Applies to: Centrify-Enabled Samba 3.3.9-4.3.1 on all platforms
With Centrify-Enabled Samba 3.3.9-4.3.1, users are not able to access the share on a Windows box if the "force user" directive is used in the share definition in smb.conf. You might see the following error messages in the Samba logs:
[2010/03/12 11:04:27, 1] auth/auth_util.c:create_token_from_username(1006) sid_to_gid(S-1-5-21-1848583262-513) failed
[2010/03/12 11:04:27, 3] smbd/error.c:error_packet_set(61) error packet at smbd/reply.c(729) cmd=117 (SMBtconX) NT_STATUS_NO_SUCH_USER
The sid_to_gid conversion of S-1-5-21-1848583262-513 failed (-513 is the well-known RID of the Domain Users group for the domain S-1-5-21-1848583262).
However, if you comment out "force user" in smb.conf, the Samba share is accessible.
Samba successfully finds the AD user defined for the "force user" directive in Active Directory, but fails to convert the SID of that user's primary group to a GID, so it fakes it up as a "Domain Users" group, which leads to the access denied error message.
Add the "Domain Users" group to the zone and assign it a GID. Note: make sure the force user and the group do not have the same name. If both the force user and the group have the same name, adbindd will treat the name as a user, never as a group. This is because when adbindd looks up a name, it assumes the name is a user first and, only if no user is found, assumes it is a group.
The problem exists with stock Samba today. Please follow the workaround until this issue is resolved by the Samba org.
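To triage this condition in a Samba log, the following added example (not Centrify or Samba code) splits each failing SID into domain SID and RID and flags whether a SMBtconX NT_STATUS_NO_SUCH_USER error carries the same timestamp. The function name, the same-timestamp pairing and the sample lines after the first two are assumptions; it also accepts the layout where the message follows the log header on its own line, which goes slightly beyond the one-line form quoted above.

```python
import re

# Well-known domain-relative RIDs; 513 is the one seen in this article.
WELL_KNOWN_RIDS = {512: "Domain Admins", 513: "Domain Users",
                   514: "Domain Guests", 515: "Domain Computers"}

HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d)(?:\.\d+)?, +\d+")
SID_FAIL = re.compile(r"sid_to_gid\((S-1(?:-\d+)+)\) failed")
TCON_DENY = re.compile(r"\(SMBtconX\) NT_STATUS_NO_SUCH_USER")


def find_force_user_failures(lines):
    """Return one finding per sid_to_gid failure. share_denied is True when a
    SMBtconX NT_STATUS_NO_SUCH_USER error carries the same timestamp
    (a heuristic pairing assumed here, not something Samba guarantees)."""
    findings, pending, ts = [], {}, None
    for line in lines:
        head = HEADER.match(line)
        if head:
            ts = head.group(1)  # the message may be on this line or the next
        fail = SID_FAIL.search(line)
        if fail:
            domain_sid, _, rid = fail.group(1).rpartition("-")
            finding = {"time": ts, "domain_sid": domain_sid, "rid": int(rid),
                       "group": WELL_KNOWN_RIDS.get(int(rid), "unknown"),
                       "share_denied": False}
            findings.append(finding)
            pending.setdefault(ts, []).append(finding)
        elif TCON_DENY.search(line):
            for finding in pending.pop(ts, []):
                finding["share_denied"] = True
    return findings


# The first two lines are the log lines quoted in the article; the rest are constructed.
SAMPLE_LOG = [
    "[2010/03/12 11:04:27, 1] auth/auth_util.c:create_token_from_username(1006) sid_to_gid(S-1-5-21-1848583262-513) failed",
    "[2010/03/12 11:04:27, 3] smbd/error.c:error_packet_set(61) error packet at smbd/reply.c(729) cmd=117 (SMBtconX) NT_STATUS_NO_SUCH_USER",
    "[2010/03/12 11:05:02, 1] auth/auth_util.c:create_token_from_username(1006)",
    "  sid_to_gid(S-1-5-21-1848583262-1105) failed",
]

if __name__ == "__main__":
    for f in find_force_user_failures(SAMPLE_LOG):
        print(f)
```

A finding with group "Domain Users" and share_denied set to True matches the symptom described in this article; other RIDs point to a different group that has no GID in the zone.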