The Samba-Bugzilla – Bug 1390
"force user" has no effect with "security = domain"
Last modified: 2004-05-29 22:02:26 UTC

I want to authenticate users against my password server "loke" for the domain
"imcode", but I want them to all use the local unix user "samba". I thought
"force user" would let me do this, but I can't get it to work.
I can see in the logs that it is forcing user samba when I list shares
anonymously with "smbclient -L kvaser": "Forced user samba".
However, I see no such thing when trying to access the share "//kvaser/www" as
user "chrham", only "User chrham does not exist, trying to add it".
If I add a local unix user "chrham", I can access the share, but I don't want to
have to add local accounts for all my domain users, and I don't think it should
be necessary to set up winbindd.

netbios name = kvaser
workgroup = IMCODE
security = domain
password server = loke
encrypt passwords = yes
log level = 3
log file = /var/log/samba/%m.log
force user = samba
path = /home/www
force group = www

This is not how force user works. Please reread the docs.
You could possibly set 'map to guest = bad user' and the 'force user'.

For "map to guest = bad user" to be of use, I have to set "guest ok = yes", and
something like "guest account = samba". This opens up the share for anyone
without a valid domain user or password, which makes the whole "security =
domain" thing pointless. Am I right?
I (simply?) want to authenticate users against domain controller "loke", without
them needing a local unix user account.
Could you please point me in the general direction of the correct/"best
practices" docs/"TFM" for something like this?

The best practice in this case is to make the users available
via nss (either nss_ldap or nss_winbind). Samba *must* be able
to get a uid for each user (even if the authentication is done
via a remote DC) and a gid for each group.

I see, thank you very much for your assistance.
(I just got winbind working... seems I was bitten by bug 1315, which I solved
with "client schannel = no".)
However, I'm wondering, wouldn't it be good if one *could* use "force user" for
this purpose in some future version of Samba?

Nope. Force user is not intended for that purpose.
However, another alternative would be a username map.
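
The setup the thread converges on, as an added example that is not part of the original bug report or of the Samba project's documentation: domain users are resolved to uids/gids through winbind and NSS, and "force user" then applies to the share once the client has authenticated. The idmap ranges, the "winbind use default domain" setting and the [global]/[www] section layout are assumptions; the parameter names are those of Samba 3.0-era releases, and the remaining values come from the report.

```ini
# /etc/nsswitch.conf (separate file): let the C library resolve domain accounts
#   passwd: files winbind
#   group:  files winbind

[global]
    netbios name = kvaser
    workgroup = IMCODE
    security = domain
    password server = loke
    encrypt passwords = yes

    # Assumed ranges: winbindd allocates Unix uids/gids for domain users
    # and groups from these, so no local account per domain user is needed.
    idmap uid = 10000-20000
    idmap gid = 10000-20000
    # Assumption: lets "chrham" resolve without the "IMCODE" prefix.
    winbind use default domain = yes

[www]
    path = /home/www
    # Takes effect only after the client has authenticated as a valid user
    # that Samba can map to a Unix account; file operations on the share
    # are then performed as this user and group.
    force user = samba
    force group = www
```

With winbindd running, "getent passwd chrham" on kvaser should return an entry before any share access is attempted; if it does not, the "User chrham does not exist" message from the report is the expected result regardless of "force user".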