[Samba] Log errors on domain member

Peter Milesson miles at atmos.eu
Tue Jan 31 20:46:44 UTC 2023



On 31.01.2023 21:36, Andrew Bartlett via samba wrote:
> On Tue, 2023-01-31 at 21:01 +0100, Peter Milesson via samba wrote:
>> On 31.01.2023 20:27, Rowland Penny via samba wrote:
>>> On 31/01/2023 19:14, Peter Milesson via samba wrote:
>>>> Hi Michael,
>>>> I don't see any reason, that the 11025 computer account should
>>>> have any unix permissions on the server whatsoever. The server is
>>>> set up using Windows ACLs exclusively, no unix or posix acls or
>>>> permissions involved at all. There should be no unix access for
>>>> client machines, not for users either BTW, and if Samba
>>>> complains, it's a Samba bug. The path is obviously accessible by
>>>> the domain users through Samba, otherwise their Windows
>>>> environment wouldn't work (of which I would be very quickly
>>>> informed).
>>>> Best regards,
>>>> Peter
>>>>
>>>>
>>> The problem with computers in AD domain is that they are just users
>>> with an extra objectclass, so, as far as Samba is concerned, they
>>> are users. In an ldap search you can filter them out, perhaps Samba
>>> needs to do this as standard, unless they need to be a user (for
>>> some unknown reason, some people do want this). Of course this may
>>> be what is supposed to happen (don't ask me about 'C') and
>>> something has gone wrong.
>>> Rowland
>> Hi Rowland,
>> Yes I know that computer accounts are regarded as users. But no
>> computer accounts are defined in the security settings of the shares,
>> only users (and groups). My knowledge of the internal workings of
>> Windows and Samba is too scant, to assess whether it's OK for Windows
>> to try to access the share or not. Personally, I would be very
>> reluctant to allow a machine account to get access to a share, as
>> there are no guarantees what's up. IMHO, it would impose a huge
>> security problem.
> I understand it can often be the virus scanner (which is running in an
> elevated security context, so gets machine credentials).
> Andrew Bartlett
> --
> Andrew Bartlett (he/him)       https://samba.org/~abartlet/
> Samba Team Member (since 2001) https://samba.org
> Samba Team Lead, Catalyst IT   https://catalyst.net.nz/services/samba
> Samba Development and Support, Catalyst.Net Limited
> Catalyst.Net Ltd - a Catalyst IT group company - Expert Open Source Solutions
>
Hi Andrew,

Thanks for the hint. I just had that idea somewhere in the back of my 
head. I will do some experimenting. If it turns out to be the case, I 
will bring that up with the AV producer.

Best regards,

Peter






