Re: [Samba] Samba-wiki info about profiles and SYSTEM account.
- Date: Wed, 3 May 2017 16:58:07 +0200
- From: "L.P.H. van Belle via samba" <samba@xxxxxxxxxxxxxxx>
- Subject: Re: [Samba] Samba-wiki info about profiles and SYSTEM account.
Great to have that clear now.
Now, ... Sorry about this one but.. Ping;.... ;-)
https://bugzilla.samba.org/show_bug.cgi?id=12257 Windows 10 unable to update group policy.
https://bugzilla.samba.org/show_bug.cgi?id=12263 unable to edit / create GPO
Fixed when you apply system on the sysvol folder. ;-)
2 bugs less ;-)
> -----Oorspronkelijk bericht-----
> Van: Marc Muehlfeld [mailto:mmuehlfeld@xxxxxxxxx]
> Verzonden: woensdag 3 mei 2017 15:44
> Aan: L.P.H. van Belle; samba
> Onderwerp: Re: [Samba] Samba-wiki info about profiles and
> SYSTEM account.
> Hi Louis,
> it seems we are both right:
> I talked with Volker about the necessity of SYSTEM in ACLs on a Samba
> server: From Samba side, SYSTEM is not required in ACLs. It's
> important that the domain user or machine account, that is
> used to authenticate to the share, is able to access the content.
> SYSTEM is a local security principal on the client and not
> sent over the network to authenticate. When a local service
> on a domain member uses SYSTEM to access a domain network
> share, it authenticates as computername$. To access the
> content, it is necessary that this machine account is allowed
> to access the content. For example, because it is listed
> explicitely, as member of a group, or allowed by a general
> principal, such as "Authenticated Users". If the local SYSTEM
> account accesses the server using the computername$ account,
> the SYSTEM account in the ACLs is not used on the server to
> validate if computername$ is allowed to access the content -
> computername$ must somehow have access.
> On the other side, there are be some Windows services that
> may require that some ACLs are present on the remote server.
> For example, a service might not work if the ACLs on the
> remote server do not contain the SYSTEM account - even if it
> is not used on the server to access the content itself. This
> is what you discovered.
> I will update the docs accordingly.
> Am 03.05.2017 um 12:22 schrieb L.P.H. van Belle via samba:
> > Hai,
> > I just saw the new site for the profiles :-) didnt notice that.
> > Looks nice.
> > Now i saw the link to :
> > https://wiki.samba.org/index.php/The_SYSTEM_Account
> > This is very very disturbing....
> > Especially these lines:
> > "The SYSTEM account is never sent to a remote host to
> authenticate and for this reason never used to access a
> remote file system"
> > "For this reasons, you can omit the SYSTEM account in file
> system ACLs on Samba shares."
> > Now this is not ok in my believe.
> > And the funny part, first reference link.
> > -is-used-in-windows
> > Which states :
> > . On the other hand, the system account does show up on an
> NTFS volume in File Manager in the Permissions portion of the
> Security menu.
> > By default, the system account is granted full control to
> all files on an NTFS volume.
> > And ...
> >>>> The system account's permissions can be removed from
> a file but it is not recommended.
> > The last line on the wiki.
> >> For this reasons, you can omit the SYSTEM account in
> file system ACLs on Samba shares.
> > Now when it goes wrong if you remove SYSTEM from the samba shares...
> > Example 1:
> > Try to do the following.
> > Add the Administrators security group to roaming user profiles in
> > Computer Configuration \ Administrative Templates \ System \ User
> > Profiles
> > This happens.
> > When a new roaming profile directory is created, Windows
> disables permission inheritance and grants SYSTEM and the
> profile’s user account full control.
> > .... Grants who... Yes SYSTEM!
> > Example 2
> > If you see something like:
> > The Application Event Viewer indicates errors that the MSI
> package installation failed with an error ‘Package source not
> > 1) On the target computer, log in as an administrator.
> > 2) Schedule an AT job for 1 minute ahead of the current
> time to launch a command prompt as NT Authority\System:
> > a. C:\> at 1:00pm /interactive cmd.exe
> > 3) After the command prompt window to appear, you will
> have "NT Authority\System access."
> > 4) Attempt to list the contents of the share using the UNC path:
> > a. C:\> dir \\server\share - You should receive a
> directory listing of the files on the share
> > Remove system and this wont work.
> > Example 3.
> > A program that runs under the NT Authority\System, but the
> software is on a samba share.
> > For example, software updaters with packages. My zarafa
> updater runs as user SYSTEM.
> > My packages are on the samba shares.. ...
> > Example 4.
> > Last one, lunch time.
> > Install a virusscanner, ( which mostly runs as system ) and
> set it to scan you network shares.
> > Anyone else comments on above. I dont know everything so
> shoot me if im wrong here.
> > But removing user SYSTEM from the shares is really bad advice, Yes,
> > its an option, but NOT for sysvol and profiles or shares
> where you deploy files.
> > Greetz,
> > Louis
To unsubscribe from this list go to the following URL and read the