[Samba] samba 4 ad member - idmap = ad for machine accounts

L.P.H. van Belle belle at bazuin.nl
Mon Sep 18 14:18:16 UTC 2017 

Ps. 

To overcome this problem is very simple ( AD or RID ) 

1) setup the SHARE where you need user NT Authority\SYSTEM with acl_xattr:ignore system acls = yes

2) setup you share with Everyone full access.. ( If you dont like everyone, you need domain users/computers/guest and maybe even more ) 
	1! You must do this from within windows. ( message access denies when connection, you forgot something, see 2!) 
	2! Check your SePrivileges setup. (script:  https://raw.githubusercontent.com/thctlo/samba4/master/samba-check-SePrivileges.sh ) 

3) setup the FOLDER security.
	Make sure you add "Creator Owner/Creator Group" one or both, you setup is your guide. I cant tell that. 
	Verified Users, Read 
	System Full Controll
	Any other group you want, but at least "Domain Admins" FULL control. 

4) Try to avoid chmod/chown use getfacl setfacl in scripts. 


Give it a try, this works fine here. (as of Debian jessie and up, with samba 4.4+ up to 4.6.7 tested/in production) 


Greetz, 

Louis


> -----Oorspronkelijk bericht-----
> Van: samba [mailto:samba-bounces at lists.samba.org] Namens 
> Rowland Penny via samba
> Verzonden: maandag 18 september 2017 15:43
> Aan: samba at lists.samba.org
> Onderwerp: Re: [Samba] samba 4 ad member - idmap = ad for 
> machine accounts
> 
> On Mon, 18 Sep 2017 14:55:04 +0200
> Denis Cardon <dcardon at tranquil.it> wrote:
> 
> > Hi Rowland,
> > 
> > >> File server config looks exactly like this, except more 
> shares, all 
> > >> with same simple config. I know that "use defualt domain" isn't 
> > >> necessery, but it's not the issue for me right now.
> > ...
> > 
> > 
> > > 'SYSTEM' is a Windows group and is meaningless to Unix, 
> it should be 
> > > mapped to a Unix ID only on a Samba AD DC and there it is an 
> > > 'xidNumber' not a 'uidNumber or 'gidNumber'. Running 'wbinfo -S 
> > > S-1-5-18' (the SID for 'SYSTEM' is S-1-5-8-18) on a UNIX domain 
> > > member, returns:
> > > failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND Could not 
> > > convert sid S-1-5-18 to uid
> > >
> > > However "wbinfo -Y  S-1-5-18" returns:
> > > 2005 (note your ID may be different)
> > >
> > > As I said, you could use the kerberos machine account 
> instead, but 
> > > are these scripts being run on the fileserver, Samba DC 
> or windows 
> > > machines ? if the later, then you shouldn't need a Unix IDs.
> > >
> > >> 2)'m using some machine autostart scripts, for various 
> tasks, which 
> > >> work again as SYSTEM, so if they have to get anything 
> from network 
> > >> share, they need to have read/write permission. What I'm 
> doing is, 
> > >> for example, as autostart run a batch script, that would check 
> > >> \\fileserver\public\test-file.txt if %COMPTURNAME% 
> exists in this 
> > >> file. if not - run some robocopy script, then >> 
> %COMPUTERNAME% to 
> > >> the end of the file.
> > >> or even something simple like this:
> > >> "if exist \\server\share\%computername%.txt (exit) else robocopy 
> > >> some-files echo . > \\server\share\%computername%.txt exit"
> > >
> > > That looks like a Windows script (not that I am an expert 
> on Windows 
> > > script languages) so I presume that it is run a Windows 
> machine and 
> > > 'SYSTEM' should be available on it via its name or SID.
> > >
> > >> 3) Some windows applications that I use also run as 
> SYSTEM account 
> > >> and they have built-in backup utilities, and if I want to backup 
> > >> straight to network share - again - machine account needs direct 
> > >> write access to share.
> > >
> > > Hmm, I think I am beginning to understand your problem, you are 
> > > confusing 'SYSTEM' with the computers account in AD.
> > >
> > > 'SYSTEM' does not exist in AD, so you cannot give it a 
> uidNumber or 
> > > gidNumber attribute.
> > >
> > > I think you need to find another way to do what you are doing now.
> > 
> > Kacper way of doing things is completly correct (at least from 
> > authentication point of view). SYSTEM account on Windows uses the 
> > machine account for authentication. So for example, using 
> psexec [1], 
> > you can try (on an elevated command prompt):
> > 
> >   psexec -s -i cmd.exe
> > 
> > Check that you are local system
> > 
> >   whoami
> > 
> > then you connect to a share (sysvol is a good choice here since 
> > "domain computers" has access)
> > 
> >   net use F: \\domain.lan\sysvol
> > 
> > Then on your DC you can check which account has been used for the
> > connexion:
> > 
> >   smbstatus
> > 
> > You'll see that SYSTEM account uses the Kerberos machine 
> account for 
> > authentication.
> > 
> 
> Thanks
> Yes that works, but it shows that you don't need the 
> computers to have uidNumber attributes, which is what I was 
> trying to get across to the OP.
> 
> Rowland
> 
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>

More information about the samba mailing list