[Samba] how can a SYSTEM user access domain shares?

Tomasz Chmielewski mangoo at mch.one.pl
Fri Jun 17 09:15:32 GMT 2005


Michael Trimarchi wrote:
> Tomasz Chmielewski wrote:
> 
>> I have a Samba3 domain and workstations that are joined to this domain.
>>
>> On each workstation boot, I would like to run a script on these 
>> workstations, that would do something useful (install software etc.).
>>
>> For security reasons, I wouldn't like to run it as a Domain 
>> Administrator (the password would be stored on a workstation, which 
>> could be potentially cracked).
>> So I have to run it as a SYSTEM user - but I am not able to access 
>> Samba domain shares as a non-domain user without providing a password.
>>
>> Can anyone help me with that? Perhaps using "machine account" 
>> credentials could help (but how to use it?)?
>>
> Hi,
> i think that you can use the netlogon script

No, you didn't understand the problem (or I described it in a confusing 
way).

Netlogon scripts are executed with the permissions of the user that just logged on.

So if "Joe" logs on, this script will be executed as "Joe", and hence no 
software installation, as "Joe" is not privileged enough (he's not a 
domain administrator, for obvious reasons).


So, I start a script when the machine starts:

\\server\softwareshare\script.bat


and it is executed as a Windows SYSTEM user (full privileges on that 
machine).

The problem is that the Windows SYSTEM user is by definition not a 
domain user, so that user can't access \\server\softwareshare (which 
shouldn't be available to "normal" domain users like "Joe").

In other words, I have a problem creating a [softwareshare] in smb.conf 
in a Samba3 domain, which will:

- disallow normal user ("Joe") access
- allow domain Administrator access (this is easy)
- allow Windows SYSTEM user access (I can't set it, as this user is not 
a domain member and shows up as Administrator with an invalid password in 
the Samba logs).


This setup will allow a Domain Administrator access only, so it doesn't 
serve my purpose (??????? added on purpose by me):


[softwareshare]
   comment = Installation Sources
   path = /home/unattended
   read only = yes
   browseable = no
   valid users = Administrator, ???????

-- 
Tomek


