Unable to connect to samba share with "force user = unix_user"

Rowland Penny repenny241155 at gmail.com
Wed Oct 15 06:16:00 MDT 2014

On 15/10/14 12:46, Quentin Gibeaux wrote:
> On 15/10/2014 13:38, Rowland Penny wrote:
>> On 15/10/14 12:28, Quentin Gibeaux wrote:
>>> On 15/10/2014 13:15, Rowland Penny wrote:
>>>> A unix only user cannot be a member of an AD group, only an AD user 
>>>> can be a member of an AD group. This means that when you try to 
>>>> connect to a samba share (on a machine that is joined to the 
>>>> domain) as a local unix user, then samba is not going to know who 
>>>> your user is.
>>>> If you run samba as a 'classic' PDC then you could & should have 
>>>> users both as local & domain users, but with AD this is no longer 
>>>> allowed, you also cannot have a user & a group with the same name.
>>>> Rowland
>>> Sorry, i've forgotten to say that I'm not trying to connect to the 
>>> share with this 'somename' user, but with whatever AD's user that is 
>>> member of the AD's group (valid users = +somename).
>>> Haven't the "force user" parameter nothing to do with the connection 
>>> proccess ? The documentation says it's only used for the fs accesses 
>>> (read/write/ownerships).
>>> Quentin
>> Shouldn't +somename be @somename ?
>> Rowland
> Indeed, but it doesn't change the result, even if I comment the valid 
> users line (so it is accessible to any user), I still have the 
> Quentin
If you are trying to connect as the user 'somename' then as I have 
already said this user is not an AD user and samba does not know who he is.

I take it that you have  something similar to this in /etc/nsswitch.conf

passwd:         compat winbind
group:          compat winbind

When you run getent passwd <username> , the local files are search and 
if found the user info is returned, if not found winbind is searched. 
The same goes for getent group <groupname>. So when you search for your 
user, it is returned from the local files (because that it is where it 
is found), when you search for the group, it is returned by winbind.

When you try to connect to your samba share as the local user, winbind 
is searched, cannot find your user and the rest you know.


More information about the samba-technical mailing list