We are experimenting with the implementation of clone/move for NS8 Samba DC using rsync, which is already utilized by the NS7 migration tool for a similar purpose.
I want to share a recent experience where a Samba DC with a File Server was relocated to a different cluster node, with a new LAN IP, while preserving share contents and ACLs.
The source DC originated from an NS7 migration, so it still uses POSIX ACLs for fine-grained filesystem permissions.
As you know, the File Server role can be assigned to only one DC in the domain. We imposed this limitation because Samba lacks a replication service for the Netlogon share, which is essential for properly acting as a DC in a distributed environment.
However, we will see how it is possible to work around this limitation and configure a second File Server.
If this approach proves reliable, we could consider implementing it as a new Samba feature.
Procedure:
1. Assuming you already have a `samba1` DC with the File Server role, add the `samba2` provider from the UI. Stop when prompted to set the administrator's password. Do not configure it yet!

2. Remove the `file_server` flag from `samba1`:

   ```
   redis-cli srem module/samba1/flags file_server
   ```

3. Reload the Domains and Users page, then finish the `samba2` configuration with its LAN IP from the UI.

4. Enter a samba-dc shell on `samba1`:

   ```
   runagent -m samba1 podman exec -w /srv -ti samba-dc bash -l
   ```

5. Start `rsync --daemon` on `samba1`. Copy the following configuration (based on this script) and replace the IP and network addresses with the VPN address of the samba1 node and the cluster VPN network. The module is read only and is bound to the VPN address; `hosts allow` is its only access control (there is no `auth users`), so keep it limited to the cluster VPN:

   ```
   # VPN IP of samba1 node
   address = 10.5.4.1
   port = 10000
   uid = 0
   gid = 0
   use chroot = no
   reverse lookup = no
   forward lookup = no

   [shares]
   path = /srv/shares
   read only = yes
   filter = -x! user.*
   munge symlinks = no
   # allow connections from cluster VPN:
   hosts allow = 127.0.0.1 ::1 10.5.4.0/24
   ```

   Save the configuration to `rsync.conf`:

   ```
   cat - >rsync.conf
   ```

   Paste the config file, then type Ctrl+D to close the file and terminate the `cat` command. Start the daemon; it automatically runs in the background. Check its startup with `tail`:

   ```
   rsync --daemon --log-file=rsync.log --config=rsync.conf
   tail rsync.log
   ```

   Example log output:

   ```
   2025/01/28 11:06:59 [23386] rsyncd version 3.2.7 starting, listening on port 10000
   ```

   Export the share configuration from `samba1`; it will be imported later:

   ```
   net conf list > /srv/shares/shares.conf
   ```

6. On the destination node, open a Bash shell and start the `rsync` client on `samba2`:

   ```
   runagent -m samba2 podman exec -w /srv -ti samba-dc bash -l
   rsync -aAX -P rsync://10.5.4.1:10000/shares/ /srv/shares/
   ```

   On EL-based systems, the rsync client may print many SELinux warnings. These can be ignored until we find a way to filter out `security.selinux` extended-attribute transfers.

7. Put all the shares of `samba1` in read-only mode. Repeat this command in the samba-dc shell of `samba1` for every share:

   ```
   net conf setparm name-of-share 'read only' yes
   ```

8. In the samba-dc shell of `samba2`, run a last rsync pass, as in step 6.

9. Then import the share definitions into `samba2`:

   ```
   net conf import /srv/shares/shares.conf
   ```

10. Verify that the shares on `samba2` are accessible. If everything is OK, remove the config file:

    ```
    rm /srv/shares/shares.conf
    ```

11. In the Domains and Users page, remove the `samba1` provider.
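As an added helper, not part of NS8 nor of the procedure above, the following POSIX shell script covers the two error-prone parts of the steps: it renders the `rsync.conf` of step 5 from the samba1 VPN address and the cluster VPN network, refusing an empty or non-numeric address so the daemon is never left bound to all interfaces, and it turns a `net conf list` dump into the per-share `net conf setparm ... 'read only' yes` commands of step 7, so that no share is forgotten. The function names, the `NET_CONF` dry-run override and the sample `net conf list` output are assumptions constructed for this example.

```shell
#!/bin/sh
# Added helper for the NS8 Samba DC move procedure (not part of NS8 or of the post).
# Function names, the NET_CONF override and the sample `net conf list` output
# below are assumptions/constructed for this example.
set -eu

# Print the rsync daemon configuration of step 5.
# $1 = VPN IP of the samba1 node, $2 = cluster VPN network in CIDR form.
# An empty address would make rsyncd bind to every interface, so reject it,
# and insist on a CIDR network so `hosts allow` does not silently widen.
render_rsyncd_conf() {
    addr=$1
    net=$2
    case "$addr" in
        ""|*[!0-9.]*) echo "render_rsyncd_conf: bad address '$addr'" >&2; return 1 ;;
    esac
    case "$net" in
        */*) ;;
        *) echo "render_rsyncd_conf: network must be CIDR, e.g. 10.5.4.0/24" >&2; return 1 ;;
    esac
    cat <<EOF
# VPN IP of samba1 node
address = $addr
port = 10000
uid = 0
gid = 0
use chroot = no
reverse lookup = no
forward lookup = no

[shares]
path = /srv/shares
read only = yes
filter = -x! user.*
munge symlinks = no
# allow connections from cluster VPN:
hosts allow = 127.0.0.1 ::1 $net
EOF
}

# Read `net conf list` output on stdin and print one share name per line.
# Section headers are "[name]" at column 0; [global] is not a share.
list_shares() {
    sed -n 's/^\[\(.*\)\]$/\1/p' | grep -vix 'global' || true
}

# Step 7 for every share at once: read `net conf list` output on stdin and run
# `net conf setparm <share> 'read only' yes` for each one. Share names may
# contain spaces, so each name is passed as a single quoted argument.
# Set NET_CONF=echo for a dry run that only prints the commands.
set_shares_readonly() {
    list_shares | while IFS= read -r share; do
        ${NET_CONF:-net conf} setparm "$share" 'read only' yes
    done
}

# Constructed sample of `net conf list` output (not captured from a real DC).
SAMPLE_NET_CONF_LIST='[global]
    workgroup = EXAMPLE

[docs]
    path = /srv/shares/docs
    read only = no

[Sales Team]
    path = /srv/shares/sales'

# Dry run on the sample: prints the two setparm commands and runs nothing.
# The subshell keeps NET_CONF=echo from leaking into the caller's shell.
dry_run_sample() {
    ( NET_CONF=echo; printf '%s\n' "$SAMPLE_NET_CONF_LIST" | set_shares_readonly )
}

dry_run_sample
```

In the samba-dc shell of samba1, `render_rsyncd_conf 10.5.4.1 10.5.4.0/24 > rsync.conf` replaces the copy-and-paste of step 5, and `net conf list | set_shares_readonly` runs the real `net conf setparm` commands of step 7; run `net conf list | NET_CONF=echo set_shares_readonly` first to see what will be changed.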
Give this procedure a try and let us know how we can improve it!