Tomasz Chmielewski
2005-Jun-17 07:48 UTC
[Samba] how can a SYSTEM user access domain shares?
I have a Samba3 domain and workstations that are joined to this domain.

On each workstation boot, I would like to run a script on these workstations, that would do something useful (install software etc.).

For security reasons, I wouldn't like to run it as a Domain Administrator (the password would be stored on a workstation, which could be potentially cracked).
So I have to run it as a SYSTEM user - but I am not able to access Samba domain shares as a non-domain user without providing a password.

Can anyone help me with that? Perhaps using "machine account" credentials could help (but how to use it?)?

--
Tomek
Tomasz Chmielewski
2005-Jun-17 09:15 UTC
[Samba] how can a SYSTEM user access domain shares?
Michael Trimarchi wrote:
> Tomasz Chmielewski wrote:
>
>> I have a Samba3 domain and workstations that are joined to this domain.
>>
>> On each workstation boot, I would like to run a script on these
>> workstations, that would do something useful (install software etc.).
>>
>> For security reasons, I wouldn't like to run it as a Domain
>> Administrator (the password would be stored on a workstation, which
>> could be potentially cracked).
>> So I have to run it as a SYSTEM user - but I am not able to access
>> Samba domain shares as a non-domain user without providing a password.
>>
>> Can anyone help me with that? Perhaps using "machine account"
>> credentials could help (but how to use it?)?
>>
> Hi,
> I think that you can use the netlogon script

No, you didn't understand the problem (or I described it in a confusing way).

Netlogon scripts are executed with permissions of a user that just logs on. So if "Joe" logs on, this script will be executed as "Joe", and hence, no software installation, as "Joe" is not privileged enough (he's not a domain administrator for obvious reasons).

So, I start a script when the machine starts:

    \\server\softwareshare\script.bat

and it is executed as a Windows SYSTEM user (full privileges on that machine).

The problem is that the Windows SYSTEM user is by definition not a domain user, so that user can't access \\server\softwareshare (which shouldn't be available for "normal" domain users like "Joe").

In other words, I have a problem creating a [softwareshare] in smb.conf in a Samba3 domain, which will:

- disallow normal user ("Joe") access
- allow domain Administrator access (it is easy)
- allow Windows SYSTEM user access (I can't set it, as this user is not a domain member and shows up as Administrator with invalid password in Samba logs).

This setup will allow a Domain Administrator access only, so it doesn't serve my purpose (??????? added on purpose by me):

    [softwareshare]
        comment = Installation Sources
        path = /home/unattended
        read only = yes
        browseable = no
        valid users = Administrator, ???????

--
Tomek