Unable to connect to samba share with "force user = unix_user"

Rowland Penny repenny241155 at gmail.com
Wed Oct 15 06:31:14 MDT 2014

On 15/10/14 13:20, Quentin Gibeaux wrote:
> On 15/10/2014 14:16, Rowland Penny wrote:
>> On 15/10/14 12:46, Quentin Gibeaux wrote:
>>> On 15/10/2014 13:38, Rowland Penny wrote:
>>>> On 15/10/14 12:28, Quentin Gibeaux wrote:
>>>>> On 15/10/2014 13:15, Rowland Penny wrote:
>>>>>> A unix only user cannot be a member of an AD group, only an AD 
>>>>>> user can be a member of an AD group. This means that when you try 
>>>>>> to connect to a samba share (on a machine that is joined to the 
>>>>>> domain) as a local unix user, then samba is not going to know who 
>>>>>> your user is.
>>>>>> If you run samba as a 'classic' PDC then you could & should have 
>>>>>> users both as local & domain users, but with AD this is no longer 
>>>>>> allowed, you also cannot have a user & a group with the same name.
>>>>>> Rowland
>>>>> Sorry, I've forgotten to say that I'm not trying to connect to the 
>>>>> share with this 'somename' user, but with whatever AD user that 
>>>>> is a member of the AD group (valid users = +somename).
>>>>> Doesn't the "force user" parameter have nothing to do with the 
>>>>> connection process? The documentation says it's only used for 
>>>>> the fs accesses (read/write/ownerships).
>>>>> Quentin
>>>> Shouldn't +somename be @somename ?
>>>> Rowland
>>> Indeed, but it doesn't change the result, even if I comment the 
>>> valid users line (so it is accessible to any user), I still have the 
>>> Quentin
>> If you are trying to connect as the user 'somename' then as I have 
>> already said this user is not an AD user and samba does not know who 
>> he is.
>> I take it that you have something similar to this in /etc/nsswitch.conf
>> passwd:         compat winbind
>> group:          compat winbind
>> When you run getent passwd <username>, the local files are searched 
>> and if found the user info is returned, if not found winbind is 
>> searched. The same goes for getent group <groupname>. So when you 
>> search for your user, it is returned from the local files (because 
>> that is where it is found), when you search for the group, it is 
>> returned by winbind.
>> When you try to connect to your samba share as the local user, 
>> winbind is searched, cannot find your user and the rest you know.
>> Rowland
> I'm trying to connect with user1, that is in AD, and member of AD's 
> group somename.
OK, in which case try this:

valid users = +somename
force user = somename
force group = somename

valid users = @somename
#force user = somename
#force group = somename

restart samba daemons

This should only allow members of the group 'somename' to connect. If 
this works, uncomment the two lines, one by one, starting with the group 
line first.
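The lookup order Rowland describes (a local user named 'somename' answered by the local files, an AD group of the same name answered by winbind) is easy to model, and doing so shows why a share that combines `valid users = @somename` with `force user = somename` ends up pointing at two different objects. The following is an added example, not code from the thread or from Samba: it walks a `compat winbind` nsswitch order over constructed passwd/group data and a constructed winbind view, evaluates a `valid users` list ('@' and '+' are both treated as a plain unix group lookup, with NIS netgroups ignored, which is a simplification), and reports when the name given to `force user` resolves to a user from one NSS source while a group of the same name comes from another.

```python
"""Model of the nsswitch lookup order described in the thread.

Added example for illustration. LOCAL_*, WINBIND_* and the share below
are constructed data, not taken from the original mail.
"""

# Constructed: what the member server's /etc/passwd and /etc/group hold.
LOCAL_PASSWD = {"root": 0, "somename": 1001}          # name -> uid
LOCAL_GROUP = {"root": (0, ["root"])}                 # name -> (gid, members)

# Constructed: what winbind would answer for the AD domain.
WINBIND_PASSWD = {"user1": 10001, "user2": 10002}
WINBIND_GROUP = {"somename": 10500, "domain users": 10513}
WINBIND_MEMBERS = {"somename": ["user1"], "domain users": ["user1", "user2"]}

# The nsswitch.conf order from the thread; 'compat' is modelled as plain files.
NSSWITCH = {"passwd": ["compat", "winbind"], "group": ["compat", "winbind"]}


def _lookup(db, name):
    """Walk the sources for `db` in order; return (source, id) of the first hit."""
    for source in NSSWITCH[db]:
        if source == "compat":
            if db == "passwd" and name in LOCAL_PASSWD:
                return source, LOCAL_PASSWD[name]
            if db == "group" and name in LOCAL_GROUP:
                return source, LOCAL_GROUP[name][0]
        elif source == "winbind":
            table = WINBIND_PASSWD if db == "passwd" else WINBIND_GROUP
            if name in table:
                return source, table[name]
    return None


def getent_passwd(name):
    return _lookup("passwd", name)


def getent_group(name):
    return _lookup("group", name)


def group_members(name):
    """Members of a group, taken from whichever source answered getent_group."""
    hit = getent_group(name)
    if hit is None:
        return []
    source, _gid = hit
    if source == "compat":
        return LOCAL_GROUP[name][1]
    return WINBIND_MEMBERS.get(name, [])


def valid_users_allows(valid_users, user):
    """Evaluate a 'valid users' list for `user`.

    '@name' and '+name' are both treated as a unix group lookup (assumption:
    no NIS netgroups). An empty list allows everyone.
    """
    if not valid_users:
        return True
    for entry in valid_users:
        if entry[:1] in ("@", "+"):
            if user in group_members(entry[1:]):
                return True
        elif entry == user:
            return True
    return False


def check_share(share, user):
    """Return findings for a connection attempt by `user` to `share`.

    `share` is a dict of the relevant smb.conf parameters, e.g.
    {"valid users": ["@somename"], "force user": "somename"}.
    """
    findings = []
    if not valid_users_allows(share.get("valid users", []), user):
        return [f"{user}: denied by valid users"]
    findings.append(f"{user}: allowed by valid users")

    fu = share.get("force user")
    if fu:
        hit = getent_passwd(fu)
        if hit is None:
            findings.append(f"force user {fu!r}: no such user in any NSS source")
        else:
            src, uid = hit
            grp = getent_group(fu)
            if grp and grp[0] != src:
                findings.append(
                    f"force user {fu!r}: user comes from {src} (uid {uid}) but a "
                    f"group of the same name comes from {grp[0]}; "
                    f"name collision across NSS sources")

    fg = share.get("force group")
    if fg and getent_group(fg) is None:
        findings.append(f"force group {fg!r}: no such group in any NSS source")
    return findings


if __name__ == "__main__":
    share = {"valid users": ["@somename"],
             "force user": "somename", "force group": "somename"}
    for line in check_share(share, "user1"):
        print(line)
```

Running it shows user1 admitted through the AD group and then flags that the `force user` name resolves to the local uid 1001 while the group `somename` only exists in winbind, which is the collision Rowland points at when he says a user and a group cannot share a name in the AD setup.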


More information about the samba-technical mailing list