[Samba] Log errors on domain member

Andrew Bartlett abartlet at samba.org
Tue Jan 31 20:36:19 UTC 2023


On Tue, 2023-01-31 at 21:01 +0100, Peter Milesson via samba wrote:
> On 31.01.2023 20:27, Rowland Penny via samba wrote:
> > On 31/01/2023 19:14, Peter Milesson via samba wrote:
> > > Hi Michael,
> > > I don't see any reason, that the 11025 computer account should
> > > have any unix permissions on the server whatsoever. The server is
> > > set up using Windows ACLs exclusively, no unix or posix acls or
> > > permissions involved at all. There should be no unix access for
> > > client machines, not for users either BTW, and if Samba
> > > complains, it's a Samba bug. The path is obviously accessible by
> > > the domain users through Samba, otherwise their Windows
> > > environment wouldn't work (of which I would be very quickly
> > > informed).
> > > Best regards,
> > > Peter
> > > 
> > > 
> > 
> > The problem with computers in AD domain is that they are just users
> > with an extra objectclass, so, as far as Samba is concerned, they
> > are users. In an ldap search you can filter them out, perhaps Samba
> > needs to do this as standard, unless they need to be a user (for
> > some unknown reason, some people do want this). Of course this may
> > be what is supposed to happen (don't ask me about 'C') and
> > something has gone wrong.
> > Rowland
> Hi Rowland,
> Yes I know that computer accounts are regarded as users. But no
> computer accounts are defined in the security settings of the shares,
> only users (and groups). My knowledge of the internal workings of
> Windows and Samba is too scant, to assess whether it's OK for Windows
> to try to access the share or not. Personally, I would be very
> reluctant to allow a machine account to get access to a share, as
> there are no guarantees what's up. IMHO, it would impose a huge
> security problem.

I understand it can often be the virus scanner (which is running in an
elevated security context, so gets machine credentials). 
Andrew Bartlett
-- 
Andrew Bartlett (he/him)       https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead, Catalyst IT   https://catalyst.net.nz/services/samba
Samba Development and Support, Catalyst.Net Limited
Catalyst.Net Ltd - a Catalyst IT group company - Expert Open Source Solutions


