[Samba] General advice needed, granting machine account permissions to a share?

Matt Pruett entelin at gmail.com
Tue Nov 14 22:10:14 UTC 2023


It wouldn't be a big deal to switch, there's some data but the
permissions can be redone, so I'll look into that.

On Tue, Nov 14, 2023 at 3:20 PM Rowland Penny via samba
<samba at lists.samba.org> wrote:
>
> On Tue, 14 Nov 2023 14:37:19 -0600
> Matt Pruett via samba <samba at lists.samba.org> wrote:
>
> > It does produce an id. I can try switching away from sssd as suggested
> > by Rowland. I'm interested in my last question about how valid the
> > notion of granting a domain machine account permissions to a share is?
> > Is this something that is done in some cases? Does Microsoft consider
> > it a valid use case of machine accounts? Here is my config, any
> > advice/criticism would be welcome. (though I am aware that using
> > .local is cursed, predates me, can't change it) The machine account
> > is a member of the "encoder group".
>
> Using a computer account as a user is very valid, which is easy to
> understand when you realise that a computer account is just a user
> account with an extra objectclass.
>
> >
> > [global]
> > realm = DH.LOCAL
> > workgroup = DH
> > security = ads
> > kerberos method = secrets and keytab
> > template homedir = /home/%U
> > idmap config * : backend = tdb
> > idmap config * : range = 10000-199999
>
> I take it that this smb.conf ultimately came from redhat, if so, would
> someone from redhat like to explain why the default '*' domain is set
> for 189,999 IDs, when it is only really meant for the 'Well Known SIDs'
> (there are less than 200 of those) and anything outside the 'DH' domain
> (so really 0), don't you think that 189,999 is a bit of an overkill ?
>
> > idmap config DH : backend = sss
> > idmap config DH : range = 200000-2147483647
>
> Have you got any data using those IDs? If not, I suggest you dump sssd
> and reset the ranges (I would use the rid idmap backend).
>
> > load printers = no
> > printing = bsd
> > printcap name = /dev/null
> > disable spoolss = yes
> > machine password timeout = 0
>
> With 'machine password timeout' set to '0', winbind will never change
> the machine password, as far as I understand it.
>
> >
> > log level = 2
> > disable netbios = yes
> > server min protocol = SMB2_02
> >
> > restrict anonymous = 2
> > unix extensions = no
> > dos filemode = yes
> > aio max threads = 2
> >
> > dns proxy = no
> > kernel change notify = yes
> > directory name cache size = 0
> > server multi channel support = no
> > unix charset = UTF-8
> > obey pam restrictions = False
> > rpc_daemon:mdssd = disabled
> > rpc_server:mdssvc = disabled
> >
> > server string = Encoder
> > bind interfaces only = yes
> > netbios name = encoder
> > netbios aliases =
> >
> > [pdf_fileserver]
> >     comment = PDF Encoding Output
> >     path = /srv/pdf_fileserver
> >     directory mask = 770
> >     create mask = 660
> >     kernel oplocks = no
> >     kernel share modes = no
> >     posix locking = no
> >     nfs4:chown = true
> >     ea support = false
> >     smbd max xattr size = 2097152
> >     vfs objects = streams_xattr
> >     write list = +"encoder group"@dh.local +"domain users"@dh.local
> >
>
> From that smb.conf, I personally feel that you would get better results
> from dumping sssd and re-configuring smb.conf, but that must be your
> decision.
>
> Rowland
>

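As an added, runnable illustration of the idmap discussion in the thread (not code from the thread, from Samba, or from Red Hat), the following Python parses the quoted idmap lines, flags an oversized '*' range or overlapping domain ranges, and applies the idmap_rid mapping rule from man idmap_rid (ID = RID - BASE_RID + LOW_RANGE_ID) to a sample RID. The alternative rid layout and the sample RID 1106 are assumptions, not values from the thread.

```python
import re
# Constructed sample: the idmap lines quoted from the smb.conf in the thread.
POSTED_CONF = """
idmap config * : backend = tdb
idmap config * : range = 10000-199999
idmap config DH : backend = sss
idmap config DH : range = 200000-2147483647
"""
# Assumed rid layout, as the reply suggests: a small '*' range for well-known
# SIDs only and a large, disjoint range for DH (these ranges are assumptions).
RID_CONF = """
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config DH : backend = rid
idmap config DH : range = 10000-999999
"""
IDMAP_RE = re.compile(r"idmap config\s+(\S+)\s*:\s*(backend|range)\s*=\s*(\S+)", re.I)

def parse_idmap(conf):
    """Return {domain: {"backend": str, "range": (low, high)}} from smb.conf text."""
    cfg = {}
    for dom, key, val in IDMAP_RE.findall(conf):
        entry = cfg.setdefault(dom, {})
        if key.lower() == "range":
            low, high = (int(x) for x in val.split("-"))
            entry["range"] = (low, high)
        else:
            entry["backend"] = val
    return cfg

def check_ranges(cfg, star_max=5000):
    """Warn about overlapping domain ranges and an oversized '*' range."""
    warnings = []
    doms = sorted(cfg, key=lambda d: cfg[d]["range"][0])
    for a, b in zip(doms, doms[1:]):  # adjacent ranges must not touch
        if cfg[a]["range"][1] >= cfg[b]["range"][0]:
            warnings.append(f"ranges for {a} and {b} overlap")
    if "*" in cfg:
        low, high = cfg["*"]["range"]
        if high - low + 1 > star_max:  # well-known SIDs need only a few hundred IDs
            warnings.append(f"'*' range holds {high - low + 1} IDs; {star_max} is plenty")
    return warnings

def rid_to_unix_id(rid, cfg, domain="DH", base_rid=0):
    """idmap_rid rule: ID = RID - BASE_RID + LOW_RANGE_ID; None if outside the range."""
    low, high = cfg[domain]["range"]
    unix_id = rid - base_rid + low
    return unix_id if low <= unix_id <= high else None

print(check_ranges(parse_idmap(POSTED_CONF)), rid_to_unix_id(1106, parse_idmap(RID_CONF)))
```

Run stand-alone it prints the size warning for the posted '*' range, no warning for the assumed rid layout, and uid 11106 for RID 1106 under that layout.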