[wpkg-users] how do you access network domain server shares from a 'NT Authority\SYSTEM' service account session?

Tomasz Chmielewski mangoo at wpkg.org
Tue May 16 23:21:15 CEST 2006


Urs Rau wrote:

(...)

> So I am trying to use LocalSystem under XP and was trying to find what
> 'guest' access you are mentioning.
> 
> I am using unattended to install the wpkg service whilst it is a domain
> adm using the install-service.js script, which by default sets the
> service to running as LocalSystem.
> 
> My samba share looks as follows:
> 
> [wpkg]
>         comment = Windows Package Installer
>         path = /usr/local/samba/ins/install/packages/wpkg
>         valid users = root, dom_admin, app_admin, guest
>         write list = root, dom_admin, app_admin
>         force user = root
>         force group = root
>         read only = Yes
>         guest ok = Yes
>         browseable = No
>         volume = WPKG

force user and force group combined with valid user = guest may be a bad 
choice.
This can mean any user can theoretically remove all your software.
More on this later.


> but this does not allow me to map a drive or access files using UNC
> paths from the service's local system account.
> 
> So when the page says 'When LocalSystem attempts to access a file share,
> it does so under the identity of guest.' is this phrase referring back
> only to the running under win2k (I read it as also referring to xp)? Or
> when it says that 'Windows XP has a new NetworkService account which
> begs examination.' does that mean there is a way to use this new
> NetworkService to run the local service to access network shares,
> instead of the LocalSystem?
> If the answer to this implied question there isn't known yet, I was
> hoping that my email might get us one step closer to someone that knows
> giving that answer to the list.
> 
>> ?
>>
>> Simply, you won't connect to the domain server as a SYSTEM account,
>> unless the share allows guest access (start the service from some other
>> account).
> 
> You say "you won't" and also "unless the share allows guest access" and
> that is exactly what I do want. (I think) I am slightly confused. Which
> is it? "You won't" or "you can _IF_ the share has guest access"?

You have a Samba server, I guess it's a domain controller?

You have a WPKG share, with access rights set like that:

valid users = root, dom_admin, app_admin, guest

So one can assume that everyone can access this share (we have a guest 
user in "valid users").

But, as it's a domain controller (or configured to work in a similar 
manner, via "security = ..." setting), before you can even access 
shares, you have to authenticate to the controller (as a domain user).
As a result, you can't access the [wpkg] share as guest, because you 
don't have access to the domain controller yet (you have to enter a 
house first, then you can enter the room).


> I thought that my samba share as above would give the right guest access,
> as mentioned on the page, to that share, but it doesn't. So hence my
> question, as to what else I have to put into the samba share definition
> to allow the service to access files on the samba share.

Check Samba logs (with log level = 3), it will confirm what I wrote before.

I see at least three solutions for you, two of them described on 
http://wpkg.org/index.php/Installation_instructions already:

1) start WPKG as a domain admin with Windows Task Scheduler
2) start WPKG as a domain admin with cygrunsrv.exe

These two are the best choices IMO.

A third choice is to configure Samba to map every "bad user" (the one 
which didn't supply a valid password) to some username (i.e. guest).
I think it is done with something like "bad user = ..." or "map to ..." 
- I just don't remember, you have to consult smb.conf documentation.
It's a bad choice in my opinion, as everyone who connects with a laptop 
to your network can access this share (and perhaps copy installers with 
keys and other sensitive data).

Hope this helps.


To comment on your [wpkg] share settings: I would remove force user, force 
group, guest ok and "guest" user from allow users, when you start WPKG 
with schtasks.exe or cygrunsrv.exe.


-- 
Tomasz Chmielewski
http://wpkg.org
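
The share settings discussed in this message can be checked mechanically. The Python sketch below is an added example, not part of the original post or of WPKG or Samba: it flags guest access, `force user` / `force group = root` on a guest-accessible share, and a global `map to guest` value other than `Never` (the Samba parameter behind the "bad user" mapping mentioned above). The sample config is constructed from the post's [wpkg] share plus an assumed [global] section, and `parse` and `audit` are hypothetical names.

```python
# Added example, not from the post. SAMPLE is constructed: the post's [wpkg]
# share plus an assumed [global] section that maps bad users to guest.
SAMPLE = """\
[global]
        map to guest = Bad User
[wpkg]
        valid users = root, dom_admin, app_admin, guest
        write list = root, dom_admin, app_admin
        force user = root
        force group = root
        read only = Yes
        guest ok = Yes
"""
TRUE = {"yes", "true", "1"}

def parse(text):
    """Return {section: {param: value}}; names lowercased, inner spaces collapsed."""
    shares, cur = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            cur = shares.setdefault(line[1:-1].strip().lower(), {})
        elif "=" in line and cur is not None:
            key, val = line.split("=", 1)
            cur[" ".join(key.lower().split())] = val.strip()
    return shares

def audit(text):
    """Return a sorted list of (section, finding) tuples for risky guest settings."""
    out = []
    for name, p in parse(text).items():
        if name == "global":
            if p.get("map to guest", "never").lower() != "never":
                out.append((name, "map to guest is enabled"))
            continue
        users = {u.lower() for u in p.get("valid users", "").replace(",", " ").split()}
        guest = p.get("guest ok", p.get("public", "no")).lower() in TRUE
        if guest:
            out.append((name, "guest ok is enabled"))
        if "guest" in users:
            out.append((name, "guest listed in valid users"))
        for key in ("force user", "force group"):
            if p.get(key, "").lower() == "root" and (guest or "guest" in users):
                out.append((name, f"{key} = root on a guest-accessible share"))
    return sorted(out)

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

A share with `force user`, `force group`, `guest ok` and the `guest` entry removed, as suggested above, produces no findings.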






