thr3ads.net - samba - [Samba] permission denied with windows acls [Jan 2024]

If this information is useful, please help other people find it:
Share via:

Peter Carlson

2024-Jan-26 17:34 UTC

[Samba] permission denied with windows acls

On 1/26/24 02:35, Rowland Penny via samba wrote:> On Thu, 25 Jan 2024 18:45:52 -0800 Peter Carlson via samba 
> <samba at lists.samba.org> wrote:
>> The share mounts and I am a member of the correct groups 
>> CARLSON\peter at u2gui:~$ cat /etc/fstab //fs.carlson.lab/test
/mnt/test
>> cifs credentials=/root/smbcreds,multiuser,sec=ntlmssp,_netdev 0 0 
> I think that could be part of your problem, even though you are using 
> 'multiuser', you are mounting as root. try reading 'man
mount.cifs'
> and pay particular attention to 'sec=krb5' and 'multiuser',
that way
> you will not require a password. Rowland ok I am a bit confused on mounting using service tickets and krb5. I 
created the ticket on the client linux machine:

    root at u2gui:~# kinit -k U2GUI$
    root at u2gui:~# klist
    Ticket cache: FILE:/tmp/krb5cc_0
    Default principal: U2GUI$@CARLSON.LAB

    Valid starting?????? Expires????????????? Service principal
    01/26/2024 09:13:19? 01/26/2024 19:13:19 krbtgt/CARLSON.LAB at CARLSON.LAB
     ?? ?renew until 01/27/2024 09:13:18

and the fstab:

    //fs.carlson.lab/test /mnt/test cifs
    vers=3.0,multiuser,sec=krb5,_netdev 0 0


then when I mount:

    root at u2gui:~# mount -a
    mount error(126): Required key not available
    Refer to the mount.cifs(8) manual page (e.g. man mount.cifs) and
    kernel log messages (dmesg)

    root at u2gui:~# mount -t cifs -o multiuser,sec=krb5
    //192.168.1.52/Test /mnt/test
    mount error(126): Required key not available
    Refer to the mount.cifs(8) manual page (e.g. man mount.cifs) and
    kernel log messages (dmesg)

The log seems to indicate it is getting a service ticket for the file 
server.? I think I am missing an important step somewhere, but I feel a 
bit like I'm stabbing.? Information on the highly reliable web 
</sarcasm> conflicts, some say it works with a computer service account 
others say you need a user account added to the keytab.? is there a 
reliable guide that helps a starter like me?


LOG:

