[Samba] "force user" option with NT4 domain

Bowie Bailey Bowie_Bailey at BUC.com
Fri Oct 17 13:15:13 MDT 2014 

On 10/17/2014 3:07 PM, Rowland Penny wrote:
> On 17/10/14 19:51, Bowie Bailey wrote:
>> On 10/17/2014 2:39 PM, Rowland Penny wrote:
>>> On 17/10/14 19:32, Bowie Bailey wrote:
>>>> On 10/17/2014 2:25 PM, steve wrote:
>>>>> On 17/10/14 20:14, Bowie Bailey wrote:
>>>>>> On 10/17/2014 1:02 PM, steve wrote:
>>>>>>> On 17/10/14 18:20, Bowie Bailey wrote:
>>>>>>>       it doesn't make them readable by
>>>>>>>> whichever user happens to connect unless I also change the
>>>>>>>> permissions
>>>>>>>> to 777.
>>>>>>> What is the acl on the share?
>>>>>> I have not intentionally set any acls.
>>>>>>
>>>>> Sorry mate. We can't guess.
>>>> Let me be a bit clearer.  I have not set any acls on the files and I
>>>> do not know how to either set the acls or list them.  If you give me
>>>> the command to show the acls, I'll take a look.
>>>>
>>>> Since I was the one who set up the original file share, there should
>>>> not be any acls unless they were created automatically in some way.
>>>>
>>> OK, make sure that you have the 'attr' package installed and then run
>>> 'getfacl /home/shares/public/public' , post the output of this command.
>> # getfacl /home/shares/public/public
>> getfacl: Removing leading '/' from absolute path names
>> # file: home/shares/public/public
>> # owner: pcguest
>> # group: pcguest
>> user::rwx
>> group::r-x
>> other::r-x
>>
>> I also created a brand new share as a test case with the exact same
>> results:
>>
>> [test]
>>     path = /home/shares/test
>>     public = yes
>>     writeable = yes
>>     browseable = yes
>>     force user = pcguest
>>
>> # getfacl /home/shares/test
>> getfacl: Removing leading '/' from absolute path names
>> # file: home/shares/test
>> # owner: pcguest
>> # group: pcguest
>> user::rwx
>> group::rwx
>> other::rwx
>>
>> It doesn't seem to be related to file permissions.  If the permissions
>> are wrong, I get "access denied".  I only see the error about the
>> security ID structure when the I add the "force user" option to the
>> share.
>>
> Can you please post your smb.conf so that we can see what you are
> authenticating to and how.

I noticed that there were some fixes for "force user" problems in Samba 
4.1.6.  CentOS 7 is still providing 4.1.1.  Could that be the issue?  I 
am investigating alternate sources for a newer package.

-- 
Bowie

More information about the samba mailing list