[Samba] Grant computer account access to share?

Jorell JorellF at fastmail.net
Sun Nov 20 00:21:07 MST 2011


I think what Chris was trying to say:
Create a user account that has permissions to run the service (a 
shortcut to doing this would be to create a user with admin rights).
Open "Computer Management", "Services and Applications", "Services".
Open the "Properties" of the service you are trying to allow to access 
the share.
Select the "Log On" tab, then under "Log on as:" select "This account:" 
and enter the user info of the user you created.


On 11/10/2011 7:22 AM, Andrew Lyon wrote:
> On Thu, Nov 10, 2011 at 2:48 PM, Chris Weiss<cweiss at gmail.com>  wrote:
>> On Thu, Nov 10, 2011 at 2:24 AM, Andrew Lyon<andrew.lyon at gmail.com>  wrote:
>>> Hi,
>>>
>>> I have a Microsoft application (SCCM) which I need to grant access to
>>> a samba share, however the service which reads the files can only
>>> authenticate using the computer account, there is option to configure
>>> it to use a domain account.
>>
>> do you mean to say that it's a windows service whose Log On tab is
>> set to local system?  because "authenticate using the computer
>> account" isn't a "thing".  A windows service running as local system
>> does not have permissions to access network resources at all.  This is
>> a windows restriction, you have to have the account log on as a local
>> or domain user if you want it to be able to access the network.
>
> Yes exactly that, in order to give the service access to windows
> shares on other windows servers I can open the share properties,
> select permissions, add, and add permissions for the ad computer
> account, like this: http://oi44.tinypic.com/3007f36.jpg notice the
> computer icon and trailing $, then a service running as local system
> can then access the share, here computer management is showing the
> connected machine http://oi41.tinypic.com/11wedl3.jpg, I can also run
> cmd.exe as system using sysinternals psexec and access the share.
>
> I assume that when the computer boots up it "logs on" to AD and thus
> permissions can be granted directly to its AD account, it's quite an
> unusual thing to do and I think it is very bad design that MS provide
> no way to configure a user account that the service uses to access the
> share but that's just how it works.
>
>>
>>>
>>> Is there any way to grant a computer account access to a share? On
>>> windows I can simply add computer$ to the permissions but this doesn't
>>> seem to be possible.
>>
>> without reading "man smb.conf" again, there used to be an option that
>> you could set allowed and denied client IP addresses, and basically
>> make the share public otherwise.  I don't know if the option still
>> exists in recent versions, my understanding is that it is trivially
>> easy to spoof.
>>
>
> It doesn't really matter how I end up making this work, if I have to
> run another instance of samba on a different IP and run a separate
> cable/vlan then that's what I will do, at the moment I'm struggling to
> find any combination of smb.conf options that allow the process to
> access the share.
>
> Andy


