Created attachment 12920
samba log debug level 10

I'm trying to use the 'force user' feature on a share in an AD environment and it fails: I cannot access the share from a Windows domain member as user 'toon', nor as user 'stel' (see below). When I remove the 'force user', the share is available.

I want files stored on the share (by other domain users, such as user 'stel', see below) to obtain the uid/gid of the 'force user = toon'.

I know this bug/error has been discussed before; however, the related posts do not solve this problem for me.

I have tried:
1) remove 'force user' and the share is available
2) added 'force group', does not change things, share still not available
3) 'winbind use default domain = no' and 'force user = VONDERKAMP\toon', does not change things, share still not available
4) tested with other users, no change

Using samba 4.2.14-Debian in Debian-Lenny. It was working previously in Debian-Wheezy.

The log (at debug level = 10) shows:

2017/02/13 08:49:05.153857, 1, pid=31911, effective(0, 0), real(0, 0), class=auth] ../source3/auth/server_info.c:396(SamInfo3_handle_sids)
  The primary group domain sid(S-1-5-21-2784292050-724950362-990980605-3001) does not match the domain sid(S-1-5-21-437306792-4118923543-1308149834) for toon(S-1-22-1-1001)

My configuration:

[global]
    security = ADS
    workgroup = VONDERKAMP
    realm = VONDERKAMP.XX.XXXXXX.COM
    netbios name = LENO
    log file = /var/log/samba/%m.log
    log level = 10

    # use the winbind 'ad' backend. (see https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member#Preparing_the_host_for_the_domain_join )
    # Default idmap config used for BUILTIN and local windows accounts/groups
    idmap config *:backend = tdb
    idmap config *:range = 100-999

    # idmap config for domain VONDERKAMP
    idmap config VONDERKAMP:backend = ad
    idmap config VONDERKAMP:schema_mode = rfc2307
    idmap config VONDERKAMP:range = 1000-99999

    username map = /etc/samba/user.map
    kerberos method = secrets and keytab

    # Use settings from AD for login shell and home directory
    winbind nss info = rfc2307

[svn]
    writeable = yes
    valid users = stel,toon,@guepin
    write list = guepin
    path = /home/toon/svn
    force group = guepin
    force user = toon

The samba server LENO:

root@leno:/etc/samba# net getdomainsid
SID for local machine LENO is: S-1-5-21-437306792-4118923543-1308149834
SID for domain VONDERKAMP is: S-1-5-21-2784292050-724950362-990980605

The mapping toon(S-1-22-1-1001) seems to be correct.
The mapping group domain sid(S-1-5-21-2784292050-724950362-990980605-3001) seems correct (toon belongs to this group).

What seems awkward to me is that the domain sid(S-1-5-21-437306792-4118923543-1308149834) in the error matches the SID of the local machine.

Is this a bug or a configuration error?
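
An added illustration, not part of the original report and not Samba code: a small script that labels each of the three SIDs in the SamInfo3_handle_sids message by comparing it with the 'net getdomainsid' output quoted above. The function names are hypothetical; the two input strings are copied from the report.

```python
import re

# Sample input copied from the report above (log message and 'net getdomainsid' output).
LOG_LINE = ("The primary group domain sid(S-1-5-21-2784292050-724950362-990980605-3001) "
            "does not match the domain sid(S-1-5-21-437306792-4118923543-1308149834) "
            "for toon(S-1-22-1-1001)")
NET_GETDOMAINSID = """SID for local machine LENO is: S-1-5-21-437306792-4118923543-1308149834
SID for domain VONDERKAMP is: S-1-5-21-2784292050-724950362-990980605"""

MSG_RE = re.compile(
    r"primary group domain sid\((?P<group>S-[\d-]+)\) does not match "
    r"the domain sid\((?P<domain>S-[\d-]+)\) for (?P<user>[^\s(]+)\((?P<user_sid>S-[\d-]+)\)")
NET_RE = re.compile(r"^SID for (local machine|domain) (\S+) is: (S-[\d-]+)$", re.M)


def parse_known_sids(net_output):
    """Map each SID printed by 'net getdomainsid' to a readable label."""
    return {sid: f"{kind} {name}" for kind, name, sid in NET_RE.findall(net_output)}


def label_sid(sid, known):
    """Name the authority a SID belongs to: the full SID first, then the SID minus its RID."""
    if sid.startswith("S-1-22-1-"):
        return "Unix user (S-1-22-1, not from any Windows domain)"
    if sid.startswith("S-1-22-2-"):
        return "Unix group (S-1-22-2, not from any Windows domain)"
    parent = sid.rsplit("-", 1)[0]  # strip the trailing RID
    return known.get(sid) or known.get(parent) or "unknown authority"


def explain(log_line, net_output):
    """Return {field: label} for the three SIDs in the mismatch message."""
    m = MSG_RE.search(log_line)
    if m is None:
        raise ValueError("not a SamInfo3_handle_sids mismatch message")
    known = parse_known_sids(net_output)
    return {
        "user": label_sid(m["user_sid"], known),
        "primary_group": label_sid(m["group"], known),
        "compared_domain": label_sid(m["domain"], known),
    }


if __name__ == "__main__":
    for field, label in explain(LOG_LINE, NET_GETDOMAINSID).items():
        print(f"{field:16} {label}")
```

On the values from the report, the forced user resolves to a Unix user SID, its primary group to domain VONDERKAMP, and the SID it is compared against to local machine LENO.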