Unable to connect to samba share with "force user = unix_user"
Quentin Gibeaux
qgibeaux at iris-tech.fr
Wed Oct 15 05:28:52 MDT 2014
On 15/10/2014 13:15, Rowland Penny wrote:
> On 15/10/14 12:05, Quentin Gibeaux wrote:
>> On 15/10/2014 12:34, Rowland Penny wrote:
>>> On 15/10/14 10:46, Quentin Gibeaux wrote:
>>>> Hi,
>>>>
>>>> I've encountered a bug on samba 4.1.12 (and below in 4.1), running
>>>> with Active Directory.
>>>>
>>>> I've a samba share configured like this:
>>>> [someshare]
>>>> comment = Some comment
>>>> browsable = yes
>>>> path = /path/to/somename
>>>> writable = yes
>>>> valid users = +somename
>>>> force user = somename
>>>> force group = somename
>>>> create mode = 0775
>>>> force create mode = 0775
>>>> directory mode = 2775
>>>> force directory mode = 2775
>>>>
>>>> "somename" is both: a unix-only user and an AD group:
>>>> # id somename
>>>> uid=121(somename) gid=955(somename) groupes=955(somename)
>>>>
>>>> # getent group | grep somename
>>>> somename:*:955:onemember
>>>>
>>>> But I'm unable to connect to someshare, I'm rejected with error:
>>>> tree connect failed: NT_STATUS_NO_SUCH_USER
>>>>
>>>> I've tried to replace the "force user" parameter with:
>>>> one user that exists in AD
>>>> one user that hasn't a group (in AD) with the same name
>>>> -> it works
>>>>
>>>> => I think there's a bug with "force user" parameter with unix-only
>>>> user that has a group in AD with same name.
>>>>
>>>>
>>>> Thanks,
>>>>
>>>> Quentin Gibeaux.
>>> No Quentin, I do not think that you have found a bug, I think that
>>> you are hitting the 'you cannot have a user & group with the same
>>> name in AD' problem.
>>>
>>> In your case, the user is only a unix-user (no doubt 'getent passwd
>>> somename' shows the user) but the same name also appears in AD as a
>>> group, so how does AD know user 'somename' is a member of the
>>> 'somename' group?
>>>
>>> I would suggest that you only use local users to carry local
>>> administration, if you do need to create an AD group, you only add
>>> AD users and do not try to create any user with the same name as a
>>> group.
>>>
>>> As '121' is below '500' it is what is known as a 'system user' and
>>> as such, should not be in AD or have anything to do with AD.
>>>
>>> Rowland
>> This makes sense.
>>
>> But what about a unix user that is only there to have clean ownership of
>> the files and folders of the share, and that has the same name as the AD
>> group used to grant access? This unix user wouldn't be a member of the
>> group (or could be, but it doesn't matter).
>> Like so:
>> root@server:~# id somename
>> uid=122(somename) gid=65534(nogroup) groupes=65534(nogroup)
>> root@server:~# getent group | grep somename
>> somename:*:951:user1
>>
>> Still having tree connect failed: NT_STATUS_NO_SUCH_USER
>>
>>
>>
> A unix only user cannot be a member of an AD group, only an AD user
> can be a member of an AD group. This means that when you try to
> connect to a samba share (on a machine that is joined to the domain)
> as a local unix user, then samba is not going to know who your user is.
> If you run samba as a 'classic' PDC then you could & should have users
> both as local & domain users, but with AD this is no longer allowed,
> you also cannot have a user & a group with the same name.
>
> Rowland
>
Sorry, I've forgotten to say that I'm not trying to connect to the share
with this 'somename' user, but with whatever AD user is a member of
the AD group (valid users = +somename).
Has the "force user" parameter nothing to do with the connection
process? The documentation says it's only used for the fs accesses
(read/write/ownerships).
Quentin
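As an added illustration of the diagnosis in this thread (not code from the thread or from the Samba project), the sh script below reads a share's "force user" from an smb.conf-style file and reports whether that name also exists as a group name. The smb.conf fragment and the passwd/group lines are constructed stand-ins for the real file and for `getent passwd` / `getent group` output, and `share_param` / `check_force_user` are helper names chosen here.

```shell
# Added example, not from the thread or from Samba: flag a "force user" whose
# name also exists as a group name, the collision Rowland points to.

# Constructed smb.conf fragment: the thread's share plus two control shares.
SMB_CONF=$(mktemp)
cat > "$SMB_CONF" <<'EOF'
[someshare]
path = /path/to/somename
valid users = +somename
force user = somename
force group = somename
[ok]
force user = alice
[missing]
force user = ghost
EOF

# Constructed stand-ins for `getent passwd` and `getent group` output.
PASSWD_DB=$(mktemp); GROUP_DB=$(mktemp)
printf '%s\n' 'somename:x:121:955::/nonexistent:/usr/sbin/nologin' \
              'alice:x:10001:10000::/home/alice:/bin/sh' > "$PASSWD_DB"
printf '%s\n' 'somename:*:955:onemember' 'domain users:*:10000:alice' > "$GROUP_DB"

# share_param CONF SHARE KEY: print KEY's value inside [SHARE], or nothing.
share_param() {
    awk -v share="[$2]" -v key="$3" '
        /^\[/ { in_share = ($0 == share); next }
        in_share && index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1); gsub(/^[ \t]+|[ \t]+$/, "", k)
            if (k != key) next
            v = substr($0, index($0, "=") + 1); gsub(/^[ \t]+|[ \t]+$/, "", v)
            print v; exit
        }' "$1"
}

# check_force_user CONF SHARE PASSWD_DB GROUP_DB
# 0: no force user, or it resolves cleanly; 1: no such unix user;
# 2: the name is also a group name (the situation in this thread).
check_force_user() {
    user=$(share_param "$1" "$2" "force user")
    [ -n "$user" ] || return 0
    grep -q "^$user:" "$3" || return 1
    grep -q "^$user:" "$4" && return 2
    return 0
}

for s in someshare ok missing; do
    rc=0; check_force_user "$SMB_CONF" "$s" "$PASSWD_DB" "$GROUP_DB" || rc=$?
    echo "$s: force user check returned $rc"
done
```

On a real host, replace the constructed databases with the output of `getent passwd` and `getent group` so the check sees the same name resolution Samba does.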