[Samba] sysvol replication as non-root?

Rowland Penny rpenny at samba.org
Fri Feb 9 15:45:05 UTC 2024


On Fri, 9 Feb 2024 10:22:59 +0300
Michael Tokarev via samba <samba at lists.samba.org> wrote:

> Hi!
> 
> I wonder, is there a way to perform sysvol replication as a non-root
> user? When doing automatic replication, such as using rsync over ssh
> from cron, one has to put the root ssh key for the remote, which
> does not look nice. I would be much more comfortable if the whole
> thing was owned by a dedicated user (with ACLs stored in file
> attributes), but this way, sysvolcheck et al will sure complain very
> very loudly (while technically everything should work fine).
> 
> Or is any attempt to do that "more securely", without root access,
> futile anyway, since pam_winbind/nss_winbind can return root user?
> 
> Thanks,
> 
> /mjt
> 

I think it may be possible to sync using another user. If you look at
the permissions set on sysvol, you should find something like this:

drwxrwx---+ 3 root BUILTIN\administrators 4096 Aug 30 11:46 /var/lib/samba/sysvol

Yes, the owner is 'root', but the group is 'Administrators' and they
have the same permissions as 'root'. From this, I think you could use a
member of Domain Admins (which is a member of Administrators) instead
of 'root'.

Rowland


