[Samba] Avoiding uid conflicts between rfc2307 user/groups and computers

L.P.H. van Belle belle at bazuin.nl
Mon Jan 15 12:31:00 UTC 2018


 

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Marco Gaiarin via samba
> Sent: Monday 15 January 2018 13:03
> To: samba at lists.samba.org
> Subject: Re: [Samba] Avoiding uid conflicts between rfc2307
> user/groups and computers
> 
> Mandi! Rowland Penny via samba
>   On that day it was said...
> 
> > You are clear in what you say, but I still do not think you need the ID
> > numbers for computers, 'SYSTEM' does not exist on a Unix machine.
It should!
See also my script:
https://raw.githubusercontent.com/thctlo/samba4/master/samba-check-set-sysvol.sh 

> 
> It is not the SYSTEM user (that is a local user to the workstation, so
> clearly does not exist on the domain).
Yes it does. Look at "Builtin\system", which is also "NT Authority\System".

> 
> 
> But still Windows workstation, when accessing some shares with the
> SYSTEM user, try to logon with the machine account.
Correct, that's by design, and if you get access denied, you did hit the "winbind" "user SYSTEM" bug(s).
Fix, use acl_xattr:ignore system acl = yes for now.

> 
> So, suppose I have a computer called KAIN, I spawn a cmd shell in
> SYSTEM context and then I try to write to \\my_server\share\text.txt;
> workstation at a first glance, try to access using KAIN$ account, and if
> fail, do a guest access.
Yes, which is totally correct.

> 
> If KAIN$ account have no UID (and 'Domain Computers' have no GID),
> clearly share access fail.
No, the computer uses system, but if you test manually it sets the computername.

> 
> 
> I hope I was clear now.
> 
> -- 
> dott. Marco Gaiarin    GNUPG Key ID: 240A3D66
>   Associazione ``La Nostra Famiglia''    http://www.lanostrafamiglia.it/
>   Polo FVG   -   Via della Bontà, 7 - 33078   -   San Vito al Tagliamento (PN)
>   marco.gaiarin(at)lanostrafamiglia.it   t +39-0434-842711   f +39-0434-842797