[Samba] General advice needed, granting machine account permissions to a share?

Aaron C. de Bruyn aaron at heyaaron.com
Tue Nov 14 20:40:16 UTC 2023


That's definitely a valid case.
We have software deployments defined in Group Policy that install at
machine boot.
That share must allow computer accounts to read from it in order to install
the software.

-A

On Tue, Nov 14, 2023 at 12:38 PM Matt Pruett via samba <
samba at lists.samba.org> wrote:

> It does produce an id. I can try switching away from sssd as suggested
> by Rowland. I'm interested in my last question about how valid the
> notion of granting a domain machine account permissions to a share is?
> Is this something that is done in some cases? Does Microsoft consider
> it a valid use case of machine accounts? Here is my config, any
> advice/criticism would be welcome. (though I am aware that using
> .local is cursed, predates me, can't change it)  The machine account
> is a member of the "encoder group".
>
> [global]
> realm = DH.LOCAL
> workgroup = DH
> security = ads
> kerberos method = secrets and keytab
> template homedir = /home/%U
> idmap config * : backend = tdb
> idmap config * : range = 10000-199999
> idmap config DH : backend = sss
> idmap config DH : range = 200000-2147483647
> load printers = no
> printing = bsd
> printcap name = /dev/null
> disable spoolss = yes
> machine password timeout = 0
>
> log level = 2
> disable netbios = yes
> server min protocol = SMB2_02
>
> restrict anonymous = 2
> unix extensions = no
> dos filemode = yes
> aio max threads = 2
>
> dns proxy = no
> kernel change notify = yes
> directory name cache size = 0
> server multi channel support = no
> unix charset = UTF-8
> obey pam restrictions = False
> rpc_daemon:mdssd = disabled
> rpc_server:mdssvc = disabled
>
> server string = Encoder
> bind interfaces only = yes
> netbios name = encoder
> netbios aliases =
>
> [pdf_fileserver]
>     comment = PDF Encoding Output
>     path = /srv/pdf_fileserver
>     directory mask = 770
>     create mask = 660
>     kernel oplocks = no
>     kernel share modes = no
>     posix locking = no
>     nfs4:chown = true
>     ea support = false
>     smbd max xattr size = 2097152
>     vfs objects = streams_xattr
>     write list = +"encoder group"@dh.local +"domain users"@dh.local
>
> On Tue, Nov 14, 2023 at 12:22 PM Christian Naumer via samba
> <samba at lists.samba.org> wrote:
> >
> > Hi,
> > does your computer account have a uid on that member server?
> > Does
> > id COMPUTERNAME$
> >
> > produce an output?
> >
> > Since I also can not get at the redhat info you provided could you
> > share your SMB.conf
> >
> > Regards
> >
> > Christian
> >
> >
> > On 14 November 2023 02:52:07 CET, Matt Pruett via samba <
> > samba at lists.samba.org> wrote:
> > >Here's the situation:
> > >I used sssd-winbind to join the server to a native Windows domain.
> > >Following these instructions:
> > >https://access.redhat.com/solutions/3802321
> > >
> > >This all seems to be working fine. I have various shares that various
> > >AD groups can access and within those shares I use "posix" acls to do
> > >some more fine grained permissions.
> > >
> > >However there is a 3rd party application/service running on a Windows
> > >server that polls an smb share located on this samba server for new
> > >files. This service runs as the "local system" account and provides no
> > >means of specifying separate smb credentials. Therefore it
> > >authenticates as its AD computer account. I have created an AD
> > >security group which contains both this machine account, and some
> > >other needed user accounts, and assigned this group as the unix group
> > >for that folder structure.
> > >
> > >For the users that are a member of this group, it's working fine.
> > >However for this computer account it doesn't seem to work
> > >consistently. In the logs I get a "Could not convert SID S-0-0, error
> > >is NT_STATUS_NONE_MAPPED".
> > >
> > >So my question is firstly, is assigning computer accounts permissions
> > >to shares a valid approach to this kind of thing? Are there any
> > >significant security repercussions for using a computer account in
> > >this way?
> > >
> > >Secondly, is this chain of configuration something that can work with
> > >"posix" acls? Or should I toss that out and use:
> > >
> > >vfs objects = acl_xattr
> > >map acl inherit = yes
> > >acl_xattr:ignore system acls = yes
> > >
> > >Thanks.
> > >
> > >--
> > >To unsubscribe from this list go to the following URL and read the
> > >instructions:  https://lists.samba.org/mailman/options/samba
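An added check script, not code from the thread or from Samba, that ties Christian's `id COMPUTERNAME$` test to the share's `write list`: it parses a constructed smb.conf fragment modelled on Matt's `[pdf_fileserver]` share and constructed `id` output for a hypothetical computer account WINSERVER$, and reports whether that account would be covered by the write list at all. It assumes that the `"name"@dh.local` form in the write list refers to the same group that NSS reports without the realm suffix; whether Samba itself accepts that spelling is not something the example checks.

```python
import re
import shlex
from configparser import ConfigParser

# Constructed smb.conf fragment modelled on the share in the thread.
SMB_CONF = """[pdf_fileserver]
path = /srv/pdf_fileserver
write list = +"encoder group"@dh.local +"domain users"@dh.local
"""

# Constructed `id <account>` outputs for a hypothetical computer account
# WINSERVER$; the numeric ids are made up (in the thread's sss idmap range).
ID_IN_GROUP = ("uid=2000123(WINSERVER$) gid=200515(domain computers) "
               "groups=200515(domain computers),2001234(encoder group)")
ID_NOT_IN_GROUP = ("uid=2000124(OTHER$) gid=200515(domain computers) "
                   "groups=200515(domain computers)")
ID_UNRESOLVED = "id: 'WINSERVER$': no such user"  # sssd/idmap lookup failed

GROUP_PREFIXES = "@+&"  # Samba marks group entries with one of these

def parse_write_list(conf_text, share):
    """Return the share's write list as (is_group, lower-cased name) pairs."""
    cp = ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.read_string(conf_text)
    raw = cp.get(share, "write list", fallback="")
    entries = []
    for token in shlex.split(raw.replace(",", " ")):  # split on space/comma
        is_group = token[0] in GROUP_PREFIXES
        # Assumption: a trailing @realm qualifier names the same NSS object as
        # the bare name; whether Samba accepts this form is not checked here.
        name = re.sub(r"@[^@]+$", "", token.lstrip(GROUP_PREFIXES))
        entries.append((is_group, name.lower()))
    return entries

def parse_id(id_output):
    """Parse `id` output into (user, set of group names); None if unresolved."""
    names = re.findall(r"\d+\(([^)]+)\)", id_output)
    if not names:
        return None  # no uid: the state behind NT_STATUS_NONE_MAPPED
    return names[0], {g.lower() for g in names[1:]}

def account_has_write(conf_text, share, id_output):
    """True if the resolved account is covered by the share's write list."""
    parsed = parse_id(id_output)
    if parsed is None:
        return False
    user, groups = parsed
    return any(name in groups if is_group else name == user.lower()
               for is_group, name in parse_write_list(conf_text, share))
```

Note that as the write list stands, every account in Domain Users already has write access, so the encoder group membership only decides the outcome for an account outside that group, which is the computer account's case.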
