SYSTEM or Service Account Access

Questions about using Windows AD service.
Post Reply
User avatar
rvandewa
New here
Posts: 7
Joined: Thu Jul 29, 2010 9:45 pm
Location: Texas, United States

SYSTEM or Service Account Access

Post by rvandewa » Wed Sep 08, 2010 2:49 am

I am trying to give permissions to a computer's local service account, or the SYSTEM account, to access a SAMBA share. I have tried adding the "Domain Computers" group to a second group and granting permissions to it. I have also tried giving anonymous access permissions. Both to no avail. Any suggestions?

User avatar
rvandewa
New here
Posts: 7
Joined: Thu Jul 29, 2010 9:45 pm
Location: Texas, United States

Re: SYSTEM or Service Account Access

Post by rvandewa » Wed Sep 08, 2010 3:01 am

Also, giving the local group "Everyone" access also has no effect. Firmware 3.3.2 Build 0819T

QNAPJauss
QNAP Staff
Posts: 499
Joined: Fri Oct 02, 2009 12:18 pm
Location: Taipei, TAIWAN

Re: SYSTEM or Service Account Access

Post by QNAPJauss » Wed Sep 08, 2010 2:24 pm

Dear rvandewa,

I have tried adding the "Domain Computers" group to a second group and granting permissions to it.


It is what you have to do. But to do so, you must use active directory.
- Create a security group in Active Directory, for example “ComputerAccounts”.
- Add all the computer accounts that will need to access your shared folder.
- Give permission to the domain group “ComputerAccounts” on the shared folder.

If your PC (or server) is not in Active Directory, then you cannot give permission to "system".The only way would be to allows Read/Write access for Guest.

BR,
Jauss

User avatar
rvandewa
New here
Posts: 7
Joined: Thu Jul 29, 2010 9:45 pm
Location: Texas, United States

Re: SYSTEM or Service Account Access

Post by rvandewa » Wed Sep 08, 2010 11:47 pm

Well that is what I had done, but it didn't seem to work. Is there a log on the QNAP appliance that will tell me the user that is failing authentication over SAMBA?

QNAPJauss
QNAP Staff
Posts: 499
Joined: Fri Oct 02, 2009 12:18 pm
Location: Taipei, TAIWAN

Re: SYSTEM or Service Account Access

Post by QNAPJauss » Thu Sep 09, 2010 11:02 am

Hi,

Yes, you can enable connection logs for samba in :
system administration >> system logs >> system connection logs
then, options, select samba , Apply
after, click "start logging" (next to options button)

Also, in AD, the group membership are active only on login time. That means if you add the computer account to a group, you should restart the computer to make the group membership active.

BR,
Jauss

beargfr
New here
Posts: 9
Joined: Tue Apr 11, 2017 12:17 pm

Re: SYSTEM or Service Account Access

Post by beargfr » Mon Nov 20, 2017 8:42 am

I know this is an ancient thread, but I hit the same problem with not being able to permit the NT AUTHORITY\SYSTEM account to access a normal QNAP shared folder --- and SOLVED IT!

The secret is, configure an iSCSI target and at least one LUN on the QNAP, then use Windows iSCSI Initiator (built in to recent versions of Windows Server, and can be downloaded from Microsoft and added to other Windows installations). iSCSI support will allow you to connect to the defined LUN on the QNAP NAS from Windows it will be treated like a local drive. I'm using iSCSI LUN's defined on my QNAP box both as 'shared disks' to support Failover Clustering and also as the storage targets for the database files associated with my Windows Certificate Authority. Trying to use a 'regular' QNAP shared folder as storage for my CA got me the same permissions problem that is the topic of this thread, but creating an iSCSI LUN instead and using that works like a charm.

Terminology if you're not familiar with iSCSI (like I wasn't before today).
An iSCSI Target is analogous to a server end point.
An iSCSI LUN is equivalent to a disk.
Therefore, a single iSCSI Target(server) may provide access to multiple LUN's (disks).

Pretty cool stuff.

Bear

User avatar
OneCD
Ask me anything
Posts: 5719
Joined: Sun Aug 21, 2016 10:48 am
Location: "... there, behind that sofa!"

Re: SYSTEM or Service Account Access

Post by OneCD » Mon Nov 20, 2017 9:28 am

Hi Bear.

Unfortunately, your solution does not solve this problem. iSCSI has absolutely nothing to do with shared folders on the QNAP. It's a completely different network service. Your method will not allow a user to access the existing shared folders - instead, you've created your own network drive.

And please don't revive old threads. This thread was started over 7 years ago with a question about a much earlier firmware. The person who asked this question found a solution and moved-on with their life. ;)

Debian 'Stretch' on my production NAS (TS-569 Pro), with the backup NAS (TS-559 Pro+) to eventually follow. When that happens, I'll no longer use or support any QNAP firmware. Debian powerup/poweroff times are < 1 minute.

one.cd.only@gmail.com

Image Image Image Image Image

Post Reply

Return to “Windows Domain & Active Directory”