SYSTEM or Service Account Access

Questions about using Windows AD service.
rvandewa
New here
Posts: 7
Joined: Thu Jul 29, 2010 9:45 pm
Location: Texas, United States

SYSTEM or Service Account Access

Post by rvandewa »

I am trying to give permissions to a computer's local service account, or the SYSTEM account, to access a SAMBA share. I have tried adding the "Domain Computers" group to a second group and granting permissions to it. I have also tried giving anonymous access permissions. Both to no avail. Any suggestions?
rvandewa
New here
Posts: 7
Joined: Thu Jul 29, 2010 9:45 pm
Location: Texas, United States

Re: SYSTEM or Service Account Access

Post by rvandewa »

Also, giving the local group "Everyone" access also has no effect. Firmware 3.3.2 Build 0819T
QNAPJauss
QNAP Staff
Posts: 499
Joined: Fri Oct 02, 2009 12:18 pm
Location: Taipei, TAIWAN

Re: SYSTEM or Service Account Access

Post by QNAPJauss »

Dear rvandewa,
rvandewa wrote: I have tried adding the "Domain Computers" group to a second group and granting permissions to it.
It is what you have to do. But to do so, you must use Active Directory.
- Create a security group in Active Directory, for example “ComputerAccounts”.
- Add all the computer accounts that will need to access your shared folder.
- Give permission to the domain group “ComputerAccounts” on the shared folder.

If your PC (or server) is not in Active Directory, then you cannot give permission to "system". The only way would be to allow Read/Write access for Guest.

BR,
Jauss
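
The group setup from the reply above, scripted as an added example (not part of the original thread and not QNAP's own tooling). It relies on the fact that a service running as SYSTEM on a domain-joined machine authenticates to remote servers as that machine's computer account, which is why computer accounts go in the group; the OU path and the workstation names WS01/WS02 are hypothetical placeholders, and the ActiveDirectory PowerShell module (RSAT) is assumed to be installed.

```powershell
# Added example: create the "ComputerAccounts" group from the post and
# populate it with computer accounts. Run with rights to manage AD groups.
Import-Module ActiveDirectory

$GroupName = 'ComputerAccounts'              # group name used in the post
$GroupPath = 'OU=Groups,DC=example,DC=com'   # hypothetical OU, adjust to your domain
$Computers = 'WS01', 'WS02'                  # hypothetical workstation names

# Step 1: create the security group only if it does not exist yet.
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -SamAccountName $GroupName `
        -GroupCategory Security -GroupScope Global -Path $GroupPath
}

# Step 2: add the computer accounts, skipping any that are already members
# (Add-ADGroupMember raises an error for existing members).
$existing = @(Get-ADGroupMember -Identity $GroupName |
    ForEach-Object { $_.SID.Value })
$toAdd = @($Computers |
    ForEach-Object { Get-ADComputer -Identity $_ } |
    Where-Object { $existing -notcontains $_.SID.Value })
if ($toAdd.Count -gt 0) {
    Add-ADGroupMember -Identity $GroupName -Members $toAdd
}

# Check: list the computer accounts now in the group. The SamAccountName
# (for example WS01$) is the identity the NAS sees when SYSTEM connects.
Get-ADGroupMember -Identity $GroupName |
    Where-Object objectClass -eq 'computer' |
    Select-Object Name, SamAccountName, SID

# Step 3 is done on the NAS: grant the domain group "ComputerAccounts"
# permission on the shared folder. Granting this one group keeps the share
# limited to the listed machines instead of opening it to Guest.
```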
rvandewa
New here
Posts: 7
Joined: Thu Jul 29, 2010 9:45 pm
Location: Texas, United States

Re: SYSTEM or Service Account Access

Post by rvandewa »

Well that is what I had done, but it didn't seem to work. Is there a log on the QNAP appliance that will tell me the user that is failing authentication over SAMBA?
QNAPJauss
QNAP Staff
Posts: 499
Joined: Fri Oct 02, 2009 12:18 pm
Location: Taipei, TAIWAN

Re: SYSTEM or Service Account Access

Post by QNAPJauss »

Hi,

Yes, you can enable connection logs for samba in:
system administration >> system logs >> system connection logs
then, options, select samba, Apply
after, click "start logging" (next to options button)

Also, in AD, group memberships are active only at login time. That means if you add the computer account to a group, you should restart the computer to make the group membership active.

BR,
Jauss
beargfr
Starting out
Posts: 24
Joined: Tue Apr 11, 2017 12:17 pm

Re: SYSTEM or Service Account Access

Post by beargfr »

I know this is an ancient thread, but I hit the same problem with not being able to permit the NT AUTHORITY\SYSTEM account to access a normal QNAP shared folder --- and SOLVED IT!

The secret is: configure an iSCSI target and at least one LUN on the QNAP, then use Windows iSCSI Initiator (built in to recent versions of Windows Server, and can be downloaded from Microsoft and added to other Windows installations). iSCSI support will allow you to connect to the defined LUN on the QNAP NAS from Windows, and it will be treated like a local drive. I'm using iSCSI LUNs defined on my QNAP box both as 'shared disks' to support Failover Clustering and also as the storage targets for the database files associated with my Windows Certificate Authority. Trying to use a 'regular' QNAP shared folder as storage for my CA got me the same permissions problem that is the topic of this thread, but creating an iSCSI LUN instead and using that works like a charm.

Terminology if you're not familiar with iSCSI (like I wasn't before today).
An iSCSI Target is analogous to a server end point.
An iSCSI LUN is equivalent to a disk.
Therefore, a single iSCSI Target (server) may provide access to multiple LUNs (disks).

Pretty cool stuff.

Bear
OneCD
Guru
Posts: 12039
Joined: Sun Aug 21, 2016 10:48 am
Location: "... there, behind that sofa!"

Re: SYSTEM or Service Account Access

Post by OneCD »

Hi Bear.

Unfortunately, your solution does not solve this problem. iSCSI has absolutely nothing to do with shared folders on the QNAP. It's a completely different network service. Your method will not allow a user to access the existing shared folders - instead, you've created your own network drive.

And please don't revive old threads. This thread was started over 7 years ago with a question about a much earlier firmware. The person who asked this question found a solution and moved on with their life. ;)

beargfr
Starting out
Posts: 24
Joined: Tue Apr 11, 2017 12:17 pm

Re: SYSTEM or Service Account Access

Post by beargfr »

Well, just because it was an old thread does not mean it's not relevant. It sure would have been nice if, after they'd solved it, they had posted the solution. I'm still having a similar problem: how to authorize the various built-in Windows accounts for shared folder access.
dolbyman
Guru
Posts: 35028
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: SYSTEM or Service Account Access

Post by dolbyman »

Only solution I can think of is a domain environment ... but with 1 1/2 years in between posts we will be long dead before this is solved

Or at least explain why service accounts need to access NAS shares
beargfr
Starting out
Posts: 24
Joined: Tue Apr 11, 2017 12:17 pm

Re: SYSTEM or Service Account Access

Post by beargfr »

Easy to explain why. I want to be able to run Windows Backup (on Windows 7 machines) and have them write their backups to the NAS. Problem is, they fail every time with an "ACCESS DENIED" result code. I believe this might be happening because the mechanism that Windows Backup uses to perform the write is actually a Windows Service: Block Level Backup Engine Service, that just happens to run under the built-in local system account, which is NT AUTHORITY\System. I say "believe" because nothing in the failure event record in Windows or anywhere in the NAS logs (yes, I have connection logging turned on) tells me access to WHAT, or by WHOM, so I have to guess at that. I -could- change the properties on that service and run it under an AD account that the NAS knows about and probably get it to work, but I'd prefer not to have to do that because, besides making things 'non-standard', it would also require me making that change on every workstation in my network, which would be a significant amount of work, not to mention something I'd have to 'remember to deal with' every time I upgraded Windows, put on a new service pack, etc.

And besides... it really "frosts my cookies" when someone responds to a problem with a "why do you want to do that?" answer instead of with a solution.
OneCD
Guru
Posts: 12039
Joined: Sun Aug 21, 2016 10:48 am
Location: "... there, behind that sofa!"

Re: SYSTEM or Service Account Access

Post by OneCD »

beargfr wrote: Tue Apr 16, 2019 7:48 am it really "frosts my cookies" when someone responds to a problem with a "why do you want to do that?" answer instead of with a solution.
This usually happens because someone wants to fix a problem in a particularly weird way. And it's usually so weird, the person may be unaware of a much simpler fix that works better. They have become fixated on a single solution that they believe is the only solution. It's important to consider alternatives too.

But, we can only suggest alternatives if we know why you want to do a thing. ;)

If the aforementioned cookie-frosting is the inevitable result of you being questioned on something you haven't adequately explained, then please consider posting a full description of the issue the first time.

dolbyman
Guru
Posts: 35028
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: SYSTEM or Service Account Access

Post by dolbyman »

How about starting that backup process under a user account? (It can be set in the Task Scheduler.)

For testing your theory.
beargfr
Starting out
Posts: 24
Joined: Tue Apr 11, 2017 12:17 pm

Re: SYSTEM or Service Account Access

Post by beargfr »

The backup task itself already does run under a user account. I chased down that rabbit-hole for a good long while before I found out about the Windows service that backup uses, which runs under the built-in system account. This whole problem could be solved easily if QNAP would support adding permissions to the built-in accounts with well-known SIDs that exist on every Windows machine.

They are all documented here:
https://support.microsoft.com/nl-nl/hel ... ng-systems

For example, SYSTEM is always SID: S-1-5-18