[Samba] General advice needed, granting machine account permissions to a share?

Matt Pruett entelin at gmail.com
Tue Nov 14 01:52:07 UTC 2023


Here's the situation:
I used sssd-winbind to join the server to a native Windows domain.
Following these instructions:
https://access.redhat.com/solutions/3802321

This all seems to be working fine. I have various shares that various
AD groups can access, and within those shares I use "POSIX" ACLs to do
some more fine-grained permissions.

However, there is a 3rd-party application/service running on a Windows
server that polls an SMB share located on this Samba server for new
files. This service runs as the "Local System" account and provides no
means of specifying separate SMB credentials. Therefore it
authenticates as its AD computer account. I have created an AD
security group which contains both this machine account and some
other needed user accounts, and assigned this group as the Unix group
for that folder structure.

For the users that are members of this group, it's working fine.
However, for this computer account it doesn't seem to work
consistently. In the logs I get a "Could not convert SID S-0-0, error
is NT_STATUS_NONE_MAPPED".

So my question is firstly, is assigning computer accounts permissions
to shares a valid approach to this kind of thing? Are there any
significant security repercussions for using a computer account in
this way?

Secondly, is this chain of configuration something that can work with
"POSIX" ACLs? Or should I toss that out and use:

vfs objects = acl_xattr
map acl inherit = yes
acl_xattr:ignore system acls = yes

Thanks.
