On Fri, 9 Feb 2024 10:22:59 +0300
Michael Tokarev via samba <samba at lists.samba.org> wrote:
> Hi!
>
> I wonder, is there a way to perform sysvol replication as a non-root
> user? When doing automatic replication, such as using rsync over ssh
> from cron, one has to put the root ssh key for the remote, which
> does not look nice. I would be much more comfortable if the whole
> thing was owned by a dedicated user (with ACLs stored in file
> attributes), but this way, sysvolcheck et al will surely complain very
> very loudly (while technically everything should work fine).
>
> Or is any attempt to do that "more securely", without root access,
> futile anyway, since pam_winbind/nss_winbind can return root user?
>
> Thanks,
>
> /mjt
>
I think it may be possible to sync using another user. If you look at
the permissions set on sysvol, you should find something like this:

drwxrwx---+ 3 root BUILTIN\administrators 4096 Aug 30 11:46 /var/lib/samba/sysvol

Yes, the owner is 'root', but the group is 'Administrators' and they
have the same permissions as 'root'. From this, I think you could use a
member of Domain Admins (which is a member of Administrators) instead
of 'root'.
Rowland