Hello!

I am trying to set up a new secondary DC in a Samba domain and I face a strange problem with SYSVOL ACLs. Each time I do rsync, I get ACL errors:

samba-tool ntacl sysvolreset
samba-tool ntacl sysvolcheck
rsync -XAavz --delete-after --password-file=/etc/samba/rsync.passwd rsync://sysvolrepuser@192.168.222.111/SysVol/ /var/lib/samba/sysvol/
samba-tool ntacl sysvolcheck
ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception - ProvisioningError: VFS ACL on sysvol directory /var/lib/samba/sysvol/ad.brotel.cz O:LAG:BAD:(A;;0x001f01ff;;;LA)(A;;0x001f01ff;;;BA)(A;;;;;WD)(A;OICIIO;0x001f01ff;;;CO)(A;OICIIO;0x001200a9;;;CG)(A;OICIIO;0x001200a9;;;WD) does not match expected value O:LAG:BAD:P(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;SO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU) from provision
  File "/usr/lib64/python3.6/site-packages/samba/netcmd/__init__.py", line 186, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib64/python3.6/site-packages/samba/netcmd/ntacl.py", line 446, in run
    lp)
  File "/usr/lib64/python3.6/site-packages/samba/provision/__init__.py", line 1873, in checksysvolacl
    raise ProvisioningError('%s ACL on sysvol directory %s %s does not match expected value %s from provision' % (acl_type(direct_db_access), dir_path, fsacl_sddl, SYSVOL_ACL))

I can fix the error with sysvolreset, but since I synchronize SYSVOL regularly, it gets broken again very soon.

I have compared the ID mapping with:

ldbsearch -H /var/lib/samba/private/idmap.ldb

and the databases on both servers are identical.

Samba is 4.9.18 on the primary DC and 4.16.5 on the secondary DC.

I saw a similar problem reported here: https://askubuntu.com/questions/1274367/sysvolcheck-returns-error-on-backup-dc-upon-each-replication

Any help would be appreciated.

Best regards
Michal
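The two descriptors in that error are plain SDDL, so the mismatch can be read off mechanically instead of by eye. The script below is an added example for this thread, not part of samba-tool or of the original mail: it parses both strings (copied from the error message above), reports which ACEs are missing or unexpected, whether owner or group differ, and whether the protected flag was lost (the P after D: in the provisioned value, which blocks inheritance from the parent directory). The name tables cover only the SDDL abbreviations and access masks that occur here; anything else is printed raw.

```python
"""Compare the on-disk sysvol SDDL with the provisioned one (added example)."""
import re

# Both descriptors are copied from the sysvolcheck error message in the mail.
ACTUAL = ("O:LAG:BAD:(A;;0x001f01ff;;;LA)(A;;0x001f01ff;;;BA)(A;;;;;WD)"
          "(A;OICIIO;0x001f01ff;;;CO)(A;OICIIO;0x001200a9;;;CG)(A;OICIIO;0x001200a9;;;WD)")
EXPECTED = ("O:LAG:BAD:P(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;SO)"
            "(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)")

# Well-known SDDL abbreviations (subset that appears above) for readable output.
SID_NAMES = {"LA": "local Administrator", "BA": "BUILTIN\\Administrators",
             "SO": "BUILTIN\\Server Operators", "SY": "NT AUTHORITY\\SYSTEM",
             "AU": "Authenticated Users", "WD": "Everyone",
             "CO": "CREATOR OWNER", "CG": "CREATOR GROUP"}
RIGHTS_NAMES = {0x001f01ff: "full control", 0x001200a9: "read+execute"}
FLAG_NAMES = {"OI": "object-inherit", "CI": "container-inherit",
              "IO": "inherit-only", "NP": "no-propagate", "ID": "inherited"}

_SDDL_RE = re.compile(r"^(?:O:(?P<owner>[^:]+?))?(?:G:(?P<group>[^:]+?))?"
                      r"(?:D:(?P<dacl>[^:]*?))?(?:S:(?P<sacl>.*))?$")
_ACE_RE = re.compile(r"\(([^)]*)\)")


def _rights(text):
    """Hex access mask -> int; empty mask -> 0; symbolic masks are kept as text."""
    if not text:
        return 0
    if text.lower().startswith("0x"):
        return int(text, 16)
    return text


def parse_sddl(sddl):
    """Split an SDDL string into owner, group, DACL control flags and ACE tuples.

    Each ACE becomes (type, flags, rights, trustee); the two object-GUID fields
    are dropped because file-system ACEs do not use them.
    """
    m = _SDDL_RE.match(sddl)
    if not m:
        raise ValueError("not an SDDL string: %r" % sddl)
    dacl = m.group("dacl") or ""
    first_paren = dacl.find("(")
    control = dacl if first_paren < 0 else dacl[:first_paren]  # e.g. "P", "AI"
    aces = []
    for body in _ACE_RE.findall(dacl):
        fields = body.split(";")
        if len(fields) != 6:
            raise ValueError("malformed ACE: (%s)" % body)
        ace_type, flags, rights, _obj, _inh, trustee = fields
        aces.append((ace_type, flags, _rights(rights), trustee))
    return {"owner": m.group("owner"), "group": m.group("group"),
            "control": control, "aces": aces}


def describe_ace(ace):
    """Human-readable rendering of one ACE tuple."""
    ace_type, flags, rights, trustee = ace
    flag_words = [FLAG_NAMES.get(flags[i:i + 2], flags[i:i + 2])
                  for i in range(0, len(flags), 2)]
    rights_word = RIGHTS_NAMES.get(
        rights, hex(rights) if isinstance(rights, int) else rights)
    return "%s %s -> %s [%s]" % ("allow" if ace_type == "A" else ace_type,
                                  SID_NAMES.get(trustee, trustee), rights_word,
                                  ",".join(flag_words) or "no inheritance")


def diff_dacl(actual_sddl, expected_sddl):
    """Report how the on-disk descriptor deviates from the provisioned one."""
    actual, expected = parse_sddl(actual_sddl), parse_sddl(expected_sddl)
    a_set, e_set = set(actual["aces"]), set(expected["aces"])
    return {
        "protected_lost": "P" in expected["control"] and "P" not in actual["control"],
        "owner_changed": actual["owner"] != expected["owner"],
        "group_changed": actual["group"] != expected["group"],
        "missing": [ace for ace in expected["aces"] if ace not in a_set],
        "extra": [ace for ace in actual["aces"] if ace not in e_set],
    }


if __name__ == "__main__":
    report = diff_dacl(ACTUAL, EXPECTED)
    print("protected DACL flag lost:", report["protected_lost"])
    print("owner/group changed:", report["owner_changed"], report["group_changed"])
    for label in ("missing", "extra"):
        print("%s ACEs:" % label)
        for ace in report[label]:
            print("  " + describe_ace(ace))
```

Run against the values from the mail, the report shows that none of the four provisioned ACEs survived (the BUILTIN\Administrators entry is present but without its OICI inheritance flags), that the P flag is gone, and that an ACE granting Everyone an empty access mask has appeared; owner and group are unchanged.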
On 07/10/2022 14:43, Michal Sládek via samba wrote:
> Hello!
>
> I am trying to set up a new secondary DC in a Samba domain and I face a strange
> problem with SYSVOL ACLs. Each time I do rsync, I get ACL errors:
>
>
> Samba is 4.9.18 on the primary DC and 4.16.5 on the secondary DC.
>

Here is what I would do:

Ensure that Sysvol on the DC running 4.16.5 is correct, also ensure that Samba and AD are running correctly.
Transfer any FSMO roles on the DC running 4.9.18 to the other DC.
Transfer anything else on the DC running 4.9.18 that you might need (not Samba).
Demote the DC running 4.9.18 and, as this is a very old version of Samba, probably upgrade the OS.
Upgrade/install Samba 4.16.5 and then join this to the AD domain as a DC.
Sync idmap.ldb and Sysvol from the existing DC to your new one and run sysvolreset (do this any time you sync Sysvol).

Notice that I didn't mention primary/secondary, PDC/BDC, etc. in relation to your DCs; all DCs are equal (or rather they should be) except for the FSMO roles, and they can be on any DC.

Rowland
Maybe I am wrong, but there seems to be a problem with rsync regarding the copying of ACLs and Extended Attributes.

Choose some test file containing both Posix ACLs and the security.NTACL extended attribute used by Samba and check its permissions:

getfattr -n security.NTACL /usr/local/samba/var/sysvol/mydomain.com/testfile
getfattr: Removing leading '/' from absolute path names
# file: usr/local/samba/var/sysvol/mydomain.com/testfile
security.NTACL=0sAwADAAAAAgAEAAIAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABABSRZAAAAIAAAAAAAAAAnAAAAAEFAAAAAAAFFQAAAPv9/VDMAuwhJ0bLEQACAAABBQAAAAAABRUAAAD7/f1QzALsISdGyxEAAgAABADoAAgAAAAACxQA/wEfAAEBAAAAAAADAAAAAAADFACpABIAAQEAAAAAAAULAAAAAAMUAP8BHwABAQAAAAAABRIAAAAAAyQAqQASAAEFAAAAAAAFFQAAAPv9/VDMAuwhJ0bLEV8EAAAAAyQA/wEfAAEFAAAAAAAFFQAAAPv9/VDMAuwhJ0bLEQACAAAAAyQAqQASAAEFAAAAAAAFFQAAAPv9/VDMAuwhJ0bLEQMCAAAAAyQA/wEfAAEFAAAAAAAFFQAAAPv9/VDMAuwhJ0bLEQcCAAAAAxQAqQASAAEBAAAAAAAFCQAAAA=

getfacl /usr/local/samba/var/sysvol/mydomain.com/testfile
getfacl: Removing leading '/' from absolute path names
# file: usr/local/samba/var/sysvol/mydomain.com/testfile
# owner: 3000008
# group: CIMBAL\134domain\040admins
user::rwx
user:3000000:rwx
user:3000001:r-x
user:3000002:rwx
user:3000003:r-x
group::---
group:BUILTIN\134administrators:rwx
group:BUILTIN\134server\040operators:r-x
group:3000002:rwx
group:3000003:r-x
mask::rwx
other::---

Now, let's do the following on the destination file:

rsync -XAaz --delete-after (etc etc)

getfattr -n security.NTACL /usr/local/samba/var/sysvol/mydomain.com/testfile
getfattr: Removing leading '/' from absolute path names
# file: usr/local/samba/var/sysvol/mydomain.com/testfile
security.NTACL=[same value as above]

getfacl /usr/local/samba/var/sysvol/mydomain.com/testfile
getfacl: Removing leading '/' from absolute path names
# file: usr/local/samba/var/sysvol/mydomain.com/testfile
# owner: 3000008
# group: CIMBAL\134domain\040admins

Now, let's remove the X from the rsync command:

rsync -Aaz --delete-after (etc etc)

getfattr -n security.NTACL /usr/local/samba/var/sysvol/mydomain.com/testfile
getfattr: Removing leading '/' from absolute path names
# file: usr/local/samba/var/sysvol/mydomain.com/testfile
security.NTACL=[same value as above]

getfacl /usr/local/samba/var/sysvol/mydomain.com/testfile
getfacl: Removing leading '/' from absolute path names
# file: usr/local/samba/var/sysvol/mydomain.com/testfile
# owner: 3000008
# group: CIMBAL\134domain\040admins
user::rwx
user:3000000:rwx
user:3000001:r-x
user:3000002:rwx
user:3000003:r-x
group::---
group:BUILTIN\134administrators:rwx
group:BUILTIN\134server\040operators:r-x
group:3000002:rwx
group:3000003:r-x
mask::rwx
other::---

Let's do the X again:

rsync -Xaz --delete-after (etc etc)

getfacl -d /usr/local/samba/var/sysvol/mydomain.com/testfile
getfacl: Removing leading '/' from absolute path names
# file: usr/local/samba/var/sysvol/mydomain.com/testfile
# owner: 3000008
# group: CIMBAL\134domain\040admins

Either I am doing something wrong or the rsync command to preserve extended attributes removes the Posix ACLs for the file. The other way around, A after X, causes no problem.

I ended up stacking two rsync commands to do a proper sysvol synchronization:

rsync -Xaz (etc etc)
rsync -Aaz --delete-after (etc etc)

If this is indeed a problem with rsync, I suppose it would deserve some attention from the rsync developers.
> (...)
> Either I am doing something wrong or the rsync command to preserve extended attributes removes the Posix ACLs for the file. The other way around, A after X, causes no problem.
> If this is indeed a problem with rsync, I suppose it would deserve some attention from the rsync developers.

For completeness, let's see what happens when we dump all extended attributes:

getfattr -d -m - /usr/local/samba/var/sysvol/mydomain.com/testfile
getfattr: Removing leading '/' from absolute path names
# file: usr/local/samba/var/sysvol/lan.cimbal.pt/test
security.NTACL=[same value as above]
system.posix_acl_access=0sAgAAAAEABwD/////AgAHAMDGLQACAAUAwcYtAAIABwDCxi0AAgAFAMPGLQAEAAAA/////wgABwDAxi0ACAAFAMHGLQAIAAcAwsYtAAgABQDDxi0AEAAHAP////8gAAAA/////w=
system.posix_acl_default=0sAgAAAAEABwD/////AgAHAMDGLQACAAUAwcYtAAIABwDCxi0AAgAFAMPGLQAEAAAA/////wgABwDAxi0ACAAFAMHGLQAIAAcAwsYtAAgABQDDxi0AEAAHAP////8gAAAA/////w=
trusted.SGI_ACL_DEFAULT=0sAAAADAAAAAH/////AAcAAAAAAAIALcbAAAcAAAAAAAIALcbBAAUAAAAAAAIALcbCAAcAAAAAAAIALcbDAAUAAAAAAAT/////AAAAAAAAAAgALcbAAAcAAAAAAAgALcbBAAUAAAAAAAgALcbCAAcAAAAAAAgALcbDAAUAAAAAABD/////AAcAAAAAACD/////AAAAAA=
trusted.SGI_ACL_FILE=0sAAAADAAAAAH/////AAcAAAAAAAIALcbAAAcAAAAAAAIALcbBAAUAAAAAAAIALcbCAAcAAAAAAAIALcbDAAUAAAAAAAT/////AAAAAAAAAAgALcbAAAcAAAAAAAgALcbBAAUAAAAAAAgALcbCAAcAAAAAAAgALcbDAAUAAAAAABD/////AAcAAAAAACD/////AAAAAA=
user.DOSATTRIB=0sMHgxMAAAAwADAAAAEQAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHVrTlUqzdgBAAAAAAAAAAA

Other than 'security.NTACL' and 'user.DOSATTRIB', used by Samba, note the presence of the following extended attributes:

system.posix_acl_access
system.posix_acl_default
trusted.SGI_ACL_DEFAULT
trusted.SGI_ACL_FILE

After the use of rsync with the -AX parameter:

getfattr -d -m - /usr/local/samba/var/sysvol/mydomain.com/testfile
getfattr: Removing leading '/' from absolute path names
# file: usr/local/samba/var/sysvol/lan.cimbal.pt/test
security.NTACL=[same value as above]
user.DOSATTRIB=0sMHgxMAAAAwADAAAAEQAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHVrTlUqzdgBAAAAAAAAAAA

Only the attributes 'security.NTACL' and 'user.DOSATTRIB' remain.

I tried this with rsync versions 3.0.6, 3.1.2, 3.2.3, and 3.2.5, always with the same result.
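The getfattr dumps above can be compared without reading base64 by eye. The script below is an added example (it is not from the thread, and not Samba or rsync code) that serves both the getfattr/getfacl comparison in the previous message and the full-attribute dump here: it parses two `getfattr -d -m -` dumps, lists the attribute names lost between them, and decodes a `system.posix_acl_access` value into getfacl-style entries using the Linux POSIX ACL xattr layout (a little-endian u32 version 2 header followed by 8-byte records of u16 tag, u16 permission bits, u32 id). The two dumps embedded in the script are reconstructed from the output quoted above, one attribute per line as getfattr prints it; the security.NTACL and trusted.SGI_ACL_* values are replaced by a labelled placeholder because only the POSIX ACL value is decoded. The decoder prints numeric ids; getfacl resolves the ones it can, so gid 3000000 appears as BUILTIN\administrators in the listing in the previous message.

```python
"""Find xattrs lost by a sysvol copy and decode the POSIX ACL ones (added example)."""
import base64
import struct

# Sample dumps reconstructed from the getfattr output quoted in the thread.
# "0sPLACEHOLDER" stands in for blobs that this example does not decode.
BEFORE = """\
# file: usr/local/samba/var/sysvol/mydomain.com/testfile
security.NTACL=0sPLACEHOLDER
system.posix_acl_access=0sAgAAAAEABwD/////AgAHAMDGLQACAAUAwcYtAAIABwDCxi0AAgAFAMPGLQAEAAAA/////wgABwDAxi0ACAAFAMHGLQAIAAcAwsYtAAgABQDDxi0AEAAHAP////8gAAAA/////w=
system.posix_acl_default=0sAgAAAAEABwD/////AgAHAMDGLQACAAUAwcYtAAIABwDCxi0AAgAFAMPGLQAEAAAA/////wgABwDAxi0ACAAFAMHGLQAIAAcAwsYtAAgABQDDxi0AEAAHAP////8gAAAA/////w=
trusted.SGI_ACL_DEFAULT=0sPLACEHOLDER
trusted.SGI_ACL_FILE=0sPLACEHOLDER
user.DOSATTRIB=0sMHgxMAAAAwADAAAAEQAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHVrTlUqzdgBAAAAAAAAAAA
"""
AFTER = """\
# file: usr/local/samba/var/sysvol/mydomain.com/testfile
security.NTACL=0sPLACEHOLDER
user.DOSATTRIB=0sMHgxMAAAAwADAAAAEQAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHVrTlUqzdgBAAAAAAAAAAA
"""

# Tag values of the Linux POSIX ACL xattr format (version 2).
ACL_TAGS = {0x01: "user", 0x02: "user", 0x04: "group", 0x08: "group",
            0x10: "mask", 0x20: "other"}
ACL_QUALIFIED = {0x02, 0x08}   # only named user/group records carry a uid/gid


def parse_getfattr_dump(text):
    """Return {attribute name: value bytes or str} from `getfattr -d -m -` output."""
    attrs = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):      # blank lines and "# file:" header
            continue
        name, _, value = line.partition("=")
        if value.startswith("0s"):                 # base64-encoded binary value
            b64 = value[2:]
            b64 += "=" * (-len(b64) % 4)           # tolerate padding lost in transit
            attrs[name] = base64.b64decode(b64)
        elif value.startswith("0x"):               # hex-encoded binary value
            attrs[name] = bytes.fromhex(value[2:])
        else:                                      # quoted text value
            attrs[name] = value.strip('"')
    return attrs


def decode_posix_acl(blob):
    """Decode system.posix_acl_* xattr bytes into getfacl-style entry strings."""
    (version,) = struct.unpack_from("<I", blob, 0)
    if version != 2:
        raise ValueError("unsupported POSIX ACL xattr version %d" % version)
    entries = []
    for offset in range(4, len(blob), 8):
        tag, perm, ident = struct.unpack_from("<HHI", blob, offset)
        qualifier = str(ident) if tag in ACL_QUALIFIED else ""
        mode = "".join(ch if perm & bit else "-"
                       for ch, bit in (("r", 4), ("w", 2), ("x", 1)))
        entries.append("%s:%s:%s" % (ACL_TAGS[tag], qualifier, mode))
    return entries


def lost_attributes(before_dump, after_dump):
    """Attribute names present before the copy but absent afterwards."""
    before = parse_getfattr_dump(before_dump)
    after = parse_getfattr_dump(after_dump)
    return sorted(set(before) - set(after))


if __name__ == "__main__":
    print("attributes lost by the copy:")
    for name in lost_attributes(BEFORE, AFTER):
        print("  " + name)
    print("decoded system.posix_acl_access of the source file:")
    for entry in decode_posix_acl(parse_getfattr_dump(BEFORE)["system.posix_acl_access"]):
        print("  " + entry)
```

Decoding the source file's `system.posix_acl_access` reproduces the twelve entries of the getfacl listing in the previous message (user::rwx, user:3000000:rwx, ... mask::rwx, other::---), which is a quick way to confirm that a blob in a dump really is the ACL you expect before and after a sync; the lost-attribute list for the two dumps is exactly the four names the message calls out. On XFS the trusted.SGI_ACL_FILE and trusted.SGI_ACL_DEFAULT attributes are the file system's own storage of the same access and default ACLs.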