[wpkg-users] how do you access network domain server shares from a 'NT Authority\SYSTEM' service account session?

Urs Rau urs.rau at uk.om.org
Tue May 16 22:47:06 CEST 2006


Hi Tomasz,

Tomasz Chmielewski wrote:
> Urs Rau wrote:
>> I am looking for some advice here. I am sure this worked in the past,
>> and suspect that one of the windows service packs of the last 16 months
>> or so, 'broke' this functionality by fixing some security aspects of
>> this.
>>
>> How does one get a local service that is set to Log on as 'Local System
>> account' and 'Allow service to interact with Desktop' to actually
>> connect to a share on a domain server? I can't seem to find the right
>> user or group that needs to be given read permission for that share on
>> the domain server. My domain server seems to reject those connections,
>> regardless of what users I tell it should be allowed to connect.
>>
>> What have I missed, or where are the answers, I assume that at least
>> some of you do run wpkg as a local service that runs the wpkg.js engine
>> off a central server location?
> 
> Did you look at this page:
> 
> http://wpkg.org/index.php/Installation_instructions
> 

Yes, I did, and sorry I should have mentioned it. What I try to achieve
is the very thing the page makes reference to when it says:

> Pick a network drive. This drive must be accessible by the user WPKG 
> is going to be configured to run as. We are using LocalSystem on 
> Windows 2000. Windows XP has a new NetworkService account which begs
> examination. When LocalSystem attempts to access a file share, it
> does so under the identity of guest. Thus, guest must have read only
> access to your entire software share.

So I am trying to use LocalSystem under XP and was trying to find what
'guest' access you are mentioning.

I am using unattended to install the wpkg service whilst it is a domain
adm using the install-service.js script, which by default sets the
service to running as LocalSystem.

My samba share looks as follows:

[wpkg]
        comment = Windows Package Installer
        path = /usr/local/samba/ins/install/packages/wpkg
        valid users = root, dom_admin, app_admin, guest
        write list = root, dom_admin, app_admin
        force user = root
        force group = root
        read only = Yes
        guest ok = Yes
        browseable = No
        volume = WPKG


but this does not allow me to map a drive or access files using UNC
paths from the service's local system account.

So when the page says 'When LocalSystem attempts to access a file share,
it does so under the identity of guest.' is this phrase referring back
only to the running under win2k (I read it as also referring to xp)? Or
when it says that 'Windows XP has a new NetworkService account which
begs examination.' does that mean there is a way to use this new
NetworkService to run the local service to access network shares,
instead of the LocalSystem?
If the answer to this implied question there isn't known yet, I was
hoping that my email might get us one step closer to someone that knows
giving that answer to the list.

> ?
> 
> Simply, you won't connect to the domain server as a SYSTEM account,
> unless the share allows guest access (start the service from some other
> account).

You say "you won't" and also "unless the share allows guest access" and
that is exactly what I do want. (I think) I am slightly confused. Which
is it? "You won't" or "you can _IF_ the share has guest access"?

I thought that my samba share as above would give the right guest access,
as mentioned on the page, to that share, but it doesn't. So hence my
question, as to what else I have to put into the samba share definition
to allow the service to access files on the samba share.

I am also trying to get answers from the samba list on this topic.
Thanks for your help.

Regards,


-- 
Urs Rau						
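
An added example, not part of the original message and not WPKG or Samba project code: a short Python check run over the [wpkg] share definition quoted in the message, flagging what guest access would mean alongside `force user = root`. The function names and finding labels are hypothetical; the behaviour relied on (`force user` applies to every connection, `write list` overrides `read only`, `browseable` only hides the share from listings) is documented smb.conf behaviour.

```python
# Added example: audit an smb.conf share stanza for risky guest/root combinations.
# SHARE is the [wpkg] definition from the message; finding names are hypothetical.
SHARE = """\
[wpkg]
        comment = Windows Package Installer
        path = /usr/local/samba/ins/install/packages/wpkg
        valid users = root, dom_admin, app_admin, guest
        write list = root, dom_admin, app_admin
        force user = root
        force group = root
        read only = Yes
        guest ok = Yes
        browseable = No
        volume = WPKG
"""
SYNONYMS = {"public": "guestok", "browsable": "browseable"}  # smb.conf aliases
TRUE = {"yes", "true", "1"}

def parse_shares(text):
    """Return {share: {key: value}}; Samba ignores case and spaces in keys."""
    shares, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            current = shares.setdefault(line[1:-1].strip().lower(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            key = "".join(key.lower().split())   # "Guest OK" -> "guestok"
            current[SYNONYMS.get(key, key)] = value.strip()
    return shares

def audit_share(opts):
    """Return a sorted list of finding labels for one parsed share."""
    findings = set()
    guest = opts.get("guestok", "no").lower() in TRUE
    as_root = opts.get("forceuser", "").lower() == "root"
    if guest and as_root:
        # Unauthenticated sessions read files with root's filesystem rights.
        findings.add("guest-reads-as-root")
    if as_root and opts.get("writelist"):
        # write list overrides read only; those writes are performed as root.
        findings.add("writes-as-root")
    if guest and opts.get("browseable", "yes").lower() not in TRUE:
        # Hiding a share from browse lists does not restrict access to it.
        findings.add("hidden-not-protected")
    return sorted(findings)

if __name__ == "__main__":
    for name, opts in parse_shares(SHARE).items():
        print(name, audit_share(opts))
```

For a read-only software share, a dedicated unprivileged account in `force user` keeps guest reads limited to what that account can see on disk.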