Unable to connect to samba share with "force user = unix_user"

Quentin Gibeaux qgibeaux at iris-tech.fr
Wed Oct 15 05:05:04 MDT 2014


On 15/10/2014 12:34, Rowland Penny wrote:
> On 15/10/14 10:46, Quentin Gibeaux wrote:
>> Hi,
>>
>> I've encountered a bug on samba 4.1.12 (and below in 4.1), running 
>> with Active Directory.
>>
>> I have a samba share configured like this:
>> [someshare]
>> comment = Some comment
>> browsable = yes
>> path = /path/to/somename
>> writable = yes
>> valid users = +somename
>> force user = somename
>> force group = somename
>> create mode = 0775
>> force create mode = 0775
>> directory  mode = 2775
>> force directory  mode = 2775
>>
>> "somename" is both a unix-only user and an AD group:
>> # id somename
>> uid=121(somename) gid=955(somename) groupes=955(somename)
>>
>> # getent group | grep somename
>> somename:*:955:onemember
>>
>> But I'm unable to connect to someshare, I'm rejected with the error:
>> tree connect failed: NT_STATUS_NO_SUCH_USER
>>
>> I've tried to replace the "force user" parameter with :
>> one user that exists in AD
>> one user that hasn't a group (in AD) with the same name
>> -> it works
>>
>> => I think there's a bug with "force user" parameter with unix-only 
>> user that has a group in AD with same name.
>>
>>
>> Thanks,
>>
>> Quentin Gibeaux.
> No Quentin, I do not think that you have found a bug, I think that you 
> are hitting the 'you cannot have a user & group with the same name in 
> AD' problem.
>
> In your case, the user is only a unix-user (no doubt 'getent passwd 
> somename' shows the user) but the same name also appears in AD as a 
> group, so how does AD know user 'somename' is a member of the 
> 'somename' group ?
>
> I would suggest that you only use local users to carry local 
> administration, if you do need to create an AD group, you only add AD 
> users and do not try to create any user with the same name as a group.
>
> As '121' is below '500' it is what is known as a 'system user' and as 
> such, should not be in AD or have anything to do with AD.
>
> Rowland
This makes sense.

But what about a unix user that is only there to give clean ownership of the files 
and folders of the share, and that has the same name as the AD group used 
to grant access? This unix user wouldn't be a member of the group (or could 
be, but that doesn't matter).
Like so:
root at server:~# id somename
uid=122(somename) gid=65534(nogroup) groupes=65534(nogroup)
root at server:~# getent group | grep somename
somename:*:951:user1

Still having tree connect failed: NT_STATUS_NO_SUCH_USER
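The situation above, a "force user" name that exists as a local unix account while the same name comes back from NSS (winbind) as a group, is something you can check for before a client ever gets NT_STATUS_NO_SUCH_USER. The script below is an added example, not part of this thread and not Samba's own tooling. It reads the share's "force user" value out of smb.conf text and compares the name against three databases: the passwd database as NSS sees it, the local group file, and the group database as NSS sees it. A name that resolves as a user and as a group that is not in /etc/group (so it came from winbind/sssd/ldap) is flagged as the collision discussed here; a user with a local private group of the same name is reported as ok, since that is normal on a Linux host. The SAMPLE_* data is constructed from the values in the thread plus invented extra entries (svcuser, user1, the shares svcshare/adshare/badshare/noforce, the gids) so that it runs offline; on a real host feed it `getent passwd`, `cat /etc/group`, `getent group` and `testparm -s` output instead.

```shell
#!/bin/sh
# Added example (not from the thread, not Samba code): detect a "force user"
# whose name is a local unix user and also an NSS-provided (e.g. AD) group.

# --- constructed sample data (values from the thread plus invented entries) ---
NSS_PASSWD='root:x:0:0:root:/root:/bin/bash
somename:x:122:65534::/nonexistent:/usr/sbin/nologin
svcuser:x:123:123::/nonexistent:/usr/sbin/nologin
user1:*:10001:10000:user1:/home/EXAMPLE/user1:/bin/false'

LOCAL_GROUP='root:x:0:
nogroup:x:65534:
svcuser:x:123:'

NSS_GROUP='root:x:0:
nogroup:x:65534:
svcuser:x:123:
somename:*:951:user1
domain users:*:10000:'

SAMPLE_SMBCONF='[global]
workgroup = EXAMPLE

[someshare]
comment = Some comment
path = /path/to/somename
valid users = +somename
force user = somename
force group = somename
directory  mode = 2775

[svcshare]
path = /srv/svc
force user = svcuser

[adshare]
path = /srv/ad
force user = user1

[badshare]
path = /srv/bad
force user = nobodyhere

[noforce]
path = /srv/plain'

# share_param CONF SECTION PARAM -> prints PARAM's value inside [SECTION].
# Parameter names are compared case-insensitively with whitespace squeezed,
# which is how smbd itself treats "directory  mode" vs "directory mode".
share_param() {
    printf '%s\n' "$1" | awk -v sec="$2" -v key="$3" '
        /^[[:space:]]*[#;]/ { next }
        /^[[:space:]]*\[/ {
            s = $0; gsub(/^[[:space:]]+|[[:space:]]+$/, "", s)
            insec = (s == ("[" sec "]")); next
        }
        insec && index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1)
            v = substr($0, index($0, "=") + 1)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", k); gsub(/[[:space:]]+/, " ", k)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
            if (tolower(k) == tolower(key)) print v
        }'
}

# list_shares CONF -> one section name per line, [global] excluded
list_shares() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*\[\(.*\)\][[:space:]]*$/\1/p' | grep -vx global
}

# name_in_db NAME DB -> succeeds if NAME is the first field of some line of DB
name_in_db() {
    printf '%s\n' "$2" | awk -F: -v n="$1" '$1 == n { found = 1 } END { exit !found }'
}

# check_force_user CONF SECTION NSS_PASSWD LOCAL_GROUP NSS_GROUP
# prints: none | missing-user | nss-group-collision | ok  (non-zero on a problem)
check_force_user() {
    fu=$(share_param "$1" "$2" "force user")
    [ -n "$fu" ] || { echo none; return 0; }
    name_in_db "$fu" "$3" || { echo missing-user; return 1; }
    if name_in_db "$fu" "$5" && ! name_in_db "$fu" "$4"; then
        echo nss-group-collision; return 1      # the case from the thread
    fi
    echo ok                                     # no group, or a local private group
}

list_shares "$SAMPLE_SMBCONF" | while IFS= read -r sec; do
    verdict=$(check_force_user "$SAMPLE_SMBCONF" "$sec" "$NSS_PASSWD" "$LOCAL_GROUP" "$NSS_GROUP") || :
    printf '%-12s force user = %-12s %s\n' "[$sec]" "$(share_param "$SAMPLE_SMBCONF" "$sec" "force user")" "$verdict"
done
```

The "local group file" input is what separates a harmless private group from the thread's problem: a name present in `getent group` but absent from /etc/group was supplied by another NSS backend, which on an AD member is winbind. The check is a heuristic for that configuration, not a statement of how smbd resolves the name internally.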
