On 11/03/2021 13:18, Peter Boos wrote:
> hi Rowland
>
> In our environment Debian security is separated from AD
Care to expand on that?
> (root doesn't exist in AD and domain administrators can do nothing on
> Debian either)
Yes, root doesn't exist in AD (and shouldn't), but Administrator should
be mapped to the root id '0'
>
> It seems to me that the getfacl id 3000000 might be the result of some
> default number in the samba-tool domain join command?
In a way, yes. By default, a Samba AD DC uses id numbers in the
'3000000' range, these are stored in idmap.ldb. You can override these
numbers by adding uidNumber & gidNumber attributes to users & groups in
AD.
> I wonder whether the join command should instead copy the file permissions
> as they are on the first server
No
> In our AD (to my knowledge) there is no id of 3000000, thus assuming it's a
> result from the joining script? (samba-tool domain join .... ?? )
> now since we also created a cert-trust between the 2 DC's root accounts
> (they should trust each)
Again, can you expand on that.
> each root user should be able to act (in the name of) as root on the other
> system, so a cron root job could start a sysvol copy/script
No, it shouldn't. The 'root' user is a local account and should only
work on the local machine, so it should be the local 'root' that runs
your script.
>
> If so the samba-tool should check if samba security is system integrated or
> separated
> - if separated ask to enable root trust and then set permissions.
Nope, I am not entirely sure what you are doing, but it doesn't sound
anywhere near correct to me.
>
> As for now I think to set the permissions using setfacl so DC1 will look as
> adc1 (owner and group) or am I wrong on this?
>
>
You need to decide which of your DCs has the correct IDs (usually the
first DC) and copy idmap.ldb from that to any other DCs.
Rowland
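A check for the symptom discussed in this thread, added here as an example and not code from the list posters or from Samba itself: it lists the numeric ids referenced in a getfacl dump of sysvol that have no xidNumber entry in the local idmap.ldb, which is what a DC shows after a join when its idmap.ldb does not match the first DC's. Both inputs below are constructed samples in the shape of `getfacl` and `ldbsearch` output; on a real DC you would feed it `getfacl -R /var/lib/samba/sysvol` and `ldbsearch -H /var/lib/samba/private/idmap.ldb` (paths assumed for a default install).

```shell
#!/bin/sh
# Constructed idmap.ldb dump: RID 512 (Domain Admins) mapped to the
# default 3000000 range, RID 500 (Administrator) mapped to uid 0 (root).
IDMAP_DUMP='dn: CN=S-1-5-21-111-222-333-512
objectSid: S-1-5-21-111-222-333-512
xidNumber: 3000000
type: ID_TYPE_BOTH

dn: CN=S-1-5-21-111-222-333-500
objectSid: S-1-5-21-111-222-333-500
xidNumber: 0
type: ID_TYPE_UID
'

# Constructed getfacl output as copied from another DC: two ids that the
# idmap dump above does not know about.
ACL_DUMP='# file: sysvol
# owner: 3000000
# group: 3000000
user::rwx
user:3000001:rwx
group::rwx
group:3000002:r-x
other::---
'

# Print every numeric id referenced by a getfacl dump, one per line, sorted.
acl_ids() {
  printf '%s\n' "$1" | awk '
    /^# (owner|group): [0-9]+$/ { print $3; next }
    /^(user|group):[0-9]+:/    { split($0, f, ":"); print f[2] }' | sort -u
}

# Print ids from the ACL dump ($1) that have no xidNumber in the idmap dump ($2).
# An empty result means every id in the ACLs resolves on this DC.
unmapped_ids() {
  mapped=$(printf '%s\n' "$2" | awk '/^xidNumber: / { print $2 }' | sort -u)
  for id in $(acl_ids "$1"); do
    printf '%s\n' "$mapped" | grep -qx "$id" || echo "$id"
  done
}

unmapped_ids "$ACL_DUMP" "$IDMAP_DUMP"
```

Any id it prints is one that this DC's idmap.ldb cannot resolve, which is the cue to replace idmap.ldb with the first DC's copy rather than patch the ACLs by hand.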