[Samba] Avoiding uid conflicts between rfc2307 user/groups and computers
L.P.H. van Belle
belle at bazuin.nl
Mon Jan 15 12:31:00 UTC 2018
> -----Oorspronkelijk bericht-----
> Van: samba [mailto:samba-bounces at lists.samba.org] Namens
> Marco Gaiarin via samba
> Verzonden: maandag 15 januari 2018 13:03
> Aan: samba at lists.samba.org
> Onderwerp: Re: [Samba] Avoiding uid conflicts between rfc2307
> user/groups and computers
>
> Mandi! Rowland Penny via samba
> In chel di` si favelave...
>
> > You are clear in what you say, but I still do not think you
> need the ID
> > numbers for computers, 'SYSTEM' does not exist on a Unix machine.
It should !
See also my script :
https://raw.githubusercontent.com/thctlo/samba4/master/samba-check-set-sysvol.sh
>
> It is not the SYSTEM user (that is a local user to the workstation, so
> clearly does not exist on the domain).
Yes it does. Look at "Builtin\system" which is also "NT Authority\System.
>
>
> But still windows workstation, when accessing some shares with the
> SYSTEM user, try to logon with the machine account.
Correct, thats by design, and if you get access denied, you did hit the "winbind" "user SYSTEM" bug(s).
Fix, use acl_xattr:ignore system acl = yes for now.
>
> So, suppose i have a computer called KAIN, i spawn a cmd shell in
> SYSTEM context and then i try to write to \\my_server\share\text.txt;
> workstation at a fist glance, try to acess using KAIN$ account, and if
> fail, do a guest access.
Yes, which is totaly correct.
>
> If KAIN$ account have no UID (and 'Domain Computers' have no GID),
> clearly share acess fail.
No, the computer uses system, but if you test manualy it sets the computername.
>
>
> I hope i was clear now.
>
> --
> dott. Marco Gaiarin GNUPG
> Key ID: 240A3D66
> Associazione ``La Nostra Famiglia''
> http://www.lanostrafamiglia.it/
> Polo FVG - Via della Bontà , 7 - 33078 - San Vito al
> Tagliamento (PN)
> marco.gaiarin(at)lanostrafamiglia.it t +39-0434-842711
> f +39-0434-842797
>
> Dona il 5 PER MILLE a LA NOSTRA FAMIGLIA!
> http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
> (cf 00307430132, categoria ONLUS oppure RICERCA SANITARIA)
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
>
>
More information about the samba
mailing list