Unable to connect to samba share with "force user = unix_user"

Rowland Penny repenny241155 at gmail.com
Wed Oct 15 05:38:28 MDT 2014


On 15/10/14 12:28, Quentin Gibeaux wrote:
> On 15/10/2014 13:15, Rowland Penny wrote:
>> On 15/10/14 12:05, Quentin Gibeaux wrote:
>>> On 15/10/2014 12:34, Rowland Penny wrote:
>>>> On 15/10/14 10:46, Quentin Gibeaux wrote:
>>>>> Hi,
>>>>>
>>>>> I've encountered a bug on samba 4.1.12 (and below in 4.1), running 
>>>>> with Active Directory.
>>>>>
>>>>> I've a samba share configured like this:
>>>>> [someshare]
>>>>> comment = Some comment
>>>>> browsable = yes
>>>>> path = /path/to/somename
>>>>> writable = yes
>>>>> valid users = +somename
>>>>> force user = somename
>>>>> force group = somename
>>>>> create mode = 0775
>>>>> force create mode = 0775
>>>>> directory  mode = 2775
>>>>> force directory  mode = 2775
>>>>>
>>>>> "somename" is both a unix-only user and an AD group:
>>>>> # id somename
>>>>> uid=121(somename) gid=955(somename) groupes=955(somename)
>>>>>
>>>>> # getent group | grep somename
>>>>> somename:*:955:onemember
>>>>>
>>>>> But I'm unable to connect to someshare, I'm rejected with the error:
>>>>> tree connect failed: NT_STATUS_NO_SUCH_USER
>>>>>
>>>>> I've tried to replace the "force user" parameter with:
>>>>> one user that exists in AD
>>>>> one user that doesn't have a group (in AD) with the same name
>>>>> -> it works
>>>>>
>>>>> => I think there's a bug with the "force user" parameter when a 
>>>>> unix-only user has a group in AD with the same name.
>>>>>
>>>>>
>>>>> Thanks,
>>>>>
>>>>> Quentin Gibeaux.
>>>> No Quentin, I do not think that you have found a bug, I think that 
>>>> you are hitting the 'you cannot have a user & group with the same 
>>>> name in AD' problem.
>>>>
>>>> In your case, the user is only a unix user (no doubt 'getent passwd 
>>>> somename' shows the user) but the same name also appears in AD as a 
>>>> group, so how does AD know user 'somename' is a member of the 
>>>> 'somename' group?
>>>>
>>>> I would suggest that you only use local users to carry out local 
>>>> administration; if you do need to create an AD group, only add 
>>>> AD users to it and do not try to create any user with the same name as a 
>>>> group.
>>>>
>>>> As '121' is below '500' it is what is known as a 'system user' and 
>>>> as such, should not be in AD or have anything to do with AD.
>>>>
>>>> Rowland
>>> This makes sense.
>>>
>>> But what about a unix user that is only there to have clean ownership of 
>>> the files and folders of the share, and that has the same name as the AD 
>>> group used to grant access? This unix user wouldn't be a member of 
>>> the group (or could be, but it doesn't matter).
>>> Like so:
>>> root at server:~# id somename
>>> uid=122(somename) gid=65534(nogroup) groupes=65534(nogroup)
>>> root at server:~# getent group | grep somename
>>> somename:*:951:user1
>>>
>>> Still having tree connect failed: NT_STATUS_NO_SUCH_USER
>>>
>>>
>>>
>> A unix-only user cannot be a member of an AD group, only an AD user 
>> can be a member of an AD group. This means that when you try to 
>> connect to a samba share (on a machine that is joined to the domain) 
>> as a local unix user, then samba is not going to know who your user is.
>> If you run samba as a 'classic' PDC then you could & should have 
>> users both as local & domain users, but with AD this is no longer 
>> allowed; you also cannot have a user & a group with the same name.
>>
>> Rowland
>>
> Sorry, I forgot to say that I'm not trying to connect to the 
> share with this 'somename' user, but with any AD user that is a 
> member of the AD group (valid users = +somename).
>
> Hasn't the "force user" parameter anything to do with the connection 
> process? The documentation says it's only used for the filesystem accesses 
> (read/write/ownership).
>
> Quentin
Shouldn't +somename be @somename ?

Rowland
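An added example, not code from the thread or from the Samba project: a small Python lint for the share definition quoted above. It parses the smb.conf fragment the way Samba normalises parameter names (case and internal whitespace ignored, so "directory  mode" and "force directory  mode" still land on the right parameter), spells out what the `+`, `@` and `&` prefixes in `valid users` mean according to smb.conf(5), and checks whether the `force user` name resolves through NSS and whether the same name also exists as a group, which is the collision the thread is about. The share text is the one posted in the thread; the 500 system-uid threshold is taken from Rowland's message and marked as an assumption; the function names are mine. What the identity checks report depends on the NSS/winbind configuration of the host the script runs on.

```python
import grp
import pwd
import re

# Constructed sample: the share block posted in the thread, as-is.
SAMPLE_SMB_CONF = """\
[someshare]
comment = Some comment
browsable = yes
path = /path/to/somename
writable = yes
valid users = +somename
force user = somename
force group = somename
create mode = 0775
force create mode = 0775
directory  mode = 2775
force directory  mode = 2775
"""

# smb.conf(5), 'valid users': '@' tries a NIS netgroup first, then a unix
# group; '+' is unix group only; '&' is NIS netgroup only; '+&' and '&+'
# combine the two in that order. No prefix means a user name.
PREFIX_RULES = {
    "@": "NIS netgroup first, then unix group",
    "+": "unix group only",
    "&": "NIS netgroup only",
    "+&": "unix group first, then NIS netgroup",
    "&+": "NIS netgroup first, then unix group",
}

SYSTEM_UID_LIMIT = 500  # assumption: the 'system user' threshold Rowland quotes


def parse_smb_conf(text):
    """Parse smb.conf-style text into {section: {param: value}}.

    Samba ignores case and internal whitespace in parameter names, so
    'directory  mode' and 'Directory Mode' both become 'directorymode'.
    Lines starting with '#' or ';' are comments.
    """
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections[current] = {}
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][re.sub(r"\s+", "", key).lower()] = value.strip()
    return sections


def classify_valid_users(value):
    """Return (token, name, lookup rule) for each entry of a 'valid users' value."""
    result = []
    for token in re.split(r"[,\s]+", value.strip()):
        if not token:
            continue
        # two-character prefixes ('+&', '&+') take precedence over single ones
        prefix = token[:2] if token[:2] in PREFIX_RULES else token[:1]
        if prefix in PREFIX_RULES:
            result.append((token, token[len(prefix):], PREFIX_RULES[prefix]))
        else:
            result.append((token, token, "user name"))
    return result


def lookup_user(name):
    """Resolve a user name through NSS (what 'getent passwd' does); None if absent."""
    try:
        return pwd.getpwnam(name)
    except KeyError:
        return None


def lookup_group(name):
    """Resolve a group name through NSS (what 'getent group' does); None if absent."""
    try:
        return grp.getgrnam(name)
    except KeyError:
        return None


def check_force_identity(share):
    """Warnings about the 'force user' / 'force group' names of one parsed share."""
    warnings = []
    user = share.get("forceuser")
    group = share.get("forcegroup")
    if user:
        pw = lookup_user(user)
        if pw is None:
            warnings.append(f"force user '{user}' does not resolve via NSS")
        else:
            if pw.pw_uid < SYSTEM_UID_LIMIT:
                warnings.append(f"force user '{user}' has uid {pw.pw_uid}, a system user")
            if lookup_group(user) is not None:
                warnings.append(f"'{user}' is both a user and a group name")
    if group and lookup_group(group) is None:
        warnings.append(f"force group '{group}' does not resolve via NSS")
    return warnings


if __name__ == "__main__":
    share = parse_smb_conf(SAMPLE_SMB_CONF)["someshare"]
    for token, name, rule in classify_valid_users(share["validusers"]):
        print(f"valid users entry {token!r}: '{name}' looked up as {rule}")
    for warning in check_force_identity(share):
        print("warning:", warning)
```

Run it on the domain member that serves the share, since that is the host whose NSS (and winbind) answer decides whether Samba can map the forced name; on any other machine the lookups only tell you about that machine.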


