[Samba] sysvol access permission problems.

[Rowland penny]

On 11/03/2021 13:18, Peter Boos wrote:
> hi Rowland
>
> In our environment Debian security is separated from AD


Care to expand on that ?

> (root doesn't exist in AD and domain administrators can do nothing on Debian either)


Yes, root doesn't exist in AD (and shouldn't), but Administrator should 
be mapped to the root id '0'


>
> It seams to me that the getfacl id 3000000 might be the result of some default number in the samba-tool domain join command ?.


In a way, yes. By default, a Samba AD DC uses id numbers in the 
'3000000' range, these are stored in idmap.ldb. You can override these 
numbers by adding uidNumber & gidNumber attributes to users & groups in AD.

> I wonder should the join command should instead copy the file permissions as is how they are on the first server


No

> In our AD (to my knowledge) there is no id of 3000000 thus assuming its a result from the joining script? (samba-tool domain join .... ?? )
> now since we also created a cert-trust between the 2 DC's root accounts (they should trust each)


Again, can you expand on that.

> each root user should be able to act (in the name of) as root on the other system, so a cron root job could start a sysvol copy/script


No, it shouldn't. The 'root' user is a local account and should only 
work on the local machine, so it should be the local 'root' that runs 
your script.

>
> If so the samba-tool should check if samba security is system integrated or sepperated
> - if seperated ask to enable root trust and then set permissions.


Nope, I am not entirely sure what you are doing, but it doesn't sound 
anywhere near correct to me.

>
> As for now i think to set the permissions using setfacl so DC1 will look as adc1 (owner and group) or am i wrong on this ?.
>
>

You need to decide which of your DC's has the correct ID's (usually the 
first DC) and copy idmap.ldb from that to any other DC's.

Rowland