CIFS/SMB shares and the Windows "Local System" account

Status
Not open for further replies.

Jon Godfrey

Cadet
Joined
Apr 15, 2017
Messages
6
Hi all,
I've been digging through resources for days -- Google, the forum search, and rewatched m0nkey_'s awesome vids once more to make sure I didn't miss the bit I'm after -- to no avail.

Scenario:
FreeNAS 9.10.2 U2. I have a Windows VM that I'm successfully able to access a shared CIFS/SMB share on using my username. I followed m0nkey_'s video previously in setting this up. The issue I'm trying to solve is giving the local system account write privs. There's a service (PlayOn) running as the Local System account, and it does not behave correctly if I change it to run as my user instead. When I'm logged in, I can write to the share perfectly as expected, but the service fails to write (permission denied) when it needs to. Based on everything I've read, this just seems to be some basic mapping of a user into the FreeNAS group associated with the share, but I have not been able to figure out what user properties to create to make it map up properly.

Can anyone point me in the correct direction? Many thanks!
 

Ericloewe

Server Wrangler
Moderator
Joined
Feb 15, 2014
Messages
20,176
Can't you just have the service use a specific set of credentials that you can manage? That seems like the right way to do it, but I've never needed to explicitly give a Windows service access to an SMB share.
 

Jon Godfrey

Cadet
Joined
Apr 15, 2017
Messages
6
Unfortunately, no. That's where it starts to not behave incorrectly. Instead of the permission denied message, I get one that states the feature is "...only available if you configure PlayOn to run as a Local System service, and not with a user account login." Oddly enough, the service starts fine as a user and can serve the media properly. It just won't write or schedule.
 

Jon Godfrey

Cadet
Joined
Apr 15, 2017
Messages
6
A little update from the PlayOn team regarding their product and the way it needs to operate:
> PlayOn must run under the local system account so please restore the settings to default.
>
> Because of how PlayOn runs as a system service, you would need to ensure that your NAS provides open access to either the local SYSTEM account or allow 'anonymous' access to the shared folder. If that is impossible, you can force PlayOn to run under your user account using the steps below.

As a long time UNIX guy, anonymous sounds an awful lot like 777-permissions..... and a pretty poor suggestion/solution. So I guess I'm back to asking if anyone has ever mapped a system account or if it's even possible?
 

Ericloewe

Server Wrangler
Moderator
Joined
Feb 15, 2014
Messages
20,176
> As a long time UNIX guy, anonymous sounds an awful lot like 777-permissions..... and a pretty poor suggestion/solution.

Absolutely horrible.

What does this software do, anyway?
 

Jon Godfrey

Cadet
Joined
Apr 15, 2017
Messages
6
PlayOn is a Windows service application that acts as a DVR for multiple media websites, like Network television, HBO Go, Netflix, etc. Subscriptions all req'd where applicable. It started out life as a media proxy, for when the media companies thought that watching a stream in a web browser wasn't the same as watching from a Google TV or Roku. It's been running fine on my desktop PC for years. I've been trying to offload that function to a dedicated VM on my ESX server.
 

Jon Godfrey

Cadet
Joined
Apr 15, 2017
Messages
6
BTW, they did provide steps to run as my user, which works, but there is hoop jumping installed and it does not persist across reboots. Ugh.
 

Jon Godfrey

Cadet
Joined
Apr 15, 2017
Messages
6
Sorry, their steps were for starting their application in some weird, user-run mode. It also opens a CMD-based crypted logging window. The best comparison to the *nix side would be to run a service in non-daemon, debug mode.
1) Stop the PlayOn Server, if it's running, by clicking the Stop button inside PlayOn Settings
2) Press and hold the CTRL key on your keyboard while clicking the Start button in PlayOn Settings
3) The Status should show as "User Run"
This does run as my Windows user and allows the writes to occur to the FreeNAS share. It doesn't give me much info on how I could possibly fiddle with the storage side.
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,545
> Sorry, their steps were for starting their application in some weird, user-run mode. It also opens a CMD-based crypted logging window. The best comparison to the *nix side would be to run a service in non-daemon, debug mode.
>
> This does run as my Windows user and allows the writes to occur to the FreeNAS share. It doesn't give me much info on how I could possibly fiddle with the storage side.

If security is not an issue on this share, then you should change the dataset so that it is owned by your FreeNAS guest user (or otherwise grant that user access to the share), then check the boxes "allow guest access" and "only allow guest access" in your share config in FreeNAS. This should allow the software to access the samba share.
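
The guest-access setup described in the reply above, written out as Samba configuration; this is an added example, not part of the thread or of FreeNAS's generated config. It puts the open guest share beside a version limited to the one VM that needs it. The share names, the path `/mnt/tank/playon`, the `nobody` guest account and the address `192.0.2.10` are assumed placeholders.

```ini
# Constructed example; share names, path, account and address are placeholders.

[global]
    # Sessions that present an unknown user name are mapped to the guest account
    map to guest = Bad User
    guest account = nobody

# Open form: any host that can reach the server gets guest write access
[playon-open]
    path = /mnt/tank/playon
    guest ok = yes
    guest only = yes
    read only = no

# Restricted form: same guest access, limited to the PlayOn VM
[playon]
    path = /mnt/tank/playon
    guest ok = yes
    guest only = yes
    read only = no
    # With an allow list and no deny list, only the listed hosts may connect
    hosts allow = 192.0.2.10
```

Running `testparm -s` prints the effective configuration, which shows whether the share-level settings were picked up.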
 