[Samba] force user gives access denied unless SAM entry?
Michael Evans
michael.evans at nor-consult.com
Thu Nov 18 06:37:58 UTC 2021
> -----Original Message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of Kip
> Kennedy via samba
> Sent: Wednesday, November 17, 2021 9:46 PM
> To: samba at lists.samba.org
> Subject: Re: [Samba] force user gives access denied unless SAM entry?
>
> To repeat again: I am authenticating fine as 'alice'. I can list files,
> read files and change directories but there is an error on write. This
> is a permissions issue well after authentication.
>
>
> I can consistently reproduce a 'NT_STATUS_ACCESS_DENIED deleting remote
> file' with the following:
>
>
> [global]
> server role = standalone
> create mask = 0640
> directory mask = 0750
> [share]
> path = /home/bob/shared
> read only = no
> force user = bob
>
> f: /home/bob/shared
> drwxr-xr-x root root /
> drwxr-xr-x root root home
> drwxr-x--- bob bob bob
> drwxr-x--- bob bob shared
>
> -adduser alice,bob
> -smbpasswd alice,bob
> -touch a couple files as bob in /home/bob/shared
> -smbclient //test1/share -U bob, disconnect (caches bob's user SID).
> -pdbedit -xu bob
> -smbclient //test1/share -U alice, writes/deletes give error
> 'NT_STATUS_ACCESS_DENIED DENIED'
>
>
> Not sure what the best fix is. Maybe 'pdbedit -xu' should flush any
> relevant cache entries? I still don't understand why Samba is looking up
> SIDs for the force user, I would think any SID checks should be using
> the authenticated user and not the force user.
>
Samba ultimately stores files in the Unix filesystem you're using. Even
with ACLs extending the traditional Unix model, everything is just a uid or
a gid. That's what the idmap config block in smb.conf is there to manage.
If you were to run, e.g.,
getfacl /home/bob/shared
it might show only Unix privileges:
# file: home/example/example
# owner: root
# group: root
user::rwx
group::r-x
other::---
Or it might show more complicated output (if you don't include -n, which has it
print the bare numbers instead of looking up IDs):
# file: home/example/michael.evans/
# owner: root
# group: root
user::rwx
user:michael.evans:rwx
group::---
group:domain\040admins:rwx
mask::rwx
other::---
default:user::rwx
default:user:michael.evans:rwx
default:group::---
default:group:domain\040admins:rwx
default:mask::rwx
default:other::---
So when Samba tries to go work with the files that bob created with bob's
userID/groupID attached, or which were previously owned by bob, it will only
work if Samba knows bob's UID and GID to force.
You delete bob's UID/GID with the user, thus force user has nothing to force
the data to.
If you run, e.g., getfacl -n /path/to/file that bob made and get the numeric
UID, you may be able to use it as an argument to force user.
man smb.conf
force user (S)
This specifies a UNIX user name that will be assigned as the
default user for all users connecting to this service. This is useful for
sharing files. You should also use it carefully as using it incorrectly can
cause security problems.
This user name only gets used once a connection is established.
Thus clients still need to connect as a valid user and supply a valid
password. Once connected, all file operations will be performed as the
"forced user", no matter what username the client connected as. This can be
very useful.
In Samba 2.0.5 and above this parameter also causes the primary
group of the forced user to be used as the primary group for all file
activity. Prior to 2.0.5 the primary group was left as the primary group of
the connecting user (this was a bug).
Default: force user =
Example: force user = auser
The manual only gives an example of a named user, but it's probably possible
to specify the UID, even of a user that doesn't exist anymore.
You could also use chmod and/or setfacl to modify file ownership, recursively
even, from the Unix side if you decide to change which user is forced.