thr3ads.net - samba - [Samba] permission denied with windows acls [Jan 2024]

If this information is useful, please help other people find it:
Share via:

Rowland Penny

2024-Jan-27 11:19 UTC

[Samba] permission denied with windows acls

On Fri, 26 Jan 2024 12:27:52 -0800
Peter Carlson via samba <samba at lists.samba.org> wrote:
> 
> On 1/26/24 09:34, Peter Carlson via samba wrote:
> >
> > On 1/26/24 02:35, Rowland Penny via samba wrote:
> >> On Thu, 25 Jan 2024 18:45:52 -0800 Peter Carlson via samba 
> >> <samba at lists.samba.org> wrote:
> >>> The share mounts and I am a member of the correct groups 
> >>> CARLSON\peter at u2gui:~$ cat /etc/fstab //fs.carlson.lab/test
> >>> /mnt/test cifs 
> >>> credentials=/root/smbcreds,multiuser,sec=ntlmssp,_netdev 0 0 
> >> I think that could be part of your problem, even though you are
> >> using 'multiuser', you are mounting as root. try reading
'man
> >> mount.cifs' and pay particular attention to 'sec=krb5'
and
> >> 'multiuser', that way you will not require a password.
Rowland
> > ok I am a bit confused on mounting using service tickets and krb5.
> > I created the ticket on the client linux machine:
> >
> > ?? root at u2gui:~# kinit -k U2GUI$
> > ?? root at u2gui:~# klist
> > ?? Ticket cache: FILE:/tmp/krb5cc_0
> > ?? Default principal: U2GUI$@CARLSON.LAB
> >
> > ?? Valid starting?????? Expires????????????? Service principal
> > ?? 01/26/2024 09:13:19? 01/26/2024 19:13:19 
> > krbtgt/CARLSON.LAB at CARLSON.LAB
> > ??? ?? ?renew until 01/27/2024 09:13:18
> >
> > and the fstab:
> >
> > ?? //fs.carlson.lab/test /mnt/test cifs
> > ?? vers=3.0,multiuser,sec=krb5,_netdev 0 0
> >
> >
> ok, I did figure out the required key not available, but now it's 
> permission denied
> 
>     root at u2gui:~# mount -a
>     mount error(13): Permission denied
> 
> The logs seem to indicate that it is trying to connect as user u2gui.
>  I thought it mounted with a service account?
> 
> 
You are close, but are missing a parameter, try opening a terminal on
u2gui (which I take it is the hostname for the domain joined client you
are trying to mount the share to). Then type this:

sudo mount -t cifs //fs.carlson.lab/test /mnt/test -o
sec=krb5,username=U2GUI$,multiuser

Now go and look at /mnt/test

Rowland

Peter Carlson

2024-Jan-28 16:47 UTC

head link

[Samba] permission denied with windows acls

On 1/27/24 03:19, Rowland Penny via samba wrote:>
> You are close, but are missing a parameter, try opening a terminal on
> u2gui (which I take it is the hostname for the domain joined client you
> are trying to mount the share to). Then type this:
>
> sudo mount -t cifs //fs.carlson.lab/test /mnt/test -o
> sec=krb5,username=U2GUI$,multiuser
>
> Now go and look at /mnt/test
>
> Rowland
>I am still getting permission denied.? Does the machine need a user 
account? I thought that with multiuser it just needed a computer account

    root at u2gui:~# mount -t cifs //fs1.carlson.lab/test /mnt/test -o
    sec=krb5,username=U2GUI$,multiuser
    mount error(13): Permission denied
    Refer to the mount.cifs(8) manual page (e.g. man mount.cifs) and
    kernel log messages (dmesg)

