SYSTEM or Service Account Access

Questions about using Windows AD service.
rvandewa
New here
Posts: 7
Joined: Thu Jul 29, 2010 9:45 pm
Location: Texas, United States

SYSTEM or Service Account Access

Post by rvandewa » Wed Sep 08, 2010 2:49 am

I am trying to give permissions to a computer's local service account, or the SYSTEM account, to access a SAMBA share. I have tried adding the "Domain Computers" group to a second group and granting permissions to it. I have also tried giving anonymous access permissions. Both to no avail. Any suggestions?

rvandewa
New here
Posts: 7
Joined: Thu Jul 29, 2010 9:45 pm
Location: Texas, United States

Re: SYSTEM or Service Account Access

Post by rvandewa » Wed Sep 08, 2010 3:01 am

Also, giving the local group "Everyone" access also has no effect. Firmware 3.3.2 Build 0819T

QNAPJauss
QNAP Staff
Posts: 499
Joined: Fri Oct 02, 2009 12:18 pm
Location: Taipei, TAIWAN

Re: SYSTEM or Service Account Access

Post by QNAPJauss » Wed Sep 08, 2010 2:24 pm

Dear rvandewa,

I have tried adding the "Domain Computers" group to a second group and granting permissions to it.


It is what you have to do. But to do so, you must use Active Directory.
- Create a security group in Active Directory, for example “ComputerAccounts”.
- Add all the computer accounts that will need to access your shared folder.
- Give permission to the domain group “ComputerAccounts” on the shared folder.

If your PC (or server) is not in Active Directory, then you cannot give permission to "system". The only way would be to allow Read/Write access for Guest.

BR,
Jauss

rvandewa
New here
Posts: 7
Joined: Thu Jul 29, 2010 9:45 pm
Location: Texas, United States

Re: SYSTEM or Service Account Access

Post by rvandewa » Wed Sep 08, 2010 11:47 pm

Well that is what I had done, but it didn't seem to work. Is there a log on the QNAP appliance that will tell me the user that is failing authentication over SAMBA?

QNAPJauss
QNAP Staff
Posts: 499
Joined: Fri Oct 02, 2009 12:18 pm
Location: Taipei, TAIWAN

Re: SYSTEM or Service Account Access

Post by QNAPJauss » Thu Sep 09, 2010 11:02 am

Hi,

Yes, you can enable connection logs for Samba in:
system administration >> system logs >> system connection logs
then, options, select samba, Apply
after, click "start logging" (next to options button)

Also, in AD, group memberships become active only at login time. That means if you add the computer account to a group, you should restart the computer to make the group membership active.

BR,
Jauss
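
The Active Directory steps from the two replies above, as an added PowerShell example (not part of the original posts and not QNAP's own tooling). On the network, SYSTEM on a domain-joined machine authenticates as that machine's computer account, which is why the group holds computer accounts. The workstation names `WS01` and `WS02` are hypothetical, and the script assumes the ActiveDirectory (RSAT) module and rights to create groups.

```powershell
# Added example: run on a domain-joined admin workstation with RSAT installed.
Import-Module ActiveDirectory

$GroupName = 'ComputerAccounts'      # group name used in the post above
$Computers = @('WS01', 'WS02')       # hypothetical workstation names

# 1. Create the security group if it does not exist yet
#    (created in the domain's default container because no -Path is given).
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security
}

# 2. Add each computer account, skipping ones that are already members
#    (Add-ADGroupMember raises an error for an existing member).
$existing = @(Get-ADGroupMember -Identity $GroupName |
              Select-Object -ExpandProperty distinguishedName)

foreach ($name in $Computers) {
    $computer = Get-ADComputer -Identity $name   # throws if the account is missing
    if ($existing -notcontains $computer.DistinguishedName) {
        Add-ADGroupMember -Identity $GroupName -Members $computer
    }
}

# 3. Confirm the result. Computer accounts show up with a trailing '$'
#    in SamAccountName, e.g. WS01$.
Get-ADGroupMember -Identity $GroupName |
    Select-Object Name, SamAccountName, objectClass

# 4. Group membership is only picked up at logon, so each computer has to
#    restart before its account carries the new group. -Confirm prompts per host.
foreach ($name in $Computers) {
    Restart-Computer -ComputerName $name -Force -Confirm
}

# The remaining step, granting the domain group access to the shared folder,
# is done in the NAS administration interface and is not scripted here.
```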

beargfr
Starting out
Posts: 12
Joined: Tue Apr 11, 2017 12:17 pm

Re: SYSTEM or Service Account Access

Post by beargfr » Mon Nov 20, 2017 8:42 am

I know this is an ancient thread, but I hit the same problem with not being able to permit the NT AUTHORITY\SYSTEM account to access a normal QNAP shared folder --- and SOLVED IT!

The secret is, configure an iSCSI target and at least one LUN on the QNAP, then use Windows iSCSI Initiator (built in to recent versions of Windows Server, and can be downloaded from Microsoft and added to other Windows installations). iSCSI support will allow you to connect to the defined LUN on the QNAP NAS from Windows, and it will be treated like a local drive. I'm using iSCSI LUNs defined on my QNAP box both as 'shared disks' to support Failover Clustering and also as the storage targets for the database files associated with my Windows Certificate Authority. Trying to use a 'regular' QNAP shared folder as storage for my CA got me the same permissions problem that is the topic of this thread, but creating an iSCSI LUN instead and using that works like a charm.

Terminology if you're not familiar with iSCSI (like I wasn't before today).
An iSCSI Target is analogous to a server end point.
An iSCSI LUN is equivalent to a disk.
Therefore, a single iSCSI Target (server) may provide access to multiple LUNs (disks).

Pretty cool stuff.

Bear

OneCD
Ask me anything
Posts: 6117
Joined: Sun Aug 21, 2016 10:48 am
Location: "... there, behind that sofa!"

Re: SYSTEM or Service Account Access

Post by OneCD » Mon Nov 20, 2017 9:28 am

Hi Bear.

Unfortunately, your solution does not solve this problem. iSCSI has absolutely nothing to do with shared folders on the QNAP. It's a completely different network service. Your method will not allow a user to access the existing shared folders - instead, you've created your own network drive.

And please don't revive old threads. This thread was started over 7 years ago with a question about a much earlier firmware. The person who asked this question found a solution and moved on with their life. ;)

production NAS: TS-569 Pro with Debian 9.9 'Stretch' (power on/off times are < 1 minute)
backup NAS: TS-559 Pro+ with QTS 4.2.6 #20190730

one.cd.only@gmail.com


beargfr
Starting out
Posts: 12
Joined: Tue Apr 11, 2017 12:17 pm

Re: SYSTEM or Service Account Access

Post by beargfr » Tue Apr 16, 2019 7:09 am

Well, just because it was an old thread does not mean it's not relevant. It sure would have been nice if, after they'd solved it, they had posted the solution. I'm still having a similar problem: how to authorize the various built-in Windows accounts for shared folder access.

dolbyman
Guru
Posts: 14014
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: SYSTEM or Service Account Access

Post by dolbyman » Tue Apr 16, 2019 7:19 am

Only solution I can think of is a domain environment ... but with 1 1/2 years in between posts we will be long dead before this is solved

Or at least explain why service accounts need to access NAS shares

beargfr
Starting out
Posts: 12
Joined: Tue Apr 11, 2017 12:17 pm

Re: SYSTEM or Service Account Access

Post by beargfr » Tue Apr 16, 2019 7:48 am

Easy to explain why. I want to be able to run Windows Backup (on Windows 7 machines) and have them write their backups to the NAS. Problem is, they fail every time with an "ACCESS DENIED" result code. I believe this might be happening because the mechanism that Windows Backup uses to perform the write is actually a Windows Service: Block Level Backup Engine Service, that just happens to run under the built-in local system account, which is NT AUTHORITY\System. I say "believe" because nothing in the failure event record in Windows or anywhere in the NAS logs (yes, I have connection logging turned on) tells me access to WHAT, or by WHOM, so I have to guess at that. I -could- change the properties on that service and run it under an AD account that the NAS knows about and probably get it to work, but I'd prefer not to have to do that because, besides making things 'non-standard', it would also require me to make that change on every workstation in my network, which would be a significant amount of work, not to mention something I'd have to 'remember to deal with' every time I upgraded Windows, put on a new service pack, etc.

And besides... it really "frosts my cookies" when someone responds to a problem with a "why do you want to do that?" answer instead of with a solution.

OneCD
Ask me anything
Posts: 6117
Joined: Sun Aug 21, 2016 10:48 am
Location: "... there, behind that sofa!"

Re: SYSTEM or Service Account Access

Post by OneCD » Tue Apr 16, 2019 7:57 am

beargfr wrote:
Tue Apr 16, 2019 7:48 am
it really "frosts my cookies" when someone responds to a problem with a "why do you want to do that?" answer instead of with a solution.
This usually happens because someone wants to fix a problem in a particularly weird way. And it's usually so weird, the person may be unaware of a much simpler fix that works better. They have become fixated on a single solution that they believe is the only solution. It's important to consider alternatives too.

But, we can only suggest alternatives if we know why you want to do a thing. ;)

If the aforementioned cookie-frosting is the inevitable result of you being questioned on something you haven't adequately explained, then please consider posting a full description of the issue the first time.


dolbyman
Guru
Posts: 14014
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: SYSTEM or Service Account Access

Post by dolbyman » Tue Apr 16, 2019 9:05 am

How about starting that backup process under a user account? (can be set in the task scheduler)

For testing your theory.

beargfr
Starting out
Posts: 12
Joined: Tue Apr 11, 2017 12:17 pm

Re: SYSTEM or Service Account Access

Post by beargfr » Tue Apr 16, 2019 9:15 am

The backup task itself already does run under a user account. I chased down that rabbit-hole for a good long while before I found out about the Windows service that backup uses, which runs under the built-in system account. This whole problem could be solved easily if QNAP would support adding permissions to the built-in accounts with well-known SIDs that exist on every Windows machine.

They are all documented here:
https://support.microsoft.com/nl-nl/hel ... ng-systems

For example, SYSTEM is always SID: S-1-5-18
