>> default:user:BUILTIN\134administrators:rwx
>> default:user:3000009:r-x
>> default:user:OURDOMAIN\134proxmox$:rwx
>> default:group::---
>> default:group:1078:r-x
>> default:group:BUILTIN\134administrators:rwx
>> default:group:3000009:r-x
>> default:group:OURDOMAIN\134proxmox$:rwx
>> default:mask::rwx
>> default:other::---
>
> rsync over ssh result on DC4:
>> root@dc4:~/sysvol# getfacl sysvol/
>> # file: sysvol/
>> # owner: root
>> # group: BUILTIN\134administrators
>> user::rwx
>> user:root:rwx
>> user:BUILTIN\134administrators:rwx
>> user:3000009:r-x
>> user:OURDOMAIN\134proxmox$:rwx
>> group::rwx
>> group:BUILTIN\134administrators:rwx
>> group:3000009:r-x
>> group:BUILTIN\134server\040operators:r-x
>> group:OURDOMAIN\134proxmox$:rwx
>> mask::rwx
>> other::---
>> default:user::rwx
>> default:user:root:rwx
>> default:user:BUILTIN\134administrators:rwx
>> default:user:3000009:r-x
>> default:user:OURDOMAIN\134proxmox$:rwx
>> default:group::---
>> default:group:BUILTIN\134administrators:rwx
>> default:group:3000009:r-x
>> default:group:BUILTIN\134server\040operators:r-x
>> default:group:OURDOMAIN\134proxmox$:rwx
>> default:mask::rwx
>> default:other::---
>
> And the 'original' getfacl on both DC2/DC3 looks like this:
>> user::rwx
>> user:root:rwx
>> user:BUILTIN\134administrators:rwx
>> user:3000009:r-x
>> user:3000300:rwx
>> group::rwx
>> group:BUILTIN\134server\040operators:r-x
>> group:BUILTIN\134administrators:rwx
>> group:3000009:r-x
>> group:3000300:rwx
>> mask::rwx
>> other::---
>> default:user::rwx
>> default:user:root:rwx
>> default:user:BUILTIN\134administrators:rwx
>> default:user:3000009:r-x
>> default:user:3000300:rwx
>> default:group::---
>> default:group:BUILTIN\134server\040operators:r-x
>> default:group:BUILTIN\134administrators:rwx
>> default:group:3000009:r-x
>> default:group:3000300:rwx
>> default:mask::rwx
>> default:other::---
>
> So even though your solution causes a change, our DC4 still does not
> look completely healthy... Suggestions to cure our DC4 would be very much
> appreciated...
>
> But there is a much more fundamental question... how come there is a
> difference between (rsync over ssh) vs (rsync to rsyncd)??!
>
> MJ
>

Looks like on DC4 3000300 is mapped to a computer account for "proxmox".
On DC2/DC3 3000009 should map to S-1-5-18 (Local System) and 3000300 to
S-1-5-11 (Authenticated Users). These are both security groups which do
not resolve via winbindd, so they can not be mapped (you may add manual
mapping via --groupmap on your rsync command line).

I assume you can delete the mapping for 3000300 on dc4 and change the
mapping for S-1-5-11 to 3000300 (and S-1-5-18 to 3000009 if that id is
not used by something else) in idmap.ldb on DC4. After a cache flush,
sync should work again.
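The check a practitioner would want after a sysvol sync is the one the thread does by eye: parse the getfacl output from two DCs, flag any purely numeric uid/gid qualifiers (an ID the receiving host could not turn into a name), show which entries differ between the hosts, and look each numeric ID up in an idmap.ldb dump to see which SID it currently belongs to. The script below is an added example, not code from the thread or from Samba; the getfacl samples are built from the access entries MJ quoted (default entries left out, though the parser accepts them), and the idmap.ldb fragment is constructed in the shape of its sidMap records, with a placeholder SID standing in for the proxmox$ machine account whose real SID is not on the page.

```python
"""Flag unmapped numeric IDs in getfacl output and explain them via idmap.ldb.
Added example; the sample data is constructed from the thread, not captured."""
import re

# Constructed from the thread: DC4 after rsync over ssh (access entries only).
ACL_DC4_SSH = r"""
# file: sysvol/
# owner: root
# group: BUILTIN\134administrators
user::rwx
user:root:rwx
user:BUILTIN\134administrators:rwx
user:3000009:r-x
user:OURDOMAIN\134proxmox$:rwx
group::rwx
group:BUILTIN\134administrators:rwx
group:3000009:r-x
group:BUILTIN\134server\040operators:r-x
group:OURDOMAIN\134proxmox$:rwx
mask::rwx
other::---
"""

# Constructed from the thread: the 'original' ACL on DC2/DC3 (access entries only).
ACL_DC2 = r"""
user::rwx
user:root:rwx
user:BUILTIN\134administrators:rwx
user:3000009:r-x
user:3000300:rwx
group::rwx
group:BUILTIN\134server\040operators:r-x
group:BUILTIN\134administrators:rwx
group:3000009:r-x
group:3000300:rwx
mask::rwx
other::---
"""

# Constructed fragment in the shape of an idmap.ldb dump on DC4. S-1-5-18 is the
# real Local System SID; the second SID is a placeholder for the proxmox$ account.
IDMAP_DC4 = """dn: CN=S-1-5-18
cn: S-1-5-18
objectClass: sidMap
objectSid: S-1-5-18
type: ID_TYPE_BOTH
xidNumber: 3000009

dn: CN=S-1-5-21-PLACEHOLDER-1105
cn: S-1-5-21-PLACEHOLDER-1105
objectClass: sidMap
objectSid: S-1-5-21-PLACEHOLDER-1105
type: ID_TYPE_BOTH
xidNumber: 3000300
"""

ENTRY_RE = re.compile(r"^(default:)?(user|group|mask|other):([^:]*):([rwx-]{3})$")


def unescape(name):
    """getfacl writes special bytes as octal escapes: \\134 is a backslash, \\040 a space."""
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), name)


def parse_getfacl(text):
    """Map (tag, qualifier, is_default) -> permission string; '#' comment lines are skipped."""
    acl = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = ENTRY_RE.match(line)
        if not m:
            raise ValueError("unexpected getfacl line: %r" % line)
        default, tag, qual, perms = m.groups()
        acl[(tag, unescape(qual), default is not None)] = perms
    return acl


def unmapped_ids(acl):
    """Numeric qualifiers: the host running getfacl had no name for that uid/gid."""
    return sorted({q for (_tag, q, _default) in acl if q.isdigit()})


def diff_acls(a, b):
    """Entries that differ in permissions or exist on only one side: key -> (a, b)."""
    return {k: (a.get(k), b.get(k)) for k in set(a) | set(b) if a.get(k) != b.get(k)}


def parse_idmap(text):
    """xidNumber -> objectSid from an LDIF-style idmap.ldb dump (blank line between records)."""
    mapping = {}
    for record in text.strip().split("\n\n"):
        attrs = dict(l.split(": ", 1) for l in record.splitlines() if ": " in l)
        mapping[attrs["xidNumber"]] = attrs["objectSid"]
    return mapping


def explain_ids(acl, idmap):
    """For each unmapped numeric ID in acl, the SID idmap.ldb assigns it (None if absent)."""
    return {xid: idmap.get(xid) for xid in unmapped_ids(acl)}


if __name__ == "__main__":
    dc4, dc2 = parse_getfacl(ACL_DC4_SSH), parse_getfacl(ACL_DC2)
    print("unmapped IDs on DC2/DC3:", unmapped_ids(dc2))
    for key, (on_dc4, on_dc2) in sorted(diff_acls(dc4, dc2).items()):
        print("differs:", key, "DC4=%s DC2=%s" % (on_dc4, on_dc2))
    print("DC4 idmap.ldb assigns:", explain_ids(dc2, parse_idmap(IDMAP_DC4)))
```

Run against real data, feed `parse_getfacl` the output of `getfacl` on each DC and `parse_idmap` an LDIF dump of idmap.ldb; a numeric ID that `explain_ids` resolves to a domain SID rather than the well-known SID you expect is exactly the DC4 situation described above, and a `None` means the ID has no idmap.ldb record on that host at all.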