[Samba] permission denied with windows acls

Peter Carlson peter at howudodat.com
Fri Jan 26 16:48:32 UTC 2024 

On 1/26/24 02:35, Rowland Penny via samba wrote:
> On Thu, 25 Jan 2024 18:45:52 -0800
> Peter Carlson via samba<samba at lists.samba.org>  wrote:
>
>> I am getting a permission denied when trying to ls as a domain user a
>> samba mount with windows ACLs (sigh I thought I had this figured
>> out). I tried to include self descriptive server names and include
>> them in the info below (fs1: file server, nc: addc, u2gui: ubuntu
>> desktop)
>>
>>      CARLSON\peter at u2gui:~$ ls -l /mnt
>>      ls: cannot access '/mnt/test': Permission denied
>>      total 0
>>      d????????? ? ? ? ?            ? test
>>
>> I followed the wiki
>> here:https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs  
>> ... well at least I think I did.
>>
>>
>> CARLSON\peter at fs1:/data$ getfacl test
>>
>>      # file: test
>>      # owner: root
>>      # group: CARLSON\\videousers
> Where on the wiki page does it say to use 'videousers' as the group ?

So the wiki is not clear.  It uses the terms: "for instance"

Select a user or group from the list, Domain Users **for instance**.
Select permissions to grant, Full control **for instance**.

This leaves the impression that it can be something else.  If it needs 
to be Domain Users / Admins that should be stated as such. It would also 
be helpful in the wiki to show the full permissions that are suggested 
for the share, perhaps using the advanced view: 
https://pasteboard.co/m6j9vYkRkt3q.png

In any case I redid the share and set it as shown in the paste. I tested 
access both through windows and gio mount.

>> The share mounts and I am a member of the correct groups
>>
>>      CARLSON\peter at u2gui:~$ cat /etc/fstab
>>      //fs.carlson.lab/test /mnt/test cifs
>>      credentials=/root/smbcreds,multiuser,sec=ntlmssp,_netdev 0 0
> I think that could be part of your problem, even though you are using
> 'multiuser', you are mounting as root. try reading 'man mount.cifs' and
> pay particular attention to 'sec=krb5' and 'multiuser', that way you
> will not require a password.
>
> Rowland
>
I thought that the multiuser mount could be made with ntlmssp as well 
using a creds file, however I will go and set it up using krb and then 
report back

More information about the samba mailing list