Unable to connect to samba share with "force user = unix_user"

Rowland Penny repenny241155 at gmail.com
Wed Oct 15 05:15:46 MDT 2014

On 15/10/14 12:05, Quentin Gibeaux wrote:
> On 15/10/2014 12:34, Rowland Penny wrote:
>> On 15/10/14 10:46, Quentin Gibeaux wrote:
>>> Hi,
>>> I've encountered a bug on samba 4.1.12 (and below in 4.1), running 
>>> with Active Directory.
>>> I've a samba share configured like this :
>>> [someshare]
>>> comment = Some comment
>>> browsable = yes
>>> path = /path/to/somename
>>> writable = yes
>>> valid users = +somename
>>> force user = somename
>>> force group = somename
>>> create mode = 0775
>>> force create mode = 0775
>>> directory  mode = 2775
>>> force directory  mode = 2775
>>> "somename" is both : unix-only user and an AD group :
>>> # id somename
>>> uid=121(somename) gid=955(somename) groupes=955(somename)
>>> # getent group | grep somename
>>> somename:*:955:onemember
>>> But I'm unable to connect to someshare, I'm rejected with error :
>>> tree connect failed: NT_STATUS_NO_SUCH_USER
>>> I've tried to replace the "force user" parameter with :
>>> one user that exists in AD
>>> one user that hasn't a group (in AD) with the same name
>>> -> it works
>>> => I think there's a bug with "force user" parameter with unix-only 
>>> user that has a group in AD with same name.
>>> Thanks,
>>> Quentin Gibeaux.
>> No Quentin, I do not think that you have found a bug, I think that 
>> you are hitting the 'you cannot have a user & group with the same 
>> name in AD' problem.
>> In your case, the user is only a unix-user (no doubt 'getent passwd 
>> somename' shows the user) but the same name also appears in AD as a 
>> group, so how does AD know user 'somename' is a member of the 
>> 'somename' group ?
>> I would suggest that you only use local users to carry local 
>> administration, if you do need to create an AD group, you only add AD 
>> users and do not try to create any user with the same name as a group.
>> As '121' is below '500' it is what is known as a 'system user' and as 
>> such, should not be in AD or have anything to do with AD.
>> Rowland
> This makes sense.
> But what about an unix user only there to have clean ownerships on 
> files and folder of the share, that has the same name than the AD's 
> group used to grant access ? This unix user would'nt be member of the 
> group (or can be, but no care).
> Like so :
> root at server:~# id somename
> uid=122(somename) gid=65534(nogroup) groupes=65534(nogroup)
> root at server:~# getent group | grep somename
> somename:*:951:user1
> Still having tree connect failed: NT_STATUS_NO_SUCH_USER
A unix only user cannot be a member of an AD group, only an AD user can 
be a member of an AD group. This means that when you try to connect to a 
samba share (on a machine that is joined to the domain) as a local unix 
user, then samba is not going to know who your user is.
If you run samba as a 'classic' PDC then you could & should have users 
both as local & domain users, but with AD this is no longer allowed, you 
also cannot have a user & a group with the same name.


More information about the samba-technical mailing list