samba - Jan 2024 - permission denied with windows acls

ok, I have gone back to my original recipe after working though this 
piece by piece and the only thing I had wrong was that the machine is 
not a member of Domain Users (or Domain Computers didn't have 
permissions on the root of the share).

Thanks for all the help!!!

Now for my next task, NFSV4 and AD permissions

Peter

On 1/28/24 13:57, Rowland Penny via samba wrote:
> On Sun, 28 Jan 2024 13:51:54 -0800
> Peter Carlson via samba<samba at lists.samba.org>  wrote:
>
>> On 1/28/24 13:27, Rowland Penny via samba wrote:
>>> On Sun, 28 Jan 2024 12:56:49 -0800
>>> Peter Carlson via samba<samba at lists.samba.org>   wrote:
>>>
>>>> On 1/28/24 12:39, Rowland Penny via samba wrote:
>>>>> On Sun, 28 Jan 2024 12:18:34 -0800
>>>>> Peter Carlson via samba<samba at lists.samba.org>   
wrote:
>>>>>
>>>>>> Ok, so I started with a clean slate.? Same thing, only
works if I
>>>>>> add the computer account to Domain users.? smbd Version
>>>>>> 4.15.13-Ubuntu
>>>>>>
>>>>>> root at u2cli:~# getent passwd CARLSON\\peter
>>>>>> CARLSON\peter:*:2001107:2000513::/home/peter at
CARLSON:/bin/bash
>>>>>>
>>>>>> root at u2cli:~# mkdir -m 1777 /mnt/test
>>>>>>
>>>>>> root at u2cli:~# kinit -V -k U2CLI$
>>>>>> Using default cache: /tmp/krb5cc_0
>>>>>> Usingprincipal:U2CLI$@CARLSON.LAB
>>>>>> Authenticated to Kerberos v5
>>>>> I think running kinit might be your problem, I don't do
that.
>>>>> I just started my VM, logged in as rowland, opened a
terminal and
>>>>> ran the mount command.
>>>>>     
>>>>> Rowland
>>>>>
>>>> ok, so I can do that too as a domain user, but this needs to be
>>>> mounted in fstab, so it seems that I either
>>> OK, so you now seem to be saying the mount is now working from the
>>> command line, so try unmounting the share. Then add this to fstab:
>>>
>>> //fs1.carlson.lab/test /mnt/test cifs
>>> sec=krb5,username=U2CLI$,multiuser
>>>
>>> Now reboot and then log in again, is there anything in /mnt/test ?
>>>
>>> Rowland
>>>
>> it is mounting through fstab....yay....but I'm confused, I thought
I
>> would have to retrieve a ticket using kinit -k prior to the mount
>> working.
> Well, yes you need a ticket, but winbind is obtaining it for you, the
> machine ticket.
>
> Rowland
>

On Sun, 28 Jan 2024 15:06:38 -0800
Peter Carlson via samba <samba at lists.samba.org> wrote:
> ok, I have gone back to my original recipe after working though this 
> piece by piece and the only thing I had wrong was that the machine is 
> not a member of Domain Users (or Domain Computers didn't have 
> permissions on the root of the share).
> 
The problem with that statement is, in my domain there is no connection
between computers and the Domain Users group and Domain Computers
doesn't have permissions on the share, but it works.

Rowland