On 1/28/24 10:06, Rowland Penny via samba wrote:
> On Sun, 28 Jan 2024 09:40:22 -0800
> Peter Carlson via samba<samba at lists.samba.org> wrote:
>
>> On 1/28/24 09:27, Rowland Penny via samba wrote:
>>> On Sun, 28 Jan 2024 08:47:28 -0800
>>> Peter Carlson via samba<samba at lists.samba.org> wrote:
>>>
>>>> On 1/27/24 03:19, Rowland Penny via samba wrote:
>>>>> You are close, but are missing a parameter, try opening a terminal
>>>>> on u2gui (which I take it is the hostname for the domain joined
>>>>> client you are trying to mount the share to). Then type this:
>>>>>
>>>>> sudo mount -t cifs //fs.carlson.lab/test /mnt/test -o
>>>>> sec=krb5,username=U2GUI$,multiuser
>>>>>
>>>>> Now go and look at /mnt/test
>>>>>
>>>>> Rowland
>>>>>
>>>> I am still getting permission denied. Does the machine need a user
>>>> account? I thought that with multiuser it just needed a computer
>>>> account
>>> It does just need a computer account and a computer account is just
>>> a user account with an extra objectclass.
>> except that the computer isn't normally a member of Domain Users, but
>> Domain Computers...so...that got me thinking and I added the computer
>> to Domain Users and now it can mount. But is that the right thing to
>> do?
> I come back to the fact that it works for myself without doing anything
> like that:
> sudo ldbsearch -H /var/lib/samba/private/sam.ldb -P -b
> dc=samdom,dc=example,dc=com
> '(&(objectCategory=computer)(primaryGroupID=515))' dn | grep TESTDM12
> dn: CN=TESTDM12,CN=Computers,DC=samdom,DC=example,DC=com
>
> Rowland
>
By any chance does your share permission for the share allow Domain
Computers? Mine is only setup for Domain Admins and Domain Users (the
getfacl output at the end grants only those two groups, with other::---),
so here goes with a huge dump of data. Let's see if there is something
bizarre in all of this (BTW, I have a 2nd VM that is only cli and it
behaves the same way. Its config is similar except it does KDC via DNS
lookup).
root at nc1:/var/log/samba# ldbsearch -H /var/lib/samba/private/sam.ldb -P
-b dc=carlson,dc=lab
'(&(objectCategory=computer)(primaryGroupID=515))'
dn memberOf
...
# record 2
dn: CN=U2GUI,CN=Computers,DC=carlson,DC=lab
memberOf: CN=Domain Users,CN=Users,DC=carlson,DC=lab
root at u2gui:~# klist
Ticket cache: FILE:/tmp/krb5cc_2001107
Default principal: U2GUI$@CARLSON.LAB
Valid starting       Expires              Service principal
01/28/2024 08:37:39  01/28/2024 18:37:39  krbtgt/CARLSON.LAB at CARLSON.LAB
	renew until 01/29/2024 08:37:38
----------------------------------------------------------------------------
root at u2gui:~# cat /etc/samba/smb.conf
[global]
server string = %h server (Samba, Ubuntu)
   log file = /var/log/samba/log.%m
   max log size = 1000
   logging = file
   panic action = /usr/share/samba/panic-action %d
kerberos method = secrets and keytab
realm = CARLSON.LAB
workgroup = CARLSON
template homedir = /home/%U@%D
template shell = /bin/bash
security = ads
idmap config CARLSON : range = 2000000-2999999
idmap config CARLSON : backend = rid
idmap config * : range = 10000-999999
idmap config * : backend = tdb
vfs objects = acl_xattr
map acl inherit = yes
winbind use default domain = no
winbind refresh tickets = yes
winbind offline logon = yes
winbind enum groups = no
winbind enum users = no
apply group policies = yes
--------------------------------------------------------------------------
root at u2gui:~# cat /etc/krb5.conf
[libdefaults]
	default_realm = CARLSON.LAB
	dns_lookup_realm = false
	dns_lookup_kdc = true
# The following krb5.conf variables are only for MIT Kerberos.
	kdc_timesync = 1
	ccache_type = 4
	forwardable = true
	proxiable = true
	default_ccache_name = FILE:/tmp/krb5cc_%{euid}
# The following libdefaults parameters are only for Heimdal Kerberos.
	fcc-mit-ticketflags = true
[realms]
	CARLSON.LAB = {
		kdc = nc1.carlson.lab
	}
[domain_realm]
--------------------------------------- File Server Config ------------------------------------------------
root at fs1:/var/log/samba# cat /etc/samba/smb.conf
[global]
server string = %h server (Samba, Ubuntu)
   log file = /var/log/samba/log.%m
   max log size = 1000
   logging = file
   panic action = /usr/share/samba/panic-action %d
log level = 3
kerberos method = secrets and keytab
realm = CARLSON.LAB
workgroup = CARLSON
template homedir = /home/%U@%D
template shell = /bin/bash
security = ads
idmap config CARLSON : range = 2000000-2999999
idmap config CARLSON : backend = rid
idmap config * : range = 10000-999999
idmap config * : backend = tdb
vfs objects = acl_xattr
map acl inherit = yes
winbind use default domain = no
winbind refresh tickets = yes
winbind offline logon = yes
winbind enum groups = no
winbind enum users = no
apply group policies = yes
#======================= Share Definitions =======================
[Test]
   path = /data/test
   comment = test
   writable = yes
getfacl: Removing leading '/' from absolute path names
# file: data/test
# owner: root
# group: CARLSON\\domain\040admins
# flags: --t
user::rwx
user:root:rwx
user:CARLSON\\domain\040admins:rwx
user:CARLSON\\domain\040users:r-x
group::rwx
group:CARLSON\\domain\040admins:rwx
group:CARLSON\\domain\040users:r-x
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:CARLSON\\domain\040admins:rwx
default:user:CARLSON\\domain\040users:r-x
default:group::---
default:group:CARLSON\\domain\040admins:rwx
default:group:CARLSON\\domain\040users:r-x
default:mask::rwx
default:other::---