On 1/28/24 10:06, Rowland Penny via samba wrote:
> On Sun, 28 Jan 2024 09:40:22 -0800
> Peter Carlson via samba <samba at lists.samba.org> wrote:
>
>> On 1/28/24 09:27, Rowland Penny via samba wrote:
>>> On Sun, 28 Jan 2024 08:47:28 -0800
>>> Peter Carlson via samba <samba at lists.samba.org> wrote:
>>>
>>>> On 1/27/24 03:19, Rowland Penny via samba wrote:
>>>>> You are close, but are missing a parameter, try opening a terminal
>>>>> on u2gui (which I take it is the hostname for the domain joined
>>>>> client you are trying to mount the share to). Then type this:
>>>>>
>>>>> sudo mount -t cifs //fs.carlson.lab/test /mnt/test -o
>>>>> sec=krb5,username=U2GUI$,multiuser
>>>>>
>>>>> Now go and look at /mnt/test
>>>>>
>>>>> Rowland
>>>>>
>>>> I am still getting permission denied. Does the machine need a user
>>>> account? I thought that with multiuser it just needed a computer
>>>> account
>>> It does just need a computer account and a computer account is just
>>> a user account with an extra objectclass.
>> except that the computer isn't normally a member of Domain Users, but
>> Domain Computers...so...that got me thinking and I added the computer
>> to Domain Users and now it can mount. But is that the right thing to
>> do?
> I come back to the fact that it works for myself without doing anything
> like that:
> sudo ldbsearch -H /var/lib/samba/private/sam.ldb -P -b
> dc=samdom,dc=example,dc=com
> '(&(objectCategory=computer)(primaryGroupID=515))' dn | grep TESTDM12
> dn: CN=TESTDM12,CN=Computers,DC=samdom,DC=example,DC=com
>
> Rowland
>

By any chance does your share permission for the share allow Domain Computers? Mine is only set up for Domain Admins and Domain Users, so here goes with a huge dump of data. Let's see if there is something bizarre in all of this (BTW, I have a 2nd VM that is only cli and it behaves the same way. Its config is similar except it does KDC via DNS lookup).
root at nc1:/var/log/samba# ldbsearch -H /var/lib/samba/private/sam.ldb -P -b dc=carlson,dc=lab '(&(objectCategory=computer)(primaryGroupID=515))' dn memberOf
...
# record 2
dn: CN=U2GUI,CN=Computers,DC=carlson,DC=lab
memberOf: CN=Domain Users,CN=Users,DC=carlson,DC=lab

root at u2gui:~# klist
Ticket cache: FILE:/tmp/krb5cc_2001107
Default principal: U2GUI$@CARLSON.LAB
Valid starting       Expires              Service principal
01/28/2024 08:37:39  01/28/2024 18:37:39  krbtgt/CARLSON.LAB at CARLSON.LAB
	renew until 01/29/2024 08:37:38
----------------------------------------------------------------------------
root at u2gui:~# cat /etc/samba/smb.conf
[global]
server string = %h server (Samba, Ubuntu)
   log file = /var/log/samba/log.%m
   max log size = 1000
   logging = file
   panic action = /usr/share/samba/panic-action %d
kerberos method = secrets and keytab
realm = CARLSON.LAB
workgroup = CARLSON
template homedir = /home/%U@%D
template shell = /bin/bash
security = ads
idmap config CARLSON : range = 2000000-2999999
idmap config CARLSON : backend = rid
idmap config * : range = 10000-999999
idmap config * : backend = tdb
vfs objects = acl_xattr
map acl inherit = yes
winbind use default domain = no
winbind refresh tickets = yes
winbind offline logon = yes
winbind enum groups = no
winbind enum users = no
apply group policies = yes
--------------------------------------------------------------------------
root at u2gui:~# cat /etc/krb5.conf
[libdefaults]
	default_realm = CARLSON.LAB
	dns_lookup_realm = false
	dns_lookup_kdc = true
# The following krb5.conf variables are only for MIT Kerberos.
	kdc_timesync = 1
	ccache_type = 4
	forwardable = true
	proxiable = true
	default_ccache_name = FILE:/tmp/krb5cc_%{euid}
# The following libdefaults parameters are only for Heimdal Kerberos.
	fcc-mit-ticketflags = true
[realms]
	CARLSON.LAB = {
		kdc = nc1.carlson.lab
	}
[domain_realm]
--------------------------------------- File Server Config ------------------------------------------------
root at fs1:/var/log/samba# cat /etc/samba/smb.conf
[global]
server string = %h server (Samba, Ubuntu)
   log file = /var/log/samba/log.%m
   max log size = 1000
   logging = file
   panic action = /usr/share/samba/panic-action %d
log level = 3
kerberos method = secrets and keytab
realm = CARLSON.LAB
workgroup = CARLSON
template homedir = /home/%U@%D
template shell = /bin/bash
security = ads
idmap config CARLSON : range = 2000000-2999999
idmap config CARLSON : backend = rid
idmap config * : range = 10000-999999
idmap config * : backend = tdb
vfs objects = acl_xattr
map acl inherit = yes
winbind use default domain = no
winbind refresh tickets = yes
winbind offline logon = yes
winbind enum groups = no
winbind enum users = no
apply group policies = yes
#======================= Share Definitions =======================
[Test]
    path = /data/test
    comment = test
    writable = yes

getfacl: Removing leading '/' from absolute path names
# file: data/test
# owner: root
# group: CARLSON\\domain\040admins
# flags: --t
user::rwx
user:root:rwx
user:CARLSON\\domain\040admins:rwx
user:CARLSON\\domain\040users:r-x
group::rwx
group:CARLSON\\domain\040admins:rwx
group:CARLSON\\domain\040users:r-x
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:CARLSON\\domain\040admins:rwx
default:user:CARLSON\\domain\040users:r-x
default:group::---
default:group:CARLSON\\domain\040admins:rwx
default:group:CARLSON\\domain\040users:r-x
default:mask::rwx
default:other::---
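To make concrete what the getfacl output above allows and denies, here is an added example written for this page; it is not code from the thread or from the Samba project. It parses getfacl output and evaluates it with the POSIX ACL access-check order described in acl(5): owner entry first, then a named user entry, then the owning-group and named-group entries (with mask:: applied to all of them, and a matched group entry that lacks the requested permission denying rather than falling through), and only then other::. The embedded ACL is constructed from the /data/test entries posted above with the default: entries left out, and the user and group names (CARLSON\peter, CARLSON\u2cli$, CARLSON\domain users, CARLSON\domain computers) are assumptions spelled the way the posted getfacl output spells the domain groups. One caveat: with vfs objects = acl_xattr, smbd enforces the NT ACL it stores in the security.NTACL extended attribute, and the POSIX ACL getfacl shows is the derived approximation, so this script models the access decision rather than reproducing Samba's own code path.

```python
import re
from typing import Dict, Set, Tuple

# Constructed sample: the ACL of the share root /data/test as posted in the
# thread, minus the default: entries (they only govern newly created children).
SAMPLE_GETFACL = r"""
# file: data/test
# owner: root
# group: CARLSON\\domain\040admins
# flags: --t
user::rwx
user:root:rwx
user:CARLSON\\domain\040admins:rwx
user:CARLSON\\domain\040users:r-x
group::rwx
group:CARLSON\\domain\040admins:rwx
group:CARLSON\\domain\040users:r-x
mask::rwx
other::---
"""


def unescape(name: str) -> str:
    # getfacl writes '\\' for a literal backslash and '\040' (octal) for a space.
    return re.sub(
        r"\\(\\|[0-7]{3})",
        lambda m: "\\" if m.group(1) == "\\" else chr(int(m.group(1), 8)),
        name,
    )


def parse_getfacl(text: str) -> Dict[str, object]:
    # Permissions are kept as sets of 'r', 'w', 'x' so subset tests do the work.
    acl = {"owner": None, "group": None, "user_obj": set(), "users": {},
           "group_obj": set(), "groups": {}, "mask": None, "other": set()}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("default:"):
            continue
        if line.startswith("#"):
            m = re.match(r"#\s*(owner|group):\s*(.+)", line)
            if m:
                acl[m.group(1)] = unescape(m.group(2))
            continue
        tag, qualifier, perms = line.split(":", 2)
        pset = set(perms) - {"-"}
        if tag == "user":
            if qualifier:
                acl["users"][unescape(qualifier)] = pset
            else:
                acl["user_obj"] = pset
        elif tag == "group":
            if qualifier:
                acl["groups"][unescape(qualifier)] = pset
            else:
                acl["group_obj"] = pset
        elif tag == "mask":
            acl["mask"] = pset
        elif tag == "other":
            acl["other"] = pset
    return acl


def check_access(acl: Dict[str, object], user: str, groups: Set[str],
                 want: str) -> Tuple[bool, str]:
    # Returns (granted, which entry decided it), following acl(5).
    need = set(want)
    mask = acl["mask"]

    def effective(p: Set[str]) -> Set[str]:
        # mask:: limits every entry except user:: and other::.
        return p if mask is None else p & mask

    if user == acl["owner"]:
        return need <= acl["user_obj"], "user::"
    if user in acl["users"]:
        return need <= effective(acl["users"][user]), "user:" + user
    matched = []
    if acl["group"] in groups:
        matched.append(("group::", effective(acl["group_obj"])))
    for g, p in acl["groups"].items():
        if g in groups:
            matched.append(("group:" + g, effective(p)))
    if matched:
        for label, p in matched:
            if need <= p:
                return True, label
        # A matching group entry without the bits denies; no fallthrough.
        return False, "group entries matched but none grants " + want
    return need <= acl["other"], "other::"


SHARE_ACL = parse_getfacl(SAMPLE_GETFACL)

# Assumed names, spelled as the posted getfacl output spells the groups.
DOMAIN_USERS = "CARLSON\\domain users"
DOMAIN_COMPUTERS = "CARLSON\\domain computers"


def share_root_access(user: str, groups: Set[str], want: str = "rx") -> bool:
    # r and x on the share root is the minimum needed to list and traverse it.
    return check_access(SHARE_ACL, user, groups, want)[0]


if __name__ == "__main__":
    for user, groups, want in [
        ("CARLSON\\peter", {DOMAIN_USERS}, "rx"),
        ("CARLSON\\u2cli$", {DOMAIN_COMPUTERS}, "rx"),
        ("CARLSON\\u2cli$", {DOMAIN_COMPUTERS, DOMAIN_USERS}, "rx"),
        ("CARLSON\\peter", {DOMAIN_USERS}, "rwx"),
    ]:
        ok, why = check_access(SHARE_ACL, user, groups, want)
        print(f"{user:18} wants {want:3} -> {'allowed' if ok else 'denied':7} ({why})")
```

Run as is, the script shows the machine account, whose only group is Domain Computers, landing on other::--- and being denied, and the same account being granted through the Domain Users group entry once that membership is added, which matches the behaviour reported in the thread; it also shows a Domain Users member being denied write because the r-x group entry matched and did not fall through to any later entry.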
Ok, so I started with a clean slate. Same thing, only works if I add the computer account to Domain users.

smbd Version 4.15.13-Ubuntu

root at u2cli:~# getent passwd CARLSON\\peter
CARLSON\peter:*:2001107:2000513::/home/peter at CARLSON:/bin/bash
root at u2cli:~# mkdir -m 1777 /mnt/test
root at u2cli:~# kinit -V -k U2CLI$
Using default cache: /tmp/krb5cc_0
Using principal: U2CLI$@CARLSON.LAB
Authenticated to Kerberos v5
root at u2cli:~# mount -t cifs //fs1.carlson.lab/test /mnt/test -o sec=krb5,username=U2CLI$,multiuser
mount error(13): Permission denied
Refer to the mount.cifs(8) manual page (e.g. man mount.cifs) and kernel log messages (dmesg)
root at u2cli:~# reboot
root at u2cli:~# mount -t cifs //fs1.carlson.lab/test /mnt/test -o sec=krb5,username=U2CLI$,multiuser
mount error(13): Permission denied
Refer to the mount.cifs(8) manual page (e.g. man mount.cifs) and kernel log messages (dmesg)
------------ add U2CLI to Domain Users ------------------
root at u2cli:~# mount -t cifs //fs1.carlson.lab/test /mnt/test -o sec=krb5,username=U2CLI$,multiuser
root at u2cli:~# mount | grep fs1
//fs1.carlson.lab/test on /mnt/test type cifs (rw,relatime,vers=3.1.1,sec=krb5,cruid=0,cache=strict,multiuser,uid=0,noforceuid,gid=0,noforcegid,addr=192.168.1.52,file_mode=0755,dir_mode=0755,soft,nounix,serverino,mapposix,noperm,rsize=4194304,wsize=4194304,bsize=1048576,echo_interval=60,actimeo=1,closetimeo=1)
root at u2cli:~#
------------------ Full History -------------------------
    1  apt update && apt upgrade
    2  apt install htop qemu-guest-agent mlocate
    3  apt install acl attr samba winbind libpam-winbind libnss-winbind krb5-config krb5-user dnsutils python3-setproctitle smbclient cifs-utils
    4  vi /etc/hosts
    5  cat > /etc/samba/smb.conf
    6  cat > /etc/krb5.conf
    7  net ads join -U peter
    8  pam-auth-update
    9  systemctl restart smbd.service nmbd.service winbind.service
   10  wbinfo --ping-dc
   11  getent passwd CARLSON\\peter
   12  history
   13  getent passwd CARLSON\\peter
   14  vi /etc/nsswitch.conf
   15  getent passwd CARLSON\\peter
   16  mkdir -m 1777 /mnt/test
   17  kinit -V -k U2CLI$
   18  mount -t cifs //fs1.carlson.lab/test /mnt/test -o sec=krb5,username=U2CLI$,multiuser
   19  reboot
   20  mount -t cifs //fs1.carlson.lab/test /mnt/test -o sec=krb5,username=U2CLI$,multiuser
   21  mount | grep fs1
   22  history
--------------- Configs ---------------------------------
root at u2cli:~# cat /etc/samba/smb.conf
[global]
server string = %h server (Samba, Ubuntu)
   log file = /var/log/samba/log.%m
   max log size = 1000
   logging = file
   panic action = /usr/share/samba/panic-action %d
kerberos method = secrets and keytab
realm = CARLSON.LAB
workgroup = CARLSON
template homedir = /home/%U@%D
template shell = /bin/bash
security = ads
idmap config CARLSON : range = 2000000-2999999
idmap config CARLSON : backend = rid
idmap config * : range = 10000-999999
idmap config * : backend = tdb
vfs objects = acl_xattr
map acl inherit = yes
winbind use default domain = no
winbind refresh tickets = yes
winbind offline logon = yes
winbind enum groups = no
winbind enum users = no
apply group policies = yes
root at u2cli:~#
root at u2cli:~# cat /etc/krb5.conf
[libdefaults]
	default_realm = CARLSON.LAB
	dns_lookup_realm = false
	dns_lookup_kdc = true
root at u2cli:~#
root at u2cli:~# cat /etc/nsswitch.conf
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         files winbind systemd
group:          files winbind systemd
shadow:         files
gshadow:        files

hosts:          files dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis