[Samba] Samba-wiki info about profiles and SYSTEM account.

L.P.H. van Belle belle at bazuin.nl
Wed May 3 10:22:04 UTC 2017


I just saw the new site for the profiles :-) I didn't notice that.
Looks nice.

Now I saw the link to:
This is very, very disturbing....

Especially these lines: 
"The SYSTEM account is never sent to a remote host to authenticate and for this reason never used to access a remote file system"

"For this reasons, you can omit the SYSTEM account in file system ACLs on Samba shares." 
Now this is not OK, I believe.

And the funny part: the first reference link.
Which states:

> On the other hand, the system account does show up on an NTFS volume in File Manager in the Permissions portion of the Security menu.
> By default, the system account is granted full control to all files on an NTFS volume.
And...
> The system account's permissions can be removed from a file but it is not recommended.

The last line on the wiki.
>  For this reasons, you can omit the SYSTEM account in file system ACLs on Samba shares.  

Now, this is where it goes wrong if you remove SYSTEM from the Samba shares...

Example 1: 
Try to do the following. 
Add the Administrators security group to roaming user profiles in Computer Configuration \ Administrative Templates \ System \ User Profiles

This happens:
> When a new roaming profile directory is created, Windows disables permission inheritance and grants SYSTEM and the profile's user account full control.
.... Grants whom? Yes, SYSTEM!

Example 2:
If you see something like:
> The Application Event Viewer indicates errors that the MSI package installation failed with an error 'Package source not located'.

1) On the target computer, log in as an administrator.
2) Schedule an AT job for 1 minute ahead of the current time to launch a command prompt as NT Authority\System:
   a. C:\> at 1:00pm /interactive cmd.exe
3) After the command prompt window appears, you will have NT Authority\System access.
4) Attempt to list the contents of the share using the UNC path:
   a. C:\> dir \\server\share   (you should receive a directory listing of the files on the share)

Remove SYSTEM and this won't work.

Example 3:
A program that runs as NT Authority\System, but the software is on a Samba share.
For example, software updaters with packages. My Zarafa updater runs as user SYSTEM.
My packages are on the Samba shares...

Example 4:
Last one, lunchtime.
Install a virus scanner (which mostly runs as SYSTEM) and set it to scan your network shares.

Anyone else have comments on the above? I don't know everything, so shoot me if I'm wrong here.
But removing user SYSTEM from the shares is really bad advice.
Yes, it's an option, but NOT for sysvol and profiles or shares where you deploy files.
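The check from Example 2, as an added example that is not part of the original post or of the Samba wiki: it runs the same "does a SYSTEM-context process see the share?" test through a one-shot scheduled task instead of AT /interactive (AT is deprecated on current Windows and its interactive window no longer appears on the desktop because of session 0 isolation), and then reads the share directory's ACL to show whether an ACE for SYSTEM (S-1-5-18) is present at all. The share path \\server\share, the task name and the log file path are placeholders; the script assumes an elevated PowerShell session on a domain-joined Windows 8 / Server 2012 or later host, where the ScheduledTasks cmdlets exist.

```powershell
# Added example, not code from the mailing-list post or the Samba project.
# Assumptions (hypothetical): share is \\server\share, host is domain-joined,
# script runs elevated on Windows 8 / Server 2012+ (ScheduledTasks module).
param(
    [string]$SharePath = '\\server\share',
    [string]$TaskName  = 'SambaSystemShareTest',
    [string]$LogFile   = "$env:SystemRoot\Temp\system-share-test.txt"
)

# Command the task runs as SYSTEM: record the local token identity first, then
# try to list the share. stdout and stderr both go to the log so an
# "Access is denied" error is captured as well as a successful listing.
$cmdLine   = "whoami /user > `"$LogFile`" 2>&1 & dir `"$SharePath`" >> `"$LogFile`" 2>&1"
$action    = New-ScheduledTaskAction -Execute 'cmd.exe' -Argument "/c $cmdLine"
$principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest

Remove-Item -Path $LogFile -ErrorAction SilentlyContinue
Register-ScheduledTask -TaskName $TaskName -Action $action -Principal $principal -Force | Out-Null
try {
    Start-ScheduledTask -TaskName $TaskName
    # Poll until the one-shot task leaves the Running state (max ~30 s).
    $deadline = (Get-Date).AddSeconds(30)
    do {
        Start-Sleep -Seconds 1
        $state = (Get-ScheduledTask -TaskName $TaskName).State
    } while ($state -eq 'Running' -and (Get-Date) -lt $deadline)
} finally {
    # Never leave a SYSTEM-level task behind on the host.
    Unregister-ScheduledTask -TaskName $TaskName -Confirm:$false
}

if (Test-Path $LogFile) {
    Write-Host "Output of the SYSTEM-context test:"
    Get-Content $LogFile
} else {
    Write-Warning "Task produced no log file; check Task Scheduler history for $TaskName."
}

# Second check: what the share directory's ACL actually says about SYSTEM.
# Read over SMB with the caller's own (administrator) credentials; compares on
# both the resolved name and the raw SID in case the server does not map it.
$acl = Get-Acl -Path $SharePath
$systemAces = $acl.Access | Where-Object {
    $_.IdentityReference.Value -eq 'NT AUTHORITY\SYSTEM' -or
    $_.IdentityReference.Value -eq 'S-1-5-18'
}
if ($systemAces) {
    Write-Host "SYSTEM ACEs on ${SharePath}:"
    $systemAces | Format-Table IdentityReference, FileSystemRights, AccessControlType, IsInherited -AutoSize
} else {
    Write-Host "No ACE for SYSTEM (S-1-5-18) on $SharePath"
}
```

The log file shows the identity of the process that made the request (whoami reports NT AUTHORITY\SYSTEM, S-1-5-18) followed by either the directory listing or the SMB error. Note when reading Samba's own logs for the same test that, on a domain-joined host, the SMB session from a SYSTEM-context process is authenticated with the computer account (DOMAIN\HOSTNAME$), so that is the name that appears server-side; the second half of the script is there to show what the share's ACL holds for SYSTEM before anyone decides to remove it.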


