Kip Kennedy
2021-Nov-16 18:06 UTC
[Samba] force user gives access denied unless SAM entry?
Anyone else seeing this behavior:

Server is Samba 4.13.5, standalone under Debian 11. One service "share" with one valid user "alice" different from the force user "bob". The user alice is a Debian user and has an entry in SAM (added via smbpasswd). The user bob is a Debian user but does not have an smb login or SAM entry. The user bob is the file system owner of the shared directory with owner write access. The directory does not have group write access or world access (750). Local writes to the directory as bob succeed.

Client is Windows 10 with a mapped drive, connecting successfully as alice.

When I try to save a file from Windows I get an access denied error. I turned logging up to 5 and noticed an error that USER_bob was being looked up in some sort of passdb SAM database. Not sure why this is the case, isn't "force user" only used for file system checks? If I add bob via smbpasswd, everything works. It also continues to work if the disabled flag is set on the bob account via pdbedit.

Note if trying to replicate: adding group write access to the directory also allows the write to succeed. Maybe successful group or world attempts to write the file mask this user lookup issue.
Rowland Penny
2021-Nov-16 18:33 UTC
[Samba] force user gives access denied unless SAM entry?
On Tue, 2021-11-16 at 10:06 -0800, Kip Kennedy via samba wrote:
> Anyone else seeing this behavior:
>
> Server is Samba 4.13.5, standalone under Debian 11. One service
> "share" with one valid user "alice" different from the force user
> "bob". The user alice is a Debian user and has an entry in SAM (added
> via smbpasswd). The user bob is a Debian user but does not have an
> smb login or SAM entry. The user bob is the file system owner of the
> shared directory with owner write access. The directory does not have
> group write access or world access (750). Local writes to the
> directory as bob succeed.
>
> Client is Windows 10 with a mapped drive, connecting successfully as
> alice.
>
> When I try to save a file from Windows I get an access denied error.
> I turned logging up to 5 and noticed an error that USER_bob was being
> looked up in some sort of passdb SAM database. Not sure why this is
> the case, isn't "force user" only used for file system checks? If I
> add bob via smbpasswd, everything works. It also continues to work if
> the disabled flag is set on the bob account via pdbedit.
>
> Note if trying to replicate: adding group write access to the
> directory also allows the write to succeed. Maybe successful group or
> world attempts to write the file mask this user lookup issue.

The user must be authenticated before it gets anywhere near the share and with your setup if the user is authenticated and is allowed read/write access to the share everything will be saved as your 'forced user'.

However, 'bob' will never be allowed access by Samba (not unless guest access is set up correctly) because Samba hasn't got a clue who 'bob' is.

Rowland
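
The following is an added example, not part of either post and not Samba project code: a small audit helper that flags shares whose `force user` has no passdb entry, the condition reported in the thread. It assumes you feed it the text of `testparm -s` (or smb.conf) and of `pdbedit -L`; the function names, the sample config and the `/srv/share` path are constructed for illustration.

```python
# Added example: flag shares whose "force user" has no passdb (SAM) entry.
# Sample inputs are constructed to mirror the setup described in the thread.
SAMPLE_SMB_CONF = """\
[global]
    server role = standalone server

[share]
    path = /srv/share
    valid users = alice
    force user = bob
    read only = no
"""
SAMPLE_PDBEDIT_L = "alice:1001:Alice\n"  # `pdbedit -L` prints name:uid:full name


def parse_sections(smb_conf_text):
    """Parse smb.conf / `testparm -s` text into {section: {param: value}}."""
    sections, current = {}, None
    for raw in smb_conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            # Samba ignores case and whitespace in parameter names.
            current["".join(key.split()).lower()] = value.strip()
    return sections


def passdb_users(pdbedit_listing):
    """Account names from `pdbedit -L` output (first colon-separated field)."""
    return {line.split(":", 1)[0].strip().lower()
            for line in pdbedit_listing.splitlines() if ":" in line}


def force_users_missing_from_passdb(smb_conf_text, pdbedit_listing):
    """Return {section: force_user} for force users absent from passdb."""
    known = passdb_users(pdbedit_listing)
    missing = {}
    for name, params in parse_sections(smb_conf_text).items():
        user = params.get("forceuser", "").lower()
        # Simplification: names are compared case-insensitively.
        if user and user not in known:
            missing[name] = user
    return missing


if __name__ == "__main__":
    print(force_users_missing_from_passdb(SAMPLE_SMB_CONF, SAMPLE_PDBEDIT_L))
```

A `force user` set in `[global]` is reported under that section name, since it acts as the default for every share.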