Marco Gaiarin
2018-Jan-15 09:51 UTC
[Samba] Avoiding uid conflicts between rfc2307 user/groups and computers
Hello! Rowland Penny via samba
On that day it was said...

> I am not disputing what you say, I am just asking for concrete proof
> that a computer account MUST have a uidNumber account.

Rowland, it is not (only) a matter of authentication, it is a matter of
'acting' with the machine account.

I've dug a bit but found nothing other than (I use WPKG as the deployment
system, it is only an example):

https://wpkg.org/System_User
https://wpkg.org/SYSTEM_user_Command_Prompt

It was probably some old thread on the mailing list; anyway, the SYSTEM
user can act (e.g., access shares) with the machine account credentials;
AFAIK accessing a share as SYSTEM will trigger an access with the machine
account, and as a fallback as anonymous/Everyone.

So, if you mean that a machine account can auth without a UID, that is
right; if they need (non-anonymous) access to some share, I suppose a UID
is needed.

I hope I was clear.

--
dott. Marco Gaiarin                                    GNUPG Key ID: 240A3D66
Associazione ``La Nostra Famiglia''          http://www.lanostrafamiglia.it/
Polo FVG - Via della Bontà, 7 - 33078 - San Vito al Tagliamento (PN)
marco.gaiarin(at)lanostrafamiglia.it   t +39-0434-842711   f +39-0434-842797

Donate your 5 PER MILLE to LA NOSTRA FAMIGLIA!
http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
(tax code 00307430132, category ONLUS or HEALTH RESEARCH)
Rowland Penny
2018-Jan-15 10:19 UTC
[Samba] Avoiding uid conflicts between rfc2307 user/groups and computers
On Mon, 15 Jan 2018 10:51:54 +0100
Marco Gaiarin via samba <samba at lists.samba.org> wrote:

> Hello! Rowland Penny via samba
> On that day it was said...
>
> > I am not disputing what you say, I am just asking for concrete proof
> > that a computer account MUST have a uidNumber account.
>
> Rowland, it is not (only) a matter of authentication, it is a matter
> of 'acting' with the machine account.
>
> I've dug a bit but found nothing other than (I use WPKG as the
> deployment system, it is only an example):
>
> https://wpkg.org/System_User
> https://wpkg.org/SYSTEM_user_Command_Prompt
>
> It was probably some old thread on the mailing list; anyway, the SYSTEM
> user can act (e.g., access shares) with the machine account credentials;
> AFAIK accessing a share as SYSTEM will trigger an access with the
> machine account, and as a fallback as anonymous/Everyone.
>
> So, if you mean that a machine account can auth without a UID, that is
> right; if they need (non-anonymous) access to some share, I suppose a
> UID is needed.
>
> I hope I was clear.

You are clear in what you say, but I still do not think you need the ID
numbers for computers, 'SYSTEM' does not exist on a Unix machine.

Rowland
Marco Gaiarin
2018-Jan-15 12:02 UTC
[Samba] Avoiding uid conflicts between rfc2307 user/groups and computers
Hello! Rowland Penny via samba
On that day it was said...

> You are clear in what you say, but I still do not think you need the ID
> numbers for computers, 'SYSTEM' does not exist on a Unix machine.

It is not the SYSTEM user (that is a local user of the workstation, so
clearly it does not exist in the domain). But still, a Windows
workstation, when accessing some share as the SYSTEM user, tries to log
on with the machine account.

So, suppose I have a computer called KAIN: I spawn a cmd shell in SYSTEM
context and then I try to write to \\my_server\share\text.txt; the
workstation at first glance tries to access using the KAIN$ account, and
if that fails, does a guest access.

If the KAIN$ account has no UID (and 'Domain Computers' has no GID),
clearly the share access fails.

I hope I was clear now.
L.P.H. van Belle
2018-Jan-15 12:31 UTC
[Samba] Avoiding uid conflicts between rfc2307 user/groups and computers
> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Marco Gaiarin via samba
> Sent: Monday 15 January 2018 13:03
> To: samba at lists.samba.org
> Subject: Re: [Samba] Avoiding uid conflicts between rfc2307
> user/groups and computers
>
> Hello! Rowland Penny via samba
> On that day it was said...
>
> > You are clear in what you say, but I still do not think you
> > need the ID numbers for computers, 'SYSTEM' does not exist on a
> > Unix machine.

It should! See also my script:
https://raw.githubusercontent.com/thctlo/samba4/master/samba-check-set-sysvol.sh

> It is not the SYSTEM user (that is a local user of the workstation, so
> clearly it does not exist in the domain).

Yes it does. Look at "Builtin\system" which is also "NT Authority\System".

> But still, a Windows workstation, when accessing some share as the
> SYSTEM user, tries to log on with the machine account.

Correct, that's by design, and if you get access denied, you did hit the
"winbind" "user SYSTEM" bug(s).
Fix, use acl_xattr:ignore system acl = yes for now.

> So, suppose I have a computer called KAIN: I spawn a cmd shell in SYSTEM
> context and then I try to write to \\my_server\share\text.txt; the
> workstation at first glance tries to access using the KAIN$ account, and
> if that fails, does a guest access.

Yes, which is totally correct.

> If the KAIN$ account has no UID (and 'Domain Computers' has no GID),
> clearly the share access fails.

No, the computer uses SYSTEM, but if you test manually it sets the
computername.

> I hope I was clear now.
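The id-mapping situation argued over in this thread (a uidNumber shared between a user and a computer account, a computer such as KAIN$ with no uidNumber, 'Domain Computers' with no gidNumber) can be audited offline from an LDIF dump. The script below is an added example, not code from the thread or from the Samba project; it assumes LDIF as produced by ldbsearch on the DC, the sample LDIF is constructed, and it does not handle LDIF line folding or base64 values.

```python
# Added example for this thread (not Samba code): audit rfc2307 id mapping
# in LDIF exported from a Samba AD DC, e.g. with ldbsearch. No LDIF line
# folding or base64 ('::') values handled. The sample LDIF is constructed.
from collections import defaultdict

SAMPLE_LDIF = """\
dn: CN=marco,CN=Users,DC=example,DC=lan
sAMAccountName: marco
objectClass: user
uidNumber: 10001

dn: CN=KAIN,CN=Computers,DC=example,DC=lan
sAMAccountName: KAIN$
objectClass: computer
uidNumber: 10001

dn: CN=ABEL,CN=Computers,DC=example,DC=lan
sAMAccountName: ABEL$
objectClass: computer

dn: CN=Domain Computers,CN=Users,DC=example,DC=lan
sAMAccountName: Domain Computers
objectClass: group
"""

def parse_ldif(text):
    """Split LDIF into entries (dict of attr -> list of values)."""
    entries = [defaultdict(list)]
    for line in text.splitlines():
        if not line.strip():               # blank line ends an entry
            entries.append(defaultdict(list))
        else:
            attr, _, value = line.partition(":")
            entries[-1][attr.strip()].append(value.strip())
    return [dict(e) for e in entries if e]

def audit(entries):
    """Return (uidNumbers owned by >1 account, computers without uidNumber,
    groups without gidNumber)."""
    owners, no_uid, no_gid = defaultdict(list), [], []
    for e in entries:
        name = e.get("sAMAccountName", ["?"])[0]
        classes = e.get("objectClass", [])
        if "uidNumber" in e:
            owners[e["uidNumber"][0]].append(name)
        elif "computer" in classes:        # computer with no rfc2307 uid
            no_uid.append(name)
        if "group" in classes and "gidNumber" not in e:
            no_gid.append(name)
    return {u: n for u, n in owners.items() if len(n) > 1}, no_uid, no_gid
```

Run it on `ldbsearch -H /var/lib/samba/private/sam.ldb '(|(objectClass=user)(objectClass=group))' sAMAccountName objectClass uidNumber gidNumber` output instead of the sample to check a real DC.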