samba - Aug 2023 - migration of data

Hi,

I have to migrate our data from one old samba server to a new one. Due 
to various reasons we had to change some settings. Now I struggle to get 
the acls right.

old smb.conf:

[global]
 ??????? log file = /var/log/samba/%m
 ??????? realm = AD.XXXXXX
 ??????? security = ADS
 ??????? template homedir = /home/%U
 ??????? template shell = /bin/bash
 ??????? winbind use default domain = Yes
 ??????? workgroup = AD
 ??????? idmap config ad:range = 2000-300000
 ??????? idmap config ad:schema_mode = rfc2307
 ??????? idmap config ad:backend = ad
 ??????? idmap config * : range = 1000000-1000100
 ??????? idmap config * : backend = tdb
 ??????? create mask = 0770
 ??????? directory mask = 0770
 ??????? map acl inherit = Yes
 ??????? vfs objects = acl_xattr


new smb.conf:

[global]
 ??????? clustering = Yes
 ??????? registry shares = Yes
 ??????? log file = /var/log/samba/%m
 ??????? realm = AD.XXXXXX
 ??????? security = ADS
 ??????? template shell = /bin/bash
 ??????? winbind use default domain = Yes
 ??????? workgroup = AD
 ??????? idmap config ad:range = 1000000-1999999
 ??????? idmap config ad:backend = rid
 ??????? idmap config * : range = 10000-10100
 ??????? idmap config * : backend = tdb
 ??????? inherit acls = Yes
 ??????? map acl inherit = Yes
 ??????? ctdb:registry.tdb = yes
 ??????? vfs objects = acl_xattr
 ??????? acl_xattr:ignore system acls = yes

The big differences are affecting my problem:
- idmap config ad:backend changed from ad to rid (rsync can handle that 
- I know)
- previously the acls were stored via posix and extended attributes, now 
they are stored only in extended attributes

How can I copy the data without losing the access rights?? There is 
_not_ one user who has access to all files/directories in the share. So 
copying via windows is not possible (right now).

Regards
Sebastian

Sebastian Neustein wrote:
> I have to migrate our data from one old samba server to a new one. Due 
> to various reasons we had to change some settings. Now I struggle to 
> get the acls right.
> ?Previously the acls were stored via posix and extended attributes, 
> now they are stored only in extended attributes

With the default settings of vfs_acl_xattr samba takes posix acls into 
account when delivering data - how can I activate
"acl_xattr:ignore system acls = yes"
without loosing the information saved in posix acls? Background: our 
future file system won't be able to support acls.

Is there a way to migrate all acl information from the posix acls into 
the extended attributes? I have an inkling that I read at some stage, 
that vfs_acl_xattr deletes/overwrites the extended attributes once the 
posix acls are changed. Is there a way to trigger that on cli?

The idea is to change these settings on the old server before copying 
the data to the new server. I hope to be able to use rsync for the 
migration then.

Thanks you for any help with this!
Sebastian