[Samba] Is 'force user/group' misbehaving?

António Oliveira to.oliveira at gmail.com
Sat Dec 15 19:05:42 GMT 2007


Hello list,

I'm running ubuntu server 7.10 amd64 and trying to set up a samba server for
a LAN.
Samba version is 3.0.26a IIRC (I can't access the machine ATM)

I'm stumped with a problem and I believe it's related, somehow, to the
'force user' parameter, so I created this testcase to seek help...

In the example smb.conf I'm trying to create one share accessible to
everyone with a valid account in the server (people inside an office)

-----------8<--------------------------
[global]
# This is mostly what came default in the ubuntu smb.conf file
   workgroup   = blarghhhh
   netbios name = houston-we
   server string = got-a-problem
   dns proxy = no
# machine has also eth1 and eth2, both down ATM
   interfaces = 127.0.0.0/8 eth0
   bind interfaces only = true
   log file = /var/log/samba/log.%m
   max log size = 1000
   syslog = 0
   panic action = /usr/share/samba/panic-action %d
   debug level = 2
   security = user
   null passwords = yes
   encrypt passwords = true
   passdb backend = tdbsam
   invalid users = root
   passwd program = /usr/bin/passwd %u
   passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n *passwd:*password\supdated\ssuccessfully* .
   socket options = TCP_NODELAY

[public]
   path = /example
   browseable = yes
   writable = yes
   create mask = 777
   directory mask = 777
   force user = to
   force group = to

------------8<-----------------------------------------

/example is owned by root and has 777 permissions.

NB: This is just for testing with a fairly simple smb.conf file and to set
any file access permission problems aside.

I have users 'to' and 'ti' created in both the "system" and the samba db and
also (-e)nabled in samba...

With the exact smb.conf shown, when I try to enter "public", I'm asked a
user/pass. Whether I use to/pass or ti/pass, I can't even see the contents of
public and the client complains that the resource/directory does not exist.

If I comment out the force user and group declarations, both to/pass and
ti/pass have access to the share with read and write permissions.

Shouldn't this work even with those force user / group declarations in
place?? I'm clueless right now :(

This is what shows up in log.(machine) when the share fails:
------------------8<------------------------------------
[2007/12/14 15:55:55, 2] auth/auth.c:check_ntlm_password(309)
  check_ntlm_password:  authentication for user [to] -> [to] -> [to]
succeeded
[2007/12/14 15:55:55, 0] auth/auth_util.c:create_builtin_administrators(792)
  create_builtin_administrators: Failed to create Administrators
[2007/12/14 15:55:55, 2] auth/auth_util.c:create_local_nt_token(914)
  create_local_nt_token: Failed to create BUILTIN\Administrators group!
[2007/12/14 15:55:55, 0] auth/auth_util.c:create_builtin_users(758)
  create_builtin_users: Failed to create Users
[2007/12/14 15:55:55, 2] auth/auth_util.c:create_local_nt_token(941)
  create_local_nt_token: Failed to create BUILTIN\Users group!
[2007/12/14 15:55:55, 1] auth/auth_util.c:create_token_from_username(1110)
  sid_to_uid for to (S-1-5-21-133238273-2997305703-2950841162-3000) failed
------------8<-------------------------------------------

And, well, in case it's useful, here's what shows up when accessing the
share works (no declaration of force user / group) :
-------------------8<--------------------------------------------------------------
[2007/12/14 16:30:12, 2] auth/auth.c:check_ntlm_password(309)
  check_ntlm_password:  authentication for user [to] -> [to] -> [to]
succeeded
[2007/12/14 16:30:12, 0] auth/auth_util.c:create_builtin_administrators(792)
  create_builtin_administrators: Failed to create Administrators
[2007/12/14 16:30:12, 2] auth/auth_util.c:create_local_nt_token(914)
  create_local_nt_token: Failed to create BUILTIN\Administrators group!
[2007/12/14 16:30:12, 0] auth/auth_util.c:create_builtin_users(758)
  create_builtin_users: Failed to create Users
[2007/12/14 16:30:12, 2] auth/auth_util.c:create_local_nt_token(941)
  create_local_nt_token: Failed to create BUILTIN\Users group!
[2007/12/14 16:30:12, 1] smbd/service.c:make_connection_snum(1033)
  withus-mobile1 (192.168.250.4) connect to service public initially as user
to (uid=1000, gid=1000) (pid 8601)
----------------------------------8<--------------------------------------------------

Any help would be very appreciated
Cheers,
--to
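
An added triage example (not part of the original post and not Samba project code): it parses the `[timestamp, level] file:function(line)` entries seen in the two excerpts above, tolerating continuation lines that were wrapped without indentation, and reports for each successful authentication whether the session reached `make_connection_snum` or stopped at the `sid_to_uid` failure. The names `parse_entries` and `session_outcomes` are hypothetical, and the sample is constructed from lines in the post.

```python
import re

# Header of an smbd log entry: "[date time, level] source_file:function(line)"
HEADER = re.compile(r"^\[(\S+ \S+),\s*(\d+)\] (\S+?):(\w+)\((\d+)\)$")

# Constructed sample: entries taken from the two excerpts in the post.
SAMPLE = """\
[2007/12/14 15:55:55, 2] auth/auth.c:check_ntlm_password(309)
  check_ntlm_password:  authentication for user [to] -> [to] -> [to]
succeeded
[2007/12/14 15:55:55, 1] auth/auth_util.c:create_token_from_username(1110)
  sid_to_uid for to (S-1-5-21-133238273-2997305703-2950841162-3000) failed
[2007/12/14 16:30:12, 2] auth/auth.c:check_ntlm_password(309)
  check_ntlm_password:  authentication for user [to] -> [to] -> [to]
succeeded
[2007/12/14 16:30:12, 1] smbd/service.c:make_connection_snum(1033)
  withus-mobile1 (192.168.250.4) connect to service public initially as user
to (uid=1000, gid=1000) (pid 8601)
"""

def parse_entries(text):
    """Group each header line with its message lines (indented or wrapped)."""
    entries = []
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if m:
            entries.append({"ts": m.group(1), "func": m.group(4), "msg": ""})
        elif entries and line.strip():
            entries[-1]["msg"] = (entries[-1]["msg"] + " " + line.strip()).strip()
    return entries

def session_outcomes(entries):
    """One result per successful authentication: what the log shows next."""
    results = []
    for e in entries:
        if e["func"] == "check_ntlm_password" and e["msg"].endswith("succeeded"):
            user = re.search(r"for user \[([^\]]*)\]", e["msg"]).group(1)
            results.append({"ts": e["ts"], "user": user, "outcome": "no connection logged"})
        elif results and e["func"] == "create_token_from_username" and "sid_to_uid" in e["msg"]:
            sid = re.search(r"\((S-[\d-]+)\)", e["msg"]).group(1)
            results[-1]["outcome"] = "token creation failed: no uid for " + sid
        elif results and e["func"] == "make_connection_snum":
            svc = re.search(r"connect to service (\S+)", e["msg"]).group(1)
            results[-1]["outcome"] = "connected to " + svc
    return results

if __name__ == "__main__":
    for r in session_outcomes(parse_entries(SAMPLE)):
        print(r["ts"], r["user"], "->", r["outcome"])
```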

