Unable to connect to samba share with "force user = unix_user"

Quentin Gibeaux qgibeaux at iris-tech.fr
Wed Oct 15 06:20:21 MDT 2014

On 15/10/2014 14:16, Rowland Penny wrote:
> On 15/10/14 12:46, Quentin Gibeaux wrote:
>> On 15/10/2014 13:38, Rowland Penny wrote:
>>> On 15/10/14 12:28, Quentin Gibeaux wrote:
>>>> On 15/10/2014 13:15, Rowland Penny wrote:
>>>>> A unix only user cannot be a member of an AD group, only an AD 
>>>>> user can be a member of an AD group. This means that when you try 
>>>>> to connect to a samba share (on a machine that is joined to the 
>>>>> domain) as a local unix user, then samba is not going to know who 
>>>>> your user is.
>>>>> If you run samba as a 'classic' PDC then you could & should have 
>>>>> users both as local & domain users, but with AD this is no longer 
>>>>> allowed, you also cannot have a user & a group with the same name.
>>>>> Rowland
>>>> Sorry, I've forgotten to say that I'm not trying to connect to the 
>>>> share with this 'somename' user, but with whatever AD user 
>>>> is a member of the AD group (valid users = +somename).
>>>> Doesn't the "force user" parameter have nothing to do with the 
>>>> connection process? The documentation says it's only used for the 
>>>> fs accesses (read/write/ownerships).
>>>> Quentin
>>> Shouldn't +somename be @somename ?
>>> Rowland
>> Indeed, but it doesn't change the result, even if I comment the valid 
>> users line (so it is accessible to any user), I still have the 
>> Quentin
> If you are trying to connect as the user 'somename' then as I have 
> already said this user is not an AD user and samba does not know who 
> he is.
> I take it that you have something similar to this in /etc/nsswitch.conf
> passwd:         compat winbind
> group:          compat winbind
> When you run getent passwd <username>, the local files are searched and 
> if found the user info is returned, if not found winbind is searched. 
> The same goes for getent group <groupname>. So when you search for 
> your user, it is returned from the local files (because that is 
> where it is found), when you search for the group, it is returned by 
> winbind.
> When you try to connect to your samba share as the local user, winbind 
> is searched, cannot find your user and the rest you know.
> Rowland
I'm trying to connect with user1, which is in AD and a member of the AD 
group somename.
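
The lookup order described in the quoted reply can be checked one source at a time. The following is an added example, not part of the original thread or of Samba: it reads the `passwd:` and `group:` lines of nsswitch.conf and asks each listed source separately through glibc's `getent -s`, reporting which source answers first for a name such as `somename` or `user1`. The function names are hypothetical, and it assumes default NSS actions (stop at the first source that succeeds).

```python
import re
import subprocess
import sys

# Constructed sample: the two nsswitch.conf lines quoted in the thread.
SAMPLE_NSSWITCH = "passwd:         compat winbind\ngroup:          compat winbind\n"

def sources_for(conf_text, database):
    """Ordered NSS sources for one database, with [STATUS=action] items dropped."""
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.startswith(database + ":"):
            spec = re.sub(r"\[[^\]]*\]", " ", line.split(":", 1)[1])
            return spec.split()
    return []

def getent_lookup(source, database, key):
    """True if this single source knows the key (glibc `getent -s SOURCE`)."""
    proc = subprocess.run(["getent", "-s", source, database, key],
                          stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return proc.returncode == 0

def first_answering_source(conf_text, database, key, lookup=getent_lookup):
    """Return (winner, known): the first source that knows the key, and all that do.

    Assumption: default NSS actions apply, so the first success wins; any
    [STATUS=action] overrides in the file are ignored by this example.
    """
    known = [s for s in sources_for(conf_text, database) if lookup(s, database, key)]
    return (known[0] if known else None), known

if __name__ == "__main__":
    # Usage: pass the names to check, e.g. the force user, the group, an AD user.
    with open("/etc/nsswitch.conf") as fh:
        conf = fh.read()
    for name in sys.argv[1:]:
        for database in ("passwd", "group"):
            winner, known = first_answering_source(conf, database, name)
            print(f"{database:6} {name}: answered by {winner}, known to {known}")
```

A name that is answered by `compat` for `passwd` and by `winbind` for `group` is the local-user-plus-AD-group situation discussed in the thread.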
