Rowland Penny
2021-Nov-16 22:16 UTC
[Samba] force user gives access denied unless SAM entry?
On Tue, 2021-11-16 at 13:56 -0800, Kip Kennedy via samba wrote:
> > The user must be authenticated before it gets anywhere near the share
> > and with your setup if the user is authenticated and is allowed
> > read/write access to the share everything will be saved as your 'forced
> > user'
> > However, 'bob' will never be allowed access by Samba (not unless guest
> > access is set up correctly) because Samba hasn't got a clue who 'bob'
> > is.
>
> Sorry if it wasn't clear, I am authenticating and connecting fine as
> 'alice'. I can then change directories and list files without error
> (file system reading as 'bob'). Only when I try and write do I receive
> an Access Denied (file system writing as 'bob').
>
> Why should 'bob' need Samba authentication? As I read it, force user is
> used only for Linux file permissions. Shouldn't 'bob' need only exist as
> a local Linux account?
>
> The log is showing an error about a SID / SAM lookup for 'bob'. Unless
> force user is also attempting to force SID mappings shouldn't the
> connected 'alice' be used for those SID lookups, not 'bob'? If I add
> 'bob' to the SAM - even as a disabled account - the write will succeed.

I think it might help if you post the smb.conf from your standalone server.

If 'bob' is unknown to Samba, then the user 'bob' cannot connect to the share via Samba (unless 'map to guest = bad user' is set in [global] and 'guest ok = yes' or 'public = yes' is set in the share). The user must be authenticated by Samba (either as a Samba user, or by being a 'guest' user as described above). All of this authentication happens before the connecting user is allowed near the share.

If you read 'man smb.conf', under 'force user', it says this:

This user name only gets used once a connection is established. Thus clients still need to connect as a valid user and supply a valid password.

Rowland
Kip Kennedy
2021-Nov-18 05:46 UTC
[Samba] force user gives access denied unless SAM entry?
> The user must be authenticated by Samba (either as a Samba user, or by
> being a 'guest' user as described above).
>
>> Sorry if it wasn't clear, I am authenticating and connecting fine as
>> 'alice'.

To repeat again: I am authenticating fine as 'alice'. I can list files, read files and change directories but there is an error on write. This is a permissions issue well after authentication.

I finally tracked this down. A cached user SID is interfering with write access via force user.

TLDR: run 'net cache flush' if you've deleted a user with 'pdbedit -xu' and are using force user with a directory where only the owner can write (or wait a week for cache expiration). Note that restarting Samba is not sufficient to clear the cache.

I can consistently reproduce a 'NT_STATUS_ACCESS_DENIED deleting remote file' with the following:

[global]
    server role = standalone
    create mask = 0640
    directory mask = 0750

[share]
    path = /home/bob/shared
    read only = no
    force user = bob

f: /home/bob/shared
drwxr-xr-x root root /
drwxr-xr-x root root home
drwxr-x--- bob  bob  bob
drwxr-x--- bob  bob  shared

- adduser alice,bob
- smbpasswd alice,bob
- touch a couple of files as bob in /home/bob/shared
- smbclient //test1/share -U bob, disconnect (caches bob's user SID).
- pdbedit -xu bob
- smbclient //test1/share -U alice, writes/deletes give error 'NT_STATUS_ACCESS_DENIED DENIED'

Not sure what the best fix is. Maybe 'pdbedit -xu' should flush any relevant cache entries?

I still don't understand why Samba is looking up SIDs for the force user. I would think any SID checks should be using the authenticated user and not the force user.
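A small audit script, added here as an example and not part of the thread or of Samba itself: it pulls every 'force user' out of an smb.conf, checks that the account exists as a local Unix user, and flags the case the thread describes, where the name is gone from passdb (after 'pdbedit -xu') but a cached SID can still break writes until 'net cache flush'. It assumes getent and pdbedit are on PATH when consulted, and that pdbedit exits non-zero for an unknown user.

```shell
#!/bin/sh
# Added example, not from the thread: audit 'force user' settings in an smb.conf.
# Assumptions: getent/pdbedit are on PATH when used; pdbedit -L -u exits non-zero
# for a name it does not know.

# force_users FILE -> one "share<TAB>user" line per share that sets force user
force_users() {
    awk '
        /^[ \t]*\[/ { gsub(/^[ \t]*\[|\][ \t]*$/, ""); share = $0; next }
        /^[ \t]*force[ \t]+user[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, "")
            print share "\t" $0
        }
    ' "$1"
}

# unix_user_exists USER -> 0 if USER is a local Unix account, 1 otherwise
unix_user_exists() {
    getent passwd "$1" >/dev/null 2>&1
}

# passdb_user_exists USER -> 0 if pdbedit still lists USER, 1 otherwise
passdb_user_exists() {
    pdbedit -L -u "$1" >/dev/null 2>&1
}

# report FILE -> one line per force user, plus the stale-cache hint when the
# account has been removed from passdb
report() {
    force_users "$1" | while IFS="$(printf '\t')" read -r share user; do
        if unix_user_exists "$user"; then
            printf '[%s] force user = %s: Unix account present\n' "$share" "$user"
        else
            printf '[%s] force user = %s: NO Unix account, force user cannot work\n' "$share" "$user"
        fi
        if command -v pdbedit >/dev/null 2>&1 && ! passdb_user_exists "$user"; then
            printf '    %s is not in passdb; if it was removed with pdbedit -xu, run: net cache flush\n' "$user"
        fi
    done
}

# Usage: ./check_force_user.sh /etc/samba/smb.conf
if [ -n "${1:-}" ]; then
    report "$1"
fi
```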