[Samba] Log errors on domain member

Peter Milesson miles at atmos.eu
Wed Feb 1 07:18:27 UTC 2023



On 31.01.2023 22:01, Michael Tokarev via samba wrote:
> 31.01.2023 23:36, Andrew Bartlett via samba wrote:
> ..
>> I understand it can often be the virus scanner (which is running in an
>> elevated security context, so gets machine credentials).
>
> There are various other cases when this can happen, not only due to A/V
> software.
>
> As I noted in the beginning, I don't know *all* cases. Sometimes it happens here
> on reboot, sometimes it does not. Sometimes I especially run stuff as machine
> account when I don't need to set up a separate user and store their password
> somewhere.
>
> What I know for sure is that machines didn't try to create files (profiles) in there
> (so far anyway). But if the parent profiles dir is not accessible on unix to machine
> "user", samba does complain like this, and if I want to stop it from complaining,
> a natural thing to do is to let it "sniff" where it wants. It might get an error
> that the share itself is not found (or permission was denied, like in this case),
> or it can be told that its profile directory does not exist - either way it is
> fine for the win machine. But allowing access to the share itself makes samba
> less noisy for sure.
>
> For profiles share, this discussion is moot really (in my view anyway), because
> allowing machine account to access the top of the share is not a security
> threat. User-specific dirs are inaccessible anyway. And you can restrict writes
> just to "Domain Users" group (instead of "Everyone"), or sometimes it is much
> better to restrict writes completely and pre-create individual user profile dirs.
>
> /mjt
>
Hi Michael,

It is the same for more shares than the profile share. The complaint in
the journal is that the machine account from where the user accesses
the share does not have permission.

I need to research things much more in depth, as it seems the entries in 
the journal are not consistent for all machines and users.

Best regards,

Peter



