Matt Pruett
2023-Nov-14 20:37 UTC
[Samba] General advice needed, granting machine account permissions to a share?
It does produce an id. I can try switching away from sssd as suggested by Rowland. I'm interested in my last question about how valid the notion of granting a domain machine account permissions to a share is? Is this something that is done in some cases? Does Microsoft consider it a valid use case of machine accounts? Here is my config, any advice/criticism would be welcome. (though I am aware that using .local is cursed, predates me, can't change it) The machine account is a member of the "encoder group".

[global]
realm = DH.LOCAL
workgroup = DH
security = ads
kerberos method = secrets and keytab
template homedir = /home/%U
idmap config * : backend = tdb
idmap config * : range = 10000-199999
idmap config DH : backend = sss
idmap config DH : range = 200000-2147483647
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes
machine password timeout = 0

log level = 2
disable netbios = yes
server min protocol = SMB2_02

restrict anonymous = 2
unix extensions = no
dos filemode = yes
aio max threads = 2

dns proxy = no
kernel change notify = yes
directory name cache size = 0
server multi channel support = no
unix charset = UTF-8
obey pam restrictions = False
rpc_daemon:mdssd = disabled
rpc_server:mdssvc = disabled

server string = Encoder
bind interfaces only = yes
netbios name = encoder
netbios aliases

[pdf_fileserver]
comment = PDF Encoding Output
path = /srv/pdf_fileserver
directory mask = 770
create mask = 660
kernel oplocks = no
kernel share modes = no
posix locking = no
nfs4:chown = true
ea support = false
smbd max xattr size = 2097152
vfs objects = streams_xattr
write list = +"encoder group"@dh.local +"domain users"@dh.local

On Tue, Nov 14, 2023 at 12:22 PM Christian Naumer via samba <samba at lists.samba.org> wrote:
>
> Hi,
> does your computer account have a uid on that member server?
> Does
> id COMPUTERNAME$
>
> produce an output?
>
> Since I also can not get at the redhat info you provided, could you share your smb.conf?
>
> Regards
>
> Christian
>
>
> On 14 November 2023 02:52:07 CET, Matt Pruett via samba <samba at lists.samba.org> wrote:
> >Here's the situation:
> >I used sssd-winbind to join the server to a native windows domain.
> >Following these instructions:
> >https://access.redhat.com/solutions/3802321
> >
> >This all seems to be working fine. I have various shares that various
> >AD groups can access and within those shares I use "posix" acls to do
> >some more fine grained permissions.
> >
> >However there is a 3rd party application/service running on a windows
> >server that polls an smb share located on this samba server for new
> >files. This service runs as the "local system" account and provides no
> >means of specifying separate smb credentials. Therefore it
> >authenticates as its AD computer account. I have created an ad
> >security group which contains both this machine account, and some
> >other needed user accounts, and assigned this group as the unix group
> >for that folder structure.
> >
> >For the users that are a member of this group, it's working fine.
> >However for this computer account it doesn't seem to work
> >consistently. In the logs I get a "Could not convert SID S-0-0, error
> >is NT_STATUS_NONE_MAPPED".
> >
> >So my question is firstly, is assigning computer accounts permissions
> >to shares a valid approach to this kind of thing? Are there any
> >significant security repercussions for using a computer account in
> >this way?
> >
> >Secondly, is this chain of configuration something that can work with
> >"posix" acls? Or should I toss that out and use:
> >
> >vfs objects = acl_xattr
> >map acl inherit = yes
> >acl_xattr:ignore system acls = yes
> >
> >Thanks.
> >
> >--
> >To unsubscribe from this list go to the following URL and read the
> >instructions: https://lists.samba.org/mailman/options/samba
Aaron C. de Bruyn
2023-Nov-14 20:40 UTC
[Samba] General advice needed, granting machine account permissions to a share?
That's definitely a valid case. We have software deployments defined in Group Policy that install at machine boot. That share must allow computer accounts to read from it in order to install the software.

-A

On Tue, Nov 14, 2023 at 12:38 PM Matt Pruett via samba <samba at lists.samba.org> wrote:
> It does produce an id. I can try switching away from sssd as suggested
> by Rowland. I'm interested in my last question about how valid the
> notion of granting a domain machine account permissions to a share is?
> Is this something that is done in some cases? Does Microsoft consider
> it a valid use case of machine accounts? Here is my config, any
> advice/criticism would be welcome. (though I am aware that using
> .local is cursed, predates me, can't change it) The machine account
> is a member of the "encoder group".
>
> [global]
> realm = DH.LOCAL
> workgroup = DH
> security = ads
> kerberos method = secrets and keytab
> template homedir = /home/%U
> idmap config * : backend = tdb
> idmap config * : range = 10000-199999
> idmap config DH : backend = sss
> idmap config DH : range = 200000-2147483647
> load printers = no
> printing = bsd
> printcap name = /dev/null
> disable spoolss = yes
> machine password timeout = 0
>
> log level = 2
> disable netbios = yes
> server min protocol = SMB2_02
>
> restrict anonymous = 2
> unix extensions = no
> dos filemode = yes
> aio max threads = 2
>
> dns proxy = no
> kernel change notify = yes
> directory name cache size = 0
> server multi channel support = no
> unix charset = UTF-8
> obey pam restrictions = False
> rpc_daemon:mdssd = disabled
> rpc_server:mdssvc = disabled
>
> server string = Encoder
> bind interfaces only = yes
> netbios name = encoder
> netbios aliases
>
> [pdf_fileserver]
> comment = PDF Encoding Output
> path = /srv/pdf_fileserver
> directory mask = 770
> create mask = 660
> kernel oplocks = no
> kernel share modes = no
> posix locking = no
> nfs4:chown = true
> ea support = false
> smbd max xattr size = 2097152
> vfs objects = streams_xattr
> write list = +"encoder group"@dh.local +"domain users"@dh.local
>
> On Tue, Nov 14, 2023 at 12:22 PM Christian Naumer via samba
> <samba at lists.samba.org> wrote:
> >
> > Hi,
> > does your computer account have a uid on that member server?
> > Does
> > id COMPUTERNAME$
> >
> > produce an output?
> >
> > Since I also can not get at the redhat info you provided, could you
> > share your smb.conf?
> >
> > Regards
> >
> > Christian
> >
> >
> > On 14 November 2023 02:52:07 CET, Matt Pruett via samba
> > <samba at lists.samba.org> wrote:
> > >Here's the situation:
> > >I used sssd-winbind to join the server to a native windows domain.
> > >Following these instructions:
> > >https://access.redhat.com/solutions/3802321
> > >
> > >This all seems to be working fine. I have various shares that various
> > >AD groups can access and within those shares I use "posix" acls to do
> > >some more fine grained permissions.
> > >
> > >However there is a 3rd party application/service running on a windows
> > >server that polls an smb share located on this samba server for new
> > >files. This service runs as the "local system" account and provides no
> > >means of specifying separate smb credentials. Therefore it
> > >authenticates as its AD computer account. I have created an ad
> > >security group which contains both this machine account, and some
> > >other needed user accounts, and assigned this group as the unix group
> > >for that folder structure.
> > >
> > >For the users that are a member of this group, it's working fine.
> > >However for this computer account it doesn't seem to work
> > >consistently. In the logs I get a "Could not convert SID S-0-0, error
> > >is NT_STATUS_NONE_MAPPED".
> > >
> > >So my question is firstly, is assigning computer accounts permissions
> > >to shares a valid approach to this kind of thing? Are there any
> > >significant security repercussions for using a computer account in
> > >this way?
> > >
> > >Secondly, is this chain of configuration something that can work with
> > >"posix" acls? Or should I toss that out and use:
> > >
> > >vfs objects = acl_xattr
> > >map acl inherit = yes
> > >acl_xattr:ignore system acls = yes
> > >
> > >Thanks.
Rowland Penny
2023-Nov-14 21:19 UTC
[Samba] General advice needed, granting machine account permissions to a share?
On Tue, 14 Nov 2023 14:37:19 -0600
Matt Pruett via samba <samba at lists.samba.org> wrote:

> It does produce an id. I can try switching away from sssd as suggested
> by Rowland. I'm interested in my last question about how valid the
> notion of granting a domain machine account permissions to a share is?
> Is this something that is done in some cases? Does Microsoft consider
> it a valid use case of machine accounts? Here is my config, any
> advice/criticism would be welcome. (though I am aware that using
> .local is cursed, predates me, can't change it) The machine account
> is a member of the "encoder group".

Using a computer account as a user is very valid, which is easy to understand when you realise that a computer account is just a user account with an extra objectclass.

>
> [global]
> realm = DH.LOCAL
> workgroup = DH
> security = ads
> kerberos method = secrets and keytab
> template homedir = /home/%U
> idmap config * : backend = tdb
> idmap config * : range = 10000-199999

I take it that this smb.conf ultimately came from redhat. If so, would someone from redhat like to explain why the default '*' domain is set for 189,999 IDs, when it is only really meant for the 'Well Known SIDs' (there are less than 200 of those) and anything outside the 'DH' domain (so really 0)? Don't you think that 189,999 is a bit of an overkill?

> idmap config DH : backend = sss
> idmap config DH : range = 200000-2147483647

Have you got any data using those IDs? If not, I suggest you dump sssd and reset the ranges (I would use the rid idmap backend).

> load printers = no
> printing = bsd
> printcap name = /dev/null
> disable spoolss = yes
> machine password timeout = 0

With 'machine password timeout' set to '0', winbind will never change the machine password, as far as I understand it.

>
> log level = 2
> disable netbios = yes
> server min protocol = SMB2_02
>
> restrict anonymous = 2
> unix extensions = no
> dos filemode = yes
> aio max threads = 2
>
> dns proxy = no
> kernel change notify = yes
> directory name cache size = 0
> server multi channel support = no
> unix charset = UTF-8
> obey pam restrictions = False
> rpc_daemon:mdssd = disabled
> rpc_server:mdssvc = disabled
>
> server string = Encoder
> bind interfaces only = yes
> netbios name = encoder
> netbios aliases
>
> [pdf_fileserver]
> comment = PDF Encoding Output
> path = /srv/pdf_fileserver
> directory mask = 770
> create mask = 660
> kernel oplocks = no
> kernel share modes = no
> posix locking = no
> nfs4:chown = true
> ea support = false
> smbd max xattr size = 2097152
> vfs objects = streams_xattr
> write list = +"encoder group"@dh.local +"domain users"@dh.local
>

From that smb.conf, I personally feel that you would get better results from dumping sssd and re-configuring smb.conf, but that must be your decision.

Rowland
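Editor's note (not part of the thread): the smb.conf fragment below puts the idmap settings Matt posted next to a winbind-only, rid-based replacement of the kind Rowland suggests. It is an added illustration, not configuration from any participant or from the Red Hat article, and the replacement range values (3000-7999 for the default '*' domain, 10000-999999 for DH) are the ranges used in the Samba wiki's domain-member example, chosen here for illustration only; the commented-out lines are the ones from the thread.

```ini
# Added example, not from the thread. Only the [global] idmap-related
# lines are shown; the rest of the posted smb.conf is unchanged.
[global]
realm = DH.LOCAL
workgroup = DH
security = ads
kerberos method = secrets and keytab
template homedir = /home/%U

# --- As posted (sss backend). Two things Rowland flags:
# --- 1. the '*' domain gets 189,999 IDs although it only has to hold the
# ---    well-known SIDs (BUILTIN and friends) plus anything outside DH;
# --- 2. 'machine password timeout = 0' stops winbind from ever rotating
# ---    the member server's machine account password.
#idmap config * : backend = tdb
#idmap config * : range = 10000-199999
#idmap config DH : backend = sss
#idmap config DH : range = 200000-2147483647
#machine password timeout = 0

# --- Replacement (illustrative ranges from the Samba wiki example).
# --- The '*' range is kept small and must not overlap the DH range.
idmap config * : backend = tdb
idmap config * : range = 3000-7999

# --- rid: every DH SID maps deterministically to
# ---   uid/gid = 10000 + RID
# --- so the Windows server's computer account (SID ...-RID) gets an id
# --- without any POSIX attributes in AD, and the mapping is identical
# --- on every member server that uses the same range.
idmap config DH : backend = rid
idmap config DH : range = 10000-999999

# 'machine password timeout' is simply omitted so the default applies
# (604800 seconds, i.e. winbind changes the machine password weekly).
```

Two caveats a practitioner would check before flipping the backend. First, Rowland's "have you got any data using those IDs" matters because rid assigns different uids/gids than sss did, so files already owned by DH users or groups under /srv/pdf_fileserver would need their ownership re-mapped (for example by chown from the old numeric ids to the new ones) or they become inaccessible. Second, validate and then confirm the computer account actually resolves: `testparm -s` checks the file (it warns on overlapping idmap ranges), and `id 'DH\WINSVC$'` or `wbinfo -i 'DH\WINSVC$'` should return a uid inside 10000-999999 and the "encoder group" as one of its groups (WINSVC is a placeholder for the Windows server's real computer name, which the thread never gives).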