Urs Rau wrote:

(...)

So I am trying to use LocalSystem under XP and was trying to find what
'guest' access you are mentioning.

I am using unattended to install the wpkg service whilst it is a domain
adm using the install-service.js script, which by default sets the
service to run as LocalSystem.

My samba share looks as follows:

[wpkg]
        comment = Windows Package Installer
        path = /usr/local/samba/ins/install/packages/wpkg
        valid users = root, dom_admin, app_admin, guest
        write list = root, dom_admin, app_admin
        force user = root
        force group = root
        read only = Yes
        guest ok = Yes
        browseable = No
        volume = WPKG

force user and force group combined with valid user = guest may be a bad choice.
This can mean any user can theoretically remove all your software.
More on this later.


but this does not allow me to map a drive or access files using UNC
paths from the service's local system account.

So when the page says 'When LocalSystem attempts to access a file share,
it does so under the identity of guest.' is this phrase referring back
only to the running under win2k (I read it as also referring to xp)? Or
when it says that 'Windows XP has a new NetworkService account which
begs examination.' does that mean there is a way to use this new
NetworkService to run the local service to access network shares,
instead of the LocalSystem?
If the answer to this implied question there isn't known yet, I was
hoping that my email might get us one step closer to someone that knows
giving that answer to the list.

?

Simply, you won't connect to the domain server as a SYSTEM account,
unless the share allows guest access (start the service from some other
account).

You say "you won't" and also "unless the share allows guest access" and
that is exactly what I do want. (I think) I am slightly confused. Which
is it? "You won't" or "you can _IF_ the share has guest access"?

You have a Samba server, I guess it's a domain controller?

You have a WPKG share, with access rights set like that:

valid users = root, dom_admin, app_admin, guest

So one can assume that everyone can access this share (we have a guest user in "valid users").

But, as it's a domain controller (or configured to work in a similar manner, via "security = ..." setting), before you can even access shares, you have to authenticate to the controller (as a domain user). As a result, you can't access the [wpkg] share as guest, because you don't have access to the domain controller yet (you have to enter a house first, then you can enter the room).


I thought that my samba share as above would give the right guest access,
as mentioned on the page, to that share, but it doesn't. So hence my
question, as to what else I have to put into the samba share definition
to allow the service to access files on the samba share.

Check Samba logs (with log level = 3), it will confirm what I wrote before.

I see at least three solutions for you, two of them described on http://wpkg.org/index.php/Installation_instructions already:

1) start WPKG as a domain admin with Windows Task Scheduler
2) start WPKG as a domain admin with cygrunsrv.exe

These two are the best choices IMO.

A third choice is to configure Samba to map every "bad user" (the one which didn't supply a valid password) to some username (i.e. guest). I think it is done with something like "bad user = ..." or "map to ..." - I just don't remember, you have to consult smb.conf documentation. It's a bad choice in my opinion, as everyone who connects with a laptop to your network can access this share (and perhaps copy installers with keys and other sensitive data).

Hope this helps.


To comment on your [wpkg] share settings: I would remove force user, force group, guest ok and "guest" user from allow users, when you start WPKG with schtasks.exe or cygrunsrv.exe.


--
Tomasz Chmielewski
http://wpkg.org


_______________________________________________
wpkg-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/wpkg-users
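
The guest-related settings discussed in this thread can be checked mechanically before a share goes live. The script below is an added example, not part of the original messages or of the WPKG or Samba projects; the function names, the finding labels and the `[global]` section of the sample are constructed for illustration, and `map to guest` is the smb.conf parameter for mapping failed logins to the guest account.

```python
import re

# Constructed sample: the [wpkg] share as posted in the thread, plus a
# constructed [global] section with the guest mapping the reply warns about.
SAMPLE = """
[global]
        map to guest = Bad User
[wpkg]
        path = /usr/local/samba/ins/install/packages/wpkg
        valid users = root, dom_admin, app_admin, guest
        write list = root, dom_admin, app_admin
        force user = root
        force group = root
        read only = Yes
        guest ok = Yes
"""

def parse_smb_conf(text):
    """Return {section: {parameter: value}}; names lower-cased, spaces collapsed."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = sections.setdefault(header.group(1).strip().lower(), {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[" ".join(key.lower().split())] = value.strip()
    return sections

def audit(text):
    """Return (section, label) findings for the guest settings discussed in the thread."""
    conf, findings = parse_smb_conf(text), []
    mode = conf.get("global", {}).get("map to guest", "never").lower()
    if mode != "never":                      # e.g. "bad user": unknown logins become guest
        findings.append(("global", "map-to-guest"))
    for name, share in conf.items():
        if name == "global":
            continue
        users = [u for u in re.split(r"[,\s]+", share.get("valid users", "").lower()) if u]
        guest = share.get("guest ok", share.get("public", "no")).lower() in ("yes", "true", "1") or "guest" in users
        if guest:
            findings.append((name, "guest-access"))
        if guest and share.get("force user", "").lower() == "root":
            findings.append((name, "guest-as-root"))   # file operations are performed as root
    return findings
```

Running `audit(SAMPLE)` reports all three findings for the posted configuration; a share with `guest ok`, `force user` and the `guest` entry removed reports none.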