    root at u2gui:~# !tail
    tail -f /var/log/syslog
    Jan 28 08:43:46 U2GUI cifs.upcall: creduid=0
    Jan 28 08:43:46 U2GUI cifs.upcall: user=U2GUI$
    Jan 28 08:43:46 U2GUI cifs.upcall: pid=1583
    Jan 28 08:43:46 U2GUI cifs.upcall: get_cachename_from_process_env:
    pid == 0
    Jan 28 08:43:46 U2GUI cifs.upcall: get_existing_cc: default ccache
    is FILE:/tmp/krb5cc_0
    Jan 28 08:43:46 U2GUI cifs.upcall: get_tgt_time: unable to get principal
    Jan 28 08:43:48 U2GUI cifs.upcall: handle_krb5_mech: getting service
    ticket for fs1.carlson.lab
    Jan 28 08:43:48 U2GUI cifs.upcall: handle_krb5_mech: obtained
    service ticket
    Jan 28 08:43:48 U2GUI cifs.upcall: Exit status 0
    Jan 28 08:43:50 U2GUI kernel: [? 769.735756] CIFS: VFS: cifs_mount
    failed w/return code = -13

log on file server:

[2024/01/28 16:38:40.621414,? 3] 
../../source3/auth/auth_generic.c:173(auth3_generate_session_info_pac)
 ? Kerberos ticket principal name is [U2GUI$@CARLSON.LAB]
[2024/01/28 16:38:40.622002,? 1] 
../../source3/auth/token_util.c:572(add_local_groups)
 ? FINDME: for user CARLSON\u2gui$ worked
[2024/01/28 16:38:40.624929,? 3] 
../../source3/param/loadparm.c:3998(lp_load_ex)
 ? lp_load_ex: refreshing parameters
[2024/01/28 16:38:40.625066,? 3] 
../../source3/param/loadparm.c:560(init_globals)
 ? Initialising global parameters
[2024/01/28 16:38:40.625221,? 3] 
../../source3/param/loadparm.c:2900(lp_do_section)
 ? Processing section "[global]"
[2024/01/28 16:38:40.625652,? 2] 
../../source3/param/loadparm.c:2917(lp_do_section)
 ? Processing section "[Test]"
[2024/01/28 16:38:40.625769,? 3] 
../../source3/param/loadparm.c:1684(lp_add_ipc)
 ? adding IPC service
[2024/01/28 16:38:40.625960,? 3] 
../../source3/smbd/password.c:84(register_homes_share)
 ? Adding homes service for user 'CARLSON\u2gui$' using home directory: 
'/home/u2gui_ at CARLSON'
[2024/01/28 16:38:40.626945,? 3] ../../lib/util/access.c:372(allow_access)
 ? Allowed connection from 192.168.1.54 (192.168.1.54)
[2024/01/28 16:38:40.627048,? 3] 
../../source3/smbd/smb2_service.c:584(make_connection_snum)
 ? make_connection_snum: Connect path is '/tmp' for service [IPC$]
[2024/01/28 16:38:40.627092,? 3] 
../../source3/smbd/vfs.c:115(vfs_init_default)
 ? Initialising default vfs hooks
[2024/01/28 16:38:40.627111,? 3] 
../../source3/smbd/vfs.c:141(vfs_init_custom)
 ? Initialising custom vfs hooks from [/[Default VFS]/]
[2024/01/28 16:38:40.627121,? 3] 
../../source3/smbd/vfs.c:141(vfs_init_custom)
 ? Initialising custom vfs hooks from [acl_xattr]
[2024/01/28 16:38:40.628705,? 3] 
../../lib/util/modules.c:167(load_module_absolute_path)
 ? load_module_absolute_path: Module 
'/usr/lib/x86_64-linux-gnu/samba/vfs/acl_xattr.so' loaded
[2024/01/28 16:38:40.628780,? 2] 
../../source3/modules/vfs_acl_xattr.c:206(connect_acl_xattr)
 ? connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = 
true' and 'force unknown acl user = true' for service IPC$
[2024/01/28 16:38:40.628949,? 3] 
../../source3/smbd/smb2_service.c:814(make_connection_snum)
 ? 192.168.1.54 (ipv4:192.168.1.54:47396) signed connect to service IPC$ 
initially as user CARLSON\u2gui$ (uid=2001123, gid=2000515) (pid 59341)
[2024/01/28 16:38:40.629417,? 3] 
../../source3/smbd/msdfs.c:984(get_referred_path)
 ? get_referred_path: |test| in dfs path \fs1.carlson.lab\test is not a 
dfs root.
[2024/01/28 16:38:40.629475,? 3] 
