how to access a domain share as a "machine" account?

Tomasz Chmielewski mangoo at mch.one.pl
Sun Jun 19 18:53:20 GMT 2005


Kenneth MacDonald schrieb:
>>>>>>"Tomasz" == Tomasz Chmielewski <mangoo at mch.one.pl> writes:
> 
>     Tomasz> I'm working on a tool for Samba called WPKG, which allows
>     Tomasz> to do things like software
>     Tomasz> installation/deployment/deinstallation, running scripts
>     Tomasz> (once or many times) when a workstation boots up, etc.  I
>     Tomasz> believe software installation on many workstations is one
>     Tomasz> reason why Active Directory is sometimes chosen over Samba
>     Tomasz> - WPKG can install every piece of software that has a
>     Tomasz> silent installer (AD can only install MSI)
> 
> Oh, give me a URL!

Sorry, here it is: http://wpkg.org


(...)

>     Tomasz> \\server\path\to\wpkg.js /synchronize
> 
> How do you make it run as Local Administrator at startup?

Either starting it as a service using srvany, or using a Task Scheduler 
(schtasks.exe).


(...)


>     Tomasz> In this case one could run WPKG as a domain Administrator
>     Tomasz> and access \\server\path\to\ easily.  But I have some
>     Tomasz> security concerns - namely the domain Administrator
>     Tomasz> password has to be on each workstation.  So if one
>     Tomasz> workstation in the domain is compromised, we may assume
>     Tomasz> that the whole domain is compromised - I know that this
>     Tomasz> password is well hidden and "hashed", but for a patient
>     Tomasz> cracker it should be no problem to actually get this
>     Tomasz> domain admin password.
> 
> Eek!

eek-a-mouse or just eek? :)


>     Tomasz> So I came to the conclusion, that WPKG should be run like
>     Tomasz> that:
> 
>     Tomasz> 1) it should access \\server\path\ with the credentials of
>     Tomasz> the machine account (each machine is technically a user
>     Tomasz> with username/password, right? so why not use it for
>     Tomasz> accessing "domain shares"?)
> 
>     Tomasz> 2) it should run with either SYSTEM user account (or
>     Tomasz> something similar with appropriate rights to install
>     Tomasz> software etc.)
> 
>     Tomasz> 3) no domain user/password, except for machine account
>     Tomasz> credentials, should be kept on workstations in the domain.
> 
> 
>     Tomasz> The problem is that there is no account that can access
>     Tomasz> domain shares *and* which has administrative rights
>     Tomasz> (software installing etc.). - in other words, I've no idea
>     Tomasz> how to do the above mentioned 1), 2) and 3) together.
> 
> The system account uses the Local Administrator SID (I think) when
> running locally and the computer account's SID when accessing the
> network.

Samba says "INVALID PASSWORD" or something like that - I guess it 
expects a Domain Administrator, but the share is accessed as a Local 
Administrator - but the username is "Administrator" in both cases.

So maybe it's just a matter of setting up a [softwareshare] correctly?
But I've no idea how, and I've tried so many times.


> We use Group Policies in Active Directory and they run as the SYSTEM
> account. 

When I run a task as the SYSTEM account (either from the Task Scheduler or 
from srvany) it seems to access the share with the credentials of the 
Local Administrator.


> The one thing that's tripped us up in the past is that the
> workstation account only uses kerberos to authenticate to network
> shares (at least for our XP Professional clients).  Correct SPNs are
> required on the servers' computer accounts.

I'm not very familiar with it, but it smells like Kerberos a bit?


>     Tomasz> Do you have any ideas how can I solve this problem?
> 
> Could it be the kerberos issue?

No, I'm not running any Kerberos, and don't want to (as WPKG is meant to 
be run not just by very advanced users).


-- 
Tomek
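An added check that is not part of the original post or of WPKG: the thread turns on which account the Samba server actually sees when the SYSTEM task opens the share (the machine account HOST$, or "Administrator" failing with a wrong password). This script parses the auth lines Samba 3.x writes at "log level = 3" and reports, per attempt, the claimed account, whether it is a machine account, and whether authentication succeeded. The exact log wording and the sample lines are assumptions constructed for the example.

```python
import re

# Samba 3.x auth messages as written at "log level = 3" (assumed wording;
# adjust the pattern to the version in use).
AUTH_RE = re.compile(
    r"check_ntlm_password:\s+[Aa]uthentication for user \[(?P<client>[^\]]*)\]"
    r" -> \[(?P<mapped>[^\]]*)\](?: -> \[(?P<unix>[^\]]*)\])?"
    r" (?P<result>succeeded|FAILED(?: with error (?P<err>\S+))?)"
)


def classify(user):
    """Machine accounts end in '$'; 'Administrator' is the case the thread worries about."""
    if user.endswith("$"):
        return "machine-account"
    if user.lower() == "administrator":
        return "administrator"
    return "user"


def audit(lines):
    """One dict per auth attempt: claimed account, its kind, and whether Samba accepted it."""
    events = []
    for line in lines:
        m = AUTH_RE.search(line)
        if not m:
            continue
        events.append({
            "client": m.group("client"),
            "kind": classify(m.group("client")),
            "ok": m.group("result") == "succeeded",
            "error": m.group("err"),
        })
    return events


# Constructed sample log lines (not taken from a real server).
SAMPLE = [
    "[2005/06/19 18:53:20, 3] auth/auth.c:check_ntlm_password(219)",
    "  check_ntlm_password:  Authentication for user [Administrator] -> [Administrator] FAILED with error NT_STATUS_WRONG_PASSWORD",
    "  check_ntlm_password:  authentication for user [WS01$] -> [WS01$] -> [ws01$] succeeded",
]

if __name__ == "__main__":
    for event in audit(SAMPLE):
        print(event)
```

A workstation that really authenticates as its machine account shows up as "machine-account"; a SYSTEM task that presents "Administrator" and fails with NT_STATUS_WRONG_PASSWORD is the symptom described in the reply above.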


