[Samba] Log errors on domain member

Rowland Penny rpenny at samba.org
Tue Jan 31 20:10:52 UTC 2023



On 31/01/2023 20:01, Peter Milesson via samba wrote:
> 
> 
> On 31.01.2023 20:27, Rowland Penny via samba wrote:
>>
>>
>> On 31/01/2023 19:14, Peter Milesson via samba wrote:
>>
>>> Hi Michael,
>>>
>>> I don't see any reason that the 11025 computer account should have 
>>> any unix permissions on the server whatsoever. The server is set up 
>>> using Windows ACLs exclusively, no unix or posix acls or permissions 
>>> involved at all. There should be no unix access for client machines, 
>>> not for users either BTW, and if Samba complains, it's a Samba bug. 
>>> The path is obviously accessible by the domain users through Samba, 
>>> otherwise their Windows environment wouldn't work (of which I would 
>>> be very quickly informed).
>>>
>>> Best regards,
>>>
>>> Peter
>>>
>>>
>>>
>>
>> The problem with computers in an AD domain is that they are just users 
>> with an extra objectclass, so, as far as Samba is concerned, they are 
>> users.
>> In an ldap search you can filter them out, perhaps Samba needs to do 
>> this as standard, unless they need to be a user (for some unknown 
>> reason, some people do want this). Of course this may be what is 
>> supposed to happen (don't ask me about 'C') and something has gone wrong.
>>
>> Rowland
>>
> Hi Rowland,
> 
> Yes I know that computer accounts are regarded as users. But no computer 
> accounts are defined in the security settings of the shares, only users 
> (and groups). My knowledge of the internal workings of Windows and Samba 
> is too scant to assess whether it's OK for Windows to try to access the 
> share or not. Personally, I would be very reluctant to allow a machine 
> account to get access to a share, as there are no guarantees what's up. 
> IMHO, it would impose a huge security problem.
> 
> Best regards,
> 
> Peter
> 


Totally agree with you, I was just trying to explain a way that 
computers could become 'users' to Unix, whether you want them or not.
I am not saying this is what is happening, just that, maybe it could.

Rowland
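
Added example, not part of the original message and not Samba code: a small evaluator for a subset of LDAP filter syntax, run over two constructed AD-style entries, showing that `(objectClass=user)` also matches a machine account and that adding `(!(objectClass=computer))` filters it out. The account names and the `search` helper are assumptions made for the illustration.

```python
import re

# Constructed sample entries (not from the thread). In AD a computer object
# carries every objectClass a user has, plus 'computer'.
ENTRIES = [
    {"sAMAccountName": ["peter"],
     "objectClass": ["top", "person", "organizationalPerson", "user"]},
    {"sAMAccountName": ["WS-EXAMPLE$"],
     "objectClass": ["top", "person", "organizationalPerson", "user", "computer"]},
]

def parse(flt):
    """Parse a small RFC 4515 subset: (&..), (|..), (!..), (attr=value)."""
    tokens = re.findall(r"[()&|!]|[^()&|!]+", flt)
    pos = 0
    def node():
        nonlocal pos
        if tokens[pos] != "(":
            raise ValueError("expected '('")
        tok = tokens[pos + 1]
        pos += 2
        if tok in ("&", "|", "!"):
            kids = []
            while tokens[pos] == "(":      # one or more nested sub-filters
                kids.append(node())
            result = (tok, kids)
        else:                              # simple equality item
            attr, _, value = tok.partition("=")
            result = ("=", attr.strip().lower(), value.strip().lower())
        if tokens[pos] != ")":
            raise ValueError("expected ')'")
        pos += 1
        return result
    return node()

def matches(tree, entry):
    """Evaluate a parsed filter against one entry (case-insensitive equality)."""
    if tree[0] == "&":
        return all(matches(k, entry) for k in tree[1])
    if tree[0] == "|":
        return any(matches(k, entry) for k in tree[1])
    if tree[0] == "!":
        return not matches(tree[1][0], entry)
    values = {k.lower(): v for k, v in entry.items()}.get(tree[1], [])
    return tree[2] in [v.lower() for v in values]

def search(flt, entries=ENTRIES):
    tree = parse(flt)
    return [e["sAMAccountName"][0] for e in entries if matches(tree, e)]
```

The same filter string, `(&(objectClass=user)(!(objectClass=computer)))`, can be passed to an LDAP search against a directory to list user accounts without machine accounts.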



