Matt Pruett
2023-Nov-14 01:52 UTC
[Samba] General advice needed, granting machine account permissions to a share?
Here's the situation: I used sssd-winbind to join the server to a native Windows domain, following these instructions: https://access.redhat.com/solutions/3802321

This all seems to be working fine. I have various shares that various AD groups can access, and within those shares I use "posix" ACLs to do some more fine-grained permissions.

However, there is a 3rd-party application/service running on a Windows server that polls an SMB share located on this Samba server for new files. This service runs as the "local system" account and provides no means of specifying separate SMB credentials. Therefore it authenticates as its AD computer account. I have created an AD security group which contains both this machine account and some other needed user accounts, and assigned this group as the Unix group for that folder structure.

For the users that are members of this group, it's working fine. However, for this computer account it doesn't seem to work consistently. In the logs I get a "Could not convert SID S-0-0, error is NT_STATUS_NONE_MAPPED".

So my question is, firstly, is assigning computer accounts permissions to shares a valid approach to this kind of thing? Are there any significant security repercussions for using a computer account in this way?

Secondly, is this chain of configuration something that can work with "posix" ACLs? Or should I toss that out and use:

vfs objects = acl_xattr
map acl inherit = yes
acl_xattr:ignore system acls = yes

Thanks.
Rowland Penny
2023-Nov-14 08:56 UTC
[Samba] General advice needed, granting machine account permissions to a share?
On Mon, 13 Nov 2023 19:52:07 -0600 Matt Pruett via samba <samba at lists.samba.org> wrote:

> Here's the situation:
> I used sssd-winbind to join the server to a native windows domain.
> Following these instructions:
> https://access.redhat.com/solutions/3802321

That is behind a sign-in wall, I cannot view it.

> This all seems to be working fine. I have various shares that various
> AD groups can access and within those shares I use "posix" acls to do
> some more fine grained permissions.

The problem is, sssd is not provided or written by Samba, it is a Red Hat product and isn't required for Samba to work. As it isn't a Samba product, very little is known about it here; you will get much more help from the sssd-users mailing list. If you decide to remove sssd and go with just Samba, we can help you with that.

If you just require authentication, then sssd is great, but the moment that you require file shares, it has nothing to offer. For file sharing you require the 'smbd' daemon, which in an AD domain requires winbind. There is, in my opinion, no point in running winbind and sssd, they both do the same thing, so just run winbind without sssd and only have one configuration file.

Rowland
Christian Naumer
2023-Nov-14 18:09 UTC
[Samba] General advice needed, granting machine account permissions to a share?
Hi,

Does your computer account have a uid on that member server? Does `id COMPUTERNAME$` produce an output?

Since I also cannot get at the Red Hat info you provided, could you share your smb.conf?

Regards

Christian

Am 14. November 2023 02:52:07 MEZ schrieb Matt Pruett via samba <samba at lists.samba.org>:

> Here's the situation:
> I used sssd-winbind to join the server to a native windows domain.
> Following these instructions:
> https://access.redhat.com/solutions/3802321
>
> This all seems to be working fine. I have various shares that various
> AD groups can access and within those shares I use "posix" acls to do
> some more fine grained permissions.
>
> However there is a 3rd party application/service running on a windows
> server that polls an smb share located on this samba server for new
> files. This service runs as the "local system" account and provides no
> means of specifying separate smb credentials. Therefore it
> authenticates as its AD computer account. I have created an ad
> security group which contains both this machine account, and some
> other needed user accounts, and assigned this group as the unix group
> for that folder structure.
>
> For the users that are a member of this group, it's working fine.
> However for this computer account it doesn't seem to work
> consistently. In the logs I get a "Could not convert SID S-0-0, error
> is NT_STATUS_NONE_MAPPED" .
>
> So my question is firstly, is assigning computer accounts permissions
> to shares a valid approach to this kind of thing? Are there any
> significant security repercussions for using a computer account in
> this way?
>
> Secondly, is this chain of configuration something that can work with
> "posix" acls? Or should I toss that out and use:
>
> vfs objects = acl_xattr
> map acl inherit = yes
> acl_xattr:ignore system acls = yes
>
> Thanks.
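The check Christian asks for, as an added example that is not part of this thread or of Samba itself: a small POSIX sh script that resolves an AD machine account through winbind (name to SID, SID to uid, then `id`), confirms it is a member of the group that owns the share, and classifies the "NT_STATUS_NONE_MAPPED" log line from the original post as an identity-mapping failure rather than a permission denial. It assumes winbind is the identity provider on the member server; the domain, host and group names are placeholders and the `id` output used by the parser is constructed sample text.

```shell
#!/bin/sh
# Added example, not from the thread: verify that an AD machine account maps
# to a Unix identity on a Samba member server and sits in the share's group.
# Assumes winbind provides identities; EXAMPLE\..., fileserver$ and
# share-readers below are placeholder names.
set -eu

# Parse the output of `id` and report whether GROUP is among the groups.
# `id` prints: uid=N(name) gid=N(name) groups=N(a),N(b),...
# Pure text processing, so it can be exercised on sample output offline.
# Usage: id_in_group "<id output>" "<group name>"
id_in_group() {
    _out=$1; _grp=$2
    printf '%s\n' "$_out" \
      | sed -n 's/.*groups=//p' \
      | tr ',' '\n' \
      | sed 's/^[0-9]*(//; s/)$//' \
      | grep -Fxq -- "$_grp"
}

# Return 0 when a Samba log line shows the unmapped-SID failure from the
# original post, i.e. winbind could not turn the SID into a uid/gid.
# Such a line means an idmap problem, not a POSIX ACL or mode problem.
is_unmapped_sid_error() {
    printf '%s\n' "$1" | grep -q 'NT_STATUS_NONE_MAPPED'
}

# Live check against winbind for one account. The trailing '$' marks a
# machine account and must be quoted so the shell does not expand it.
# Usage: check_account 'EXAMPLE\fileserver$' 'EXAMPLE\share-readers'
check_account() {
    _acct=$1; _grp=$2
    echo "== name -> SID (wbinfo -n)"
    wbinfo -n "$_acct"                 # fails if the DC cannot resolve the name
    _sid=$(wbinfo -n "$_acct" | cut -d' ' -f1)
    echo "== SID -> uid (wbinfo -S)"
    wbinfo -S "$_sid"                  # fails if no idmap range covers this SID
    echo "== Unix view (id)"
    _idout=$(id "$_acct")
    echo "$_idout"
    if id_in_group "$_idout" "$_grp"; then
        echo "OK: $_acct is in $_grp"
    else
        echo "MISSING: $_acct is not in $_grp (check AD membership and idmap," \
             "then 'net cache flush' to drop stale winbind entries)"
        return 1
    fi
}

# Run the live check only when invoked with an account and a group name.
if [ "${1:-}" ]; then
    check_account "$1" "${2:?group name required}"
fi
```

If `wbinfo -S` fails for the machine account while it works for the users, the idmap backend is the place to look before touching ACLs: the share's POSIX group can only match a gid that winbind can actually produce. Note also that with the alternative from the original post, `acl_xattr:ignore system acls = yes`, Samba stores the NT ACL in the `security.NTACL` extended attribute and no longer uses the POSIX ACL or mode for access decisions, so the share must then be managed from the Windows security tab and not with `chmod`/`setfacl`.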