[Samba] force user vs read list

John H Terpstra jht at samba.org
Thu Mar 11 22:15:06 GMT 2004


On Thu, 11 Mar 2004, William R. Knox wrote:

> I am in the process of expanding access to a share that currently has the
> following configuration:
>
> [uniqname]
>    comment = Unique comment
>    path = /path/to/the/stuff
>    public = no
>    writable = yes
>    printable = no
>    valid users = user1,user2,user3
>    force user = cooluser

The 'force user' directive means that at the point of connection the real
user's identity is lost and the user now is 'cooluser'.

>
> I want to add read-only access to an additional set of users. The smb.conf
> man page and the Samba-HOWTO are not clear (to me) about the precedence of
> the "force user" option versus the "read list" option - if I add user4 to
> a read list parameter entry, will they also get logged on as that user and
> have write permissions (as determined by the underlying filesystem)? I
> wanted to ask before even trying just to make sure that any discovery
> isn't later deemed a bug and changed.

This is a poor solution. The 'force user' and 'force group' directives
have serious side-effects and should be avoided if possible.

A better way to handle this is to use directory permissions to control who
can write and who can read. In this case you could set the directory as
read only to 'others' and writable to the group that owns the directory.
Then, if you set the SGID bit on the directory all files created within it
will always be owned by the group that owns the directory.

Alternately, as documented in the Samba-HOWTO-Collection you could just as
well use Share level permissions to limit which groups can write and who
gets read-only access. In fact, you can ensure that no-one except members
of those groups can even access the share. If you use Share level
permissions (ACLs) then you do not need to set in smb.conf the 'valid
users' parameter either.

> If the force user overrides the read list, I suppose I can just set up an
> alternate share pointing to the samba path that is read only with a
> different set of valid users, but that just feels so kludgey...
>
> The samba version in use is 2.2.8a, but I will be upgrading to 3.0.2a in
> the very near future, in case there is any difference.

The Samba-HOWTO-Collection is available from:
	http://www.samba.org/samba/docs/Samba-HOWTO-Collection.pdf

The chapter "File, Directory and Share Access Controls" applies to both
Samba-2.2.x and Samba-3.


- John T.
-- 
John H Terpstra
Email: jht at samba.org
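The directory-permission approach John recommends above (group-owned directory, read-only to others, setgid bit so new files inherit the group), as an added shell example that is not part of the original thread. It builds the share under a temporary directory and picks a group the current user already belongs to, so it runs without root; the share name "stuff" and the chosen group are assumptions.

```shell
#!/bin/sh
# Added example, not from the original thread: the setgid-directory approach
# from John's reply, run against a temporary directory so no root is needed.
# The share name "stuff" and the group are placeholders; the script picks a
# group the current user belongs to so that chgrp succeeds.
set -eu

# Make DIR a group-owned, setgid share directory:
#   owner rwx, group rwx, others r-x  (chmod 2775)
# Files created inside inherit DIR's group because of the setgid bit, so
# group members can write and everyone else gets read-only access.
setgid_share() {
    dir=$1
    group=$2
    mkdir -p "$dir"
    chgrp "$group" "$dir"
    chmod 2775 "$dir"
}

# Print the group name of FILE (GNU stat first, BSD stat as fallback).
group_of() {
    stat -c %G "$1" 2>/dev/null || stat -f %Sg "$1"
}

# Print the full octal mode of FILE, including the setgid bit.
mode_of() {
    stat -c %a "$1" 2>/dev/null || stat -f %OMp%OLp "$1"
}

# Choose the owning group: a supplementary group if the user has one (so the
# inherited group visibly differs from the primary group), else the primary.
pick_group() {
    primary=$(id -gn)
    for g in $(id -Gn); do
        if [ "$g" != "$primary" ]; then
            printf '%s\n' "$g"
            return
        fi
    done
    printf '%s\n' "$primary"
}

# Build the share, create a file the way a writing user would, and show what
# the directory and the new file look like. Returns 0 when the new file
# inherited the directory's group rather than the creator's primary group.
demo_setgid_share() {
    base=$(mktemp -d)
    share="$base/stuff"
    grp=$(pick_group)
    setgid_share "$share" "$grp"
    touch "$share/newfile"

    echo "share dir: $share mode=$(mode_of "$share") group=$(group_of "$share")"
    echo "new file : group=$(group_of "$share/newfile") (creator's primary group: $(id -gn))"

    [ "$(group_of "$share/newfile")" = "$grp" ]
}

demo_setgid_share
```

With the directory set up this way the share stanza no longer needs `force user`: members of the owning group write, every other connecting user reads, and the filesystem rather than Samba decides which is which. Who may connect at all is still controlled by `valid users` or by share-level ACLs, as the reply notes.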

