[Samba] permission denied with windows acls
Rowland Penny
rpenny at samba.org
Fri Jan 26 10:35:53 UTC 2024
On Thu, 25 Jan 2024 18:45:52 -0800
Peter Carlson via samba <samba at lists.samba.org> wrote:
> I am getting a permission denied when trying to ls as a domain user a
> samba mount with windows ACLs (sigh I thought I had this figured
> out). I tried to include self descriptive server names and include
> them in the info below (fs1: file server, nc: addc, u2gui: ubuntu
> desktop)
>
> CARLSON\peter at u2gui:~$ ls -l /mnt
> ls: cannot access '/mnt/test': Permission denied
> total 0
> d????????? ? ? ? ? ? test
>
> I followed the wiki
> here: https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
> ... well at least I think I did.
>
>
> CARLSON\peter at fs1:/data$ getfacl test
>
> # file: test
> # owner: root
> # group: CARLSON\\videousers

Where on the wiki page does it say to use 'videousers' as the group?

> root at fs1:/data# samba-tool ntacl get /data/test --as-sddl
>
> O:S-1-22-1-0G:S-1-5-21-33300784-995546578-3414580312-1121D:AI(A;OICI;FA;;;S-1-22-1-0)(A;;FA;;;S-1-5-21-33300784-995546578-3414580312-1121)(A;;FA;;;DA)(A;;FA;;;S-1-5-21-33300784-995546578-3414580312-1121)(A;;FA;;;S-1-5-21-33300784-995546578-3414580312-1121)(A;;FA;;;S-1-22-1-0)(A;;FA;;;WD)(A;OICIIO;FA;;;CO)(A;OICIIO;0x1200a9;;;DA)(A;OICIIO;0x1200a9;;;CG)(A;OICIIO;0x1200a9;;;WD)
>
I take it that 'S-1-5-21-33300784-995546578-3414580312-1121' is the SID
for 'videousers'.

> The share mounts and I am a member of the correct groups
>
> CARLSON\peter at u2gui:~$ cat /etc/fstab
> //fs.carlson.lab/test /mnt/test cifs
> credentials=/root/smbcreds,multiuser,sec=ntlmssp,_netdev 0 0

I think that could be part of your problem, even though you are using
'multiuser', you are mounting as root. Try reading 'man mount.cifs' and
pay particular attention to 'sec=krb5' and 'multiuser', that way you
will not require a password.

Rowland
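
Added example, not part of the original thread or of Samba's own tooling: a small Python decoder for the SDDL string posted above, showing who each ACE grants what to, which ACEs apply to the folder itself, and which are repeated. The function names are hypothetical, and only the trustee aliases and access masks that occur in this string are mapped.

```python
import re
from collections import Counter

# SDDL exactly as posted in the thread, split up only to keep lines short.
GROUP_SID = "S-1-5-21-33300784-995546578-3414580312-1121"
SDDL = (f"O:S-1-22-1-0G:{GROUP_SID}D:AI(A;OICI;FA;;;S-1-22-1-0)"
        f"(A;;FA;;;{GROUP_SID})(A;;FA;;;DA)(A;;FA;;;{GROUP_SID})"
        f"(A;;FA;;;{GROUP_SID})(A;;FA;;;S-1-22-1-0)(A;;FA;;;WD)"
        "(A;OICIIO;FA;;;CO)(A;OICIIO;0x1200a9;;;DA)"
        "(A;OICIIO;0x1200a9;;;CG)(A;OICIIO;0x1200a9;;;WD)")
TRUSTEES = {"DA": "Domain Admins", "WD": "Everyone", "CO": "Creator Owner",
            "CG": "Creator Group", "S-1-22-1-0": "Unix uid 0 (root)"}
RIGHTS = {"FA": "full access", "0x1200a9": "read and execute"}

def parse_sddl(sddl):
    # Handles O:, G: and D: only; SACLs and conditional ACEs are not supported.
    m = re.fullmatch(r"O:(.+?)G:(.+?)D:([A-Z]*)((?:\([^)]*\))*)", sddl)
    if not m:
        raise ValueError("unsupported SDDL layout")
    aces = []
    for body in re.findall(r"\(([^)]*)\)", m.group(4)):
        fields = body.split(";")  # type;flags;rights;object;inherit_object;trustee
        if len(fields) != 6:
            raise ValueError(f"malformed ACE: {body}")
        aces.append({"type": fields[0], "flags": re.findall("..", fields[1]),
                     "rights": fields[2], "trustee": fields[5]})
    return {"owner": m.group(1), "group": m.group(2),
            "dacl_flags": m.group(3), "aces": aces}

def applies_to_object(ace):
    return "IO" not in ace["flags"]  # IO = inherit-only: a template for children

def duplicates(aces):
    seen = Counter((a["type"], "".join(a["flags"]), a["rights"], a["trustee"])
                   for a in aces)
    return {ace: n for ace, n in seen.items() if n > 1}

def describe(ace):
    who = TRUSTEES.get(ace["trustee"], ace["trustee"])
    what = RIGHTS.get(ace["rights"], ace["rights"])
    inherit = {"OI", "CI"} & set(ace["flags"])
    scope = ("inherited by children only" if not applies_to_object(ace)
             else "this folder and children" if inherit else "this folder only")
    kind = "allow" if ace["type"] == "A" else ace["type"]
    return f"{kind} {who}: {what} ({scope})"

if __name__ == "__main__":
    for ace in parse_sddl(SDDL)["aces"]:
        print(describe(ace))
```
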