[Samba] DM: samba 4.5 -> 4.8, guest access and machine account access troubles.

L.P.H. van Belle belle at bazuin.nl
Mon Sep 24 14:34:30 UTC 2018


Hai Marco,

It has nothing to do with Samba and it has all to do with Samba and Windows combined.

> Sure. But that share contain a bunch of script and xml files that i
> manage by linux, and really windows have only to read them, 
> so... Guest  access fit perfectly!

Imo a bad idea, but hey.. It's your network.. Only trying to help here.
And: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc755130(v=ws.11)
says: "The Guest account is disabled by default, and we recommend that it stay disabled."

> 
> b) most of the WPKG scripts access the share with the SYSTEM users,
> eg, using the machine account; seems this does not work anymore, even
> if users seems mapped correctly and share permissions have permission
> to 'everyone' set.
Yes, correct, because SYSTEM is not guest or nobody. It's SYSTEM.
This is your problem, one you created yourself. (sorry)

This has all to do with the Windows security updates of the last 1.5 years.
Samba 4.5 is not the same as 4.8, and security has been stepped up a lot.

This is why I follow the Windows way and transform these settings into Samba (as close as possible),
which results in hardly having any problems.

I suggest trying the settings like this then.
[wpkg]
    path = /srv/samba/wpkg
    browseable = No
    comment = WPKG Automated Software Deploying System
    acl_xattr:ignore system acls = yes
    wide links = Yes

You see I removed 1 line: acl_xattr:default acl style
Now with posix you should be able to manage this from Linux and use it on Windows
(without guest).

And you really only need. 

But you do need the correct settings configured from a Windows computer for the share and security rights.

Sorry, I don't have any other settings (that I can recommend);
I try to follow the MS recommendations, just because it helps in avoiding problems.
And I know this works.
I deploy with GPO, using the same settings (except the wide links).
I don't see why that should not work with WPKG.

This is what I use for the software I deploy with GPO.
[deploy]
    path = /home/samba/deploy
    read only = no

drwxrwx---+  12 root root  4096 Aug 31  2017 deploy
A getfacl shows:

# file: home/samba/deploy
# owner: root
# group: root
user::rwx
user:root:rwx
group::---
group:root:---
group:2004:r-x
group:2005:rwx
group:domain\040users:r-x
group:domain\040admins:rwx
group:domain\040computers:r-x
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:group::r-x
default:group:root:r-x
default:group:2004:r-x
default:group:2005:rwx
default:group:domain\040users:r-x
default:group:domain\040admins:rwx
default:group:domain\040computers:r-x
default:mask::rwx
default:other::---



Greetz, 

Louis
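
Added example (not part of the original post, and not Samba project code): a small check over `getfacl` output that the machine accounts group used in the listing above, `domain computers`, has effective `r-x` in both the access and default ACL while `other` has nothing, which is the state that lets SYSTEM read the share without guest. The sample text is constructed by trimming the listing above; the function names are hypothetical.

```python
import re

# Constructed sample, trimmed from the getfacl listing in the post above.
SAMPLE = r"""# file: home/samba/deploy
user::rwx
group::---
group:domain\040admins:rwx
group:domain\040computers:r-x
mask::rwx
other::---
default:user::rwx
default:group::r-x
default:group:domain\040computers:r-x
default:mask::rwx
default:other::---
"""

def parse_getfacl(text):
    """Return {'access': {(tag, name): perms}, 'default': {...}}."""
    acl = {"access": {}, "default": {}}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop headers and "#effective:" notes
        if not line:
            continue
        scope = "access"
        if line.startswith("default:"):
            scope, line = "default", line[len("default:"):]
        tag, name, perms = line.split(":", 2)
        # getfacl prints special characters as octal escapes (\040 is a space)
        name = re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), name)
        acl[scope][(tag, name.lower())] = perms
    return acl

def effective(entries, tag, name=""):
    """Permissions after the mask, which limits named entries and the owning group."""
    perms = entries.get((tag, name), "---")
    if tag == "group" or (tag == "user" and name):
        mask = entries.get(("mask", ""), "rwx")
        perms = "".join(p if m != "-" else "-" for p, m in zip(perms, mask))
    return perms

def audit(text, machine_group="domain computers"):
    """List findings; empty means machine accounts can read and 'other' cannot."""
    findings = []
    for scope, entries in parse_getfacl(text).items():
        if effective(entries, "other") != "---":
            findings.append(f"{scope}: 'other' has {effective(entries, 'other')}")
        eff = effective(entries, "group", machine_group)
        if eff[0] != "r" or eff[2] != "x":
            findings.append(f"{scope}: '{machine_group}' has only {eff}, needs r-x")
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE) or "ok")
```

Feed it the text of `getfacl <share path>`; a finding in the `default` scope means newly created files will not inherit the intended rights.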



> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Marco Gaiarin via samba
> Sent: Monday 24 September 2018 14:39
> To: samba at lists.samba.org
> Subject: Re: [Samba] DM: samba 4.5 -> 4.8, guest access and machine account access troubles.
> 
> Hello! L.P.H. van Belle via samba
>   On that day it was said...
> 
> > First, time is in sync? I guess it is, but check it.
> 
> Yes.
> 
> 
> > Second.
> > Guest access enabled on a domain joined PC?
> > If you really really want that, then enable user guest in the AD also.
> 
> Eh? I need to enable guest access for every PC?
> In AD (i'm supposing that) i've correctly enabled guest access. See
> next response to Rowland.
> 
> 
> > But better is avoiding Guest access completely. 
> 
> Sure. But that share contain a bunch of script and xml files that i
> manage by linux, and really windows have only to read them, 
> so... Guest  access fit perfectly!
> 
> -- 
> dott. Marco Gaiarin                          GNUPG Key ID: 240A3D66
>   Associazione ``La Nostra Famiglia''          http://www.lanostrafamiglia.it/
>   Polo FVG   -   Via della Bontà, 7 - 33078   -   San Vito al Tagliamento (PN)
>   marco.gaiarin(at)lanostrafamiglia.it   t +39-0434-842711   f +39-0434-842797