KB-1570: Access Denied to samba share when 'force user' defined

Centrify DirectAudit, Centrify DirectControl, Centrify Identity Service, Mac Edition

12 April,16 at 11:06 AM

Applies to: Centrify-Enabled Samba 3.3.9-4.3.1 on all platforms

Problem:
Using Centrify-Enabled Samba 3.3.9-4.3.1, users are not able to access the share on a Windows box if the "force user" directive is used in the share definition in smb.conf. You might see the following error messages in the Samba logs:


[2010/03/12 11:04:27,  1] auth/auth_util.c:create_token_from_username(1006) sid_to_gid(S-1-5-21-1848583262-513) failed
[2010/03/12 11:04:27,  3] smbd/error.c:error_packet_set(61) error packet at smbd/reply.c(729) cmd=117 (SMBtconX) NT_STATUS_NO_SUCH_USER
S-1-5-21-1848583262-513 failed! (-513 is the well-known RID of the Domain Users group for the domain S-1-5-21-1848583262.)


However, if you comment out the "force user" directive in smb.conf, the Samba share is accessible.

Cause:
Samba successfully finds the AD user defined for the "force user" directive in Active Directory, but fails to convert the SID of that user's primary group to a GID, so it fakes the group up as "Domain Users", which leads to the access denied error.
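To check whether a denied share matches this signature, the following added example (not Centrify or Samba code) scans smbd log lines for the failed sid_to_gid conversion, splits the SID into domain SID and RID, and links it to an NT_STATUS_NO_SUCH_USER tree-connect error. It assumes the log header format quoted above, pairs the two messages by identical timestamp, and also accepts the form where the message is on the line after its header; the RID names other than 513 are standard Windows values, not taken from this article.

```python
import re

# Domain-relative RIDs; 513 (Domain Users) is the one this article's log shows.
WELL_KNOWN_RIDS = {512: "Domain Admins", 513: "Domain Users", 514: "Domain Guests"}

HEADER = re.compile(r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})(?:\.\d+)?,\s*\d+\]\s*(.*)$")
SID_FAIL = re.compile(r"create_token_from_username.*sid_to_gid\((S-\d+(?:-\d+)+)\) failed")
DENIED = re.compile(r"SMBtconX.*NT_STATUS_NO_SUCH_USER")

# The two log lines quoted in the article above.
SAMPLE = [
    "[2010/03/12 11:04:27,  1] auth/auth_util.c:create_token_from_username(1006) "
    "sid_to_gid(S-1-5-21-1848583262-513) failed",
    "[2010/03/12 11:04:27,  3] smbd/error.c:error_packet_set(61) error packet at "
    "smbd/reply.c(729) cmd=117 (SMBtconX) NT_STATUS_NO_SUCH_USER",
]

def records(lines):
    """Yield (timestamp, text) per record, folding continuation lines into the header."""
    ts, text = None, ""
    for line in lines:
        m = HEADER.match(line.rstrip())
        if m:
            if ts is not None:
                yield ts, text
            ts, text = m.group(1), m.group(2)
        elif ts is not None:
            text += " " + line.strip()
    if ts is not None:
        yield ts, text

def find_force_user_failures(lines):
    """Return one finding per failed primary-group SID-to-GID conversion."""
    findings, by_time = [], {}
    for ts, text in records(lines):
        m = SID_FAIL.search(text)
        if m:
            domain_sid, _, rid = m.group(1).rpartition("-")
            hit = {"time": ts, "sid": m.group(1), "domain_sid": domain_sid, "rid": int(rid),
                   "group": WELL_KNOWN_RIDS.get(int(rid), "unknown"), "share_denied": False}
            findings.append(hit)
            by_time[ts] = hit
        elif DENIED.search(text) and ts in by_time:
            # Assumption: a denial in the same second belongs to the same connection.
            by_time[ts]["share_denied"] = True
    return findings

if __name__ == "__main__":
    for f in find_force_user_failures(SAMPLE):
        print(f)
```

A finding with group "Domain Users" and share_denied set to True corresponds to the condition described in this article.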
 
Workaround:

Add the "Domain Users" group into the zone and assign it a GID. Note: make sure the force user and the group do not have the same name. If both have the same name, adbindd will treat the name as a user, never as a group. This is because when adbindd looks up a name, it assumes the name is a user first and only assumes it is a group if no user is found.

Resolution:
The problem exists in stock Samba today. Please follow the workaround until this issue is resolved by samba.org.
