Kraus, Sebastian
2018-Nov-06 08:37 UTC
[Samba] Samba CIFS Mounts with Kerberos Security: Write Access denied
Hi all, I am testing different setups for Samba home share mounts via the CIFS protocol on Linux clients with and without Keberos security (both krb5 and krb5i). I am experiencing some strange behaviour in case of Kerberos authentication: In case of mounts (by root or the user itself) without Kerberos security (only NTLMv2 authentication), local root and the owning user on the Linux client is granted read and write access for the files within the mounted tree. However, while using Kerberos security, ever user - even the owner of the files on the mount - is denied write access to the files on the mount. Reading access is still granted as expected/supposed. The logging for the client machine on the Samba server side shows errors of the following type, while a user owned smbd process tries to access files in a writing manner: [2018/11/06 08:39:49.839769, 5, pid=15886, effective(1166435, 8875), real(1166435, 0)] ../source3/smbd/open.c:317(check_parent_access) check_parent_access: access check on directory . for path yess for mask 0x2 returned (0x2) NT_STATUS_ACCESS_DENIED [...] [2018/11/06 08:39:49.840334, 3, pid=15886, effective(1166435, 8875), real(1166435, 0)] ../source3/smbd/error.c:82(error_packet_set) NT error packet at ../source3/smbd/error.c(165) cmd=50 (SMBtrans2) NT_STATUS_ACCESS_DENIED Any suggestions about the possible root cause of the problem? Best Sebastian Sebastian Kraus Team IT am Institut für Chemie Gebäude C, Straße des 17. Juni 115, Raum C7 Technische Universität Berlin Fakultät II Institut für Chemie Sekretariat C3 Straße des 17. Juni 135 10623 Berlin Email: sebastian.kraus at tu-berlin.de
Robert Schetterer
2018-Nov-06 09:27 UTC
[Samba] Samba CIFS Mounts with Kerberos Security: Write Access denied
Am 06.11.2018 um 09:37 schrieb Kraus, Sebastian via samba:> Hi all, > > > I am testing different setups for Samba home share mounts via the > > CIFS protocol on Linux clients with and without Keberos security (both > > krb5 and krb5i). I am experiencing some strange behaviour in case of > > Kerberos authentication: > > > In case of mounts (by root or the user itself) without Kerberos security (only > > NTLMv2 authentication), local root and the owning user on the Linux client is > > granted read and write access for the files within the mounted tree. However, > > while using Kerberos security, ever user - even the owner of the files on the > > mount - is denied write access to the files on the mount. Reading access is still > > granted as expected/supposed. > > The logging for the client machine on the Samba server side shows errors of > > the following type, while a user owned smbd process tries to access files in a > > writing manner: > > > [2018/11/06 08:39:49.839769, 5, pid=15886, effective(1166435, 8875), real(1166435, 0)] ../source3/smbd/open.c:317(check_parent_access) > check_parent_access: access check on directory . for path yess for mask 0x2 returned (0x2) NT_STATUS_ACCESS_DENIED > [...] > [2018/11/06 08:39:49.840334, 3, pid=15886, effective(1166435, 8875), real(1166435, 0)] ../source3/smbd/error.c:82(error_packet_set) > NT error packet at ../source3/smbd/error.c(165) cmd=50 (SMBtrans2) NT_STATUS_ACCESS_DENIED > > > Any suggestions about the possible root cause of the problem?Hi we had problems too, while upgrading to ubuntu 18.04 changed behave of cifs-upcall and kerberos tickets, "perhaps" this is your problem too if you want to do cifs (auto)mount with kerberos check logs how cifs-upcall looks for your kerberos tickets a ticket i.e looks like this /tmp/krb5cc_3449004_1Kyv9d where 3449004 is uid with cifs upcall 16.04 ubuntu "searches" for the "right" ticket Nov 6 10:21:51 tueilnt-lab11 cifs.upcall: find_krb5_cc: FILE:/tmp/krb5cc_3449004_WOMgon is valid ccache in ubuntu 18.04 its hardcoded to look only for krb5cc_3449004 cifs.upcall: get_existing_cc: default ccache is FILE:/tmp/krb5cc_3449004 Regards> > > Best > > Sebastian > > > > Sebastian Kraus > Team IT am Institut für Chemie > Gebäude C, Straße des 17. Juni 115, Raum C7 > > Technische Universität Berlin > Fakultät II > Institut für Chemie > Sekretariat C3 > Straße des 17. Juni 135 > 10623 Berlin > > Email: sebastian.kraus at tu-berlin.de >-- [*] sys4 AG https://sys4.de, +49 (89) 30 90 46 64 Schleißheimer Straße 26/MG,80333 München Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263 Vorstand: Patrick Ben Koetter, Marc Schiffbauer, Wolfgang Stief Aufsichtsratsvorsitzender: Florian Kirstein
Rowland Penny
2018-Nov-06 09:32 UTC
[Samba] Samba CIFS Mounts with Kerberos Security: Write Access denied
On Tue, 6 Nov 2018 08:37:29 +0000 "Kraus, Sebastian via samba" <samba at lists.samba.org> wrote:> Hi all, > > > I am testing different setups for Samba home share mounts via the > CIFS protocol on Linux clients with and without Keberos security (both > krb5 and krb5i). I am experiencing some strange behaviour in case of > Kerberos authentication: > > In case of mounts (by root or the user itself) without Kerberos > security (only > NTLMv2 authentication), local root and the owning user on the Linux > client is > granted read and write access for the files within the mounted tree. > However, > while using Kerberos security, ever user - even the owner of the > files on the > mount - is denied write access to the files on the mount. Reading > access is still > granted as expected/supposed. > > The logging for the client machine on the Samba server side shows > errors of > the following type, while a user owned smbd process tries to access > files in a > writing manner: > > [2018/11/06 08:39:49.839769, 5, pid=15886, effective(1166435, 8875), > real(1166435, 0)] ../source3/smbd/open.c:317(check_parent_access) > check_parent_access: access check on directory . for path yess for > mask 0x2 returned (0x2) NT_STATUS_ACCESS_DENIED [...] [2018/11/06 > 08:39:49.840334, 3, pid=15886, effective(1166435, 8875), > real(1166435, 0)] ../source3/smbd/error.c:82(error_packet_set) NT > error packet at ../source3/smbd/error.c(165) cmd=50 (SMBtrans2) > NT_STATUS_ACCESS_DENIED > > > Any suggestions about the possible root cause of the problem? >A bit more info might help ;-) What OS ? What version of Samba ? Packages or self-compiled ? What is in smb.conf ? Anything else you think might be relevant. Rowland
Apparently Analagous Threads
- No write access on new shares until smbd is restarted
- Using Access Control Lists with SMB2/SMB3 Mounts on Linux Clients
- No write access on new shares until smbd is restarted
- Using Access Control Lists with SMB2/SMB3 Mounts on Linux Clients
- Using Access Control Lists with SMB2/SMB3 Mounts on Linux Clients