[Samba] Strange behaviour with "force user" parameter
steve
steve at steve-ss.com
Tue Aug 12 07:07:01 MDT 2014
On Tue, 2014-08-12 at 14:58 +0200, Bruno MACADRÉ wrote:
> Hi,
>
> I'm having trouble with a share. I found that the problem comes from the
> "force user" parameter in my smb.conf.
>
> This is my smb.conf:
> [global]
> netbios name = filserv
> workgroup = SAMDOM
> security = ADS
> realm = SAMDOM.FR
> encrypt passwords = yes
>
> log level = 8
> log file = /var/log/samba/log.%m
>
> idmap config *:backend = tdb
> idmap config *:range = 70000-80000
> idmap config DPTINFO:backend = ad
> idmap config DPTINFO:schema = rfc2307
> idmap config DPTINFO:range = 10000-60000
>
> winbind nss info = rfc2307
> winbind trusted domains only = no
> winbind use default domain = yes
> winbind enum users = yes
> winbind enum groups = yes
>
> # Tuning
> strict locking = No
> strict sync = No
> sync always = No
> socket options = TCP_NODELAY IPTOS_LOWDELAY SO_KEEPALIVE SO_RCVBUF=8192 SO_SNDBUF=8192
> lanman auth = No
> lm announce = No
>
> kernel oplocks = yes
> read raw = yes
> write raw = yes
>
> max xmit = 65535
> dead time = 15
> getwd cache = yes
>
> invalid users = root
>
> case sensitive = yes
>
> [Admins]
> comment = Admins Share
> path = /Shares/Admins
> force user = administrator
> force group = "domain admins"
> read only = no
> valid users = +"domain admins"
> create mask = 0640
> directory mask = 0750
> oplocks = Yes
>
>
> On my workstation, logged in as root, I run "mount -t cifs -o
> user=administrator //filserv/Admins foo" and the mount works.
>
> I run 'ls -l foo':
> total 4
> drwxr-x--- 5 10500 50512 0 août 12 14:32 .
> drwx------ 5 root root 4096 août 4 09:18 ..
> drwxr-x--- 4 10500 50512 0 août 12 14:33 Linux
> drwxr-x--- 6 10500 50512 0 août 7 17:27 Windows
>
> Where 10500 is the UID of user administrator and 50512 is the GID of
> group "Domain Admins".
>
> I enter 'foo' and run 'touch bar', and I get a "Permission Denied"....
>
> If I comment out the "force group" parameter (and restart smbd):
>
> 'touch bar' => works
> 'ls -al':
> total 4
> drwxr-x--- 5 10500 50512 0 août 12 14:45 ./
> drwx------ 5 root root 4096 août 4 09:18 ../
> -rw-r----- 1 10500 50512 0 août 12 14:45 bar
> drwxr-x--- 4 10500 50512 0 août 12 14:33 Linux/
> drwxr-x--- 6 10500 50512 0 août 7 17:27 Windows/
>
> The file bar is there with good permissions, owner and group.... and is
> editable.
>
> If I uncomment the 'force user' parameter again (and restart samba) and
> try to remove the file, I get a "Permission Denied".
>
> I don't understand.... As I remember, this parameter worked in 4.1.9....
Hi
So you've not started winbind? What does /etc/nsswitch.conf have, and
what is the output of getfacl /Shares/Admins?
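
Added example, not part of the original thread: a small shell check for the first thing the reply asks about, whether the passwd and group databases in nsswitch.conf list winbind, so that "force user" and "force group" names can resolve to Unix IDs. The function names and the sample file are constructed for illustration; the parser assumes the usual "database: source ..." layout with whitespace after the colon.

```shell
#!/bin/sh
# Hypothetical helpers (not Samba tools) for inspecting an nsswitch.conf file.

# nss_sources FILE DB -> print the sources configured for DB, comments removed
nss_sources() {
    sed -e 's/#.*//' "$1" | awk -v db="$2" '
        $1 == db":" { $1 = ""; sub(/^ +/, ""); print; exit }'
}

# nss_has_winbind FILE DB -> exit status 0 if winbind is one of DB's sources
nss_has_winbind() {
    sed -e 's/#.*//' "$1" | awk -v db="$2" '
        $1 == db":" { for (i = 2; i <= NF; i++) if ($i == "winbind") found = 1 }
        END { exit !found }'
}

# check_idmap_prereqs FILE -> one report line per database;
# the return value is the number of databases that lack winbind
check_idmap_prereqs() {
    missing=0
    for db in passwd group; do
        if nss_has_winbind "$1" "$db"; then
            echo "$db: winbind present"
        else
            echo "$db: winbind MISSING (sources: $(nss_sources "$1" "$db"))"
            missing=$((missing + 1))
        fi
    done
    return "$missing"
}

# Constructed sample: winbind is active for passwd but commented out for group
sample=$(mktemp)
cat > "$sample" <<'EOF'
passwd:   compat winbind
group:    compat   # winbind
hosts:    files dns
EOF
check_idmap_prereqs "$sample" || echo "-> domain names will not resolve for the databases marked MISSING"
rm -f "$sample"
```

On the file server, point check_idmap_prereqs at /etc/nsswitch.conf, then confirm resolution with "getent passwd administrator" and collect the "getfacl /Shares/Admins" output the reply asks for.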