Christian Naumer
2023-Nov-14 18:09 UTC
[Samba] General advice needed, granting machine account permissions to a share?
Hi,

does your computer account have a uid on that member server? Does

id COMPUTERNAME$

produce an output?

Since I also cannot get at the Red Hat info you provided, could you share your smb.conf?

Regards

Christian

On 14 November 2023 at 02:52:07 CET, Matt Pruett via samba <samba at lists.samba.org> wrote:
>Here's the situation:
>I used sssd-winbind to join the server to a native Windows domain.
>Following these instructions:
>https://access.redhat.com/solutions/3802321
>
>This all seems to be working fine. I have various shares that various
>AD groups can access, and within those shares I use "posix" ACLs to do
>some more fine-grained permissions.
>
>However, there is a 3rd-party application/service running on a Windows
>server that polls an SMB share located on this Samba server for new
>files. This service runs as the "local system" account and provides no
>means of specifying separate SMB credentials. Therefore it
>authenticates as its AD computer account. I have created an AD
>security group which contains both this machine account and some
>other needed user accounts, and assigned this group as the unix group
>for that folder structure.
>
>For the users that are a member of this group, it's working fine.
>However, for this computer account it doesn't seem to work
>consistently. In the logs I get a "Could not convert SID S-0-0, error
>is NT_STATUS_NONE_MAPPED".
>
>So my question is firstly, is assigning computer accounts permissions
>to shares a valid approach to this kind of thing? Are there any
>significant security repercussions for using a computer account in
>this way?
>
>Secondly, is this chain of configuration something that can work with
>"posix" ACLs? Or should I toss that out and use:
>
>vfs objects = acl_xattr
>map acl inherit = yes
>acl_xattr:ignore system acls = yes
>
>Thanks.
>
>--
>To unsubscribe from this list go to the following URL and read the
>instructions: https://lists.samba.org/mailman/options/samba
Matt Pruett
2023-Nov-14 20:37 UTC
[Samba] General advice needed, granting machine account permissions to a share?
It does produce an id. I can try switching away from sssd as suggested by Rowland.

I'm interested in my last question: how valid is the notion of granting a domain machine account permissions to a share? Is this something that is done in some cases? Does Microsoft consider it a valid use case of machine accounts?

Here is my config; any advice/criticism would be welcome. (Though I am aware that using .local is cursed; it predates me and I can't change it.) The machine account is a member of the "encoder group".

[global]
realm = DH.LOCAL
workgroup = DH
security = ads
kerberos method = secrets and keytab
template homedir = /home/%U
idmap config * : backend = tdb
idmap config * : range = 10000-199999
idmap config DH : backend = sss
idmap config DH : range = 200000-2147483647
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes
machine password timeout = 0
log level = 2
disable netbios = yes
server min protocol = SMB2_02
restrict anonymous = 2
unix extensions = no
dos filemode = yes
aio max threads = 2
dns proxy = no
kernel change notify = yes
directory name cache size = 0
server multi channel support = no
unix charset = UTF-8
obey pam restrictions = False
rpc_daemon:mdssd = disabled
rpc_server:mdssvc = disabled
server string = Encoder
bind interfaces only = yes
netbios name = encoder
netbios aliases

[pdf_fileserver]
comment = PDF Encoding Output
path = /srv/pdf_fileserver
directory mask = 770
create mask = 660
kernel oplocks = no
kernel share modes = no
posix locking = no
nfs4:chown = true
ea support = false
smbd max xattr size = 2097152
vfs objects = streams_xattr
write list = +"encoder group"@dh.local +"domain users"@dh.local

On Tue, Nov 14, 2023 at 12:22 PM Christian Naumer via samba <samba at lists.samba.org> wrote:
>
> Hi,
> does your computer account have a uid on that member server?
> Does
> id COMPUTERNAME$
>
> produce an output?
>
> Since I also cannot get at the Red Hat info you provided, could you share your smb.conf?
>
> Regards
>
> Christian
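The two things this thread turns on are whether the computer account resolves to a uid/gid on the member server (the `id COMPUTERNAME$` check Christian suggests) and whether the resolved identity actually carries the group named in the share's `write list`, with the "Could not convert SID ... NT_STATUS_NONE_MAPPED" log line as the symptom when the mapping fails. The following POSIX shell script is an added example, not code from the thread or from the Samba project: it wraps that check in a function, parses the output of `id` for group membership, and pulls the unmapped SIDs out of smbd log text. The account name `ENCODERBOX$`, the log path `/var/log/samba/log.smbd` and the sample `id` output and log lines are assumptions constructed for the example; "encoder group" is the group from the posted smb.conf.

```shell
#!/bin/sh
# Added example (not from the thread). Checks that a machine account resolves
# on the member server and is in the group the share's "write list" names,
# and extracts SIDs that smbd could not map from log text.
# Assumptions: account ENCODERBOX$, log /var/log/samba/log.smbd.

# id_groups ID_OUTPUT: print one group name per line from the text that
# `id <account>` produced (the "groups=" part, names taken from parentheses).
id_groups() {
    printf '%s\n' "$1" \
        | sed -n 's/.*groups=//p' \
        | tr ',' '\n' \
        | sed -n 's/^[0-9]*(\(.*\))$/\1/p'
}

# has_group ID_OUTPUT GROUP: succeed (exit 0) if GROUP is one of the groups.
has_group() {
    id_groups "$1" | grep -Fqx -- "$2"
}

# none_mapped_sids LOG_TEXT: print each SID smbd reported as NONE_MAPPED, once.
none_mapped_sids() {
    printf '%s\n' "$1" \
        | sed -n 's/.*Could not convert SID \([^,]*\), error is NT_STATUS_NONE_MAPPED.*/\1/p' \
        | sort -u
}

# check_account ACCOUNT GROUP: live check against this member server's idmap.
check_account() {
    out=$(id "$1" 2>/dev/null) || {
        echo "FAIL: $1 does not resolve to a uid; idmap/sssd cannot map the account"
        return 1
    }
    if has_group "$out" "$2"; then
        echo "OK: $1 resolves and is a member of '$2'"
    else
        echo "FAIL: $1 resolves but is not a member of '$2'"
        return 1
    fi
}

# Constructed sample data, not real output from the poster's server.
SAMPLE_ID='uid=200123(encoderbox$) gid=200515(domain computers) groups=200515(domain computers),200700(encoder group)'
SAMPLE_LOG='[2023/11/13 20:40:11.000000,  2] Could not convert SID S-0-0, error is NT_STATUS_NONE_MAPPED
[2023/11/13 20:40:12.000000,  2] Could not convert SID S-0-0, error is NT_STATUS_NONE_MAPPED
[2023/11/13 20:40:13.000000,  2] smbd: unrelated line'

# Usage: sh check_machine_account.sh 'ENCODERBOX$' 'encoder group' [/var/log/samba/log.smbd]
# With fewer than two arguments only the offline demonstration on sample data runs.
if [ $# -ge 2 ]; then
    check_account "$1" "$2"
    logfile="${3:-/var/log/samba/log.smbd}"
    if [ -r "$logfile" ]; then
        echo "SIDs smbd could not map in $logfile:"
        none_mapped_sids "$(cat "$logfile")"
    fi
else
    echo "groups of sample account:"
    id_groups "$SAMPLE_ID"
    echo "unmapped SIDs in sample log:"
    none_mapped_sids "$SAMPLE_LOG"
fi
```

Run it on the member server as `sh check_machine_account.sh 'ENCODERBOX$' 'encoder group'` (the `$` must be quoted or the shell eats it). A FAIL on resolution points at the idmap or sssd side rather than at the share; a resolve-but-not-member result means the account's group membership is not reaching the Unix side, which is what a `write list` entry cannot fix.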