[Samba] Samba 3.0.23 + ADS + 'valid users' + 'force user' does not work

Andrei Nazarenko a.nazarenko at gmail.com
Tue Jul 11 16:25:57 GMT 2006


Just upgraded Samba to 3.0.23 and can no longer map any non-anonymous shares.

Here is my smb.conf file:

[global]
 map to guest = Bad User
 guest account = nobody
 syslog = 0
 log level = 3
 workgroup = OAAD
 realm = OA.PNRAD.NET
 security = ADS

[intranet]
 path = /srv/www/intranet
 valid users = nazaand
 write list = nazaand
 force user = intranet
 force group = intranet
 create mask = 0660
 directory mask = 0770
 browseable = No

Unix user 'nazaand' exists with UID:1000 and GID:100.
The ADS authentication also works fine, I get the following entries in
the log file:

[2006/07/11 17:53:18, 3] rpc_client/cli_pipe.c:rpc_pipe_bind(2081)
  rpc_pipe_bind: Remote machine FRPDC003.OA.PNRAD.NET pipe \NETLOGON fnum 0xa bind request returned ok.
[2006/07/11 17:53:18, 3] passdb/lookup_sid.c:store_gid_sid_cache(1038)
  store_gid_sid_cache: gid 100 in cache -> S-1-5-21-2802976709-2047762053-2842697490-1201
[2006/07/11 17:53:18, 3] passdb/lookup_sid.c:fetch_gid_from_cache(999)
  fetch gid from cache 100 -> S-1-5-21-2802976709-2047762053-2842697490-1201
[2006/07/11 17:53:18, 3] auth/auth.c:check_ntlm_password(270)
  check_ntlm_password: winbind authentication for user [nazaand] succeeded
[2006/07/11 17:53:18, 2] auth/auth.c:check_ntlm_password(309)
  check_ntlm_password:  authentication for user [nazaand] -> [nazaand] -> [nazaand] succeeded


But the share cannot be mapped because of this:

[2006/07/11 17:53:18, 3] passdb/lookup_sid.c:store_gid_sid_cache(1038)
  store_gid_sid_cache: gid 2147483404 in cache -> S-1-5-21-2802976709-2047762053-2842697490-513
[2006/07/11 17:53:18, 3] libsmb/ntlmssp_sign.c:ntlmssp_sign_init(338)
  NTLMSSP Sign/Seal - Initialising with flags:
[2006/07/11 17:53:18, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(63)
  Got NTLMSSP neg_flags=0xe2088215
[2006/07/11 17:53:18, 3] smbd/password.c:register_vuid(280)
  User name: nazaand    Real name:
[2006/07/11 17:53:18, 3] smbd/password.c:register_vuid(301)
  UNIX uid 1000 is UNIX user nazaand, and will be vuid 103
[2006/07/11 17:53:18, 3] smbd/password.c:register_vuid(332)
  Adding homes service for user 'nazaand' using home directory: '/srv/www/htdocs'
[2006/07/11 17:53:18, 3] smbd/process.c:process_smb(1110)
  Transaction 7 of length 86
[2006/07/11 17:53:18, 3] smbd/process.c:switch_message(914)
  switch message SMBtconX (pid 16063) conn 0x0
[2006/07/11 17:53:18, 3] smbd/sec_ctx.c:set_sec_ctx(241)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2006/07/11 17:53:18, 3] lib/util_sid.c:string_to_sid(223)
  string_to_sid: Sid nazaand does not start with 'S-'.
[2006/07/11 17:53:18, 2] smbd/service.c:make_connection_snum(571)
  user 'nazaand' (from session setup) not permitted to access this share (intranet)
[2006/07/11 17:53:18, 3] smbd/error.c:error_packet(146)
  error packet at smbd/reply.c(676) cmd=117 (SMBtconX) NT_STATUS_ACCESS_DENIED

Why do I get the "not permitted to access this share" error if my user
is in the "valid users" list?

If I remove the "valid users" list completely, then the share can be
mapped, but I cannot write to it. If I use "security = user" then
everything works ok.

Does the new Samba version require a different format for the
'valid users' and 'write list' directives, or do I need to specify any
additional parameters for it to work as in 3.0.22?

Thanks for your time
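
Added example, not part of the original post and not Samba project code: a small Python triage script that groups level-3 smbd log records (a header line followed by message lines, which mail clients may wrap) and reports users who authenticated successfully but were then refused at tree connect, the pattern shown in the log above. The function names and the embedded sample are constructed for illustration.

```python
import re

# Constructed sample: excerpt modelled on the log quoted in the post,
# with one message wrapped across two lines as a mail client would do.
SAMPLE_LOG = """\
[2006/07/11 17:53:18, 3] auth/auth.c:check_ntlm_password(270)
  check_ntlm_password: winbind authentication for user [nazaand] succeeded
[2006/07/11 17:53:18, 3] lib/util_sid.c:string_to_sid(223)
  string_to_sid: Sid nazaand does not start with 'S-'.
[2006/07/11 17:53:18, 2] smbd/service.c:make_connection_snum(571)
  user 'nazaand' (from session setup) not permitted to access this
share (intranet)
[2006/07/11 17:53:18, 3] smbd/error.c:error_packet(146)
  error packet at smbd/reply.c(676) cmd=117 (SMBtconX) NT_STATUS_ACCESS_DENIED
"""

# Header: "[timestamp, level] source_file:function(line)"
HEADER = re.compile(r"^\[(?P<ts>[\d/]+ [\d:]+),\s*(?P<level>\d+)\] "
                    r"(?P<src>\S+):(?P<func>\w+)\((?P<line>\d+)\)$")
AUTH_OK = re.compile(r"authentication for user \[(?P<user>[^\]]+)\] succeeded")
DENIED = re.compile(r"user '(?P<user>[^']+)' .*not permitted to access "
                    r"this share \((?P<share>[^)]+)\)")

def parse_records(text):
    """Attach each message line (including wrapped ones) to its header."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER.match(line)
        if m:
            records.append({**m.groupdict(), "msg": ""})
        elif records and line:
            records[-1]["msg"] = (records[-1]["msg"] + " " + line).strip()
    return records

def auth_ok_but_share_denied(records):
    """Return (user, share, timestamp) for users denied after a successful auth."""
    authed, findings = set(), []
    for rec in records:
        ok = AUTH_OK.search(rec["msg"])
        if ok:
            authed.add(ok.group("user"))
        no = DENIED.search(rec["msg"])
        if no and no.group("user") in authed:
            findings.append((no.group("user"), no.group("share"), rec["ts"]))
    return findings

if __name__ == "__main__":
    for user, share, ts in auth_ok_but_share_denied(parse_records(SAMPLE_LOG)):
        print(f"{ts}: {user} authenticated but was denied on share {share}")
```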

