Bruno MACADRÉ
2014-Aug-12 12:58 UTC
[Samba] Strange behaviour with "force user" parameter
Hi,
I'm in trouble with a share, I found that the problem comes from the
"force user" parameter in my smb.conf.
This is my smb.conf :
[global]
netbios name = filserv
workgroup = SAMDOM
security = ADS
realm = SAMDOM.FR
encrypt passwords = yes

log level = 8
log file = /var/log/samba/log.%m

idmap config *:backend = tdb
idmap config *:range = 70000-80000
idmap config DPTINFO:backend = ad
idmap config DPTINFO:schema = rfc2307
idmap config DPTINFO:range = 10000-60000

winbind nss info = rfc2307
winbind trusted domains only = no
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes

# Tuning
strict locking = No
strict sync = No
sync always = No
socket options = TCP_NODELAY IPTOS_LOWDELAY SO_KEEPALIVE SO_RCVBUF=8192 SO_SNDBUF=8192
lanman auth = No
lm announce = No

kernel oplocks = yes
read raw = yes
write raw = yes

max xmit = 65535
dead time = 15
getwd cache = yes

invalid users = root

case sensitive = yes

[Admins]
comment = Admins Share
path = /Shares/Admins
force user = administrator
force group = "domain admins"
read only = no
valid users = +"domain admins"
create mask = 0640
directory mask = 0750
oplocks = Yes
On my workstation, logged with root user, I do : "mount -t cifs -o
user=administrator //filserv/Admins foo" the mount works.
I do an 'ls -l foo' :
total 4
drwxr-x--- 5 10500 50512 0 août 12 14:32 .
drwx------ 5 root root 4096 août 4 09:18 ..
drwxr-x--- 4 10500 50512 0 août 12 14:33 Linux
drwxr-x--- 6 10500 50512 0 août 7 17:27 Windows
Where 10500 is the UID of user administrator and 50512 is the GID of
group "Domain Admins".
I enter into 'foo' and do 'touch bar' I get a "Permission
Denied"....
If I comment the "force group" parameter (and restart smbd) :
'touch bar' => works
'ls -al':
total 4
drwxr-x--- 5 10500 50512 0 août 12 14:45 ./
drwx------ 5 root root 4096 août 4 09:18 ../
-rw-r----- 1 10500 50512 0 août 12 14:45 bar
drwxr-x--- 4 10500 50512 0 août 12 14:33 Linux/
drwxr-x--- 6 10500 50512 0 août 7 17:27 Windows/
The file bar is here with good permissions, owner and groups.... and is
editable
If I uncomment again the 'force user' parameter (and restart samba), if
I want to remove file, I get a "Permission Denied"
I don't understand.... In my memories this parameter worked in 4.1.9....
Regards,
Bruno
--
Bruno MACADRE
-------------------------------------------------------------------
Ingénieur Systèmes et Réseau | Systems and Network Engineer
Département Informatique | Department of computer science
Responsable Info SER | SER IT Manager
Université de Rouen | University of Rouen
-------------------------------------------------------------------
Coordonnées / Contact :
Université de Rouen
Faculté des Sciences et Techniques - Madrillet
Avenue de l'Université
CS 70012
76801 St Etienne du Rouvray CEDEX
FRANCE
Tél : +33 (0)2-32-95-51-86
Mob : +33 (0)6-74-71-45-64
-------------------------------------------------------------------
On Tue, 2014-08-12 at 14:58 +0200, Bruno MACADRÉ wrote:
> Hi,
>
> I'm in trouble with a share, I found that the problem comes from the
> "force user" parameter in my smb.conf.
>
> This is my smb.conf :
> [global]
> netbios name = filserv
> workgroup = SAMDOM
> security = ADS
> realm = SAMDOM.FR
> encrypt passwords = yes
>
> log level = 8
> log file = /var/log/samba/log.%m
>
> idmap config *:backend = tdb
> idmap config *:range = 70000-80000
> idmap config DPTINFO:backend = ad
> idmap config DPTINFO:schema = rfc2307
> idmap config DPTINFO:range = 10000-60000
>
> winbind nss info = rfc2307
> winbind trusted domains only = no
> winbind use default domain = yes
> winbind enum users = yes
> winbind enum groups = yes
>
> # Tuning
> strict locking = No
> strict sync = No
> sync always = No
> socket options = TCP_NODELAY IPTOS_LOWDELAY SO_KEEPALIVE
> SO_RCVBUF=8192 SO_SNDBUF=8192
> lanman auth = No
> lm announce = No
>
> kernel oplocks = yes
> read raw = yes
> write raw = yes
>
> max xmit = 65535
> dead time = 15
> getwd cache = yes
>
> invalid users = root
>
> case sensitive = yes
>
> [Admins]
> comment = Admins Share
> path = /Shares/Admins
> force user = administrator
> force group = "domain admins"
> read only = no
> valid users = +"domain admins"
> create mask = 0640
> directory mask = 0750
> oplocks = Yes
>
>
> On my workstation, logged with root user, I do : "mount -t cifs -o
> user=administrator //filserv/Admins foo" the mount works.
>
> I do an 'ls -l foo' :
> total 4
> drwxr-x--- 5 10500 50512 0 août 12 14:32 .
> drwx------ 5 root root 4096 août 4 09:18 ..
> drwxr-x--- 4 10500 50512 0 août 12 14:33 Linux
> drwxr-x--- 6 10500 50512 0 août 7 17:27 Windows
>
> Where 10500 is the UID of user administrator and 50512 is the GID of
> group "Domain Admins".
>
> I enter into 'foo' and do 'touch bar' I get a "Permission Denied"....
>
> If I comment the "force group" parameter (and restart smbd) :
>
> 'touch bar' => works
> 'ls -al':
> total 4
> drwxr-x--- 5 10500 50512 0 août 12 14:45 ./
> drwx------ 5 root root 4096 août 4 09:18 ../
> -rw-r----- 1 10500 50512 0 août 12 14:45 bar
> drwxr-x--- 4 10500 50512 0 août 12 14:33 Linux/
> drwxr-x--- 6 10500 50512 0 août 7 17:27 Windows/
>
> The file bar is here with good permissions, owner and groups.... and is
> editable
>
> If I uncomment again the 'force user' parameter (and restart samba), if
> I want to remove file, I get a "Permission Denied"
>
> I don't understand.... In my memories this parameter worked in 4.1.9....

Hi

So you've not started winbind? What does /etc/nsswitch.conf have and what is the output of getfacl /Shares/Admins?
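
An added example, not part of the thread or of Samba: a Python sketch that checks, from the data posted above, whether the share's "force user" and "force group" names resolve and what plain mode bits on /Shares/Admins allow. The NSS tables are constructed from the UID/GID quoted in the first message; the function names are hypothetical and ACLs (what getfacl would show) are not modelled.

```python
import configparser
import stat

# Share stanza abridged from the first message of the thread.
SMB_CONF = """
[Admins]
path = /Shares/Admins
force user = administrator
force group = "domain admins"
valid users = +"domain admins"
"""

# Constructed stand-in for NSS (getent passwd / getent group), using the
# UID and GID the poster reports; on a real server winbind supplies these.
NSS_USERS = {"administrator": 10500}
NSS_GROUPS = {"domain admins": 50512}


def forced_identity(conf_text, share, users, groups):
    """Resolve the share's force user / force group to (uid, gid).

    Raises LookupError when a name does not resolve, e.g. when the NSS
    lookup for the forced account fails.
    """
    # '=' only: the default ':' delimiter would split 'idmap config *:...'.
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.read_string(conf_text)
    sec = cp[share]
    user = sec["force user"].strip('"').lower()
    group = sec["force group"].lstrip("+").strip('"').lower()
    if user not in users:
        raise LookupError(f"force user {user!r} does not resolve")
    if group not in groups:
        raise LookupError(f"force group {group!r} does not resolve")
    return users[user], groups[group]


def can_create(uid, gids, dir_uid, dir_gid, dir_mode):
    """POSIX mode-bit check only (no ACLs): creating an entry needs w+x."""
    if uid == dir_uid:
        need = stat.S_IWUSR | stat.S_IXUSR
    elif dir_gid in gids:
        need = stat.S_IWGRP | stat.S_IXGRP
    else:
        need = stat.S_IWOTH | stat.S_IXOTH
    return (dir_mode & need) == need
```

With the posted values (directory drwxr-x---, owner 10500, group 50512), mode bits alone let UID 10500 create files, while an identity that only matches group 50512 is refused.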
Bruno MACADRÉ
2014-Aug-13 07:33 UTC
[Samba] Strange behaviour with "force user" parameter
Hi,
I confirm that there is a bug with the force user parameter, I've tried
with a windows 7 workstation joined to the domain.
I have this simple homes share :
[homes]
comment = Home dir for %S
force user = %S
force group = %G
create mask = 0600
directory mask = 0700
read only = No
The home dir of user 'foo' is /home/foo. The rights for this path are :
drwxr-xr-x 6 root root 81 août 12 17:33 /home/
drwx------ 3 foo domain users 25 août 13 09:22 /home/foo/
When I connect my user on the Win7 workstation and want to go to his
home dir (mapped in Z:) I get a "permission denied" error message.
If I do the same with "force user" commented, all works like a charm.
Am I the only one to have this bug? Can I open a bug report about it, or
does anybody know a mysterious undocumented mechanism that leads to this
behaviour?
Thanks,
Regards,
Bruno
On 12/08/2014 14:58, Bruno MACADRÉ wrote:
> Hi,
>
> I'm in trouble with a share, I found that the problem comes from the
> "force user" parameter in my smb.conf.
>
> This is my smb.conf :
[cut for readability]
> On my workstation, logged with root user, I do : "mount -t cifs -o
> user=administrator //filserv/Admins foo" the mount works.
>
> I do an 'ls -l foo' :
> total 4
> drwxr-x--- 5 10500 50512 0 août 12 14:32 .
> drwx------ 5 root root 4096 août 4 09:18 ..
> drwxr-x--- 4 10500 50512 0 août 12 14:33 Linux
> drwxr-x--- 6 10500 50512 0 août 7 17:27 Windows
>
> Where 10500 is the UID of user administrator and 50512 is the GID of
> group "Domain Admins".
>
> I enter into 'foo' and do 'touch bar' I get a "Permission Denied"....
>
> If I comment the "force group" parameter (and restart smbd) :
>
> 'touch bar' => works
> 'ls -al':
> total 4
> drwxr-x--- 5 10500 50512 0 août 12 14:45 ./
> drwx------ 5 root root 4096 août 4 09:18 ../
> -rw-r----- 1 10500 50512 0 août 12 14:45 bar
> drwxr-x--- 4 10500 50512 0 août 12 14:33 Linux/
> drwxr-x--- 6 10500 50512 0 août 7 17:27 Windows/
>
> The file bar is here with good permissions, owner and groups.... and
> is editable
>
> If I uncomment again the 'force user' parameter (and restart samba),
> if I want to remove file, I get a "Permission Denied"
>
> I don't understand.... In my memories this parameter worked in 4.1.9....
>
> Regards,
> Bruno
>
>