[Samba] Log errors on domain member

Michael Tokarev mjt at tls.msk.ru
Tue Jan 31 21:01:13 UTC 2023


31.01.2023 23:36, Andrew Bartlett via samba wrote:
..
> I understand it can often be the virus scanner (which is running in an
> elevated security context, so gets machine credentials).

There are various other cases when this can happen, not only due to A/V software.

As I noted in the beginning, I don't know *all* cases. Sometimes it happens here
on reboot, sometimes it does not. Sometimes I especially run stuff as machine
account when I don't need to set up a separate user and store their password
somewhere.

What I know for sure is that machines didn't try to create files (profiles) in there
(so far anyway). But if the parent profiles dir is not accessible on unix to machine
"user", samba does complain like this, and if I want to stop it from complaining,
a natural thing to do is to let it "sniff" where it wants. It might get an error
that the share itself is not found (or permission was denied, like in this case),
or it can be told that its profile directory does not exist, - either way it is
fine for the win machine. But allowing access to the share itself makes samba
less noisy for sure.

For profiles share, this discussion is moot really (in my view anyway), because
allowing machine account to access the top of the share is not a security
threat. User-specific dirs are inaccessible anyway. And you can restrict writes
just to "Domain Users" group (instead of "Everyone"), or sometimes it is much
better to restrict writes completely and pre-create individual user profile dirs.

/mjt


