On 31.01.2023 20:27, Rowland Penny via samba wrote:
>
> On 31/01/2023 19:14, Peter Milesson via samba wrote:
>> Hi Michael,
>>
>> I don't see any reason that the 11025 computer account should have
>> any unix permissions on the server whatsoever. The server is set up
>> using Windows ACLs exclusively, no unix or posix acls or permissions
>> involved at all. There should be no unix access for client machines,
>> not for users either BTW, and if Samba complains, it's a Samba bug.
>> The path is obviously accessible by the domain users through Samba,
>> otherwise their Windows environment wouldn't work (of which I would
>> be very quickly informed).
>>
>> Best regards,
>>
>> Peter
>
> The problem with computers in an AD domain is that they are just users
> with an extra objectclass, so, as far as Samba is concerned, they are
> users.
> In an ldap search you can filter them out, perhaps Samba needs to do
> this as standard, unless they need to be a user (for some unknown
> reason, some people do want this). Of course this may be what is
> supposed to happen (don't ask me about 'C') and something has gone wrong.
>
> Rowland

Hi Rowland,

Yes, I know that computer accounts are regarded as users. But no computer
accounts are defined in the security settings of the shares, only users
(and groups). My knowledge of the internal workings of Windows and Samba
is too scant to assess whether it's OK for Windows to try to access the
share or not. Personally, I would be very reluctant to allow a machine
account to get access to a share, as there are no guarantees what's up.
IMHO, it would impose a huge security problem.

Best regards,

Peter
On 31/01/2023 20:01, Peter Milesson via samba wrote:
>
> On 31.01.2023 20:27, Rowland Penny via samba wrote:
>>
>> On 31/01/2023 19:14, Peter Milesson via samba wrote:
>>> Hi Michael,
>>>
>>> I don't see any reason that the 11025 computer account should have
>>> any unix permissions on the server whatsoever. The server is set up
>>> using Windows ACLs exclusively, no unix or posix acls or permissions
>>> involved at all. There should be no unix access for client machines,
>>> not for users either BTW, and if Samba complains, it's a Samba bug.
>>> The path is obviously accessible by the domain users through Samba,
>>> otherwise their Windows environment wouldn't work (of which I would
>>> be very quickly informed).
>>>
>>> Best regards,
>>>
>>> Peter
>>
>> The problem with computers in an AD domain is that they are just users
>> with an extra objectclass, so, as far as Samba is concerned, they are
>> users.
>> In an ldap search you can filter them out, perhaps Samba needs to do
>> this as standard, unless they need to be a user (for some unknown
>> reason, some people do want this). Of course this may be what is
>> supposed to happen (don't ask me about 'C') and something has gone wrong.
>>
>> Rowland
>
> Hi Rowland,
>
> Yes, I know that computer accounts are regarded as users. But no computer
> accounts are defined in the security settings of the shares, only users
> (and groups). My knowledge of the internal workings of Windows and Samba
> is too scant to assess whether it's OK for Windows to try to access the
> share or not. Personally, I would be very reluctant to allow a machine
> account to get access to a share, as there are no guarantees what's up.
> IMHO, it would impose a huge security problem.
>
> Best regards,
>
> Peter

Totally agree with you, I was just trying to explain a way that computers
could become 'users' to Unix, whether you want them or not. I am not saying
this is what is happening, just that, maybe it could.

Rowland
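Rowland's remark that computer objects are "just users with an extra objectclass" and can be filtered out in an LDAP search is easy to check against a directory dump. The following is an added example, not code from the Samba project or from anyone in this thread. It assumes the usual AD conventions (computer objects carry objectClass `computer` and a sAMAccountName ending in `$`); the LDIF it reads is constructed sample data, and the entry names and DNs are placeholders.

```python
"""Separate computer accounts from user accounts in an AD-style directory dump.

Added example, not Samba project code. Assumes AD conventions: computer
objects carry objectClass 'computer' and a sAMAccountName ending in '$'.
SAMPLE_LDIF below is constructed sample data, not output of a real domain.
"""

# Constructed sample: two users and one computer; all three carry objectClass 'user'.
SAMPLE_LDIF = """\
dn: CN=alice,CN=Users,DC=example,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
sAMAccountName: alice

dn: CN=11025,CN=Computers,DC=example,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
objectClass: computer
sAMAccountName: 11025$

dn: CN=bob,CN=Users,DC=example,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
sAMAccountName: bob
"""

# LDAP filter that keeps user objects but excludes the computer subclass.
USERS_ONLY_FILTER = "(&(objectClass=user)(!(objectClass=computer)))"


def parse_ldif(text):
    """Minimal LDIF reader: entries separated by blank lines, multi-valued attrs.

    Handles folded continuation lines (leading space) and '#' comments.
    Returns a list of dicts mapping lowercase attribute name -> list of values.
    """
    entries, current, last_attr = [], {}, None
    for raw in text.splitlines():
        if raw.startswith(" ") and last_attr is not None:
            current[last_attr][-1] += raw[1:]  # folded continuation line
            continue
        if not raw.strip():
            if current:
                entries.append(current)
            current, last_attr = {}, None
            continue
        if raw.startswith("#"):
            continue
        name, _, value = raw.partition(":")
        name = name.strip().lower()
        current.setdefault(name, []).append(value.strip())
        last_attr = name
    if current:
        entries.append(current)
    return entries


def is_computer_account(entry):
    """True if the entry is a computer object by objectClass or by the '$' naming rule."""
    classes = {c.lower() for c in entry.get("objectclass", [])}
    sam = entry.get("samaccountname", [""])[0]
    return "computer" in classes or sam.endswith("$")


def split_accounts(entries):
    """Return (user_names, computer_names) as sorted lists of sAMAccountName."""
    users, computers = [], []
    for e in entries:
        sam = e.get("samaccountname", [""])[0]
        (computers if is_computer_account(e) else users).append(sam)
    return sorted(users), sorted(computers)


def matches_users_only_filter(entry):
    """Evaluate USERS_ONLY_FILTER against one parsed entry, with LDAP semantics."""
    classes = {c.lower() for c in entry.get("objectclass", [])}
    return "user" in classes and "computer" not in classes


if __name__ == "__main__":
    parsed = parse_ldif(SAMPLE_LDIF)
    print("users/computers:", split_accounts(parsed))
    print("filter", USERS_ONLY_FILTER, "keeps:",
          [e["samaccountname"][0] for e in parsed if matches_users_only_filter(e)])
```

The point of `matches_users_only_filter` is to show that the `(!(objectClass=computer))` clause alone is what separates the two kinds of object; the `$` suffix check in `is_computer_account` is a belt-and-braces heuristic for dumps where objectClass is missing.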
On Tue, 2023-01-31 at 21:01 +0100, Peter Milesson via samba wrote:
> On 31.01.2023 20:27, Rowland Penny via samba wrote:
> > On 31/01/2023 19:14, Peter Milesson via samba wrote:
> > > Hi Michael,
> > > I don't see any reason that the 11025 computer account should
> > > have any unix permissions on the server whatsoever. The server is
> > > set up using Windows ACLs exclusively, no unix or posix acls or
> > > permissions involved at all. There should be no unix access for
> > > client machines, not for users either BTW, and if Samba
> > > complains, it's a Samba bug. The path is obviously accessible by
> > > the domain users through Samba, otherwise their Windows
> > > environment wouldn't work (of which I would be very quickly
> > > informed).
> > > Best regards,
> > > Peter
> >
> > The problem with computers in an AD domain is that they are just users
> > with an extra objectclass, so, as far as Samba is concerned, they
> > are users. In an ldap search you can filter them out, perhaps Samba
> > needs to do this as standard, unless they need to be a user (for
> > some unknown reason, some people do want this). Of course this may
> > be what is supposed to happen (don't ask me about 'C') and
> > something has gone wrong.
> > Rowland
> Hi Rowland,
> Yes, I know that computer accounts are regarded as users. But no
> computer accounts are defined in the security settings of the shares,
> only users (and groups). My knowledge of the internal workings of
> Windows and Samba is too scant to assess whether it's OK for Windows
> to try to access the share or not. Personally, I would be very
> reluctant to allow a machine account to get access to a share, as
> there are no guarantees what's up. IMHO, it would impose a huge
> security problem.

I understand it can often be the virus scanner (which is running in an
elevated security context, so gets machine credentials).
Andrew Bartlett
-- 
Andrew Bartlett (he/him) https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead, Catalyst IT https://catalyst.net.nz/services/samba
Samba Development and Support, Catalyst.Net Limited
Catalyst.Net Ltd - a Catalyst IT group company - Expert Open Source Solutions
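Andrew's explanation (an elevated service such as a virus scanner using the machine's credentials) suggests the defender's follow-up: look in the file server's audit log for share activity performed by `$`-suffixed accounts rather than by named users. The block below is an added example, not code from the Samba project or from anyone in the thread. The log format is an assumption: `vfs_full_audit` style records passed through syslog with a `user|client-ip|client-name|share` prefix followed by the operation, its result and any arguments. All log lines, host names, account names and addresses are constructed sample data.

```python
"""Flag share access by machine accounts in Samba-style audit log lines.

Added example, not Samba project code. Assumed (not verified) log layout:
'<syslog timestamp> <host> smbd_audit: user|ip|client|share|op|status|args...'.
SAMPLE_LOG is constructed; machine accounts are recognised by the AD
convention that their sAMAccountName ends in '$'.
"""
import re
from collections import Counter

SAMPLE_LOG = r"""
Jan 31 20:27:01 fileserver smbd_audit: EXAMPLE\alice|192.0.2.10|ws01|data|connect|ok|data
Jan 31 20:27:05 fileserver smbd_audit: EXAMPLE\11025$|192.0.2.25|ws11025|data|connect|ok|data
Jan 31 20:27:09 fileserver smbd_audit: EXAMPLE\11025$|192.0.2.25|ws11025|data|open|ok|r|finance/report.xlsx
Jan 31 20:27:12 fileserver smbd_audit: EXAMPLE\bob|192.0.2.11|ws02|data|open|ok|r|public/readme.txt
Jan 31 20:27:15 fileserver sshd[1234]: Accepted publickey for admin from 192.0.2.2
"""

# Syslog timestamp and host, then the audit record after the 'smbd_audit:' tag.
AUDIT_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) smbd_audit: (?P<rest>.+)$"
)


def parse_audit_line(line):
    """Return a dict for one smbd_audit record, or None for any other line."""
    m = AUDIT_RE.match(line.strip())
    if not m:
        return None
    fields = m.group("rest").split("|")
    if len(fields) < 6:
        return None  # shorter than user|ip|client|share|op|status: not our format
    user, ip, client, share, op, status = fields[:6]
    return {
        "ts": m.group("ts"), "host": m.group("host"),
        "user": user, "ip": ip, "client": client, "share": share,
        "op": op, "status": status, "args": fields[6:],
    }


def is_machine_account(user):
    """AD machine accounts (DOMAIN\\name$ or plain name$) end with a '$'."""
    return user.rsplit("\\", 1)[-1].endswith("$")


def machine_account_events(lines):
    """All parsed audit records whose acting user is a machine account."""
    events = []
    for line in lines:
        rec = parse_audit_line(line)
        if rec and is_machine_account(rec["user"]):
            events.append(rec)
    return events


def summarize(events):
    """Count (account, share) pairs so one noisy client stands out in review."""
    return Counter((e["user"], e["share"]) for e in events)


if __name__ == "__main__":
    evs = machine_account_events(SAMPLE_LOG.splitlines())
    for e in evs:
        print(e["ts"], e["user"], e["share"], e["op"], e["status"], *e["args"])
    print(summarize(evs))
```

Run against a real log the `(account, share)` counts show whether the machine-account traffic is a single scanner walking one share or something broader; the parser deliberately returns `None` for lines it does not recognise so unrelated syslog entries are skipped rather than mis-parsed.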