I want to authenticate users against my password server "loke" for the domain "imcode", but I want them to all use the local unix user "samba". I thought "force user" would let me do this, but I can't get it to work. I can see in the logs that it is forcing user samba when I list shares anonymously with "smbclient -L kvaser": "Forced user samba". However, I see no such thing when trying to access the share "//kvaser/www" as user "chrham", only "User chrham does not exist, trying to add it". If I add a local unix user "chrham", I can access the share, but I don't want to have to add local accounts for all my domain users, and I don't think it should be necessary to set up winbindd.

# smb.conf
netbios name = kvaser
workgroup = IMCODE
security = domain
password server = loke
encrypt passwords = yes
log level = 3
log file = /var/log/samba/%m.log
force user = samba

[www]
path = /home/www
force group = www
This is not how force user works. Please reread the docs. You could possibly set 'map to guest = bad user' and the 'force user'.
For "map to guest = bad user" to be of use, I have to set "guest ok = yes", and something like "guest account = samba". This opens up the share for anyone without a valid domain user or password, which makes the whole "security = domain" thing pointless. Am I right? I (simply?) want to authenticate users against domain controller "loke", without them needing a local unix user account. Could you please point me in the general direction of the correct/"best practices" docs/"TFM" for something like this?
The best practice in this case is to make the users available via nss (either nss_ldap or nss_winbind). Samba *must* be able to get a uid for each user (even if the authentication is done via a remote DC) and a gid for each group.
I see, thank you very much for your assistance. (I just got winbind working... seems I was bitten by bug 1315, which I solved with "client schannel = no".) However, I'm wondering, wouldn't it be good if one *could* use "force user" for this purpose in some future version of samba? Again, thanks!
Nope. Force user is not intended for that purpose. However, another alternative would be a username map.
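As an added illustration of the two suggestions in this thread (winbind-backed nss as the best practice, and username map as the alternative), here is a constructed smb.conf based on the original poster's settings; it is not from any of the participants. The idmap range, template paths and the smbusers file path are assumed values, and the option syntax is that of Samba 3.0-era releases.

```ini
# Constructed example smb.conf: security = domain with winbindd supplying
# uid/gid for domain users, so no per-user local unix account is needed.
[global]
   netbios name = kvaser
   workgroup = IMCODE
   security = domain
   password server = loke
   encrypt passwords = yes
   log level = 3
   log file = /var/log/samba/%m.log

   # winbindd allocates uids/gids for domain accounts in these (assumed) ranges.
   # Samba must resolve every authenticated user to a uid and every group
   # to a gid, even when the DC does the actual authentication.
   idmap uid = 10000-20000
   idmap gid = 10000-20000
   winbind use default domain = yes
   winbind enum users = yes
   winbind enum groups = yes
   template shell = /bin/false
   template homedir = /home/%D/%U

   # /etc/nsswitch.conf must also consult winbind, e.g.:
   #   passwd: files winbind
   #   group:  files winbind

   # Alternative named in the last reply: map authenticated domain users to
   # local accounts with a map file (assumed path). A line such as
   #   samba = *
   # in that file maps every user to the unix account "samba".
   # username map = /etc/samba/smbusers

   # Weak setting from the thread, left disabled: with "guest ok = yes" it
   # admits anyone whose login fails as the guest account, which defeats the
   # point of domain authentication.
   # map to guest = bad user
   # guest account = samba

[www]
   path = /home/www
   # Authenticated domain users touch the filesystem as local user "samba";
   # this is applied after authentication, not instead of it.
   force user = samba
   force group = www
```

Run "wbinfo -u" and "getent passwd" after joining the domain to confirm that domain users resolve through nss before testing the share.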