Samba as AD member: "force user" confused by identical local & domain user names

1

I am running Samba 4.9.1 on RHEL7, joined to a Win AD domain. In one share, I set

force user = foo

hoping to force the local user foo. However, the same user name also exists in the AD, and Samba actually uses the AD user, e.g. upon file creation.

getent passwd foo

returns the local user, as expected, since /etc/nsswitch.conf reads

passwd: files winbind
group: files winbind

Obviously, I set the option

winbind use default domain = yes

in smb.conf, and I would prefer not to change that, since I am not sure how many things I would need to change elsewhere then...

Any hints on how to force Samba to look for local users first?

Regards, Eric

Eric

Posted 2019-11-06T14:56:26.483

Reputation: 11

FYI, I now "solved" this by removing 'force user' altogether and going for (default) ACLs on the shared directory, which is probably the cleanest way to do it. This also allows one to see which user created which new file. Leaving the question open however, since that might not be a feasible way for others (e.g. on filesystems without ACL support). – Eric – 2019-11-06T15:17:19.097

Please add this as an answer and accept it so that others can easily find your solution in the future. – Worthwelle – 2019-11-06T16:02:25.777

Answers

0

Well, as Worthwelle asked for it, I will post my workaround as an answer.

  1. Remove the "force user" directive from the share definition. This will make newly created files owned by the currently authenticated share user and his/her primary group.
  2. If necessary, e.g. on ext2/3 file systems, enable ACLs via mount options. In my case (xfs), ACLs are always available by default.
  3. setfacl -R -m u:foo:rwX <share_dir>
     setfacl -R -d -m u:foo:rwX <share_dir>

The first command will grant user foo read, write and execute permissions to all files and directories within the share. The capital X will set execute permissions only if it is a directory or someone else already has execute permission, as stated in man setfacl.

The second one will add the same permission as default for new files within the share.

Probably, Samba's force user option is in most cases actually a workaround for insufficient privilege management, so this should be the cleanest way (the Linux equivalent to 'pythonic', maybe?). However, there will probably still be situations where ACLs are not applicable, so the question about force user's behaviour remains.

Eric

Posted 2019-11-06T14:56:26.483

Reputation: 11
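The two halves of this thread, the ambiguity of a user name that exists both locally and in the domain, and the ACL-based share setup that replaces 'force user', can be put into one small audit-and-apply script. The script below is an added example and is not code from the question, the answer, or the Samba project. It assumes 'winbind use default domain = yes' (so 'wbinfo -u' lists domain users without a DOMAIN\ prefix), the acl package's setfacl/getfacl, and a script name of share_acl_audit.sh; the SAMPLE_LOCAL and SAMPLE_DOMAIN data are constructed for offline use, and the function names find_collisions and apply_share_acls are the example's own.

```shell
#!/bin/sh
# Added example, not code from the original question or answer: audit a Samba
# AD member server for user names that exist both locally and in the domain
# (the ambiguity behind the 'force user' problem), and apply the ACL-based
# share setup from the answer instead of 'force user'.
# Assumed: 'winbind use default domain = yes', so 'wbinfo -u' lists domain
# users without a DOMAIN\ prefix; setfacl/getfacl from the acl package.

# Constructed sample of local accounts, as the "files" nsswitch source returns them.
SAMPLE_LOCAL='root:x:0:0:root:/root:/bin/bash
foo:x:1001:1001:Local foo:/home/foo:/bin/bash
backup:x:1002:1002::/srv/backup:/sbin/nologin'

# Constructed sample of domain accounts, as 'wbinfo -u' would list them.
SAMPLE_DOMAIN='alice
foo
bob'

# find_collisions PASSWD_TEXT DOMAIN_NAMES
# Prints, one per line, every user name present in both sources. Any name
# printed here is ambiguous in smb.conf directives such as 'force user',
# because Samba may resolve it to the domain account rather than the local one.
find_collisions() {
    {
        printf '%s\n' "$1" | cut -d: -f1 | sed 's/^/local /'
        printf '%s\n' "$2" | sed 's/^/domain /'
    } | awk '$1 == "local"  { seen[$2] = 1; next }
             $1 == "domain" && ($2 in seen) { print $2 }' | sort -u
}

# apply_share_acls SHARE_DIR USER
# Steps 2-3 of the answer: give USER rwX on everything in the share and make
# that the default ACL for new entries, then verify the result with getfacl.
# Returns 0 when both ACL entries are present on the share root, 1 otherwise.
apply_share_acls() {
    dir=$1; user=$2
    command -v setfacl >/dev/null 2>&1 || { echo "setfacl not installed" >&2; return 1; }
    setfacl -R -m "u:$user:rwX" "$dir"       # existing files and directories
    setfacl -R -d -m "u:$user:rwX" "$dir"    # default ACL for new entries
    getfacl -p "$dir" 2>/dev/null | grep -q "^user:$user:rwx" &&
    getfacl -p "$dir" 2>/dev/null | grep -q "^default:user:$user:rwx"
}

# Usage:  sh share_acl_audit.sh            -> audit with the constructed samples
#         sh share_acl_audit.sh --live     -> audit this host with getent/wbinfo
#         sh share_acl_audit.sh DIR USER   -> apply the ACLs to DIR for USER
case "$1" in
    "")     collisions=$(find_collisions "$SAMPLE_LOCAL" "$SAMPLE_DOMAIN") ;;
    --live) collisions=$(find_collisions "$(getent -s files passwd)" "$(wbinfo -u)") ;;
    *)      apply_share_acls "$1" "$2"; exit $? ;;
esac
if [ -n "$collisions" ]; then
    echo "ambiguous local/domain user names: $(echo "$collisions" | tr '\n' ' ')"
else
    echo "no local/domain name collisions"
fi
```

Run without arguments it reports "foo" as the one ambiguous name in the constructed samples; with --live it compares the host's "files" passwd entries (getent -s files) against the winbind user list, which is the check to run before relying on any unqualified user name in smb.conf. The apply mode is the answer's two setfacl commands followed by a getfacl read-back, so a share whose ACLs silently failed to apply (unsupported filesystem, missing mount option) is reported as a failure rather than assumed correct.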