[Samba] force user gives access denied unless SAM entry?

Kip Kennedy kiptonk at gmail.com
Thu Nov 18 05:46:18 UTC 2021

> The user must be authenticated by Samba (either as a Samba user, or by
> being a 'guest' user as described above. 

>> Sorry if it wasn't clear, I am authenticating and connecting fine as 
>> 'alice'. 

To repeat again: I am authenticating fine as 'alice'. I can list files, 
read files and change directories but there is an error on write. This 
is a permissions issue well after authentication.

I finally tracked this down. A cached user SID is interfering with write 
access via force user. TLDR: run 'net cache flush' if you've deleted a 
user with 'pdbedit -xu' and are using force user with a directory where 
only owner can write (or wait a week for cache expiration). Note 
restarting Samba is not sufficient to clear the cache.

I can consistently reproduce a 'NT_STATUS_ACCESS_DENIED deleting remote 
file' with the following:

    server role = standalone
    create mask = 0640
    directory mask = 0750
    path = /home/bob/shared
    read only = no
    force user = bob

f: /home/bob/shared
  drwxr-xr-x root root /
  drwxr-xr-x root root home
  drwxr-x--- bob  bob  bob
  drwxr-x--- bob  bob  shared

-adduser alice,bob
-smbpasswd alice,bob
-touch a couple files as bob in /home/bob/shared
-smbclient //test1/share -U bob, disconnect (caches bob's user SID).
-pdbedit -xu bob
-smbclient //test1/share -U alice, writes/deletes give error 

Not sure what the best fix is. Maybe 'pdbedit -xu' should flush any 
relevant cache entries? I still don't understand why Samba is looking up 
SIDs for the force user, I would think any SID checks should be using 
the authenticated user and not the force user.

More information about the samba mailing list