Re: Grant computer account access to share?

I think what Chris was trying to say:
Create a user account that has permissions to run the service (a shortcut to doing this would be to create a user with admin rights).
Open "Computer Management", "Services and Applications", "Services".
Open the "Properties" of the service you are trying to allow to access the share. Select the "Log On" tab, then under "Log on as:" select "This account:" and enter the user info of the user you created.


On 11/10/2011 7:22 AM, Andrew Lyon wrote:
> On Thu, Nov 10, 2011 at 2:48 PM, Chris Weiss <cweiss@xxxxxxxxx> wrote:
>> On Thu, Nov 10, 2011 at 2:24 AM, Andrew Lyon <andrew.lyon@xxxxxxxxx> wrote:
>>> Hi,
>>>
>>> I have a Microsoft application (SCCM) which I need to grant access to
>>> a samba share, however the service which reads the files can only
>>> authenticate using the computer account, there is option to configure
>>> it to use a domain account.
>>
>> Do you mean to say that it's a Windows service whose Log On tab is
>> set to local system?  Because "authenticate using the computer
>> account" isn't a "thing".  A Windows service running as local system
>> does not have permissions to access network resources at all.  This is
>> a Windows restriction, you have to have the account log on as a local
>> or domain user if you want it to be able to access the network.
>
> Yes exactly that, in order to give the service access to Windows
> shares on other Windows servers I can open the share properties,
> select permissions, add, and add permissions for the AD computer
> account, like this: http://oi44.tinypic.com/3007f36.jpg notice the
> computer icon and trailing $, then a service running as local system
> can then access the share, here computer management is showing the
> connected machine http://oi41.tinypic.com/11wedl3.jpg, I can also run
> cmd.exe as system using Sysinternals PsExec and access the share.
>
> I assume that when the computer boots up it "logs on" to AD and thus
> permissions can be granted directly to its AD account, it's quite an
> unusual thing to do and I think it is very bad design that MS provide
> no way to configure a user account that the service uses to access the
> share but that's just how it works.
>
>>> Is there any way to grant a computer account access to a share? On
>>> Windows I can simply add computer$ to the permissions but this doesn't
>>> seem to be possible.
>>
>> Without reading "man smb.conf" again, there used to be an option that
>> you could set allowed and denied client IP addresses, and basically
>> make the share public otherwise.  I don't know if the option still
>> exists in recent versions, my understanding is that it is trivially
>> easy to spoof.
>
> It doesn't really matter how I end up making this work, if I have to
> run another instance of samba on a different IP and run a separate
> cable/vlan then that's what I will do, at the moment I'm struggling to
> find any combination of smb.conf options that allow the process to
> access the share.
>
> Andy
