Date: Fri, 22 May 2020 17:21:01 +0200
From: Andrea Venturoli <ml@netfence.it>
To: byrnejb@harte-lyne.ca
Cc: freebsd-questions@freebsd.org
Subject: Re: FreeBSD as an Active Directory Domain Controller
Message-ID: <99ac30a7-126d-c0dd-6fab-e8fe445927f0@netfence.it>
In-Reply-To: <1d6dd578eadaf13def02280d06f37ffe.squirrel@webmail.harte-lyne.ca>
References: <mailman.411.1590057680.4501.freebsd-questions@freebsd.org> <1d6dd578eadaf13def02280d06f37ffe.squirrel@webmail.harte-lyne.ca>

On 2020-05-21 21:31, James B. Byrne wrote:

> Samba-4.4 and later removed support for nt style acls,

Could you elaborate on this or give a pointer?
I looked into 4.4.0 release notes, but found no mention of this removal.

From the Samba Wiki, a Samba AD DC requires "Windows ACLs" (as opposed to POSIX ACLs). What do you mean by "NT style ACLs"?

> Fast forward to now. Samba410-4.10.15 on FreeBSD-12.1p5 and using ZFS now can
> be provisioned as a DC so acls obviously must be working on ZFS, I created a
> Samba410 instance, checked that it could provision, undid that work and
> reinstalled samba and used samba-tool to join the existing domain. I then
> attempted to replicate the sysvol using rsync.

Just to be sure, you are now:
_ connecting via SSH from the *new* DC to the old DC;
_ copying from UFS to ZFS;
_ from a jail to a jail.

> rsync -XAavz --delete-after --rsh='ssh' [192.168.8.65]:/var/db/samba4/sysvol
> /var/db/samba4
> receiving file list ... done
>
> rsync: set_acl: sys_acl_set_file(sysvol, ACL_TYPE_ACCESS): Invalid argument (22)
>
> rsync: set_acl: sys_acl_set_file(sysvol/brockley-2016.harte-lyne.ca,
> ACL_TYPE_ACCESS): Invalid argument (22)
>
> rsync: set_acl: sys_acl_set_file(sysvol/brockley-2016.harte-lyne.ca/Policies,
> ACL_TYPE_ACCESS): Invalid argument (22)

Just a shot in the dark: you're not using the stock rsync package, are you?
At least in the past, an ACL patch was needed to support ACLs and that option is not on by default.

I'm not sure it's still the case, however; now the patch states:

> This patch adds backward-compatibility support for the --acls option.
> Since the main release has never had ACL support, the trunk doesn't
> need this code. If you want to make rsync 3.0.x communicate with an
> older (patched) release, use this.

I don't find the above particularly clear... if someone with more insight could step in...

In any case, possibly you'll need to recompile rsync with that patch enabled (on both sides?).
Or maybe again, this is not true anymore.

Failing that, could you choose a sample file and report what ACLs are on the source and what you get on the target?

 bye
	av.
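
The source/target ACL comparison requested at the end of the message, sketched as an added example that is not part of the original e-mail or of any project's code. It assumes FreeBSD `getfacl` output, where NFSv4 entries end in `:allow` or `:deny` and POSIX.1e entries start with `user:`, `group:`, `mask:` or `other:`; the function names and both sample dumps are constructed for illustration.

```shell
#!/bin/sh
# On each DC, capture one sample path, e.g.:
#   getfacl /var/db/samba4/sysvol > sysvol.acl
# then pass the two dumps (as strings) to acl_compare.

# Classify a getfacl dump: prints nfsv4, posix1e or none.
acl_flavor() {
    printf '%s\n' "$1" | awk '
        /^#/ || /^[ \t]*$/ { next }                 # header comments, blank lines
        /:(allow|deny)[ \t]*$/ { n4++; next }       # NFSv4 ACE ends in its type
        /^(user|group|other|mask):/ { px++; next }  # POSIX.1e entry
        END { if (n4) print "nfsv4"; else if (px) print "posix1e"; else print "none" }'
}

# Reduce a dump to its entries only, whitespace-stripped and sorted.
acl_entries() {
    printf '%s\n' "$1" | grep -v '^#' | tr -d ' \t' | grep -v '^$' | sort
}

# Exit 0 on identical ACLs, 1 when entries differ, 2 when the ACL types differ.
acl_compare() {
    s=$(acl_flavor "$1"); t=$(acl_flavor "$2")
    if [ "$s" != "$t" ]; then
        echo "flavor mismatch: source=$s target=$t"; return 2
    fi
    if [ "$(acl_entries "$1")" != "$(acl_entries "$2")" ]; then
        echo "entries differ ($s)"; return 1
    fi
    echo "match ($s)"
}

# Constructed sample: POSIX.1e-style dump, as a source file system might report.
SAMPLE_SRC='# file: sysvol
# owner: root
# group: wheel
user::rwx
group::r-x
mask::r-x
other::r-x'

# Constructed sample: NFSv4-style dump, as a target file system might report.
SAMPLE_DST='# file: sysvol
# owner: root
# group: wheel
            owner@:rwxp--aARWcCos:-------:allow
            group@:r-x---a-R-c--s:-------:allow
         everyone@:r-x---a-R-c--s:-------:allow'

acl_compare "$SAMPLE_SRC" "$SAMPLE_DST" || true
```
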