[Samba] General advice needed, granting machine account permissions to a share?

Rowland Penny rpenny at samba.org
Tue Nov 14 21:19:16 UTC 2023


On Tue, 14 Nov 2023 14:37:19 -0600
Matt Pruett via samba <samba at lists.samba.org> wrote:

> It does produce an id. I can try switching away from sssd as suggested
> by Rowland. I'm interested in my last question about how valid the
> notion of granting a domain machine account permissions to a share is?
> Is this something that is done in some cases? Does Microsoft consider
> it a valid use case of machine accounts? Here is my config, any
> advice/criticism would be welcome. (though I am aware that using
> .local is cursed, predates me, can't change it) The machine account
> is a member of the "encoder group".

Using a computer account as a user is very valid, which is easy to
understand when you realise that a computer account is just a user
account with an extra objectclass.

> 
> [global]
> realm = DH.LOCAL
> workgroup = DH
> security = ads
> kerberos method = secrets and keytab
> template homedir = /home/%U
> idmap config * : backend = tdb
> idmap config * : range = 10000-199999

I take it that this smb.conf ultimately came from Red Hat. If so, would
someone from Red Hat like to explain why the default '*' domain is set
for 189,999 IDs, when it is only really meant for the 'Well Known SIDs'
(there are fewer than 200 of those) and anything outside the 'DH' domain
(so really 0)? Don't you think that 189,999 is a bit of an overkill?

> idmap config DH : backend = sss
> idmap config DH : range = 200000-2147483647

Have you got any data using those IDs? If not, I suggest you dump sssd
and reset the ranges (I would use the rid idmap backend).

> load printers = no
> printing = bsd
> printcap name = /dev/null
> disable spoolss = yes
> machine password timeout = 0

With 'machine password timeout' set to '0', winbind will never change
the machine password, as far as I understand it.

> 
> log level = 2
> disable netbios = yes
> server min protocol = SMB2_02
> 
> restrict anonymous = 2
> unix extensions = no
> dos filemode = yes
> aio max threads = 2
> 
> dns proxy = no
> kernel change notify = yes
> directory name cache size = 0
> server multi channel support = no
> unix charset = UTF-8
> obey pam restrictions = False
> rpc_daemon:mdssd = disabled
> rpc_server:mdssvc = disabled
> 
> server string = Encoder
> bind interfaces only = yes
> netbios name = encoder
> netbios aliases =
> 
> [pdf_fileserver]
>     comment = PDF Encoding Output
>     path = /srv/pdf_fileserver
>     directory mask = 770
>     create mask = 660
>     kernel oplocks = no
>     kernel share modes = no
>     posix locking = no
>     nfs4:chown = true
>     ea support = false
>     smbd max xattr size = 2097152
>     vfs objects = streams_xattr
>     write list = +"encoder group"@dh.local +"domain users"@dh.local
> 

From that smb.conf, I personally feel that you would get better results
from dumping sssd and re-configuring smb.conf, but that must be your
decision.

Rowland
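As an added illustration, not part of the thread, here is how the idmap part of the quoted [global] section looks after taking Rowland's advice: sssd dropped, the '*' range shrunk, and the DH domain moved to the rid backend. The range values are assumptions (the usual Samba wiki member-server layout), not values from the post.

```ini
[global]
   realm = DH.LOCAL
   workgroup = DH
   security = ads
   kerberos method = secrets and keytab
   template homedir = /home/%U

   # '*' domain: only Well Known SIDs and SIDs from outside DH land here,
   # so a few thousand IDs is plenty. Keep tdb; the range must not overlap
   # any domain range below.
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999

   # DH domain: the rid backend derives uid/gid = range_low + RID, so every
   # AD object (user, group, or computer account such as the encoder client's
   # machine account) gets the same ID on any member server using this config,
   # with no sssd in the path. The range must be wide enough for the highest
   # RID in the domain and must not overlap the '*' range.
   idmap config DH : backend = rid
   idmap config DH : range = 10000-999999

   # Assumed placeholders for the rest of the original [global] and the
   # [pdf_fileserver] share, which are unchanged by this switch.
```

Because the rid backend assigns different numbers from the sss-assigned ones (which were 200000 and up), any files already owned by the old IDs need re-owning after the change, which is why Rowland asks whether data is using those IDs; `wbinfo -i 'DH\<machine-name>$'` (placeholder name) is a quick check that the machine account now resolves to an ID inside the DH range.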