Unable to connect to samba share with "force user = unix_user"
Quentin Gibeaux
qgibeaux at iris-tech.fr
Wed Oct 15 06:20:21 MDT 2014
On 15/10/2014 14:16, Rowland Penny wrote:
> On 15/10/14 12:46, Quentin Gibeaux wrote:
>> On 15/10/2014 13:38, Rowland Penny wrote:
>>> On 15/10/14 12:28, Quentin Gibeaux wrote:
>>>> On 15/10/2014 13:15, Rowland Penny wrote:
>>>>> A unix only user cannot be a member of an AD group, only an AD
>>>>> user can be a member of an AD group. This means that when you try
>>>>> to connect to a samba share (on a machine that is joined to the
>>>>> domain) as a local unix user, then samba is not going to know who
>>>>> your user is.
>>>>> If you run samba as a 'classic' PDC then you could & should have
>>>>> users both as local & domain users, but with AD this is no longer
>>>>> allowed, you also cannot have a user & a group with the same name.
>>>>>
>>>>> Rowland
>>>>>
>>>> Sorry, I've forgotten to say that I'm not trying to connect to the
>>>> share with this 'somename' user, but with whatever AD's user that
>>>> is member of the AD's group (valid users = +somename).
>>>>
>>>> Doesn't the "force user" parameter have nothing to do with the
>>>> connection process? The documentation says it's only used for the
>>>> fs accesses (read/write/ownerships).
>>>>
>>>> Quentin
>>> Shouldn't +somename be @somename ?
>>>
>>> Rowland
>>>
>> Indeed, but it doesn't change the result, even if I comment the valid
>> users line (so it is accessible to any user), I still have the
>> NO_SUCH_USER.
>>
>> Quentin
> If you are trying to connect as the user 'somename' then as I have
> already said this user is not an AD user and samba does not know who
> he is.
>
> I take it that you have something similar to this in /etc/nsswitch.conf
>
> passwd: compat winbind
> group: compat winbind
>
> When you run getent passwd <username>, the local files are searched and
> if found the user info is returned, if not found winbind is searched.
> The same goes for getent group <groupname>. So when you search for
> your user, it is returned from the local files (because that is
> where it is found), when you search for the group, it is returned by
> winbind.
>
> When you try to connect to your samba share as the local user, winbind
> is searched, cannot find your user and the rest you know.
>
> Rowland
>
I'm trying to connect with user1, that is in AD, and member of AD's
group somename.
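
Added example, not part of the original messages and not Samba code: a simplified Python model of the lookup order that the quoted reply describes for `passwd: compat winbind` and `group: compat winbind`. The account data is constructed from the names used in the thread (`somename`, `user1`), and NSS action items such as `[NOTFOUND=return]` are stripped and ignored.

```python
import re

# nsswitch.conf lines as quoted in the thread.
NSSWITCH = """\
passwd: compat winbind
group: compat winbind
"""

# Constructed stand-ins for the two sources; names taken from the thread.
BACKENDS = {
    "compat": {"passwd": {"somename"}, "group": set()},        # local files
    "winbind": {"passwd": {"user1"}, "group": {"somename"}},   # AD via winbindd
}


def parse_nsswitch(text):
    """Return {database: [source, ...]} in the order the file lists them."""
    order = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        db, sources = line.split(":", 1)
        # Assumption of this model: action items like [NOTFOUND=return] are dropped.
        sources = re.sub(r"\[[^\]]*\]", " ", sources)
        order[db.strip()] = sources.split()
    return order


def resolve(db, name, order, backends=BACKENDS):
    """Return the first source that knows `name`, or None if none does."""
    for source in order.get(db, []):
        if name in backends.get(source, {}).get(db, set()):
            return source
    return None


def known_to(source, db, name, backends=BACKENDS):
    """True if a lookup restricted to one source would find `name`."""
    return name in backends[source][db]


if __name__ == "__main__":
    order = parse_nsswitch(NSSWITCH)
    for db, name in [("passwd", "somename"), ("group", "somename"), ("passwd", "user1")]:
        print(f"{db:6} {name:9} -> {resolve(db, name, order)}")
    print("winbind knows passwd/somename:", known_to("winbind", "passwd", "somename"))
```

On a real host, `getent passwd <username>` and `getent group <groupname>` perform the same ordered lookup against the live sources.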