Unable to connect to samba share with "force user = unix_user"
Rowland Penny
repenny241155 at gmail.com
Wed Oct 15 05:15:46 MDT 2014
On 15/10/14 12:05, Quentin Gibeaux wrote:
> On 15/10/2014 12:34, Rowland Penny wrote:
>> On 15/10/14 10:46, Quentin Gibeaux wrote:
>>> Hi,
>>>
>>> I've encountered a bug on samba 4.1.12 (and below in 4.1), running
>>> with Active Directory.
>>>
>>> I've a samba share configured like this :
>>> [someshare]
>>> comment = Some comment
>>> browsable = yes
>>> path = /path/to/somename
>>> writable = yes
>>> valid users = +somename
>>> force user = somename
>>> force group = somename
>>> create mode = 0775
>>> force create mode = 0775
>>> directory mode = 2775
>>> force directory mode = 2775
>>>
>>> "somename" is both : unix-only user and an AD group :
>>> # id somename
>>> uid=121(somename) gid=955(somename) groupes=955(somename)
>>>
>>> # getent group | grep somename
>>> somename:*:955:onemember
>>>
>>> But I'm unable to connect to someshare, I'm rejected with error :
>>> tree connect failed: NT_STATUS_NO_SUCH_USER
>>>
>>> I've tried to replace the "force user" parameter with :
>>> one user that exists in AD
>>> one user that hasn't a group (in AD) with the same name
>>> -> it works
>>>
>>> => I think there's a bug with "force user" parameter with unix-only
>>> user that has a group in AD with same name.
>>>
>>>
>>> Thanks,
>>>
>>> Quentin Gibeaux.
>> No Quentin, I do not think that you have found a bug, I think that
>> you are hitting the 'you cannot have a user & group with the same
>> name in AD' problem.
>>
>> In your case, the user is only a unix-user (no doubt 'getent passwd
>> somename' shows the user) but the same name also appears in AD as a
>> group, so how does AD know user 'somename' is a member of the
>> 'somename' group ?
>>
>> I would suggest that you only use local users to carry local
>> administration, if you do need to create an AD group, you only add AD
>> users and do not try to create any user with the same name as a group.
>>
>> As '121' is below '500' it is what is known as a 'system user' and as
>> such, should not be in AD or have anything to do with AD.
>>
>> Rowland
> This makes sense.
>
> But what about an unix user only there to have clean ownerships on
> files and folder of the share, that has the same name than the AD's
> group used to grant access ? This unix user would'nt be member of the
> group (or can be, but no care).
> Like so :
> root at server:~# id somename
> uid=122(somename) gid=65534(nogroup) groupes=65534(nogroup)
> root at server:~# getent group | grep somename
> somename:*:951:user1
>
> Still having tree connect failed: NT_STATUS_NO_SUCH_USER
>
>
>
A unix only user cannot be a member of an AD group, only an AD user can
be a member of an AD group. This means that when you try to connect to a
samba share (on a machine that is joined to the domain) as a local unix
user, then samba is not going to know who your user is.
If you run samba as a 'classic' PDC then you could & should have users
both as local & domain users, but with AD this is no longer allowed, you
also cannot have a user & a group with the same name.
Rowland
More information about the samba-technical
mailing list