../../source3/smbd/smb2_server.c:4031(smbd_smb2_request_error_ex)
 ? smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] 
status[NT_STATUS_NOT_FOUND] || at ../../source3/smbd/smb2_ioctl.c:353
[2024/01/28 16:38:40.630006,? 3] ../../lib/util/access.c:372(allow_access)
 ? Allowed connection from 192.168.1.54 (192.168.1.54)
[2024/01/28 16:38:40.630107,? 3] 
../../source3/smbd/smb2_service.c:584(make_connection_snum)
 ? make_connection_snum: Connect path is '/data/test' for service [Test]
[2024/01/28 16:38:40.630142,? 3] 
../../source3/smbd/vfs.c:115(vfs_init_default)
 ? Initialising default vfs hooks
[2024/01/28 16:38:40.630158,? 3] 
../../source3/smbd/vfs.c:141(vfs_init_custom)
 ? Initialising custom vfs hooks from [/[Default VFS]/]
[2024/01/28 16:38:40.630167,? 3] 
../../source3/smbd/vfs.c:141(vfs_init_custom)
 ? Initialising custom vfs hooks from [acl_xattr]
[2024/01/28 16:38:40.630202,? 2] 
../../source3/modules/vfs_acl_xattr.c:206(connect_acl_xattr)
 ? connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = 
true' and 'force unknown acl user = true' for service Test
[2024/01/28 16:38:40.630351,? 2] 
../../source3/smbd/smb2_service.c:814(make_connection_snum)
 ? 192.168.1.54 (ipv4:192.168.1.54:47396) signed connect to service Test 
initially as user CARLSON\u2gui$ (uid=2001123, gid=2000515) (pid 59341)
[2024/01/28 16:38:40.630655,? 0] 
../../source3/smbd/smb2_service.c:117(chdir_current_service)
 ? chdir_current_service: vfs_ChDir(/data/test) failed: Permission 
denied. Current token: uid=2001123, gid=2000515, 5 groups: 2001123 
2000515 10003 10004 10006
[2024/01/28 16:38:40.630692,? 3] 
../../source3/smbd/smb2_server.c:4031(smbd_smb2_request_error_ex)
 ? smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] 
status[NT_STATUS_ACCESS_DENIED] || at ../../source3/smbd/smb2_server.c:3322
[2024/01/28 16:38:40.630909,? 0] 
../../source3/smbd/smb2_service.c:117(chdir_current_service)
 ? chdir_current_service: vfs_ChDir(/data/test) failed: Permission 
denied. Current token: uid=2001123, gid=2000515, 5 groups: 2001123 
2000515 10003 10004 10006
[2024/01/28 16:38:40.630938,? 3] 
../../source3/smbd/smb2_server.c:4031(smbd_smb2_request_error_ex)
 ? smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] 
status[NT_STATUS_ACCESS_DENIED] || at ../../source3/smbd/smb2_server.c:3322
[2024/01/28 16:38:40.631074,? 0] 
../../source3/smbd/smb2_service.c:117(chdir_current_service)
 ? chdir_current_service: vfs_ChDir(/data/test) failed: Permission 
denied. Current token: uid=2001123, gid=2000515, 5 groups: 2001123 
2000515 10003 10004 10006
[2024/01/28 16:38:40.631094,? 3] 
../../source3/smbd/smb2_server.c:4031(smbd_smb2_request_error_ex)
 ? smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] 
status[NT_STATUS_ACCESS_DENIED] || at ../../source3/smbd/smb2_server.c:3322
[2024/01/28 16:38:42.665018,? 3] 
../../source3/smbd/smb2_service.c:907(close_cnum)
 ? 192.168.1.54 (ipv4:192.168.1.54:47396) closed connection to service IPC$
[2024/01/28 16:38:42.665160,? 2] 
../../source3/smbd/smb2_service.c:907(close_cnum)
 ? 192.168.1.54 (ipv4:192.168.1.54:47396) closed connection to service Test
[2024/01/28 16:38:42.801101,? 3] 
../../source3/smbd/server_exit.c:229(exit_server_common)
 ? Server exit (NT_STATUS_END_OF_FILE)

samba - Jan 2024 - permission denied with windows acls

[Samba] permission denied with windows acls

[Samba] permission denied with windows acls