[Samba] Avoiding uid conflicts between rfc2307 user/groups and computers

Marco Gaiarin gaio at sv.lnf.it
Mon Jan 15 13:55:55 UTC 2018

Mandi! L.P.H. van Belle via samba
  In chel di` si favelave...

> > It is not the SYSTEM user (that is a local user to the workstation, so
> > clearly does not exist on the domain).
> Yes it does. Look at "Builtin\system"  which is also "NT Authority\System. 

Ahem, clearly every machine (workstation, server; i suppose also the
domain) have a SYSTEM account, but they are ''different'':
account, and i think have not to be mapped each other...

> > But still windows workstation, when accessing some shares with the
> > SYSTEM user, try to logon with the machine account.
> Correct, thats by design, and if you get access denied, you did hit the "winbind" "user SYSTEM" bug(s).
> Fix, use acl_xattr:ignore system acl = yes for now. 

?! Reading the manpage:

       acl_xattr:ignore system acls = [yes|no]
           When set to yes, a best effort mapping from/to the POSIX ACL layer will not be done by this module. The default is no, which means that Samba keeps setting and evaluating both the system
           ACLs and the NT ACLs. This is better if you need your system ACLs be set for local or NFS file access, too. If you only access the data via Samba you might set this to yes to achieve better
           NT ACL compatibility.

seems me unrelated.

What i'm speaking about is that, in Microsoft Server OS (and i suppose
on Samba too ;) access done by local SYSTEM user to a share, trigger
access via the respective machine account.
Some docs corroborate this:

	The LocalSystem account is a predefined local account used by
	the service control manager. [...]
	It has extensive privileges on the local computer, and acts as
	the computer on the network.

	When a service runs under the LocalSystem account on a computer
	that is a domain member, the service has whatever network access
	is granted to the computer account, or to any groups of which the
	computer account is a member.

So, on samba, it is not (only) a matter of ACL: machine account have to
had an UID, to write (or read also...) to a share!

Probably i'm missing somethin really ''basic'', but seems obvious to
me... if i use rfc2307, in a domain member (if i use RID backend, or if i'm in
a domain controller, some sort of automatic mapping is in place...) the
only way to have non-anonymous access to shares by local workstation
SYSTEM account is to add UID to machine account...

> > If KAIN$ account have no UID (and 'Domain Computers' have no GID),
> > clearly share acess fail.
> No, the computer uses system, but if you test manualy it sets the computername. 

No, sorry i've not understood what you mean...

dott. Marco Gaiarin				        GNUPG Key ID: 240A3D66
  Associazione ``La Nostra Famiglia''          http://www.lanostrafamiglia.it/
  Polo FVG   -   Via della Bontà, 7 - 33078   -   San Vito al Tagliamento (PN)
  marco.gaiarin(at)lanostrafamiglia.it   t +39-0434-842711   f +39-0434-842797

	(cf 00307430132, categoria ONLUS oppure RICERCA SANITARIA)

More information about the samba mailing list