configpolicy/roles/samba-dc/files/sysvolsync.sh

#!/bin/sh
# vim: set sw=4 ts=4 sts=4 et :

SYSVOL=/var/lib/samba/sysvol
IDMAP_LDB=/var/lib/samba/private/idmap.ldb
WINBIND_CACHE=/var/lib/samba/winbind_cache.tdb

case "${DEBUG}" in
yes|YES|y|Y|on|ON|1|true|TRUE|t|T)
    unset DEBUG
    DEBUG=1
    ;;
*)
    unset DEBUG
    ;;
esac

debug() {
    [ -z "${DEBUG}" ] || echo "$*" >&2
}

info() {
    echo "$*" >&2
}

get_pdc() {
    dig +short -t srv _ldap._tcp.pdc._msdcs.$(dnsdomainname) \
        | sort -n \
        | awk '{print $4;exit}'
}

fqdn=$(hostname -f)
pdc=$(get_pdc)
pdc="${pdc%.}"
if [ "${pdc}" = "${fqdn}" ]; then
    debug 'Skipping SYSVOL sync on PDC emulator'
    exit 0
fi
if [ -z "${pdc}" ]; then
    echo 'Could not identify PDC emulator' >&2
    exit 1
fi
debug "Found PDC emulator: ${pdc}"

ssh_config=/var/cache/sysvolsync/ssh_config
debug "Generating configuration file: ${ssh_config}"
cat > "${ssh_config}" <<EOF
User=root
BatchMode=yes
IdentityFile=/var/lib/samba/private/sysvolsync.key
UserKnownHostsFile=/var/cache/sysvolsync/ssh_known_hosts
ControlMaster=auto
ControlPersist=yes
ControlPath=/run/sysvolsync/sshcp
EOF

debug "Opening SSH connection to ${pdc}"
ssh -F "${ssh_config}" -fN "${pdc}" || exit
trap 'ssh -F "${ssh_config}" -q -O exit "${pdc}"' INT TERM QUIT EXIT

export RSYNC_RSH="ssh -F ${ssh_config}"
debug "Synchronizing SYSVOL from ${pdc}"
rsync -a${DEBUG+i}HAXS --delete "${pdc}:${SYSVOL}/" "${SYSVOL}"
debug "Copying idmap.ldb from ${pdc}"
rsync -a${DEBUG+i} --delete "${pdc}:${IDMAP_LDB}.bak" "${IDMAP_LDB}.new"
st_new=$(stat -c %Y "${IDMAP_LDB}.new")
st_cur=$(stat -c %Y "${IDMAP_LDB}")
if [ -z "${st_cur}" ] || [ "${st_new}" != "${st_cur}" ]; then
    info "Got updated idmap.ldb from ${pdc}"
    info 'Stopping Samba service'
    systemctl stop samba || exit
    mv "${IDMAP_LDB}.new" "${IDMAP_LDB}"
    info 'Flushing idmap cache'
    net cache flush
    rm -f "${WINBIND_CACHE}"
    info 'Restarting Samba service'
    systemctl start samba || exit
    info 'Resetting SYSVOL ACLs'
    samba-tool ntacl sysvolreset
else
    debug 'Local idmap.ldb is up-to-date'
    exit 0
fi