SYSTEM or Service Account Access
- rvandewa
- New here
- Posts: 7
- Joined: Thu Jul 29, 2010 9:45 pm
- Location: Texas, United States
SYSTEM or Service Account Access
I am trying to give permissions to a computer's local service account, or the SYSTEM account, to access a SAMBA share. I have tried adding the "Domain Computers" group to a second group and granting permissions to it. I have also tried giving anonymous access permissions. Both to no avail. Any suggestions?
- rvandewa
- New here
- Posts: 7
- Joined: Thu Jul 29, 2010 9:45 pm
- Location: Texas, United States
Re: SYSTEM or Service Account Access
Also, giving the local group "Everyone" access also has no effect. Firmware 3.3.2 Build 0819T
-
- QNAP Staff
- Posts: 499
- Joined: Fri Oct 02, 2009 12:18 pm
- Location: Taipei, TAIWAN
Re: SYSTEM or Service Account Access
Dear rvandewa,
rvandewa wrote: I have tried adding the "Domain Computers" group to a second group and granting permissions to it.
It is what you have to do. But to do so, you must use Active Directory.
- Create a security group in Active Directory, for example “ComputerAccounts”.
- Add all the computer accounts that will need to access your shared folder.
- Give permission to the domain group “ComputerAccounts” on the shared folder.
If your PC (or server) is not in Active Directory, then you cannot give permission to "system". The only way would be to allow Read/Write access for Guest.
BR,
Jauss
The FAQ & Tutorial: https://www.qnap.com/i/en/tutorial/index.php
The Forum: http://forum.qnap.com
The Forum FAQ: http://forum.qnap.com/viewforum.php?f=174
WIKI: http://wiki.qnap.com
WIKI FAQ: http://wiki.qnap.com/wiki/FAQs
Compatibility List: http://www.qnap.com/compatibility
Utilities : https://www.qnap.com/utility
Online Support : http://www.qnap.com/support
Online Support Form : http://helpdesk.qnap.com/
- rvandewa
- New here
- Posts: 7
- Joined: Thu Jul 29, 2010 9:45 pm
- Location: Texas, United States
Re: SYSTEM or Service Account Access
Well that is what I had done, but it didn't seem to work. Is there a log on the QNAP appliance that will tell me the user that is failing authentication over SAMBA?
-
- QNAP Staff
- Posts: 499
- Joined: Fri Oct 02, 2009 12:18 pm
- Location: Taipei, TAIWAN
Re: SYSTEM or Service Account Access
Hi,
Yes, you can enable connection logs for Samba in:
system administration >> system logs >> system connection logs
then, options, select Samba, Apply
after, click "start logging" (next to options button)
Also, in AD, group memberships become active only at login time. That means if you add the computer account to a group, you should restart the computer to make the group membership active.
BR,
Jauss
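The group setup and restart described in the two staff replies above, as an added PowerShell example that is not part of the original thread or of QNAP's documentation. It assumes a domain-joined admin machine with the RSAT ActiveDirectory module; the OU path and computer names are placeholders, and the share permission itself is still granted in the NAS interface.

```powershell
# Added example (not from the thread). Assumes the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

$GroupName = 'ComputerAccounts'                 # group name used in the thread
$GroupPath = 'OU=Groups,DC=example,DC=local'    # placeholder OU (assumption)
$Computers = 'WS01', 'WS02'                     # placeholder computer names

# Step 1: create the security group only if it is missing.
$group = Get-ADGroup -Filter "Name -eq '$GroupName'"
if (-not $group) {
    $group = New-ADGroup -Name $GroupName -GroupScope Global `
        -GroupCategory Security -Path $GroupPath -PassThru
}

# Step 2: add the computer accounts. A service running as SYSTEM on a
# domain member authenticates to the share as this account (NAME$).
$current = @(Get-ADGroupMember -Identity $group |
    Select-Object -ExpandProperty SamAccountName)
$added = @()
foreach ($name in $Computers) {
    try {
        $computer = Get-ADComputer -Identity $name -ErrorAction Stop
    } catch {
        Write-Warning "Computer account '$name' not found; skipped."
        continue
    }
    if ($current -notcontains $computer.SamAccountName) {
        Add-ADGroupMember -Identity $group -Members $computer
        $added += $name
    }
}

# Step 3 happens on the NAS: grant the domain group access to the shared folder.

# Step 4: membership is only picked up at logon, so newly added machines
# must restart before the share sees the new group. -Confirm prompts per host.
if ($added.Count -gt 0) {
    Write-Output "Restart required on: $($added -join ', ')"
    Restart-Computer -ComputerName $added -Confirm
}
```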
-
- Starting out
- Posts: 24
- Joined: Tue Apr 11, 2017 12:17 pm
Re: SYSTEM or Service Account Access
I know this is an ancient thread, but I hit the same problem with not being able to permit the NT AUTHORITY\SYSTEM account to access a normal QNAP shared folder --- and SOLVED IT!
The secret is, configure an iSCSI target and at least one LUN on the QNAP, then use Windows iSCSI Initiator (built in to recent versions of Windows Server, and can be downloaded from Microsoft and added to other Windows installations). iSCSI support will allow you to connect to the defined LUN on the QNAP NAS from Windows; it will be treated like a local drive. I'm using iSCSI LUNs defined on my QNAP box both as 'shared disks' to support Failover Clustering and also as the storage targets for the database files associated with my Windows Certificate Authority. Trying to use a 'regular' QNAP shared folder as storage for my CA got me the same permissions problem that is the topic of this thread, but creating an iSCSI LUN instead and using that works like a charm.
Terminology if you're not familiar with iSCSI (like I wasn't before today).
An iSCSI Target is analogous to a server end point.
An iSCSI LUN is equivalent to a disk.
Therefore, a single iSCSI Target (server) may provide access to multiple LUNs (disks).
Pretty cool stuff.
Bear
- OneCD
- Guru
- Posts: 12155
- Joined: Sun Aug 21, 2016 10:48 am
- Location: "... there, behind that sofa!"
Re: SYSTEM or Service Account Access
Hi Bear.
Unfortunately, your solution does not solve this problem. iSCSI has absolutely nothing to do with shared folders on the QNAP. It's a completely different network service. Your method will not allow a user to access the existing shared folders - instead, you've created your own network drive.
And please don't revive old threads. This thread was started over 7 years ago with a question about a much earlier firmware. The person who asked this question found a solution and moved on with their life.
-
- Starting out
- Posts: 24
- Joined: Tue Apr 11, 2017 12:17 pm
Re: SYSTEM or Service Account Access
Well, just because it was an old thread does not mean it's not relevant. It sure would have been nice if, after they'd solved it, they had posted the solution. I'm still having a similar problem: how to authorize the various built-in Windows accounts for shared folder access.
- dolbyman
- Guru
- Posts: 35272
- Joined: Sat Feb 12, 2011 2:11 am
- Location: Vancouver BC , Canada
Re: SYSTEM or Service Account Access
Only solution I can think of is a domain environment ... but with 1 1/2 years in between posts we will be long dead before this is solved
Or at least explain why service accounts need to access NAS shares
-
- Starting out
- Posts: 24
- Joined: Tue Apr 11, 2017 12:17 pm
Re: SYSTEM or Service Account Access
Easy to explain why. I want to be able to run Windows Backup (on Windows 7 machines) and have them write their backups to the NAS. Problem is, they fail every time with an "ACCESS DENIED" result code. I believe this might be happening because the mechanism that Windows Backup uses to perform the write is actually a Windows Service: Block Level Backup Engine Service, that just happens to run under the built-in local system account which is NT AUTHORITY\System. I say "believe" because nothing in the failure event record in Windows or anywhere in the NAS logs (yes I have connection logging turned on) tells me access to WHAT, or by WHOM, so I have to guess at that. I -could- change the properties on that service and run it under an AD account that the NAS knows about and probably get it to work, but I'd prefer not to have to do that because besides making things 'non-standard' it also would require me making that change on every workstation in my network, which would be a significant amount of work not to mention something I'd have to 'remember to deal with' every time I upgraded Windows, put on a new service pack, etc.
And besides... it really "frosts my cookies" when someone responds to a problem with a "why do you want to do that?" answer instead of with a solution.
- OneCD
- Guru
- Posts: 12155
- Joined: Sun Aug 21, 2016 10:48 am
- Location: "... there, behind that sofa!"
Re: SYSTEM or Service Account Access
This usually happens because someone wants to fix a problem in a particularly weird way. And it's usually so weird, the person may be unaware of a much simpler fix that works better. They have become fixated on a single solution that they believe is the only solution. It's important to consider alternatives too.
But, we can only suggest alternatives if we know why you want to do a thing.
If the aforementioned cookie-frosting is the inevitable result of you being questioned on something you haven't adequately explained, then please consider posting a full description of the issue the first time.
- dolbyman
- Guru
- Posts: 35272
- Joined: Sat Feb 12, 2011 2:11 am
- Location: Vancouver BC , Canada
Re: SYSTEM or Service Account Access
How about starting that backup process under a user account? (Can be set in the Task Scheduler.)
For testing your theory.
-
- Starting out
- Posts: 24
- Joined: Tue Apr 11, 2017 12:17 pm
Re: SYSTEM or Service Account Access
The backup task itself already does run under a user account. I chased down that rabbit-hole for a good long while before I found out about the Windows service that backup uses, which runs under the built-in system account. This whole problem could be solved easily if QNAP would support adding permissions to the built-in accounts with well-known SIDs that exist on every Windows machine.
They are all documented here:
https://support.microsoft.com/nl-nl/hel ... ng-systems
For example, SYSTEM is always SID: S-1-5-18