[Samba] Log errors on domain member
rpenny at samba.org
Tue Jan 31 20:10:52 UTC 2023
On 31/01/2023 20:01, Peter Milesson via samba wrote:
> On 31.01.2023 20:27, Rowland Penny via samba wrote:
>> On 31/01/2023 19:14, Peter Milesson via samba wrote:
>>> Hi Michael,
>>> I don't see any reason, that the 11025 computer account should have
>>> any unix permissions on the server whatsoever. The server is setup
>>> using Windows ACLs exclusively, no unix or posix acls or permissions
>>> involved at all. There should be no unix access for client machines,
>>> not for users either BTW, and if Samba complains, it's a Samba bug.
>>> The path is obviously accessible by the domain users through Samba,
>>> otherwise their Windows environment wouldn't work (of which I would
>>> be very quickly informed).
>>> Best regards,
>> The problem with computers in AD domain is that they are just users
>> with an extra objectclass, so, as far as Samba is concerned, they are
>> In an ldap search you can filter them out, perhaps Samba needs to do
>> this as standard, unless they need to be a user (for some unknown
>> reason, some people do want this). Of course this may be what is
>> supposed to happen (don't ask me about 'C') and something has gone wrong.
> Hi Rowland,
> Yes I know that computer accounts are regarded as users. But no computer
> accounts are defined in the security settings of the shares, only users
> (and groups). My knowledge of the internal workings of Windows and Samba
> is too scant, to assess whether it's OK for Windows to try to access the
> share or not. Personally, I would be very reluctant to allow a machine
> account to get access to a share, as there are no guarantees what's up.
> IMHO, it would impose a huge security problem.
> Best regards,
Totally agree with you, I was just trying to explain a way that
computers could become 'users' to Unix, whether you want them or not.
I am not saying this is what is happening, just that, maybe it could.
More information about the samba