how to access a domain share as a "machine" account?

Tomasz Chmielewski mangoo at
Sun Jun 19 18:53:20 GMT 2005

Kenneth MacDonald schrieb:
>>>>>>"Tomasz" == Tomasz Chmielewski <mangoo at> writes:
>     Tomasz> I'm working on a tool for Samba called WPKG, which allows
>     Tomasz> to do things like software
>     Tomasz> installation/deployment/deinstallation, running scripts
>     Tomasz> (once or many times) when a workstation boots up, etc.  I
>     Tomasz> believe software installation on many workstations is one
>     Tomasz> reason why Active Directory is sometimes chosen over Samba
>     Tomasz> - WPKG can install every piece of software that has a
>     Tomasz> silent installer (AD can only install MSI)
> Oh, give me a URL!

Sorry, here it is:


>     Tomasz> \\server\path\to\wpkg.js /synchronize
> How do you make it run as Local Administrator at startup?

Either starting it as a service using srvany, or using a Task Scheduler 


>     Tomasz> In this case one could run WPKG as a domain Administrator
>     Tomasz> and access \\server\path\to\ easily.  But I have some
>     Tomasz> security concerns - namely the domain Administrator
>     Tomasz> password has to be on each workstation.  So if one
>     Tomasz> workstation in the domain is compromised, we may assume
>     Tomasz> that the whole domain is compromised - I know that this
>     Tomasz> password is well hidden and "hashed", but for a patient
>     Tomasz> cracker it should be no problem to actually get this
>     Tomasz> domain admin password.
> Eek!

eek-a-mouse or just eek? :)

>     Tomasz> So I came to the conclusion, that WPKG should be run like
>     Tomasz> that:
>     Tomasz> 1) it should access \\server\path\ with the credentials of
>     Tomasz> the machine account (each machine is technically a user
>     Tomasz> with username/password, right? so why not use it for
>     Tomasz> accessing "domain shares"?)
>     Tomasz> 2) it should run with either SYSTEM user account (or
>     Tomasz> something similar with appropriate rights to install
>     Tomasz> software etc.)
>     Tomasz> 3) no domain user/password, except for machine account
>     Tomasz> credentials, should be kept on workstations in the domain.
>     Tomasz> The problem is that there is no account that can access
>     Tomasz> domain shares *and* which has administrative rights
>     Tomasz> (software installing etc.). - in other words, I've no idea
>     Tomasz> how to do the above mentioned 1), 2) and 3) together.
> The system account uses the Local Administrator SID (I think) when
> running locally and the computer account's SID when accessing the
> network.

Samba says "INVALID PASSWORD" or something like that - I guess it 
expects a Domain Administrator, but the share is accessed as a Local 
Administrator - but the username is "Administrator" in both cases.

So maybe it's just the matter of setting a [softwareshare] correctly?
But I've no idea how, and tried so many times.

> We use Group Policies in Active Directory and they run as the SYSTEM
> account. 

When I run a task as a SYSTEM account (either from a Task Scheduler or 
from srvany) it seem to access the share with the credentials of the 
Local Administrator.

> The one thing that's tripped us up in the past is that the
> workstation account only uses kerberos to authenticate to network
> shares (at least for our XP Professional clients).  Correct SPNs are
> required on the servers' computer accounts.

I'm not very familiar, but it's smells like Kerberos a bit?

>     Tomasz> Do you have any ideas how can I solve this problem?
> Could it be the kerberos issue?

No, I'm not running any Kerberos, and don't want to (as WPKG is meant to 
be run not by just very advanced users).


More information about the samba-technical mailing list