[Samba] sysvol access permission problems.

Rowland penny rpenny at samba.org
Thu Mar 11 13:58:25 UTC 2021

On 11/03/2021 13:18, Peter Boos wrote:
> hi Rowland
> In our environment Debian security is separated from AD

Care to expand on that ?

> (root doesn't exist in AD and domain administrators can do nothing on Debian either)

Yes, root doesn't exist in AD (and shouldn't), but Administrator should 
be mapped to the root id '0'

> It seems to me that the getfacl id 3000000 might be the result of some default number in the samba-tool domain join command?

In a way, yes. By default, a Samba AD DC uses id numbers in the 
'3000000' range, these are stored in idmap.ldb. You can override these 
numbers by adding uidNumber & gidNumber attributes to users & groups in AD.

> I wonder whether the join command should instead copy the file permissions as they are on the first server


> In our AD (to my knowledge) there is no id of 3000000, thus assuming it's a result from the joining script? (samba-tool domain join .... ?? )
> now since we also created a cert-trust between the two DCs' root accounts (they should trust each other)

Again, can you expand on that.

> each root user should be able to act (in the name of) as root on the other system, so a cron root job could start a sysvol copy/script

No, it shouldn't. The 'root' user is a local account and should only 
work on the local machine, so it should be the local 'root' that runs 
your script.

> If so, the samba-tool should check if samba security is system integrated or separated
> - if separated, ask to enable root trust and then set permissions.

Nope, I am not entirely sure what you are doing, but it doesn't sound 
anywhere near correct to me.

> As for now I think to set the permissions using setfacl so DC1 will look like adc1 (owner and group), or am I wrong on this?

You need to decide which of your DCs has the correct IDs (usually the 
first DC) and copy idmap.ldb from that to any other DCs.
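The following script is an added example for this thread; it is not code from the list, from either poster, or from the Samba project. It does two things the exchange above talks about: it audits a sysvol tree for ACL entries still carrying ids from the Samba AD DC default idmap.ldb range (3000000 and up, i.e. ids allocated locally on that DC rather than set as uidNumber/gidNumber in AD), and it shows the copy-idmap.ldb-from-the-first-DC procedure as a function to run on the other DCs. Assumptions, not taken from the page: Debian package paths (/var/lib/samba/private/idmap.ldb and /var/lib/samba/sysvol), the samba-ad-dc systemd unit, and ssh/scp access to the first DC as its local root. The audit uses `getfacl -n` so that ids winbind cannot map to a name are shown numerically instead of being hidden behind a failed lookup.

```shell
#!/bin/sh
# Added example (not from the samba list thread or the Samba project):
# find sysvol ACL entries whose ids come from the default Samba AD DC xid
# range, and sync idmap.ldb from the DC that holds the correct ids.
# Assumed paths and unit name (Debian packaging): adjust to your install.

SAMBA_XID_MIN=3000000                                   # lower bound of the default xid range
SYSVOL=${SYSVOL:-/var/lib/samba/sysvol}                 # assumed sysvol location
IDMAP=${IDMAP:-/var/lib/samba/private/idmap.ldb}        # assumed idmap.ldb location

# find_default_xids: read `getfacl -n` output on stdin and print
# "<kind> <id>" for every owner, group or named entry (default: entries
# included) whose numeric id lies in the default xid range.
# Returns 0 when nothing was found (tree is clean), 1 otherwise.
find_default_xids() {
    awk -v min="$SAMBA_XID_MIN" '
        function report(kind, id) {
            if (id ~ /^[0-9]+$/ && id + 0 >= min) { print kind, id; found = 1 }
        }
        /^# owner: / { report("owner", $3) }
        /^# group: / { report("group", $3) }
        /^(default:)?(user|group):[^:]+:/ {
            n = split($0, f, ":")
            if (f[1] == "default") report(f[2], f[3]); else report(f[1], f[2])
        }
        END { exit (found ? 1 : 0) }
    '
}

# audit_sysvol: walk the whole sysvol tree with numeric ids (-n) and
# absolute paths (-p) and hand the output to find_default_xids.
audit_sysvol() {
    getfacl -R -n -p "$SYSVOL" 2>/dev/null | find_default_xids
}

# sync_idmap_from_first_dc FIRST_DC: make this DC use the same xid
# allocations as the DC that holds the correct ids, then rebuild the
# sysvol ACLs from the now consistent mapping. Run on the *other* DCs,
# as the local root, never as a root account trusted from another host.
sync_idmap_from_first_dc() {
    first_dc=$1
    [ -n "$first_dc" ] || { echo "usage: sync_idmap_from_first_dc <first-dc>" >&2; return 2; }
    systemctl stop samba-ad-dc
    cp -p "$IDMAP" "$IDMAP.bak.$(date +%Y%m%d%H%M%S)"   # keep the old mapping for rollback
    scp -p "root@$first_dc:$IDMAP" "$IDMAP"
    net cache flush                                     # drop cached id <-> SID lookups
    systemctl start samba-ad-dc
    samba-tool ntacl sysvolreset                        # re-apply sysvol ACLs with the new ids
    audit_sysvol && echo "sysvol: no ids left in the $SAMBA_XID_MIN range"
}
```

Run `audit_sysvol` on each DC first: if only one DC reports ids in the 3000000 range for entries that carry real uidNumber/gidNumber values on the other, that DC is the one whose idmap.ldb needs replacing. Check the audit again after `sync_idmap_from_first_dc` before re-enabling any sysvol copy job.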
