Move Samba File Server Shares

We are experimenting with the implementation of clone/move for NS8 Samba DC using rsync, which is already utilized by the NS7 migration tool for a similar purpose.

I want to share a recent experience where a Samba DC with a File Server was relocated to a different cluster node, with a new LAN IP, while preserving share contents and ACLs.

The source DC originated from an NS7 migration, so it still uses POSIX ACLs for fine-grained filesystem permissions.

As you know, the File Server role can be assigned to only one DC in the domain. We imposed this limitation because Samba lacks a replication service for the Netlogon share, which is essential for properly acting as a DC in a distributed environment.

However, we will see how it is possible to work around this limitation and configure a second File Server. :pirate_flag:

If this approach proves reliable, we could consider implementing it as a new Samba feature.

Procedure:

  1. Assuming you already have a samba1 DC with File Server role, add the samba2 provider from the UI. :stop_sign: Stop when prompted to set the administrator’s password. Do not configure it yet!

  2. Remove the file_server flag from samba1:

    redis-cli srem module/samba1/flags file_server
    
  3. Reload the Domains and Users page, then finish samba2 configuration with the LAN IP from the UI.

  4. Enter a samba-dc shell in samba1

    runagent -m samba1 podman exec -w /srv -ti samba-dc bash -l
    
  5. Start rsync --daemon on samba1.

    Copy the following configuration (based on this script). Replace the IP and network addresses:

    # VPN IP of samba1 node
    address = 10.5.4.1
    port = 10000
    uid = 0
    gid = 0
    use chroot = no
    reverse lookup = no
    forward lookup = no
    
    [shares]
    path = /srv/shares
    read only = yes
    filter = -x! user.*
    munge symlinks = no
    # allow connections from cluster VPN:
    hosts allow = 127.0.0.1 ::1 10.5.4.0/24
    

    Save the configuration to rsync.conf:

    cat - >rsync.conf
    

    :information_source: Paste the config file, then type Ctrl+D to close the file and terminate the cat command.

    Start the daemon; it will automatically run in the background. Check its startup with tail:

    rsync --daemon --log-file=rsync.log --config=rsync.conf
    tail rsync.log
    

    Example log output:

    2025/01/28 11:06:59 [23386] rsyncd version 3.2.7 starting, listening on port 10000
    

    Export the share configuration from samba1; it will be imported later:

    net conf list > /srv/shares/shares.conf
    
  6. On the destination node, open a Bash shell and start the rsync client on samba2:

    runagent -m samba2 podman exec -w /srv -ti samba-dc bash -l
    rsync -aAX -P rsync://10.5.4.1:10000/shares/ /srv/shares/
    

    :warning: On EL-based systems, the rsync client may generate many SELinux warnings. These can be ignored until we find a way to filter out security.selinux extended-attribute transfers.

  7. Put all the shares of samba1 in read-only mode. Repeat this command in the samba-dc shell of samba1 for every share.

    net conf setparm name-of-share 'read only' yes
    
  8. In the samba-dc shell of samba2, run a last rsync pass, as in step 6.

  9. Then import the share definitions into samba2:

    net conf import /srv/shares/shares.conf
    
  10. Verify that the shares on samba2 are accessible. If everything is OK, remove the config file:

    rm /srv/shares/shares.conf
    
  11. In the Domains and Users page, remove the samba1 provider.


Give this procedure a try and let us know how we can improve it!


2 Likes
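Added example (not from the original post and not NethServer's own tooling): a small shell helper that wraps the repetitive parts of the procedure above so they can be run inside the samba-dc shell on each side. It assumes the same paths, module name (`shares`) and default port (10000) as the post; `net conf listshares` is the Samba net(8) subcommand used to enumerate the shares that step 7 asks you to repeat for, and the `insync` check is an extra dry-run pass (`rsync -n --itemize-changes`) that is not in the post, added so you can confirm nothing is left to transfer before importing the share definitions.

```shell
#!/bin/sh
# Added example, not part of the original post or of NethServer's own code.
# Helpers for the samba1 -> samba2 File Server move described above.
# Assumptions: /srv/shares on both sides, rsync module "shares", port 10000,
# and Samba's net(8) available inside the samba-dc container.
set -eu

# Step 5: print the rsyncd configuration for the source node (samba1).
# $1 = VPN IP of samba1, $2 = cluster VPN network (CIDR), $3 = port (default 10000)
gen_rsyncd_conf() {
  vpn_ip="$1"; vpn_net="$2"; rport="${3:-10000}"
  cat <<EOF
address = ${vpn_ip}
port = ${rport}
uid = 0
gid = 0
use chroot = no
reverse lookup = no
forward lookup = no

[shares]
path = /srv/shares
read only = yes
filter = -x! user.*
munge symlinks = no
# only the cluster VPN may pull the shares
hosts allow = 127.0.0.1 ::1 ${vpn_net}
EOF
}

# Step 5: confirm the daemon came up on the expected port by looking for
# its startup banner in the log file.  $1 = log file, $2 = port
rsyncd_started() {
  grep -q "rsyncd version .* starting, listening on port $2\$" "$1"
}

# Step 7: put every share into read-only mode.  Reads share names on stdin
# (one per line, as printed by `net conf listshares`), skips the [global]
# section, and only prints the commands unless called with --run.
readonly_shares() {
  mode="${1:-}"
  while IFS= read -r share; do
    case "$share" in ''|[Gg]lobal) continue ;; esac
    if [ "$mode" = "--run" ]; then
      net conf setparm "$share" 'read only' yes
    else
      printf "net conf setparm '%s' 'read only' yes\n" "$share"
    fi
  done
}

# Steps 6 and 8: pull the shares from samba1 with ACLs and xattrs preserved.
# $1 = VPN IP of samba1, $2 = port (default 10000)
pull_shares() {
  rsync -aAX -P "rsync://$1:${2:-10000}/shares/" /srv/shares/
}

# Extra check (not in the post): returns 0 when a dry run would transfer
# nothing, i.e. the destination is fully in sync with the read-only source.
shares_in_sync() {
  [ -z "$(rsync -aAXn --itemize-changes "rsync://$1:${2:-10000}/shares/" /srv/shares/)" ]
}

# Minimal CLI so the file can be used directly inside the samba-dc shell:
#   sh move-shares.sh conf 10.5.4.1 10.5.4.0/24 > rsync.conf
#   net conf listshares | sh move-shares.sh readonly --run
#   sh move-shares.sh insync 10.5.4.1 && net conf import /srv/shares/shares.conf
case "${1:-}" in
  conf)     gen_rsyncd_conf "$2" "$3" "${4:-10000}" ;;
  started)  rsyncd_started "${2:-rsync.log}" "${3:-10000}" ;;
  readonly) readonly_shares "${2:-}" ;;
  pull)     pull_shares "$2" "${3:-10000}" ;;
  insync)   shares_in_sync "$2" "${3:-10000}" ;;
esac
```

The `readonly` mode defaults to a dry run that prints the `net conf setparm` lines, so you can review the share list (and spot any `global` entry it skipped) before re-running it with `--run` on samba1. Run `insync` on samba2 after the final pass of step 8: any itemized line means a file still differs and the import in step 9 should wait.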

Yummy, I love new features

1 Like