[Samba] force user gives access denied unless SAM entry?
kiptonk at gmail.com
Thu Nov 18 05:46:18 UTC 2021
> The user must be authenticated by Samba (either as a Samba user, or by
> being a 'guest' user as described above.
>> Sorry if it wasn't clear, I am authenticating and connecting fine as
To repeat again: I am authenticating fine as 'alice'. I can list files,
read files and change directories but there is an error on write. This
is a permissions issue well after authentication.
I finally tracked this down. A cached user SID is interfering with write
access via force user. TLDR: run 'net cache flush' if you've deleted a
user with 'pdbedit -xu' and are using force user with a directory where
only owner can write (or wait a week for cache expiration). Note
restarting Samba is not sufficient to clear the cache.
I can consistently reproduce a 'NT_STATUS_ACCESS_DENIED deleting remote
file' with the following:
server role = standalone
create mask = 0640
directory mask = 0750
path = /home/bob/shared
read only = no
force user = bob
drwxr-xr-x root root /
drwxr-xr-x root root home
drwxr-x--- bob bob bob
drwxr-x--- bob bob shared
-touch a couple files as bob in /home/bob/shared
-smbclient //test1/share -U bob, disconnect (caches bob's user SID).
-pdbedit -xu bob
-smbclient //test1/share -U alice, writes/deletes give error
Not sure what the best fix is. Maybe 'pdbedit -xu' should flush any
relevant cache entries? I still don't understand why Samba is looking up
SIDs for the force user, I would think any SID checks should be using
the authenticated user and not the force user.
More information about the samba