On Thu, 25 Jan 2024 18:45:52 -0800
Peter Carlson via samba <samba at lists.samba.org> wrote:

> I am getting a permission denied when trying to ls as a domain user a
> samba mount with windows ACLs (sigh I thought I had this figured
> out). I tried to include self descriptive server names and include
> them in the info below (fs1: file server, nc: addc, u2gui: ubuntu
> desktop)
>
> CARLSON\peter at u2gui:~$ ls -l /mnt
> ls: cannot access '/mnt/test': Permission denied
> total 0
> d????????? ? ? ? ???????????? ? test
>
> I followed the wiki
> here: https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
> ... well at least I think I did.
>
>
> CARLSON\peter at fs1:/data$ getfacl test
>
> # file: test
> # owner: root
> # group: CARLSON\\videousers

Where on the wiki page does it say to use 'videousers' as the group?

> root at fs1:/data# samba-tool ntacl get /data/test --as-sddl
>
> O:S-1-22-1-0G:S-1-5-21-33300784-995546578-3414580312-1121D:AI(A;OICI;FA;;;S-1-22-1-0)(A;;FA;;;S-1-5-21-33300784-995546578-3414580312-1121)(A;;FA;;;DA)(A;;FA;;;S-1-5-21-33300784-995546578-3414580312-1121)(A;;FA;;;S-1-5-21-33300784-995546578-3414580312-1121)(A;;FA;;;S-1-22-1-0)(A;;FA;;;WD)(A;OICIIO;FA;;;CO)(A;OICIIO;0x1200a9;;;DA)(A;OICIIO;0x1200a9;;;CG)(A;OICIIO;0x1200a9;;;WD)

I take that 'S-1-5-21-33300784-995546578-3414580312-1121' is the SID for 'videousers'.

> The share mounts and I am a member of the correct groups
>
> CARLSON\peter at u2gui:~$ cat /etc/fstab
> //fs.carlson.lab/test /mnt/test cifs credentials=/root/smbcreds,multiuser,sec=ntlmssp,_netdev 0 0

I think that could be part of your problem, even though you are using
'multiuser', you are mounting as root. Try reading 'man mount.cifs' and
pay particular attention to 'sec=krb5' and 'multiuser', that way you
will not require a password.

Rowland
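The SDDL string from samba-tool quoted above can be decoded into owner, group and individual ACEs with the parser below (an added example, not code from the thread or from Samba). It assumes Samba's S-1-22-1-<uid> / S-1-22-2-<gid> Unix SID mapping and handles DACL-only strings without an SACL; on the posted ACL it shows that Everyone (WD) already holds full control on the directory itself, which is worth seeing before chasing mount options and is a wider grant than most shares need.

```python
import re
SAMPLE_SDDL = (  # SDDL as posted in the thread (samba-tool ntacl get /data/test --as-sddl)
    "O:S-1-22-1-0G:S-1-5-21-33300784-995546578-3414580312-1121D:AI"
    "(A;OICI;FA;;;S-1-22-1-0)(A;;FA;;;S-1-5-21-33300784-995546578-3414580312-1121)"
    "(A;;FA;;;DA)(A;;FA;;;S-1-5-21-33300784-995546578-3414580312-1121)"
    "(A;;FA;;;S-1-5-21-33300784-995546578-3414580312-1121)(A;;FA;;;S-1-22-1-0)"
    "(A;;FA;;;WD)(A;OICIIO;FA;;;CO)(A;OICIIO;0x1200a9;;;DA)"
    "(A;OICIIO;0x1200a9;;;CG)(A;OICIIO;0x1200a9;;;WD)")
# Well-known SDDL SID aliases seen in Samba output, and file-rights aliases / masks
SID_ALIASES = {"DA": "Domain Admins", "DU": "Domain Users", "WD": "Everyone (S-1-1-0)",
               "CO": "Creator Owner (S-1-3-0)", "CG": "Creator Group (S-1-3-1)"}
RIGHTS_ALIASES = {"FA": 0x1F01FF, "FR": 0x120089, "FW": 0x120116, "FX": 0x1200A0}
FILE_ALL_ACCESS = 0x1F01FF  # "Full control" on a file/directory; 0x1200a9 is "Read & execute"

def describe_sid(sid):
    """Expand aliases and Samba's Unix-mapped SIDs (S-1-22-1-<uid>, S-1-22-2-<gid>)."""
    if sid in SID_ALIASES:
        return SID_ALIASES[sid]
    m = re.fullmatch(r"S-1-22-([12])-(\d+)", sid)
    if m:
        return f"Unix {'uid' if m.group(1) == '1' else 'gid'} {m.group(2)}"
    return sid

def parse_rights(token):
    """Rights field is a hex mask or a run of two-letter aliases (e.g. FRFX); OR them."""
    if token.lower().startswith("0x"):
        return int(token, 16)
    mask = 0
    for i in range(0, len(token), 2):
        mask |= RIGHTS_ALIASES[token[i:i + 2]]
    return mask

def parse_sddl(sddl):
    """Split O:<owner>G:<group>D:<flags>(ACE)...; each ACE is type;flags;rights;;;sid."""
    m = re.fullmatch(r"O:(.+?)G:(.+?)D:([A-Z]*)((?:\([^)]*\))*)", sddl)
    if not m:
        raise ValueError("unsupported SDDL layout (SACL present or part missing)")
    owner, group, dacl_flags, ace_text = m.groups()
    aces = []
    for ace in re.findall(r"\(([^)]*)\)", ace_text):
        atype, flags, rights, _obj_guid, _inh_guid, sid = ace.split(";")
        aces.append({"type": atype, "sid": sid, "mask": parse_rights(rights),
                     "flags": [flags[i:i + 2] for i in range(0, len(flags), 2)]})
    return {"owner": owner, "group": group, "dacl_flags": dacl_flags, "aces": aces}

def full_control_sids(parsed):
    """Allow ACEs granting full control on the object itself (inherit-only ones excluded)."""
    return sorted({a["sid"] for a in parsed["aces"] if a["type"] == "A" and "IO" not in
                   a["flags"] and a["mask"] & FILE_ALL_ACCESS == FILE_ALL_ACCESS})
```

Running `parse_sddl(SAMPLE_SDDL)` and feeding the result to `full_control_sids` lists Domain Admins, Unix uid 0, the videousers SID and Everyone as holders of full control on /data/test.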
On 1/26/24 02:35, Rowland Penny via samba wrote:
> On Thu, 25 Jan 2024 18:45:52 -0800
> Peter Carlson via samba <samba at lists.samba.org> wrote:
>
>> I am getting a permission denied when trying to ls as a domain user a
>> samba mount with windows ACLs (sigh I thought I had this figured
>> out). I tried to include self descriptive server names and include
>> them in the info below (fs1: file server, nc: addc, u2gui: ubuntu
>> desktop)
>>
>> CARLSON\peter at u2gui:~$ ls -l /mnt
>> ls: cannot access '/mnt/test': Permission denied
>> total 0
>> d????????? ? ? ? ???????????? ? test
>>
>> I followed the wiki
>> here: https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
>> ... well at least I think I did.
>>
>>
>> CARLSON\peter at fs1:/data$ getfacl test
>>
>> # file: test
>> # owner: root
>> # group: CARLSON\\videousers
> Where on the wiki page does it say to use 'videousers' as the group?

So the wiki is not clear. It uses the terms "for instance":

  Select a user or group from the list, Domain Users **for instance**.
  Select permissions to grant, Full control **for instance**.

This leaves the impression that it can be something else. If it needs to be Domain Users / Admins that should be stated as such.

It would also be helpful in the wiki to show the full permissions that are suggested for the share, perhaps using the advanced view:
https://pasteboard.co/m6j9vYkRkt3q.png

In any case I redid the share and set it as shown in the paste. I tested access both through windows and gio mount.

>> The share mounts and I am a member of the correct groups
>>
>> CARLSON\peter at u2gui:~$ cat /etc/fstab
>> //fs.carlson.lab/test /mnt/test cifs
>> credentials=/root/smbcreds,multiuser,sec=ntlmssp,_netdev 0 0
> I think that could be part of your problem, even though you are using
> 'multiuser', you are mounting as root. try reading 'man mount.cifs' and
> pay particular attention to 'sec=krb5' and 'multiuser', that way you
> will not require a password.
>
> Rowland

I thought that the multiuser mount could be made with ntlmssp as well using a creds file, however I will go and set it up using krb and then report back
On 1/26/24 02:35, Rowland Penny via samba wrote:
> On Thu, 25 Jan 2024 18:45:52 -0800 Peter Carlson via samba
> <samba at lists.samba.org> wrote:
>> The share mounts and I am a member of the correct groups
>> CARLSON\peter at u2gui:~$ cat /etc/fstab
>> //fs.carlson.lab/test /mnt/test cifs credentials=/root/smbcreds,multiuser,sec=ntlmssp,_netdev 0 0
> I think that could be part of your problem, even though you are using
> 'multiuser', you are mounting as root. try reading 'man mount.cifs'
> and pay particular attention to 'sec=krb5' and 'multiuser', that way
> you will not require a password.
>
> Rowland

OK, I am a bit confused on mounting using service tickets and krb5. I created the ticket on the client linux machine:

root at u2gui:~# kinit -k U2GUI$
root at u2gui:~# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: U2GUI$@CARLSON.LAB
Valid starting       Expires              Service principal
01/26/2024 09:13:19  01/26/2024 19:13:19  krbtgt/CARLSON.LAB at CARLSON.LAB
	renew until 01/27/2024 09:13:18

and the fstab:

//fs.carlson.lab/test /mnt/test cifs vers=3.0,multiuser,sec=krb5,_netdev 0 0

then when I mount:

root at u2gui:~# mount -a
mount error(126): Required key not available
Refer to the mount.cifs(8) manual page (e.g. man mount.cifs) and kernel log messages (dmesg)
root at u2gui:~# mount -t cifs -o multiuser,sec=krb5 //192.168.1.52/Test /mnt/test
mount error(126): Required key not available
Refer to the mount.cifs(8) manual page (e.g. man mount.cifs) and kernel log messages (dmesg)

The log seems to indicate it is getting a service ticket for the file server. I think I am missing an important step somewhere, but I feel a bit like I'm stabbing. Information on the highly reliable web </sarcasm> conflicts: some say it works with a computer service account, others say you need a user account added to the keytab. Is there a reliable guide that helps a starter like me?
LOG:
Jan 26 09:24:56 u2gui kernel: [1214460.606344] CIFS: Attempting to mount \\fs.carlson.lab\test
Jan 26 09:24:56 u2gui cifs.upcall: key description: cifs.spnego;0;0;39010000;ver=0x2;host=fs.carlson.lab;ip4=192.168.1.52;sec=krb5;uid=0x0;creduid=0x0;user=root;pid=0x24e63
Jan 26 09:24:56 u2gui cifs.upcall: ver=2
Jan 26 09:24:56 u2gui cifs.upcall: host=fs.carlson.lab
Jan 26 09:24:56 u2gui cifs.upcall: ip=192.168.1.52
Jan 26 09:24:56 u2gui cifs.upcall: sec=1
Jan 26 09:24:56 u2gui cifs.upcall: uid=0
Jan 26 09:24:56 u2gui cifs.upcall: creduid=0
Jan 26 09:24:56 u2gui cifs.upcall: user=root
Jan 26 09:24:56 u2gui cifs.upcall: pid=151139
Jan 26 09:24:56 u2gui cifs.upcall: get_cachename_from_process_env: pid == 0
Jan 26 09:24:56 u2gui cifs.upcall: get_existing_cc: default ccache is FILE:/tmp/krb5cc_0
Jan 26 09:24:56 u2gui cifs.upcall: handle_krb5_mech: getting service ticket for fs.carlson.lab
Jan 26 09:24:56 u2gui cifs.upcall: cifs_krb5_get_req: unable to get credentials for fs.carlson.lab
Jan 26 09:24:56 u2gui cifs.upcall: handle_krb5_mech: failed to obtain service ticket (-1765328377)
Jan 26 09:24:56 u2gui cifs.upcall: Unable to obtain service ticket
Jan 26 09:24:56 u2gui cifs.upcall: Exit status -1765328377
Jan 26 09:24:56 u2gui kernel: [1214460.675126] CIFS: VFS: Verify user has a krb5 ticket and keyutils is installed
Jan 26 09:24:56 u2gui kernel: [1214460.675136] CIFS: VFS: \\fs.carlson.lab Send error in SessSetup = -126
Jan 26 09:24:56 u2gui kernel: [1214460.675166] CIFS: VFS: cifs_mount failed w/return code = -126
Jan 26 09:24:56 u2gui kernel: [1214460.677668] CIFS: Attempting to mount \\fs.carlson.lab\test
Jan 26 09:24:56 u2gui cifs.upcall: key description: cifs.spnego;0;0;39010000;ver=0x2;host=fs.carlson.lab;ip4=192.168.1.52;sec=krb5;uid=0x0;creduid=0x1e88d3;user=root;pid=0x24e63
Jan 26 09:24:56 u2gui cifs.upcall: ver=2
Jan 26 09:24:56 u2gui cifs.upcall: host=fs.carlson.lab
Jan 26 09:24:56 u2gui cifs.upcall: ip=192.168.1.52
Jan 26 09:24:56 u2gui cifs.upcall: sec=1
Jan 26 09:24:56 u2gui cifs.upcall: uid=0
Jan 26 09:24:56 u2gui cifs.upcall: creduid=2001107
Jan 26 09:24:56 u2gui cifs.upcall: user=root
Jan 26 09:24:56 u2gui cifs.upcall: pid=151139
Jan 26 09:24:56 u2gui cifs.upcall: get_cachename_from_process_env: pathname=/proc/151139/environ
Jan 26 09:24:56 u2gui cifs.upcall: get_existing_cc: default ccache is FILE:/tmp/krb5cc_2001107
Jan 26 09:24:56 u2gui cifs.upcall: get_tgt_time: unable to get principal
Jan 26 09:24:56 u2gui cifs.upcall: krb5_get_init_creds_keytab: -1765328378
Jan 26 09:24:56 u2gui cifs.upcall: Exit status 1
Jan 26 09:24:56 u2gui kernel: [1214461.218431] CIFS: VFS: Verify user has a krb5 ticket and keyutils is installed
Jan 26 09:24:56 u2gui kernel: [1214461.218443] CIFS: VFS: \\fs.carlson.lab Send error in SessSetup = -126
Jan 26 09:24:56 u2gui kernel: [1214461.218466] CIFS: VFS: cifs_mount failed w/return code = -126
Jan 26 09:30:01 u2gui CRON[151161]: (root) CMD ([ -x /etc/init.d/anacron ] && if [ ! -d /run/systemd/system ]; then /usr/sbin/invoke-rc.d anacron start >/dev/null; fi)
Jan 26 09:31:28 u2gui systemd[1]: Started Run anacron jobs.
Jan 26 09:31:28 u2gui anacron[151162]: Anacron 2.3 started on 2024-01-26
Jan 26 09:31:28 u2gui anacron[151162]: Normal exit (0 jobs run)
Jan 26 09:31:28 u2gui systemd[1]: anacron.service: Deactivated successfully.