[Samba] force user gives access denied unless SAM entry?
Kip Kennedy
kiptonk at gmail.com
Thu Nov 18 05:46:18 UTC 2021
> The user must be authenticated by Samba (either as a Samba user, or by
> being a 'guest' user as described above).
>> Sorry if it wasn't clear, I am authenticating and connecting fine as
>> 'alice'.
To repeat again: I am authenticating fine as 'alice'. I can list files,
read files and change directories but there is an error on write. This
is a permissions issue well after authentication.
I finally tracked this down. A cached user SID is interfering with write
access via force user. TLDR: run 'net cache flush' if you've deleted a
user with 'pdbedit -xu' and are using force user with a directory where
only owner can write (or wait a week for cache expiration). Note
restarting Samba is not sufficient to clear the cache.
I can consistently reproduce a 'NT_STATUS_ACCESS_DENIED deleting remote
file' with the following:
[global]
server role = standalone
create mask = 0640
directory mask = 0750
[share]
path = /home/bob/shared
read only = no
force user = bob
f: /home/bob/shared
drwxr-xr-x root root /
drwxr-xr-x root root home
drwxr-x--- bob bob bob
drwxr-x--- bob bob shared
-adduser alice,bob
-smbpasswd alice,bob
-touch a couple files as bob in /home/bob/shared
-smbclient //test1/share -U bob, disconnect (caches bob's user SID).
-pdbedit -xu bob
-smbclient //test1/share -U alice, writes/deletes give error
'NT_STATUS_ACCESS_DENIED DENIED'
Not sure what the best fix is. Maybe 'pdbedit -xu' should flush any
relevant cache entries? I still don't understand why Samba is looking up
SIDs for the force user, I would think any SID checks should be using
the authenticated user and not the force user.
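A small audit script, added here as an illustration (it is not from this thread or from the Samba project), that parses an smb.conf like the one above together with a 'pdbedit -L' listing (assumed format name:uid:fullname) and flags every share whose force user is no longer in the passdb; when that share's path is writable by its owner only, the finding repeats the 'net cache flush' advice from the post. The smb.conf and pdbedit listing below are constructed samples.

```python
import configparser
import os
import stat
from typing import Callable, Dict, List, Optional, Tuple

# Constructed inputs mirroring the post: the smb.conf, and a 'pdbedit -L'
# listing captured after 'pdbedit -xu bob' (so only alice remains).
SAMPLE_SMB_CONF = """
[global]
server role = standalone
create mask = 0640
directory mask = 0750
[share]
path = /home/bob/shared
read only = no
force user = bob
"""
SAMPLE_PDBEDIT_L = "alice:1002:\n"  # assumed 'pdbedit -L' format: name:uid:fullname


def parse_smb_conf(text: str) -> Dict[str, Dict[str, str]]:
    """smb.conf is INI-like: '=' separated, keys case-insensitive (lowercased here)."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None, strict=False)
    cp.read_string(text)
    return {section: dict(cp[section]) for section in cp.sections()}


def parse_pdbedit_list(text: str) -> Dict[str, int]:
    """Map Samba account name -> uid from 'pdbedit -L' output (assumed format)."""
    users = {}
    for line in text.splitlines():
        parts = line.split(":")
        if len(parts) >= 2 and parts[0] and parts[1].isdigit():
            users[parts[0]] = int(parts[1])
    return users


def audit_force_user(conf: Dict[str, Dict[str, str]], samba_users: Dict[str, int],
                     stat_path: Optional[Callable[[str], Tuple[int, int]]] = None) -> List[str]:
    """One finding per share whose 'force user' is absent from the passdb listing.
    stat_path(path) returns (st_mode, st_uid); it is injectable so tests run offline."""
    stat_path = stat_path or (lambda p: (os.stat(p).st_mode, os.stat(p).st_uid))
    findings = []
    for share, opts in conf.items():
        forced = opts.get("force user")
        if share == "global" or not forced or forced in samba_users:
            continue
        path = opts.get("path", "")
        try:
            mode, uid = stat_path(path)
        except OSError:
            findings.append(f"[{share}]: force user '{forced}' not in passdb; cannot stat {path!r}")
            continue
        msg = f"[{share}]: force user '{forced}' is not in the Samba passdb (uid {uid} owns {path})"
        if not mode & (stat.S_IWGRP | stat.S_IWOTH):  # only the owner may write here
            msg += "; a stale cached SID for the removed account can yield NT_STATUS_ACCESS_DENIED on writes, so run 'net cache flush'"
        findings.append(msg)
    return findings
```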