Jan 26 09:24:56 u2gui kernel: [1214460.606344] CIFS: Attempting to mount 
\\fs.carlson.lab\test
Jan 26 09:24:56 u2gui cifs.upcall: key description: 
cifs.spnego;0;0;39010000;ver=0x2;host=fs.carlson.lab;ip4=192.168.1.52;sec=krb5;uid=0x0;creduid=0x0;user=root;pid=0x24e63
Jan 26 09:24:56 u2gui cifs.upcall: ver=2
Jan 26 09:24:56 u2gui cifs.upcall: host=fs.carlson.lab
Jan 26 09:24:56 u2gui cifs.upcall: ip=192.168.1.52
Jan 26 09:24:56 u2gui cifs.upcall: sec=1
Jan 26 09:24:56 u2gui cifs.upcall: uid=0
Jan 26 09:24:56 u2gui cifs.upcall: creduid=0
Jan 26 09:24:56 u2gui cifs.upcall: user=root
Jan 26 09:24:56 u2gui cifs.upcall: pid=151139
Jan 26 09:24:56 u2gui cifs.upcall: get_cachename_from_process_env: pid == 0
Jan 26 09:24:56 u2gui cifs.upcall: get_existing_cc: default ccache is 
FILE:/tmp/krb5cc_0
Jan 26 09:24:56 u2gui cifs.upcall: handle_krb5_mech: getting service 
ticket for fs.carlson.lab
Jan 26 09:24:56 u2gui cifs.upcall: cifs_krb5_get_req: unable to get 
credentials for fs.carlson.lab
Jan 26 09:24:56 u2gui cifs.upcall: handle_krb5_mech: failed to obtain 
service ticket (-1765328377)
Jan 26 09:24:56 u2gui cifs.upcall: Unable to obtain service ticket
Jan 26 09:24:56 u2gui cifs.upcall: Exit status -1765328377
Jan 26 09:24:56 u2gui kernel: [1214460.675126] CIFS: VFS: Verify user 
has a krb5 ticket and keyutils is installed
Jan 26 09:24:56 u2gui kernel: [1214460.675136] CIFS: VFS: 
\\fs.carlson.lab Send error in SessSetup = -126
Jan 26 09:24:56 u2gui kernel: [1214460.675166] CIFS: VFS: cifs_mount 
failed w/return code = -126
Jan 26 09:24:56 u2gui kernel: [1214460.677668] CIFS: Attempting to mount 
\\fs.carlson.lab\test
Jan 26 09:24:56 u2gui cifs.upcall: key description: 
cifs.spnego;0;0;39010000;ver=0x2;host=fs.carlson.lab;ip4=192.168.1.52;sec=krb5;uid=0x0;creduid=0x1e88d3;user=root;pid=0x24e63
Jan 26 09:24:56 u2gui cifs.upcall: ver=2
Jan 26 09:24:56 u2gui cifs.upcall: host=fs.carlson.lab
Jan 26 09:24:56 u2gui cifs.upcall: ip=192.168.1.52
Jan 26 09:24:56 u2gui cifs.upcall: sec=1
Jan 26 09:24:56 u2gui cifs.upcall: uid=0
Jan 26 09:24:56 u2gui cifs.upcall: creduid=2001107
Jan 26 09:24:56 u2gui cifs.upcall: user=root
Jan 26 09:24:56 u2gui cifs.upcall: pid=151139
Jan 26 09:24:56 u2gui cifs.upcall: get_cachename_from_process_env: 
pathname=/proc/151139/environ
Jan 26 09:24:56 u2gui cifs.upcall: get_existing_cc: default ccache is 
FILE:/tmp/krb5cc_2001107
Jan 26 09:24:56 u2gui cifs.upcall: get_tgt_time: unable to get principal
Jan 26 09:24:56 u2gui cifs.upcall: krb5_get_init_creds_keytab: -1765328378
Jan 26 09:24:56 u2gui cifs.upcall: Exit status 1
Jan 26 09:24:56 u2gui kernel: [1214461.218431] CIFS: VFS: Verify user 
has a krb5 ticket and keyutils is installed
Jan 26 09:24:56 u2gui kernel: [1214461.218443] CIFS: VFS: 
\\fs.carlson.lab Send error in SessSetup = -126
Jan 26 09:24:56 u2gui kernel: [1214461.218466] CIFS: VFS: cifs_mount 
failed w/return code = -126
Jan 26 09:30:01 u2gui CRON[151161]: (root) CMD ([ -x /etc/init.d/anacron 
] && if [ ! -d /run/systemd/system ]; then /usr/sbin/invoke-rc.d anacron
start >/dev/null; fi)
Jan 26 09:31:28 u2gui systemd[1]: Started Run anacron jobs.
Jan 26 09:31:28 u2gui anacron[151162]: Anacron 2.3 started on 2024-01-26
Jan 26 09:31:28 u2gui anacron[151162]: Normal exit (0 jobs run)
Jan 26 09:31:28 u2gui systemd[1]: anacron.service: Deactivated successfully.

Peter Carlson

2024-Jan-26 20:27 UTC

head link

[Samba] permission denied with windows acls

On 1/26/24 09:34, Peter Carlson via samba wrote:>
> On 1/26/24 02:35, Rowland Penny via samba wrote:
>> On Thu, 25 Jan 2024 18:45:52 -0800 Peter Carlson via samba 
>> <samba at lists.samba.org> wrote:
>>> The share mounts and I am a member of the correct groups 
>>> CARLSON\peter at u2gui:~$ cat /etc/fstab //fs.carlson.lab/test 
>>> /mnt/test cifs 
>>> credentials=/root/smbcreds,multiuser,sec=ntlmssp,_netdev 0 0 
>> I think that could be part of your problem, even though you are using 
>> 'multiuser', you are mounting as root. try reading 'man
mount.cifs'
>> and pay particular attention to 'sec=krb5' and
'multiuser', that way
>> you will not require a password. Rowland 
> ok I am a bit confused on mounting using service tickets and krb5. I 
> created the ticket on the client linux machine:
>
> ?? root at u2gui:~# kinit -k U2GUI$
> ?? root at u2gui:~# klist
> ?? Ticket cache: FILE:/tmp/krb5cc_0
> ?? Default principal: U2GUI$@CARLSON.LAB
>
> ?? Valid starting?????? Expires????????????? Service principal
> ?? 01/26/2024 09:13:19? 01/26/2024 19:13:19 
> krbtgt/CARLSON.LAB at CARLSON.LAB
> ??? ?? ?renew until 01/27/2024 09:13:18
>
> and the fstab:
>
> ?? //fs.carlson.lab/test /mnt/test cifs
> ?? vers=3.0,multiuser,sec=krb5,_netdev 0 0
>
>ok, I did figure out the required key not available, but now it's 
permission denied

