The Samba-Bugzilla – Bug 4210
Domain prefix on "force user" value fails
Last modified: 2008-07-01 15:55:48 UTC
Environment: Fedora Core 5 with all updates, Samba 3.0.23c, winbind is mapping domain users and groups (idmap rid).
We have a share with a definition like:
path = /home/D13/computerclub
valid users = "D13\administrator" "D13\computerclub" "D13\cmueller"
force user = "D13\computerclub"
writeable = yes
This works as expected in 3.0.23a. In 3.0.23c, we get an error when trying to access the share from Windows. When we try using smbclient we get:
$ smbclient //wfserver/computerclub -U computerclub
Domain=[D13] OS=[Unix] Server=[Samba 3.0.23c-1.fc5]
tree connect failed: Call returned zero bytes (EOF)
The problem is associated with the "force user" statement. If I comment it out, I can connect. Pointing it to a "real" Linux user (e.g., "nobody") works. "valid users" is working correctly. It appears as though the problem is having a domain prefix on the forced user.
ls -l shows the directory and everything in it as owned by D13\computerclub, so the host side is seeing the user correctly.
I saw this just last night in 3.0.28a on Ubuntu 8.04. Both the "force group" and "valid users=@DOMAIN\group" directives failed to be evaluated. The group was not expanded to its members, so if a valid member of a group tried to access a share, access was denied. If "valid users = DOMAIN\user" was used, the user could access the share. Because it was 3:30 AM when we realized what was going on, I reverted back to 3.0.24 and everything seems to be working. I can file a new bug report on this if necessary and try to make a test system to replicate it.
John Terpstra actually discovered the problem.
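
Added example, not part of the bug report or of Samba: a small audit that lists every share whose "force user", "force group" or "valid users" value carries a domain prefix, so the shares exposed to the behaviour reported above can be re-tested after an upgrade. The share names [computerclub] and [scratch], the second share and the function names are assumptions; the first share's values mirror the definition quoted in the report.

```python
import configparser
import re

# Directives the reports above describe as failing with domain-qualified names.
DIRECTIVES = ("force user", "force group", "valid users")

# Constructed sample smb.conf fragment (share names are assumptions).
SAMPLE = r'''
[computerclub]
path = /home/D13/computerclub
valid users = "D13\administrator" "D13\computerclub" "D13\cmueller"
force user = "D13\computerclub"
writeable = yes

[scratch]
path = /srv/scratch
valid users = @DOMAIN\group, localuser
force user = nobody
'''

# A name is either a double-quoted string or a run without spaces/commas.
TOKEN = re.compile(r'"([^"]*)"|([^\s,]+)')

def split_names(value):
    """Split a name list on whitespace and commas, honouring double quotes."""
    return [quoted or bare for quoted, bare in TOKEN.findall(value)]

def domain_qualified(smb_conf_text):
    """Return (share, directive, name) for every DOMAIN\\name entry found."""
    cp = configparser.RawConfigParser(strict=False, delimiters=("=",))
    # smb.conf ignores case and whitespace in parameter names.
    cp.optionxform = lambda key: "".join(key.lower().split())
    cp.read_string(smb_conf_text)
    hits = []
    for share in cp.sections():
        for directive in DIRECTIVES:
            if not cp.has_option(share, directive):
                continue
            for name in split_names(cp.get(share, directive)):
                # Ignore the group-expansion prefixes (@, +, &) when checking.
                if "\\" in name.lstrip("@+&"):
                    hits.append((share, directive, name))
    return hits

if __name__ == "__main__":
    for share, directive, name in domain_qualified(SAMPLE):
        print(f"[{share}] {directive}: {name}")
```
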