Unable to connect to samba share with "force user = unix_user"
Rowland Penny
repenny241155 at gmail.com
Wed Oct 15 04:34:51 MDT 2014
On 15/10/14 10:46, Quentin Gibeaux wrote:
> Hi,
>
> I've encountered a bug on samba 4.1.12 (and below in 4.1), running
> with Active Directory.
>
> I've a samba share configured like this:
> [someshare]
> comment = Some comment
> browsable = yes
> path = /path/to/somename
> writable = yes
> valid users = +somename
> force user = somename
> force group = somename
> create mode = 0775
> force create mode = 0775
> directory mode = 2775
> force directory mode = 2775
>
> "somename" is both a unix-only user and an AD group:
> # id somename
> uid=121(somename) gid=955(somename) groupes=955(somename)
>
> # getent group | grep somename
> somename:*:955:onemember
>
> But I'm unable to connect to someshare, I'm rejected with error:
> tree connect failed: NT_STATUS_NO_SUCH_USER
>
> I've tried to replace the "force user" parameter with:
> one user that exists in AD
> one user that hasn't a group (in AD) with the same name
> -> it works
>
> => I think there's a bug with "force user" parameter with unix-only
> user that has a group in AD with same name.
>
>
> Thanks,
>
> Quentin Gibeaux.
No Quentin, I do not think that you have found a bug, I think that you
are hitting the 'you cannot have a user & group with the same name in
AD' problem.
In your case, the user is only a unix-user (no doubt 'getent passwd
somename' shows the user) but the same name also appears in AD as a
group, so how does AD know user 'somename' is a member of the 'somename'
group?
I would suggest that you only use local users to carry out local
administration; if you do need to create an AD group, you only add AD
users and do not try to create any user with the same name as a group.
As '121' is below '500' it is what is known as a 'system user' and as
such, should not be in AD or have anything to do with AD.
Rowland
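
An added example, not part of either message above and not Samba's own code: a POSIX shell check that lists every `force user` in an smb.conf that names a local Unix account while a group of the same name is resolved from somewhere other than the local group file (for example AD through winbind), which is the situation this thread describes. The script name, the file arguments and the case-insensitive name comparison are assumptions of the example, and it assumes group names appear without a domain prefix, as in the `getent` output quoted above.

```shell
#!/bin/sh
# Added example (not from the thread). Usage on the Samba host:
#   getent group > /tmp/all_groups
#   sh check_force_user.sh /etc/samba/smb.conf /etc/passwd /etc/group /tmp/all_groups

# Print "share<TAB>user" for every "force user" line in an smb.conf file.
# Parameter names are matched ignoring case and internal whitespace.
force_users() {
    awk '
        BEGIN { share = "(no section)" }
        /^[ \t]*[#;]/ { next }                      # comment lines
        /^[ \t]*\[/ {                               # [section] header
            share = $0
            gsub(/^[ \t]*\[|\][ \t]*$/, "", share)
            next
        }
        {
            i = index($0, "=")
            if (i == 0) next
            key = tolower(substr($0, 1, i - 1)); gsub(/[ \t]/, "", key)
            val = substr($0, i + 1); gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == "forceuser") print share "\t" val
        }' "$1"
}

# Succeed if NAME ($2) is the first colon-separated field of a line in FILE ($1).
# Names are compared case-insensitively (an assumption of this example).
has_name() {
    awk -F: -v n="$2" 'tolower($1) == tolower(n) { f = 1; exit } END { exit !f }' "$1"
}

# find_collisions SMBCONF PASSWD LOCAL_GROUP ALL_GROUPS
# Prints "share<TAB>user<TAB>uid" when the forced user is a local account and
# a same-named group exists in ALL_GROUPS but not in LOCAL_GROUP.
find_collisions() {
    tab=$(printf '\t')
    force_users "$1" | while IFS="$tab" read -r share user; do
        uid=$(awk -F: -v n="$user" 'tolower($1) == tolower(n) { print $3; exit }' "$2")
        [ -n "$uid" ] || continue                   # not a local account
        if has_name "$4" "$user" && ! has_name "$3" "$user"; then
            printf '%s\t%s\t%s\n' "$share" "$user" "$uid"
        fi
    done
}

if [ "$#" -eq 4 ]; then find_collisions "$@"; fi
```

The third output column is the local UID, so accounts in the system range that the reply mentions are easy to spot.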