[Samba] Grant computer account access to share?

Andrew Lyon andrew.lyon at gmail.com
Thu Nov 10 08:22:43 MST 2011

On Thu, Nov 10, 2011 at 2:48 PM, Chris Weiss <cweiss at gmail.com> wrote:
> On Thu, Nov 10, 2011 at 2:24 AM, Andrew Lyon <andrew.lyon at gmail.com> wrote:
>> Hi,
>> I have a Microsoft application (SCCM) which I need to grant access to
>> a samba share, however the service which reads the files can only
>> authenticate using the computer account, there is option to configure
>> it to use a domain account.
> do you mean to say that it's a windows service that's Log On tab is
> set to local system?  because "authenticate using the computer
> account" isn't a "thing".  A windows service running as local system
> does not have permissions to access network resources at all.  This is
> a windows restriction, you have to have the account log on as a local
> or domain user if you want it to be able to access the network.

Yes exactly that, in order to give the service access to windows
shares on other windows servers I can open the share properties,
select permissions, add, and add permissions for the ad computer
account, like this: http://oi44.tinypic.com/3007f36.jpg notice the
computer icon and trailing $, then a service running as local system
can then access the share, here computer management is showing the
connected machine http://oi41.tinypic.com/11wedl3.jpg, I can also run
cmd.exe as system using sysinternals psexec and access the share.

I assume that when the computer boots up it "logs on" to AD and thus
permissions can be granted directly to its AD account, its quite an
unusual thing to do and I think it is very bad design that MS provide
no way to configure a user account that the service uses to access the
share but thats just how it works.

>> Is there any way to grant a computer account access to a share? On
>> windows I can simply add computer$ to the permissions but this doesn't
>> seem to be possible.
> without reading "man smb.conf" again, there used to be an option that
> you could set allowed and denied client IP addresses, and basically
> make the share public otherwise.  I don't know if the option still
> exists in recent versions, my understanding is that it is trivially
> easy to spoof.

It doesn't really matter how I end up making this work, if I have to
run another instance of samba on a different IP and run a separate
cable/vlan then that's what i will do, at the moment I'm struggling to
find any combination of smb.conf options that allow the process to
access the share.


More information about the samba mailing list