how to access a domain share as a "machine" account?
Tomasz Chmielewski
mangoo at mch.one.pl
Sun Jun 19 18:53:20 GMT 2005
Kenneth MacDonald wrote:
> >>>>> "Tomasz" == Tomasz Chmielewski <mangoo at mch.one.pl> writes:
>
> Tomasz> I'm working on a tool for Samba called WPKG, which allows
> Tomasz> to do things like software
> Tomasz> installation/deployment/deinstallation, running scripts
> Tomasz> (once or many times) when a workstation boots up, etc. I
> Tomasz> believe software installation on many workstations is one
> Tomasz> reason why Active Directory is sometimes chosen over Samba
> Tomasz> - WPKG can install every piece of software that has a
> Tomasz> silent installer (AD can only install MSI)
>
> Oh, give me a URL!
Sorry, here it is: http://wpkg.org
(...)
> Tomasz> \\server\path\to\wpkg.js /synchronize
>
> How do you make it run as Local Administrator at startup?
Either starting it as a service using srvany, or using a Task Scheduler
(schtasks.exe).
(...)
> Tomasz> In this case one could run WPKG as a domain Administrator
> Tomasz> and access \\server\path\to\ easily. But I have some
> Tomasz> security concerns - namely the domain Administrator
> Tomasz> password has to be on each workstation. So if one
> Tomasz> workstation in the domain is compromised, we may assume
> Tomasz> that the whole domain is compromised - I know that this
> Tomasz> password is well hidden and "hashed", but for a patient
> Tomasz> cracker it should be no problem to actually get this
> Tomasz> domain admin password.
>
> Eek!
eek-a-mouse or just eek? :)
> Tomasz> So I came to the conclusion, that WPKG should be run like
> Tomasz> that:
>
> Tomasz> 1) it should access \\server\path\ with the credentials of
> Tomasz> the machine account (each machine is technically a user
> Tomasz> with username/password, right? so why not use it for
> Tomasz> accessing "domain shares"?)
>
> Tomasz> 2) it should run with either SYSTEM user account (or
> Tomasz> something similar with appropriate rights to install
> Tomasz> software etc.)
>
> Tomasz> 3) no domain user/password, except for machine account
> Tomasz> credentials, should be kept on workstations in the domain.
>
>
> Tomasz> The problem is that there is no account that can access
> Tomasz> domain shares *and* which has administrative rights
> Tomasz> (software installing etc.). - in other words, I've no idea
> Tomasz> how to do the above mentioned 1), 2) and 3) together.
>
> The system account uses the Local Administrator SID (I think) when
> running locally and the computer account's SID when accessing the
> network.
Samba says "INVALID PASSWORD" or something like that - I guess it
expects a Domain Administrator, but the share is accessed as a Local
Administrator - but the username is "Administrator" in both cases.
So maybe it's just a matter of setting a [softwareshare] correctly?
But I've no idea how, and tried so many times.
> We use Group Policies in Active Directory and they run as the SYSTEM
> account.
When I run a task as a SYSTEM account (either from a Task Scheduler or
from srvany) it seems to access the share with the credentials of the
Local Administrator.
> The one thing that's tripped us up in the past is that the
> workstation account only uses kerberos to authenticate to network
> shares (at least for our XP Professional clients). Correct SPNs are
> required on the servers' computer accounts.
I'm not very familiar, but it smells like Kerberos a bit?
> Tomasz> Do you have any ideas how can I solve this problem?
>
> Could it be the kerberos issue?
No, I'm not running any Kerberos, and don't want to (as WPKG is meant to
be run not just by very advanced users).
--
Tomek
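Added editorial example, not part of the thread above and not WPKG's or Samba's own configuration: a smb.conf share definition of the kind the "setting a [softwareshare] correctly" question is about. It assumes a Samba 3 NT4-style domain in which each workstation's machine account (e.g. WS01$) is backed by a Unix user that has been placed in a Unix group named wpkgclients, and that package maintainers are in a Unix group named wpkgadmins; the share name, path and group names are assumptions. The weak form is shown commented out beside the corrected one: the corrected share lets machine accounts read the package tree without any domain user password being stored on workstations, and confines writes to the maintainers' group.

```ini
# Added example (not from the thread): a least-privilege share for a
# WPKG-style software repository on a Samba 3 domain controller/member.
# Assumed: machine accounts (HOST$) are Unix users in group "wpkgclients",
# package maintainers are Unix users in group "wpkgadmins".

# Weak form (commented out): guest access, writable by anyone who connects.
# A workstation task that must write here, or a share that only admits
# Domain Administrator, both push privileged credentials onto every client.
;[softwareshare]
;   path = /srv/wpkg
;   guest ok = yes
;   read only = no

# Corrected form: workstations authenticate as their own machine account
# (DOMAIN\WS01$) and get read-only access; only maintainers may write.
[softwareshare]
   comment = WPKG package repository (read-only for machine accounts)
   path = /srv/wpkg
   browseable = no
   guest ok = no
   read only = yes
   valid users = @wpkgclients, @wpkgadmins
   write list = @wpkgadmins
   create mask = 0644
   directory mask = 0755
```

After editing smb.conf, run testparm to check the syntax, then let a workstation task running as SYSTEM connect and confirm in log.smbd which account the connection was authenticated as; if the log shows "Administrator" rather than the machine account, the task is not running in the SYSTEM context and the share configuration is not the problem.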