    root at u2gui:~# mount -a
    mount error(13): Permission denied

The logs seem to indicate that it is trying to connect as user u2gui.? I 
thought it mounted with a service account?


[2024/01/26 20:19:59.402444,? 3] 
../../source3/auth/auth_generic.c:173(auth3_generate_session_info_pac)
 ? Kerberos ticket principal name is [U2GUI$@CARLSON.LAB]
[2024/01/26 20:19:59.404439,? 3] 
../../source3/param/loadparm.c:3998(lp_load_ex)
 ? lp_load_ex: refreshing parameters
[2024/01/26 20:19:59.404550,? 3] 
../../source3/param/loadparm.c:560(init_globals)
 ? Initialising global parameters
[2024/01/26 20:19:59.404675,? 3] 
../../source3/param/loadparm.c:2900(lp_do_section)
 ? Processing section "[global]"
[2024/01/26 20:19:59.404926,? 2] 
../../source3/param/loadparm.c:2917(lp_do_section)
 ? Processing section "[Test]"
[2024/01/26 20:19:59.404992,? 3] 
../../source3/param/loadparm.c:1684(lp_add_ipc)
 ? adding IPC service
[2024/01/26 20:19:59.405125,? 3] 
../../source3/smbd/password.c:84(register_homes_share)
 ? Adding homes service for user 'CARLSON\u2gui$' using home directory: 
'/home/u2gui_ at CARLSON'
[2024/01/26 20:19:59.405903,? 3] ../../lib/util/access.c:372(allow_access)
 ? Allowed connection from 192.168.1.54 (192.168.1.54)
[2024/01/26 20:19:59.405993,? 3] 
../../source3/smbd/smb2_service.c:584(make_connection_snum)
 ? make_connection_snum: Connect path is '/tmp' for service [IPC$]
[2024/01/26 20:19:59.406045,? 3] 
../../source3/smbd/vfs.c:115(vfs_init_default)
 ? Initialising default vfs hooks
[2024/01/26 20:19:59.406058,? 3] 
../../source3/smbd/vfs.c:141(vfs_init_custom)
 ? Initialising custom vfs hooks from [/[Default VFS]/]
[2024/01/26 20:19:59.406066,? 3] 
../../source3/smbd/vfs.c:141(vfs_init_custom)
 ? Initialising custom vfs hooks from [acl_xattr]
[2024/01/26 20:19:59.407376,? 3] 
../../lib/util/modules.c:167(load_module_absolute_path)
 ? load_module_absolute_path: Module 
'/usr/lib/x86_64-linux-gnu/samba/vfs/acl_xattr.so' loaded
[2024/01/26 20:19:59.407438,? 2] 
../../source3/modules/vfs_acl_xattr.c:206(connect_acl_xattr)
 ? connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = 
true' and 'force unknown acl user = true' for service IPC$
[2024/01/26 20:19:59.407562,? 3] 
../../source3/smbd/smb2_service.c:814(make_connection_snum)
 ? 192.168.1.54 (ipv4:192.168.1.54:57442) signed connect to service IPC$ 
initially as user CARLSON\u2gui$ (uid=2001115, gid=2000515) (pid 42056)
[2024/01/26 20:19:59.408091,? 3] ../../lib/util/access.c:372(allow_access)
 ? Allowed connection from 192.168.1.54 (192.168.1.54)
[2024/01/26 20:19:59.408163,? 3] 
../../source3/smbd/smb2_service.c:584(make_connection_snum)
 ? make_connection_snum: Connect path is '/data/test' for service [Test]
[2024/01/26 20:19:59.408185,? 3] 
../../source3/smbd/vfs.c:115(vfs_init_default)
 ? Initialising default vfs hooks
[2024/01/26 20:19:59.408194,? 3] 
../../source3/smbd/vfs.c:141(vfs_init_custom)
 ? Initialising custom vfs hooks from [/[Default VFS]/]
[2024/01/26 20:19:59.408201,? 3] 
../../source3/smbd/vfs.c:141(vfs_init_custom)
