[Samba] force user gives access denied unless SAM entry?

Michael Evans michael.evans at nor-consult.com
Thu Nov 18 06:37:58 UTC 2021

> -----Original Message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of Kip
> Kennedy via samba
> Sent: Wednesday, November 17, 2021 9:46 PM
> To: samba at lists.samba.org
> Subject: Re: [Samba] force user gives access denied unless SAM entry?
> To repeat again: I am authenticating fine as 'alice'. I can list files,
> read files and change directories but there is an error on write. This
> is a permissions issue well after authentication.
> I can consistently reproduce a 'NT_STATUS_ACCESS_DENIED deleting remote
> file' with the following:
> [global]
>     server role = standalone
>     create mask = 0640
>     directory mask = 0750
> [share]
>     path = /home/bob/shared
>     read only = no
>     force user = bob
> f: /home/bob/shared
>   drwxr-xr-x root root /
>   drwxr-xr-x root root home
>   drwxr-x--- bob  bob  bob
>   drwxr-x--- bob  bob  shared
> -adduser alice,bob
> -smbpasswd alice,bob
> -touch a couple files as bob in /home/bob/shared
> -smbclient //test1/share -U bob, disconnect (caches bob's user SID).
> -pdbedit -xu bob
> -smbclient //test1/share -U alice, writes/deletes give error
> Not sure what the best fix is. Maybe 'pdbedit -xu' should flush any
> relevant cache entries? I still don't understand why Samba is looking up
> SIDs for the force user, I would think any SID checks should be using
> the authenticated user and not the force user.

Samba ultimately stores files in the Unix filesystem you're using.  Even
with ACLs extending the traditional unix model, everything is just a uid or
a gid.  That's what the idmap config block in smb.conf is for managing.

If you were to, e.g., run

getfacl /home/bob/shared

it might show only unix privileges

# file: home/example/example
# owner: root
# group: root

Or it might show more complicated output (if you don't include -n to have it
print the bare numbers, instead of looking up IDs)

# file: home/example/michael.evans/
# owner: root
# group: root

So when Samba tries to go work with the files that bob created with bob's
userID/groupID attached, or which were previously owned by bob, it will only
work if Samba knows bob's UID and GID to force.

You delete bob's UID/GID with the user, thus force user has nothing to force
the data to.

If you run, e.g., getfacl -n /path/to/file that bob made and get the numeric
UID you may be able to use it as an argument to force user.

man smb.conf

       force user (S)

           This specifies a UNIX user name that will be assigned as the
default user for all users connecting to this service. This is useful for
sharing files. You should also use it carefully as using it incorrectly can
cause security problems.

           This user name only gets used once a connection is established.
Thus clients still need to connect as a valid user and supply a valid
password. Once connected, all file operations will be performed as the
"forced user", no matter what username the client connected as. This can be
very useful.

           In Samba 2.0.5 and above this parameter also causes the primary
group of the forced user to be used as the primary group for all file
activity. Prior to 2.0.5 the primary group was left as the primary group of
the connecting user (this was a bug).

           Default: force user =

           Example: force user = auser

The manual only gives an example of a Named user, but it's probably possible
to specify the UID, even of a user that doesn't exist anymore.

You could also use chmod and/or setfacl to modify, recursively even, file
ownership from the unix side if you decide to change which user is forced.

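As an added example, not code from this thread or from Samba itself: a POSIX
sh script that checks a share tree for the condition described above, files
whose numeric owner or group no longer resolves to a Unix account, which is
the state in which a named "force user" has nothing to map to. It uses stat
rather than getfacl -n so it runs where the ACL tools are absent, and prints
(does not run) the chown that would re-home the files to a named forced
user. The share path, the function names and the chown-as-fix are
assumptions for the demo; whether smbd accepts a bare numeric "force user"
is left as the open question it is in the thread.

```shell
#!/bin/sh
# Added example, not from the thread or from Samba: report entries under a
# share whose owner UID or group GID no longer resolves, and suggest a fix.
# Usage: sh check_share.sh /home/bob/shared [newuser]

# Numeric "uid gid" of one path (GNU stat first, BSD stat as fallback).
owner_ids() {
    stat -c '%u %g' "$1" 2>/dev/null || stat -f '%u %g' "$1"
}

# Account name for a numeric UID; prints nothing if the UID is gone.
# id(1) goes through NSS, so LDAP/winbind-backed accounts resolve too.
uid_to_name() {
    id -un "$1" 2>/dev/null
}

# Group name for a numeric GID; prints nothing if the GID is unknown.
gid_to_name() {
    if command -v getent >/dev/null 2>&1; then
        getent group "$1" 2>/dev/null | cut -d: -f1
    else
        awk -F: -v g="$1" '$3 == g { print $1 }' /etc/group
    fi
}

# Print every entry under $1 whose owner or group does not resolve, one per
# line as "<path> uid=<n> gid=<n>". Prints nothing when everything resolves.
unresolved_files() {
    dir=$1
    find "$dir" -print | while IFS= read -r path; do
        ids=$(owner_ids "$path")
        uid=${ids% *}
        gid=${ids#* }
        if [ -z "$(uid_to_name "$uid")" ] || [ -z "$(gid_to_name "$gid")" ]; then
            printf '%s uid=%s gid=%s\n' "$path" "$uid" "$gid"
        fi
    done
}

# Print (do not run) the chown that re-homes a share tree to the account
# named in "force user", using that account's primary group, which is what
# smbd uses for file activity once force user is set. Run it as root after
# reviewing the list from unresolved_files.
suggest_chown() {
    share=$1
    newuser=$2
    printf 'chown -R %s:%s %s\n' "$newuser" "$(id -gn "$newuser")" "$share"
}

# Stand-alone use: check the share given on the command line and, if a
# replacement user is named, show the fix-up command.
if [ "$#" -gt 0 ]; then
    unresolved_files "$1"
    if [ "$#" -gt 1 ]; then
        suggest_chown "$1" "$2"
    fi
fi
```

On the thread's setup this would be run as "sh check_share.sh /home/bob/shared"
after the pdbedit -xu step; a Unix account that was removed with userdel
shows up as a bare number in the output, exactly what getfacl -n would show.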