[Samba] force user gives access denied unless SAM entry?

Kip Kennedy kiptonk at gmail.com
Tue Nov 16 21:56:58 UTC 2021

> The user must be authenticated before it gets anywhere near the share
> and with your setup if the user is authenticated and is allowed
> read/write access to the share everything will be saved as your 'forced
> user'
> However, 'bob' will never be allowed access by Samba (not unless guest
> access is set up correctly) because Samba hasn't got a clue who 'bob'
> is.

Sorry if it wasn't clear, I am authenticating and connecting fine as 
'alice'. I can then change directories and list files without error 
(file system reading as 'bob'). Only when I try and write do I receive 
an Access Denied (file system writing as 'bob').

Why should 'bob' need Samba authentication? As I read it, force user is 
used only for Linux file permissions. Shouldn't 'bob' need only exist as 
a local Linux account?

The log is showing an error about a SID / SAM lookup for 'bob'. Unless 
force user is also attempting to force SID mappings shouldn't the 
connected 'alice' be used for those SID lookups, not 'bob'? If I add 
'bob' to the SAM - even as a disabled account - the write will succeed.

More information about the samba mailing list