[Samba] Samba-wiki info about profiles and SYSTEM account.

Marc Muehlfeld mmuehlfeld at samba.org
Wed May 3 13:43:48 UTC 2017 

Hi Louis,

it seems we are both right:

I talked with Volker about the necessity of SYSTEM in ACLs on a Samba 
server: From Samba side, SYSTEM is not required in ACLs. It's important 
that the domain user or machine account, that is used to authenticate to 
the share, is able to access the content.

SYSTEM is a local security principal on the client and not sent over the 
network to authenticate. When a local service on a domain member uses 
SYSTEM to access a domain network share, it authenticates as 
computername$. To access the content, it is necessary that this machine 
account is allowed to access the content. For example, because it is 
listed explicitely, as member of a group, or allowed by a general 
principal, such as "Authenticated Users". If the local SYSTEM account 
accesses the server using the computername$ account, the SYSTEM account 
in the ACLs is not used on the server to validate if computername$ is 
allowed to access the content - computername$ must somehow have access.

On the other side, there are be some Windows services that may require 
that some ACLs are present on the remote server. For example, a service 
might not work if the ACLs on the remote server do not contain the 
SYSTEM account - even if it is not used on the server to access the 
content itself. This is what you discovered.

I will update the docs accordingly.

Regards,
Marc




Am 03.05.2017 um 12:22 schrieb L.P.H. van Belle via samba:
> Hai,
> 
> I just saw the new site for the profiles :-) didnt notice that.
> Looks nice.
> 
> Now i saw the link to :
> https://wiki.samba.org/index.php/The_SYSTEM_Account
> This is very very disturbing....
> 
> Especially these lines:
> "The SYSTEM account is never sent to a remote host to authenticate and for this reason never used to access a remote file system"
> 
> "For this reasons, you can omit the SYSTEM account in file system ACLs on Samba shares."
> Now this is not ok in my believe.
> 
> And the funny part, first reference link.
> https://support.microsoft.com/en-us/help/120929/how-the-system-account-is-used-in-windows
> Which states :
> 
> . On the other hand, the system account does show up on an NTFS volume in File Manager in the Permissions portion of the Security menu.
> By default, the system account is granted full control to all files on an NTFS volume.
> And ...
>>>>     The system account's permissions can be removed from a file but it is not recommended.
> 
> The last line on the wiki.
>>   For this reasons, you can omit the SYSTEM account in file system ACLs on Samba shares.
> 
> Now when it goes wrong if you remove SYSTEM from the samba shares...
> 
> Example 1:
> Try to do the following.
> Add the Administrators security group to roaming user profiles in Computer Configuration \ Administrative Templates \ System \ User Profiles
> 
> This happens.
>   When a new roaming profile directory is created, Windows disables permission inheritance and grants SYSTEM and the profile’s user account full control.
> .... Grants who... Yes SYSTEM!
> 
> Example 2
> If you see something like:
> The Application Event Viewer indicates errors that the MSI package installation failed with an error ‘Package source not located’.
> 
> 1)	On the target computer, log in as an administrator.
> 2)	Schedule an AT job for 1 minute ahead of the current time to launch a command prompt as NT Authority\System:
> a.	C:\> at 1:00pm /interactive cmd.exe
> 3)	After the command prompt window to appear, you will have "NT Authority\System access."
> 4)	Attempt to list the contents of the share using the UNC path:
> a.	C:\> dir \\server\share   - You should receive a directory listing of the files on the share
> 
> Remove system and this wont work.
> 
> Example 3.
> A program that runs under the NT Authority\System, but the software is on a samba share.
> For example, software updaters with packages. My zarafa updater runs as user SYSTEM.
> My packages are on the samba shares.. ...
> 
> 
> Example 4.
> Last one, lunch time.
> Install a virusscanner, ( which mostly runs as system ) and set it to scan you network shares.
> 
> 
> Anyone else comments on above. I dont know everything so shoot me if im wrong here.
> But removing user SYSTEM from the shares is really bad advice,
> Yes, its an option, but NOT for sysvol and profiles or shares where you deploy files.
> 
> 
> Greetz,
> 
> Louis
> 
>

More information about the samba mailing list