On 31.01.2023 20:27, Rowland Penny via samba wrote:
>
> On 31/01/2023 19:14, Peter Milesson via samba wrote:
>
>> Hi Michael,
>>
>> I don't see any reason that the 11025 computer account should have
>> any unix permissions on the server whatsoever. The server is set up
>> using Windows ACLs exclusively, no unix or posix acls or permissions
>> involved at all. There should be no unix access for client machines,
>> not for users either BTW, and if Samba complains, it's a Samba bug.
>> The path is obviously accessible by the domain users through Samba,
>> otherwise their Windows environment wouldn't work (of which I would
>> be very quickly informed).
>>
>> Best regards,
>>
>> Peter
>>
>>
>>
>
> The problem with computers in an AD domain is that they are just users
> with an extra objectclass, so, as far as Samba is concerned, they are
> users.
> In an ldap search you can filter them out, perhaps Samba needs to do
> this as standard, unless they need to be a user (for some unknown
> reason, some people do want this). Of course this may be what is
> supposed to happen (don't ask me about 'C') and something has
> gone wrong.
>
> Rowland
>
Hi Rowland,

Yes, I know that computer accounts are regarded as users. But no computer
accounts are defined in the security settings of the shares, only users
(and groups). My knowledge of the internal workings of Windows and Samba
is too scant to assess whether it's OK for Windows to try to access the
share or not. Personally, I would be very reluctant to allow a machine
account to get access to a share, as there are no guarantees what's up.
IMHO, it would impose a huge security problem.

Best regards,

Peter