Handling smb requests from Client Machine Identity

Matt Ficken (Insight Global) v-mafick at microsoft.com
Wed Dec 1 18:07:14 MST 2010


Are you talking about a Machine account (the account the Windows client is (trying to) use) where the DC is Samba?

Are you using samba3 (or samba 4)?

-----Original Message-----
From: samba-technical-bounces at lists.samba.org [mailto:samba-technical-bounces at lists.samba.org] On Behalf Of Nagaraj Shyam
Sent: Wednesday, December 01, 2010 4:06 PM
To: samba-technical at lists.samba.org
Subject: Handling smb requests from Client Machine Identity

Hi,

Is there a recommended setup with samba to handle smb requests from
windows client machines, where the principal in the Kerberos ticket is
the windows client machine name?  winbindd in this case will not be able
to map the "user" because it will not be able to find the client machine
name in the "users and groups" container within AD server.  Samba will
deny access to the windows client in this case.

The above is sometimes seen when a logged in user on windows client
browses into the samba server using windows explorer by typing:

\\SambaServerIPAddress

in the Address part of the windows explorer on the client machine.

Unfortunately, I didn't save the samba logs giving more details about
the sequence of smb requests, will do so next time I see this issue, if
that helps.

To work around this issue, would creating an account in the "User"
container with the windows client machine name make sense?  Are there
security holes with this approach?

Thanks for any replies/suggestions.

-s



