[Samba] how can a SYSTEM user access domain shares?
Tomasz Chmielewski
mangoo at mch.one.pl
Fri Jun 17 09:15:32 GMT 2005
Michael Trimarchi wrote:
> Tomasz Chmielewski wrote:
>
>> I have a Samba3 domain and workstations that are joined to this domain.
>>
>> On each workstation boot, I would like to run a script on these
>> workstations, that would do something useful (install software etc.).
>>
>> For security reasons, I wouldn't like to run it as a Domain
>> Administrator (the password would be stored on a workstation, which
>> could be potentially cracked).
>> So I have to run it as a SYSTEM user - but I am not able to access
>> Samba domain shares as a non-domain user without providing a password.
>>
>> Can anyone help me with that? Perhaps using "machine account"
>> credentials could help (but how to use it?)?
>>
>>
>>
> Hi,
> I think that you can use the netlogon script
No, you didn't understand the problem (or I described it in a confusing
way).

Netlogon scripts are executed with the permissions of a user who just logs on.
So if "Joe" logs on, this script will be executed as "Joe", and hence, no
software installation, as "Joe" is not privileged enough (he's not a
domain administrator for obvious reasons).

So, I start a script when the machine starts:

\\server\softwareshare\script.bat

and it is executed as a Windows SYSTEM user (full privileges on that
machine).

The problem is that the Windows SYSTEM user is by definition not a
domain user, so that user can't access \\server\softwareshare (which
shouldn't be available for "normal" domain users like "Joe").

In other words, I have a problem creating a [softwareshare] in smb.conf
in a Samba3 domain, which will:

- disallow normal user ("Joe") access
- allow domain Administrator access (it is easy)
- allow Windows SYSTEM user access (I can't set it, as this user is not
  a domain member and shows up as Administrator with invalid password in
  Samba logs).

This setup will allow a Domain Administrator access only, so it doesn't
serve my purpose (??????? added on purpose by me):
[softwareshare]
    comment = Installation Sources
    path = /home/unattended
    read only = yes
    browseable = no
    valid users = Administrator, ???????
--
Tomek