Bug 1390 - "force user" has no effect with "security = domain"
Product: Samba 3.0
Classification: Unclassified
Component: User/Group Accounts
Hardware: All Linux
Importance: P3 normal
Target Milestone: none
Assigned To: Samba Bugzilla Account
Reported: 2004-05-27 03:18 UTC by Christoffer Hammarström
Modified: 2004-05-29 22:02 UTC
Description Christoffer Hammarström 2004-05-27 03:18:37 UTC
I want to authenticate users against my password server "loke" for the domain
"imcode", but I want them all to use the local unix user "samba". I thought
"force user" would let me do this, but I can't get it to work.

I can see in the logs that it is forcing user samba when I list shares
anonymously with "smbclient -L kvaser": "Forced user samba".
However, I see no such thing when trying to access the share "//kvaser/www" as
user "chrham", only "User chrham does not exist, trying to add it".

If I add a local unix user "chrham", I can access the share, but I don't want to
have to add local accounts for all my domain users, and I don't think it should
be necessary to set up winbindd.

# smb.conf
# (section headers restored: the first block is [global]; the share is the
#  "//kvaser/www" share referred to above)
[global]
netbios name = kvaser
workgroup = IMCODE
security = domain
password server = loke
encrypt passwords = yes
log level = 3
log file = /var/log/samba/%m.log

force user = samba

[www]
path = /home/www
force group = www
Comment 1 Gerald (Jerry) Carter 2004-05-27 04:08:25 UTC
This is not how force user works.  Please reread the docs.
You could possibly set 'map to guest = bad user' and the 'force user'.
Comment 2 Christoffer Hammarström 2004-05-27 13:42:23 UTC
For "map to guest = bad user" to be of use, I have to set "guest ok = yes", and
something like "guest account = samba". This opens up the share for anyone
without a valid domain user or password, which makes the whole "security =
domain" thing pointless. Am I right?

I (simply?) want to authenticate users against domain controller "loke", without
them needing a local unix user account.

Could you please point me in the general direction of the correct/"best
practices" docs/"TFM" for something like this?
Comment 3 Gerald (Jerry) Carter 2004-05-27 16:11:09 UTC
The best practice in this case is to make the users available 
via nss (either nss_ldap or nss_winbind).  Samba *must* be able 
to get a uid for each user (even if the authentication is done
via a remote DC) and a gid for each group.
Comment 4 Christoffer Hammarström 2004-05-27 17:05:04 UTC
I see, thank you very much for your assistance.

(I just got winbind working... seems I was bitten by bug 1315, which I solved
with "client schannel = no".)

However, I'm wondering, wouldn't it be good if one *could* use "force user" for
this purpose in some future version of samba?

Again, thanks!
Comment 5 Gerald (Jerry) Carter 2004-05-29 22:02:26 UTC
Nope.  Force user is not intended for that purpose.
However, another alternative would be a username map.
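The two points made in this thread, Comment 3 (Samba must obtain a Unix uid for every authenticated user through NSS, whatever "force user" says) and Comment 5 (a "username map" is the supported way to land several SMB users on one Unix account), can both be checked offline. The following is an added example and not Samba code or anything posted in this bug: `resolves_via_nss()` performs the same NSS lookup Samba needs (it is what fails for "chrham" until nss_winbind or nss_ldap is in place), and `apply_username_map()` re-implements the map-file rules described in smb.conf(5) so the wildcard and "!" behaviour can be tried without a running smbd. The map file contents and the user names "anna", "bob" and "fred" are constructed for the example. The group-membership check is simplified to supplementary members from grp; NIS netgroup tokens ("&group") are not handled. Two caveats a practitioner should keep in mind: in security = domain mode the map is applied after the DC has accepted the credentials (smb.conf(5) documents this for Samba 3.0.8 and later), so it does not bypass domain authentication; and, exactly as with "force user", collapsing many domain users onto one Unix account means file ownership and the audit trail on the filesystem no longer identify who did what.

```python
"""Added example (not Samba code): the two checks behind the advice in bug 1390.

1. Samba needs a Unix uid for every authenticated SMB user and obtains it the
   way pwd.getpwnam() does, via NSS (files, nss_ldap, nss_winbind ...).  If no
   NSS source knows the name, session setup fails regardless of 'force user'.
2. A 'username map' file can redirect an SMB name to a different Unix account
   before that lookup.  apply_username_map() follows the rules in smb.conf(5).
"""
import grp
import pwd
import shlex


def resolves_via_nss(name):
    """Return the uid NSS resolves for `name`, or None if no NSS source knows it."""
    try:
        return pwd.getpwnam(name).pw_uid
    except KeyError:
        return None


def unix_group_has(group, user):
    """Unix group membership for the map file's '@group' / '+group' tokens.
    Simplification: only supplementary members listed in grp are checked,
    not users whose primary gid in passwd is this group."""
    try:
        return user in grp.getgrnam(group).gr_mem
    except KeyError:
        return False


def apply_username_map(smb_user, map_text, in_group=unix_group_has):
    """Apply a 'username map' file to `smb_user`; return the resulting Unix name.

    Rules implemented (smb.conf(5)):
      unixname = smbname1 smbname2 ...   lines are processed in order and the
                                         result of one line feeds the next
      '*' on the right matches any name
      '@group' / '+group' on the right matches members of a Unix group
      a leading '!' on unixname stops processing once that line has matched
      '#' and ';' start comment lines; quoted names may contain spaces
    Names are compared case-insensitively, as Samba compares them.
    """
    name = smb_user
    for raw in map_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;" or "=" not in line:
            continue
        lhs, rhs = line.split("=", 1)
        unixname = lhs.strip()
        stop = unixname.startswith("!")
        unixname = unixname.lstrip("!").strip().strip('"')
        for token in shlex.split(rhs):
            if token == "*":
                matched = True
            elif token[0] in "@+":
                matched = in_group(token[1:], name)
            else:
                matched = token.lower() == name.lower()
            if matched:
                name = unixname
                if stop:
                    return name
                break  # one match per line, then continue with the next line
    return name


# Constructed map file for the situation in the bug (not from the report):
# the listed IMCODE users land on the local 'samba' account; everyone else
# is mapped to 'nobody'.
EXAMPLE_MAP = """\
; map selected domain users to the shared local account and stop there
!samba = chrham anna
; catch-all for everything not handled above
nobody = *
"""

# The same idea written without '!': because later lines see the result of
# earlier ones, chrham becomes samba and then falls through to nobody.
NAIVE_MAP = """\
samba = chrham
nobody = *
"""


if __name__ == "__main__":
    for user in ("chrham", "anna", "bob", "samba"):
        unix_name = apply_username_map(user, EXAMPLE_MAP)
        print(f"{user:8} -> {unix_name:8} uid via NSS: {resolves_via_nss(unix_name)}")
    print("chrham under NAIVE_MAP ->", apply_username_map("chrham", NAIVE_MAP))
```

Note that "samba" itself is mapped to "nobody" by EXAMPLE_MAP: it is not on the right-hand side of the "!" line, so it reaches the catch-all. Any name that must keep its own Unix identity (local administrators, service accounts) needs its own "!" line before a wildcard entry.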