[Samba] Windows 10 localsystem account

L.P.H. van Belle belle at bazuin.nl
Mon Apr 12 09:59:44 UTC 2021



> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Lars Sunde via
> samba
> Sent: Friday, 9 April 2021 21:25
> To: samba at lists.samba.org; L.P.H. van Belle
> Subject: Re: [Samba] Windows 10 localsystem account
> 
> > The longer you wait with updating samba to a supported version,
> > the harder it will get to keep everything running..
> 
> Agree
> 
> > From your original post..
> > When using Windows 7 client (without domain controller)
> >  - A standard Windows user is able to access samba share.
> >  - A "NT Authority\System" user is able to access samba share.
> 
> > When using Windows 10 (Built 18362) client (without domain controller)
> >  - A standard Windows user is able to access samba share.
> >  - A "NT Authority\System" user is NOT able to access samba share. The
> > error message is "The specified server cannot perform the requested
> > operation."
> 
> > Now, the difference is the way windows 10 is handling this.
> > And this is a windows security change.
> 
> > There is only 1 real fix. Upgrade samba.
> Fair enough.
> Can Samba be upgraded independently of the redhat version? If not, do you think
> redhat 7.7 which includes Samba 4.9.1 is good enough?

4.9 is EOL. 

> 
> 
> > The other fix is, lower your security.
> Do you mean lower security on samba share or Windows (if possible)?
> 
> > It has all to do with how impersonation is done within windows.
> > Impersonation is the ability of a thread to execute using different
> > security information than the process that owns the thread.
> Please forgive my ignorance.
> What username is given to samba server when executed by process owned by
> "NT Authority\System" user on Windows 10?
> How is SID "S-1-5-18" relevant to samba server authentication?

https://wiki.samba.org/index.php/The_SYSTEM_Account 

Short version: 
When accessing the network, the LocalSystem account acts as the computer on the network.

> 
> > So, you have a task.. 2 even.. and I would start with upgrading samba
> > first, and then windows 10, because your current version of windows 10 is
> > also EOL.
> > Also, build 18363 ends May 11, 2021 (unless you have enterprise/Edu
> > versions)
> 
> > Oh, and I see in your smb.conf and original post you don't need security in
> > this.  Review your setup with this link.
> >
> > https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Standalone_Server
> > An open server setup, should not be any problem. I use that at home
> > also.
> Will review the content of the link.
> 
> > Greetz,
> > Louis
> 
> Thank you for the feedback.
> 
> 
> > -----Original message-----
> > From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Lars Sunde via
> > samba
> > Sent: Wednesday, 7 April 2021 22:59
> > To: samba at lists.samba.org
> > Subject: Re: [Samba] Windows 10 localsystem account
> >
> > >On 28/03/2021 14:42, Lars Sunde wrote:
> > >> Thank you for the very quick response.
> > >>
> > >> Why does this work using Windows 7 that also uses 'NT
> > >> Authority\System' account?
> > >>
> > >> Upgrading any software must be approved and therefore takes a bit of
> > >> time which is not ideal.
> >
> >
> > >But using a version of Samba that went EOL 4 years ago is OK ???
> >
> > >>   * What is issue number of that particular fix?
> > >>   * What version of Samba contains that fix?
> > >>
> >
> > >Not entirely sure (for either) I just know that at one time Samba
> > >didn't know who 'SYSTEM' was, but it does now. The present Samba supported
> > >versions (4.13.x, 4.13.x and 4.14.x) all know 'SYSTEM', so I would
> > >suggest you upgrade to one of these versions, though this may mean you
> > >need to upgrade your red-hat OS as well.
> >
> > Does anyone else know the ticket number for this improvement? It would
> > help a lot to know the minimum version of Samba that is required.
> >
> > >>  *
> > >>
> > >> Is there any workaround for this issue that does not involve
> > >> updating Samba?
> > >>
> >
> > >Not that I am aware, others may.
> >
> >
> > > Rowland
> >
> > Lars

Greetz, 

Louis




