[wpkg-users] how do you access network domain server shares from a 'NT Authority\SYSTEM' service account session?
mangoo at wpkg.org
Tue May 16 23:21:15 CEST 2006
Urs Rau wrote:
> So I am trying to use LocalSystem under XP and was trying to find what
> 'guest' access you are mentioning.
> I am using unattended to install the wpkg service whilst it is a domain
> adm using the install-service.js script, which by default sets the
> service to running as LocalSystem.
> My samba share looks as follows:
> comment = Windows Package Installer
> path = /usr/local/samba/ins/install/packages/wpkg
> valid users = root, dom_admin, app_admin, guest
> write list = root, dom_admin, app_admin
> force user = root
> force group = root
> read only = Yes
> guest ok = Yes
> browseable = No
> volume = WPKG
force user and force group combined with valid user = guest may be a bad
This can mean any user can theoretically remove all your software.
More on this later.
> but this does not allow me to map a drive or access files using UNC
> paths from the service's local system account.
> So when the page says 'When LocalSystem attempts to access a file share,
> it does so under the identity of guest.' is this phrase referring back
> only to the running under win2k (I read it as also referring to xp)? Or
> when it says that 'Windows XP has a new NetworkService account which
> begs examination.' does that mean there is a way to use this new
> NetworkService to run the local service to access network shares,
> instead of the LocalSystem?
> If the answer to this implied question there isn't known yet, I was
> hoping that my email might get us one step closer to someone that knows
> giving that answer to the list.
>> Simply, you won't connect to the domain server as a SYSTEM account,
>> unless the share allows guest access (start the service from some other
> You say "you won't" and also "unless the share allows guest access" and
> that is exactly what I do want. (I think) I am slightly confused. Which
> is it? "You won't" or "you can _IF_ the share has guest access"?
You have a Samba server, I guess it's a domain controller?
You have a WPKG share, with access rights set like that:
valid users = root, dom_admin, app_admin, guest
So one can assume that everyone can access this share (we have a guest
user in "valid users").
But, as it's a domain controller (or configured to work in a similar
manner, via "security = ..." setting), before you can even access
shares, you have to authenticate to the controller (as a domain user).
As a result, you can't access the [wpkg] share as guest, because you
don't have access to the domain controller yet (you have to enter a
house first, then you can enter the room).
> I thought that my samba share as above would give the right guest access,
> as mentioned on the page, to that share, but it doesn't. So hence my
> question, as to what else I have to put into the samba share definition
> to allow the service to access files on the samba share.
Check Samba logs (with log level = 3), it will confirm what I wrote before.
I see at least three solutions for you, two of them described on
1) start WPKG as a domain admin with Windows Task Scheduler
2) start WPKG as a domain admin with cygrunsrv.exe
These two are the best choices IMO.
A third choice is to configure Samba to map every "bad user" (the one
which didn't supply a valid password) to some username (i.e. guest).
I think it is done with something like "bad user = ..." or "map to ..."
- I just don't remember, you have to consult smb.conf documentation.
It's a bad choice in my opinion, as everyone who connects with a laptop
to your network can access this share (and perhaps copy installers with
keys and other sensitive data).
Hope this helps.
To comment on your [wpkg] share settings: I would remove force user, force
group, guest ok and "guest" user from allow users, when you start WPKG
with schtasks.exe or cygrunsrv.exe.
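
Added example, not part of the original message and not WPKG or Samba code: a small Python check that parses an smb.conf and flags, for one share, the settings this reply warns about (guest in valid users, guest ok, force user = root, and a global "map to guest = Bad User"). The sample configuration is constructed from the share quoted above; its [global] section and the function names parse_smb_conf and audit_share are assumptions.

```python
import re

# Constructed sample: share settings from the quoted message, [global] assumed.
SAMPLE_CONF = """\
[global]
    security = user
    map to guest = Bad User

[wpkg]
    valid users = root, dom_admin, app_admin, guest
    write list = root, dom_admin, app_admin
    force user = root
    force group = root
    read only = Yes
    guest ok = Yes
"""


def parse_smb_conf(text):
    """Return {section: {param: value}}; names lower-cased, spaces collapsed."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[" ".join(key.lower().split())] = value.strip()
    return sections


def audit_share(conf, share):
    """List findings for one share, limited to the risks named in the message."""
    glob, sh = conf.get("global", {}), conf.get(share, {})
    users = set(re.split(r"[,\s]+", sh.get("valid users", "").lower()))
    guest_ok = sh.get("guest ok", "no").lower() in {"yes", "true", "1"}
    findings = []
    if "guest" in users:
        findings.append("guest listed in valid users")
    if guest_ok:
        findings.append("guest ok enabled")
    if sh.get("force user", "").lower() == "root":
        findings.append("force user = root: file operations run as root")
    if guest_ok and glob.get("map to guest", "never").lower() == "bad user":
        findings.append("map to guest = Bad User: unknown usernames become guest")
    return findings
```

Calling audit_share(parse_smb_conf(SAMPLE_CONF), "wpkg") returns four findings; a share with only named domain users in valid users and none of the guest or force settings returns an empty list.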