[Samba] "force user" option with NT4 domain

Bowie Bailey Bowie_Bailey at BUC.com
Fri Oct 17 14:14:19 MDT 2014


On 10/17/2014 3:50 PM, Rowland Penny wrote:
> On 17/10/14 20:38, Bowie Bailey wrote:
>> On 10/17/2014 3:24 PM, Rowland Penny wrote:
>>> On 17/10/14 20:15, Bowie Bailey wrote:
>>>> I noticed that there were some fixes for "force user" problems in
>>>> Samba 4.1.6.  CentOS 7 is still providing 4.1.1.  Could that be the
>>>> issue?  I am investigating alternate sources for a newer package.
>>>>
>>> It could be, what OS are you using and in the meantime please post your
>>> smb.conf.
>> The OS is CentOS 7.  I currently have it set with "security = user"
>> for testing.  Once I get it working, it will need to be "security =
>> domain" and connected to an NT domain.  Either way, the problem was
>> exactly the same.
>>
>> Normally, I connect to the shares from a Windows box.  If I connect
>> from linux with smbclient, I see this error:
>>
>> tree connect failed: NT_STATUS_INVALID_SID
>>
>> If I remove the "force user" option, the error goes away and I get
>> access to the share.
>>
>> Here is the smb.conf.  I have edited out a bunch of share definitions
>> that do not relate to this discussion.
>>
>> [global]
>>          workgroup = BUCINTL
>>          server string = Network Storage Server
>>          netbios name = BNIFSTORE2
>>          hosts allow = 10.8.0. 172.16. except 172.16.17.
>>          hosts deny = 172.16.17.
>>          log file = /var/log/samba/log.%m
>>          max log size = 5000
>>          log level = 1
>>          security = user
>>          passdb backend = tdbsam
>>         domain master = no
>>         local master = no
>>         preferred master = no
>>         wins support = no
>>         wins server = 172.16.1.12
>>         dns proxy = no
>>
>> [homes]
>>          comment = Home Directories
>>          path = /home/shares/private/%S
>>          browseable = no
>>          writable = yes
>>          create mask = 600
>>          directory mask = 700
>>          valid users = %S
>>
>> [public]
>>     comment = Public Share
>>     path = /home/shares/public/public
>>     public = yes
>>     guest ok = yes
>>     only guest = yes
>>     writeable = yes
>>     browsable = yes
>>     printable = no
>>
>> [test]
>>     path = /home/shares/test
>>     public = yes
>>     writeable = yes
>>     browseable = yes
>>     force user = bowieb, pcguest
>>     valid users = bowieb
>>
> Firstly, you are not using an NT4 domain, you have a standalone server,
> secondly, does the user pcguest exist in /etc/passwd AND the samba
> database. Does the group pcguest exist in /etc/group AND the samba database.
>
> I also do not think that it is going to work setting it up like this and
> then altering 'security =', you need to set the machine up as a domain
> member and then try again.

The machine was originally set up as a domain member and connected to 
the domain.  Everything worked except for the "force user" problem.  I 
switched it to a standalone server to remove the NT4 domain from the 
equation and attempt to simplify things.

The pcguest user did not exist in the samba database.  I added it and 
that solved the problem for the standalone server case.

I switched it back to the domain member setup and it continues to 
work...  Now I'm confused.  I previously added pcguest as a domain user 
without any effect.  Apparently it is still using the samba database for 
this user.  If I remove pcguest from the samba database, it stops 
working.  Is this expected behavior?  My login is still being 
authenticated by the domain, so the domain setup is working.  The only 
user in the samba database is pcguest.

-- 
Bowie
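
Added example (not part of the original message and not Samba project code): a shell check that reports, for each account named in "force user", whether it exists in the two places Rowland asks about, the Unix passwd data and the Samba database. The file names and sample data are constructed, and treating the comma-separated value from the thread's [test] share as two names to check is a choice of this example.

```shell
#!/bin/sh
# Added example: for every "force user" name in an smb.conf, report whether the
# account exists as a Unix user and in the Samba password database.
# On a live host the three inputs would come from: testparm -s,
# getent passwd, and pdbedit -L (lines of the form name:uid:fullname).

# force_users CONF -> "share<TAB>user" per forced account
force_users() {
    awk '
        /^[ \t]*\[/ { s = $0; gsub(/^[ \t]*\[|\].*$/, "", s); next }
        tolower($0) ~ /^[ \t]*force[ \t]*user[ \t]*=/ {
            v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]+$/, "", v)
            n = split(v, u, /[ \t]*,[ \t]*/)   # example choice: check each listed name
            for (i = 1; i <= n; i++) if (u[i] != "") print s "\t" u[i]
        }' "$1"
}

# audit CONF PASSWD PDBLIST -> "share user unix=yes|no samba=yes|no"
audit() {
    force_users "$1" | while IFS="$(printf '\t')" read -r share user; do
        unix=no; samba=no
        cut -d: -f1 "$2" | grep -qxF -- "$user" && unix=yes
        cut -d: -f1 "$3" | grep -qxF -- "$user" && samba=yes
        printf '%s %s unix=%s samba=%s\n' "$share" "$user" "$unix" "$samba"
    done
}

# Constructed sample data modelled on the thread (not captured from a real host).
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
cat > "$demo/smb.conf" <<'EOF'
[test]
    path = /home/shares/test
    force user = bowieb, pcguest
    valid users = bowieb
EOF
printf '%s\n' 'bowieb:x:1000:1000::/home/bowieb:/bin/bash' \
              'pcguest:x:1001:1001::/home/pcguest:/sbin/nologin' > "$demo/passwd"
printf '%s\n' 'bowieb:1000:Bowie' > "$demo/pdbedit"   # pcguest missing, as before the fix

audit "$demo/smb.conf" "$demo/passwd" "$demo/pdbedit"
```

A line ending in samba=no corresponds to the state in which the share failed in the thread; adding that account to the Samba database is what resolved it there.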



