[Samba] General advice needed, granting machine account permissions to a share?

Christian Naumer christian.naumer at greyfish.net
Tue Nov 14 18:09:18 UTC 2023


Hi,
does your computer account have a uid on that member server?
Does
id COMPUTERNAME$

produce an output?

Since I also cannot get at the Red Hat info you provided, could you share your smb.conf?

Regards

Christian


On 14 November 2023 02:52:07 CET, Matt Pruett via samba <samba at lists.samba.org> wrote:
>Here's the situation:
>I used sssd-winbind to join the server to a native windows domain.
>Following these instructions:
>https://access.redhat.com/solutions/3802321
>
>This all seems to be working fine. I have various shares that various
>AD groups can access and within those shares I use "posix" acls to do
>some more fine grained permissions.
>
>However there is a 3rd party application/service running on a windows
>server that polls an smb share located on this samba server for new
>files. This service runs as the "local system" account and provides no
>means of specifying separate smb credentials. Therefore it
>authenticates as its AD computer account. I have created an AD
>security group which contains both this machine account, and some
>other needed user accounts, and assigned this group as the unix group
>for that folder structure.
>
>For the users that are a member of this group, it's working fine.
>However for this computer account it doesn't seem to work
>consistently. In the logs I get a "Could not convert SID S-0-0, error
>is NT_STATUS_NONE_MAPPED" .
>
>So my question is firstly, is assigning computer accounts permissions
>to shares a valid approach to this kind of thing? Are there any
>significant security repercussions for using a computer account in
>this way?
>
>Secondly, is this chain of configuration something that can work with
>"posix" acls? Or should I toss that out and use:
>
>vfs objects = acl_xattr
>map acl inherit = yes
>acl_xattr:ignore system acls = yes
>
>Thanks.
>
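
Added example, not part of the thread or of Samba: a script for the check the reply asks for, which tests whether the machine account resolves to a uid on the member server and whether that identity carries the group assigned to the share path. The names APPSRV01$ and share-pollers in the comments are placeholders.

```shell
#!/bin/sh
# check_machine_account ACCOUNT GROUP
#   ACCOUNT: AD computer account with the trailing '$' (placeholder: 'APPSRV01$')
#   GROUP:   Unix-visible name of the AD security group set on the share path
# Return codes: 0 = mapped and in group, 1 = account has no uid mapping,
#               2 = group does not resolve, 3 = mapped but not in the group.
check_machine_account() {
    account=$1
    group=$2

    # Passing the name in a quoted variable keeps the trailing '$' literal.
    uid=$(id -u "$account" 2>/dev/null) || return 1

    # getent group prints name:passwd:gid:members; field 3 is the gid.
    gid=$(getent group "$group" 2>/dev/null | cut -d: -f3)
    [ -n "$gid" ] || return 2

    # Compare numeric gids. AD group names may contain spaces, so the
    # name list printed by `id -Gn` cannot be split reliably.
    for g in $(id -G "$account" 2>/dev/null); do
        [ "$g" = "$gid" ] && return 0
    done
    return 3
}

# Runs only when called with two arguments, for example:
#   ./check.sh 'APPSRV01$' share-pollers
if [ "$#" -eq 2 ]; then
    rc=0
    check_machine_account "$1" "$2" || rc=$?
    case $rc in
        0) echo "OK: $1 maps to uid $uid and is a member of $2" ;;
        1) echo "FAIL: 'id $1' gives no output, the machine account has no uid mapping" ;;
        2) echo "FAIL: group $2 does not resolve via getent" ;;
        3) echo "FAIL: $1 maps to uid $uid but $2 is not in its group list" ;;
    esac
    exit "$rc"
fi
```

Return code 1 corresponds to `id COMPUTERNAME$` producing no output; return code 3 means the account is mapped but the member server does not see the group membership for it.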

