Kraus, Sebastian
2018-Nov-06 08:37 UTC
[Samba] Samba CIFS Mounts with Kerberos Security: Write Access denied
Hi all,

I am testing different setups for Samba home share mounts via the CIFS protocol on Linux clients with and without Kerberos security (both krb5 and krb5i). I am experiencing some strange behaviour in case of Kerberos authentication:

In case of mounts (by root or the user itself) without Kerberos security (only NTLMv2 authentication), local root and the owning user on the Linux client is granted read and write access for the files within the mounted tree. However, while using Kerberos security, every user - even the owner of the files on the mount - is denied write access to the files on the mount. Reading access is still granted as expected/supposed.

The logging for the client machine on the Samba server side shows errors of the following type, while a user owned smbd process tries to access files in a writing manner:

[2018/11/06 08:39:49.839769, 5, pid=15886, effective(1166435, 8875), real(1166435, 0)] ../source3/smbd/open.c:317(check_parent_access)
  check_parent_access: access check on directory . for path yess for mask 0x2 returned (0x2) NT_STATUS_ACCESS_DENIED
[...]
[2018/11/06 08:39:49.840334, 3, pid=15886, effective(1166435, 8875), real(1166435, 0)] ../source3/smbd/error.c:82(error_packet_set)
  NT error packet at ../source3/smbd/error.c(165) cmd=50 (SMBtrans2) NT_STATUS_ACCESS_DENIED

Any suggestions about the possible root cause of the problem?

Best
Sebastian

Sebastian Kraus
Team IT am Institut für Chemie
Gebäude C, Straße des 17. Juni 115, Raum C7

Technische Universität Berlin
Fakultät II
Institut für Chemie
Sekretariat C3
Straße des 17. Juni 135
10623 Berlin

Email: sebastian.kraus at tu-berlin.de
Robert Schetterer
2018-Nov-06 09:27 UTC
[Samba] Samba CIFS Mounts with Kerberos Security: Write Access denied
On 06.11.2018 at 09:37, Kraus, Sebastian via samba wrote:
> Hi all,
>
> I am testing different setups for Samba home share mounts via the
> CIFS protocol on Linux clients with and without Kerberos security (both
> krb5 and krb5i). I am experiencing some strange behaviour in case of
> Kerberos authentication:
>
> In case of mounts (by root or the user itself) without Kerberos security (only
> NTLMv2 authentication), local root and the owning user on the Linux client is
> granted read and write access for the files within the mounted tree. However,
> while using Kerberos security, every user - even the owner of the files on the
> mount - is denied write access to the files on the mount. Reading access is still
> granted as expected/supposed.
>
> The logging for the client machine on the Samba server side shows errors of
> the following type, while a user owned smbd process tries to access files in a
> writing manner:
>
> [2018/11/06 08:39:49.839769, 5, pid=15886, effective(1166435, 8875), real(1166435, 0)] ../source3/smbd/open.c:317(check_parent_access)
>   check_parent_access: access check on directory . for path yess for mask 0x2 returned (0x2) NT_STATUS_ACCESS_DENIED
> [...]
> [2018/11/06 08:39:49.840334, 3, pid=15886, effective(1166435, 8875), real(1166435, 0)] ../source3/smbd/error.c:82(error_packet_set)
>   NT error packet at ../source3/smbd/error.c(165) cmd=50 (SMBtrans2) NT_STATUS_ACCESS_DENIED
>
> Any suggestions about the possible root cause of the problem?

Hi,

we had problems too: upgrading to Ubuntu 18.04 changed the behaviour of cifs-upcall and Kerberos tickets. "Perhaps" this is your problem too.

If you want to do a CIFS (auto)mount with Kerberos, check the logs for how cifs-upcall looks for your Kerberos tickets.

A ticket looks, for example, like this:

/tmp/krb5cc_3449004_1Kyv9d

where 3449004 is the uid.

With Ubuntu 16.04, cifs upcall "searches" for the "right" ticket:

Nov 6 10:21:51 tueilnt-lab11 cifs.upcall: find_krb5_cc: FILE:/tmp/krb5cc_3449004_WOMgon is valid ccache

In Ubuntu 18.04 it's hardcoded to look only for krb5cc_3449004:

cifs.upcall: get_existing_cc: default ccache is FILE:/tmp/krb5cc_3449004

Regards

> Best
> Sebastian
>
> Sebastian Kraus
> Team IT am Institut für Chemie
> Gebäude C, Straße des 17. Juni 115, Raum C7
>
> Technische Universität Berlin
> Fakultät II
> Institut für Chemie
> Sekretariat C3
> Straße des 17. Juni 135
> 10623 Berlin
>
> Email: sebastian.kraus at tu-berlin.de

--
[*] sys4 AG
https://sys4.de, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG, 80333 München
Registered office: München, Amtsgericht München: HRB 199263
Executive board: Patrick Ben Koetter, Marc Schiffbauer, Wolfgang Stief
Chairman of the supervisory board: Florian Kirstein
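The credential cache lookup difference reported in the message above can be checked on a client with a small script. This is an added example, not part of the original thread and not code from cifs-utils; the function name classify_ccache and its result strings are hypothetical, and the file naming (krb5cc_UID and krb5cc_UID_suffix) is taken from the paths quoted in the message.

```shell
#!/bin/sh
# Added example (not from the thread or from cifs-utils).
# Classifies the FILE: credential caches present for one UID against the two
# cifs.upcall lookup behaviours reported in the message above.
# classify_ccache and its result strings are hypothetical names.

# classify_ccache DIR UID prints one of:
#   default-present  DIR/krb5cc_UID exists (the fixed default path is there)
#   suffixed-only    only DIR/krb5cc_UID_<suffix> caches exist
#   none             no cache file for this UID in DIR
classify_ccache() {
    dir=$1
    uid=$2
    if [ -f "$dir/krb5cc_$uid" ]; then
        echo default-present
        return 0
    fi
    # The trailing underscore keeps UID 344900 from matching krb5cc_3449004_*.
    for f in "$dir/krb5cc_${uid}_"*; do
        # An unmatched glob is left as a literal string, so test the file.
        if [ -f "$f" ]; then
            echo suffixed-only
            return 0
        fi
    done
    echo none
}

# Stand-alone use: check /tmp for the invoking user, or pass UID and DIR.
classify_ccache "${2:-/tmp}" "${1:-$(id -u)}"
```

A result of suffixed-only is the situation the message reports for Ubuntu 18.04, where cifs.upcall is said to look only at the default path.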
Rowland Penny
2018-Nov-06 09:32 UTC
[Samba] Samba CIFS Mounts with Kerberos Security: Write Access denied
On Tue, 6 Nov 2018 08:37:29 +0000 "Kraus, Sebastian via samba" <samba at lists.samba.org> wrote:
> Hi all,
>
> I am testing different setups for Samba home share mounts via the
> CIFS protocol on Linux clients with and without Kerberos security (both
> krb5 and krb5i). I am experiencing some strange behaviour in case of
> Kerberos authentication:
>
> In case of mounts (by root or the user itself) without Kerberos
> security (only NTLMv2 authentication), local root and the owning user
> on the Linux client is granted read and write access for the files
> within the mounted tree. However, while using Kerberos security, every
> user - even the owner of the files on the mount - is denied write
> access to the files on the mount. Reading access is still granted as
> expected/supposed.
>
> The logging for the client machine on the Samba server side shows
> errors of the following type, while a user owned smbd process tries to
> access files in a writing manner:
>
> [2018/11/06 08:39:49.839769, 5, pid=15886, effective(1166435, 8875), real(1166435, 0)] ../source3/smbd/open.c:317(check_parent_access)
>   check_parent_access: access check on directory . for path yess for mask 0x2 returned (0x2) NT_STATUS_ACCESS_DENIED
> [...]
> [2018/11/06 08:39:49.840334, 3, pid=15886, effective(1166435, 8875), real(1166435, 0)] ../source3/smbd/error.c:82(error_packet_set)
>   NT error packet at ../source3/smbd/error.c(165) cmd=50 (SMBtrans2) NT_STATUS_ACCESS_DENIED
>
> Any suggestions about the possible root cause of the problem?
>

A bit more info might help ;-)

What OS?
What version of Samba?
Packages or self-compiled?
What is in smb.conf?
Anything else you think might be relevant.

Rowland