 ? Initialising custom vfs hooks from [acl_xattr]
[2024/01/26 20:19:59.408212,? 2] 
../../source3/modules/vfs_acl_xattr.c:206(connect_acl_xattr)
 ? connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = 
true' and 'force unknown acl user = true' for service Test
[2024/01/26 20:19:59.408321,? 2] 
../../source3/smbd/smb2_service.c:814(make_connection_snum)
 ? 192.168.1.54 (ipv4:192.168.1.54:57442) signed connect to service Test 
initially as user CARLSON\u2gui$ (uid=2001115, gid=2000515) (pid 42056)
[2024/01/26 20:19:59.408773,? 0] 
../../source3/smbd/smb2_service.c:117(chdir_current_service)
 ? chdir_current_service: vfs_ChDir(/data/test) failed: Permission 
denied. Current token: uid=2001115, gid=2000515, 5 groups: 2001115 
2000515 10003 10004 10006
[2024/01/26 20:19:59.408817,? 3] 
../../source3/smbd/smb2_server.c:4031(smbd_smb2_request_error_ex)
 ? smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] 
status[NT_STATUS_ACCESS_DENIED] || at ../../source3/smbd/smb2_server.c:3322
[2024/01/26 20:19:59.409054,? 3] 
../../source3/smbd/msdfs.c:984(get_referred_path)
 ? get_referred_path: |test| in dfs path \fs1.carlson.lab\test is not a 
dfs root.
[2024/01/26 20:19:59.409083,? 3] 
../../source3/smbd/smb2_server.c:4031(smbd_smb2_request_error_ex)
 ? smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] 
status[NT_STATUS_NOT_FOUND] || at ../../source3/smbd/smb2_ioctl.c:353
[2024/01/26 20:19:59.409380,? 0] 
../../source3/smbd/smb2_service.c:117(chdir_current_service)
 ? chdir_current_service: vfs_ChDir(/data/test) failed: Permission 
denied. Current token: uid=2001115, gid=2000515, 5 groups: 2001115 
2000515 10003 10004 10006
[2024/01/26 20:19:59.409436,? 3] 
../../source3/smbd/smb2_server.c:4031(smbd_smb2_request_error_ex)
 ? smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] 
status[NT_STATUS_ACCESS_DENIED] || at ../../source3/smbd/smb2_server.c:3322
[2024/01/26 20:19:59.409825,? 0] 
../../source3/smbd/smb2_service.c:117(chdir_current_service)
 ? chdir_current_service: vfs_ChDir(/data/test) failed: Permission 
denied. Current token: uid=2001115, gid=2000515, 5 groups: 2001115 
2000515 10003 10004 10006
[2024/01/26 20:19:59.409882,? 3] 
../../source3/smbd/smb2_server.c:4031(smbd_smb2_request_error_ex)
 ? smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] 
status[NT_STATUS_ACCESS_DENIED] || at ../../source3/smbd/smb2_server.c:3322
[2024/01/26 20:19:59.410197,? 3] 
../../source3/smbd/smb2_service.c:907(close_cnum)
 ? 192.168.1.54 (ipv4:192.168.1.54:57442) closed connection to service IPC$
[2024/01/26 20:19:59.410303,? 2] 
../../source3/smbd/smb2_service.c:907(close_cnum)
 ? 192.168.1.54 (ipv4:192.168.1.54:57442) closed connection to service Test
[2024/01/26 20:19:59.546220,? 3] 
../../source3/smbd/server_exit.c:229(exit_server_common)
 ? Server exit (NT_STATUS_END_OF_FILE)

Apparently Analagous Threads

Search for more reasonably related threads

samba - Jan 2024 - permission denied with windows acls

[Samba] permission denied with windows acls

[Samba] permission denied with windows acls

Apparently Analagous Threads