how to access a domain share as a "machine" account?

Tomasz Chmielewski mangoo at mch.one.pl
Wed Jun 15 21:50:36 GMT 2005


This post is somewhat long, but as the subject is probably important
for Samba, if you have some Samba / Windows expertise, please read it.


I'm working on a tool for Samba called WPKG, which allows you to do things
like software installation/deployment/deinstallation, running scripts
(once or many times) when a workstation boots up, etc.
I believe software installation on many workstations is one reason why
Active Directory is sometimes chosen over Samba - WPKG can install every
piece of software that has a silent installer (AD can only install MSI).

You may have heard about it before; lately it has been greatly enhanced
from the state it was a year ago.


To run a WPKG process ("software synchronization", if needed, new
packages configured on a Samba controller) it's best when Administrator
runs it when the workstation boots up:

\\server\path\to\wpkg.js /synchronize

It's relatively easy to do so when every computer in the network can
access \\server\path\to\ share as a guest, just run WPKG as a SYSTEM
user, and it will work - but it is often not the case in a domain, where
to access shares you have to specify credentials.


In this case one could run WPKG as a domain Administrator and access
\\server\path\to\ easily.
But I have some security concerns - namely the domain Administrator
password has to be on each workstation.
So if one workstation in the domain is compromised, we may assume that
the whole domain is compromised - I know that this password is well
hidden and "hashed", but for a patient cracker it should be no problem
to actually get this domain admin password.


So I came to the conclusion that WPKG should be run like this:

1) it should access \\server\path\ with the credentials of the machine
account (each machine is technically a user with username/password,
right? so why not use it for accessing "domain shares"?)

2) it should run with either the SYSTEM user account or something similar
with appropriate rights to install software etc.

3) no domain user/password, except for machine account credentials,
should be kept on workstations in the domain.


The problem is that there is no account that can access domain shares
*and* which has administrative rights (software installing etc.) - in
other words, I have no idea how to do the above-mentioned 1), 2) and 3)
together.


Do you have any ideas how I can solve this problem?


-- 
Tomek


