[Samba] permission denied with windows acls

Peter Carlson peter at howudodat.com
Fri Jan 26 17:34:38 UTC 2024


On 1/26/24 02:35, Rowland Penny via samba wrote:
> On Thu, 25 Jan 2024 18:45:52 -0800 Peter Carlson via samba 
> <samba at lists.samba.org> wrote:
>> The share mounts and I am a member of the correct groups
>>
>>     CARLSON\peter at u2gui:~$ cat /etc/fstab
>>     //fs.carlson.lab/test /mnt/test cifs credentials=/root/smbcreds,multiuser,sec=ntlmssp,_netdev 0 0
>
> I think that could be part of your problem, even though you are using
> 'multiuser', you are mounting as root. Try reading 'man mount.cifs'
> and pay particular attention to 'sec=krb5' and 'multiuser', that way
> you will not require a password.
>
> Rowland

OK, I am a bit confused on mounting using service tickets and krb5. I 
created the ticket on the client linux machine:

    root at u2gui:~# kinit -k U2GUI$
    root at u2gui:~# klist
    Ticket cache: FILE:/tmp/krb5cc_0
    Default principal: U2GUI$@CARLSON.LAB

    Valid starting       Expires              Service principal
    01/26/2024 09:13:19  01/26/2024 19:13:19 krbtgt/CARLSON.LAB at CARLSON.LAB
         renew until 01/27/2024 09:13:18

and the fstab:

    //fs.carlson.lab/test /mnt/test cifs vers=3.0,multiuser,sec=krb5,_netdev 0 0


then when I mount:

    root at u2gui:~# mount -a
    mount error(126): Required key not available
    Refer to the mount.cifs(8) manual page (e.g. man mount.cifs) and
    kernel log messages (dmesg)

    root at u2gui:~# mount -t cifs -o multiuser,sec=krb5 //192.168.1.52/Test /mnt/test
    mount error(126): Required key not available
    Refer to the mount.cifs(8) manual page (e.g. man mount.cifs) and
    kernel log messages (dmesg)

The log seems to indicate it is getting a service ticket for the file 
server.  I think I am missing an important step somewhere, but I feel a 
bit like I'm stabbing.  Information on the highly reliable web 
</sarcasm> conflicts: some say it works with a computer service account, 
others say you need a user account added to the keytab.  Is there a 
reliable guide that helps a starter like me?


LOG:

    Jan 26 09:24:56 u2gui kernel: [1214460.606344] CIFS: Attempting to mount \\fs.carlson.lab\test
    Jan 26 09:24:56 u2gui cifs.upcall: key description: cifs.spnego;0;0;39010000;ver=0x2;host=fs.carlson.lab;ip4=192.168.1.52;sec=krb5;uid=0x0;creduid=0x0;user=root;pid=0x24e63
    Jan 26 09:24:56 u2gui cifs.upcall: ver=2
    Jan 26 09:24:56 u2gui cifs.upcall: host=fs.carlson.lab
    Jan 26 09:24:56 u2gui cifs.upcall: ip=192.168.1.52
    Jan 26 09:24:56 u2gui cifs.upcall: sec=1
    Jan 26 09:24:56 u2gui cifs.upcall: uid=0
    Jan 26 09:24:56 u2gui cifs.upcall: creduid=0
    Jan 26 09:24:56 u2gui cifs.upcall: user=root
    Jan 26 09:24:56 u2gui cifs.upcall: pid=151139
    Jan 26 09:24:56 u2gui cifs.upcall: get_cachename_from_process_env: pid == 0
    Jan 26 09:24:56 u2gui cifs.upcall: get_existing_cc: default ccache is FILE:/tmp/krb5cc_0
    Jan 26 09:24:56 u2gui cifs.upcall: handle_krb5_mech: getting service ticket for fs.carlson.lab
    Jan 26 09:24:56 u2gui cifs.upcall: cifs_krb5_get_req: unable to get credentials for fs.carlson.lab
    Jan 26 09:24:56 u2gui cifs.upcall: handle_krb5_mech: failed to obtain service ticket (-1765328377)
    Jan 26 09:24:56 u2gui cifs.upcall: Unable to obtain service ticket
    Jan 26 09:24:56 u2gui cifs.upcall: Exit status -1765328377
    Jan 26 09:24:56 u2gui kernel: [1214460.675126] CIFS: VFS: Verify user has a krb5 ticket and keyutils is installed
    Jan 26 09:24:56 u2gui kernel: [1214460.675136] CIFS: VFS: \\fs.carlson.lab Send error in SessSetup = -126
    Jan 26 09:24:56 u2gui kernel: [1214460.675166] CIFS: VFS: cifs_mount failed w/return code = -126
    Jan 26 09:24:56 u2gui kernel: [1214460.677668] CIFS: Attempting to mount \\fs.carlson.lab\test
    Jan 26 09:24:56 u2gui cifs.upcall: key description: cifs.spnego;0;0;39010000;ver=0x2;host=fs.carlson.lab;ip4=192.168.1.52;sec=krb5;uid=0x0;creduid=0x1e88d3;user=root;pid=0x24e63
    Jan 26 09:24:56 u2gui cifs.upcall: ver=2
    Jan 26 09:24:56 u2gui cifs.upcall: host=fs.carlson.lab
    Jan 26 09:24:56 u2gui cifs.upcall: ip=192.168.1.52
    Jan 26 09:24:56 u2gui cifs.upcall: sec=1
    Jan 26 09:24:56 u2gui cifs.upcall: uid=0
    Jan 26 09:24:56 u2gui cifs.upcall: creduid=2001107
    Jan 26 09:24:56 u2gui cifs.upcall: user=root
    Jan 26 09:24:56 u2gui cifs.upcall: pid=151139
    Jan 26 09:24:56 u2gui cifs.upcall: get_cachename_from_process_env: pathname=/proc/151139/environ
    Jan 26 09:24:56 u2gui cifs.upcall: get_existing_cc: default ccache is FILE:/tmp/krb5cc_2001107
    Jan 26 09:24:56 u2gui cifs.upcall: get_tgt_time: unable to get principal
    Jan 26 09:24:56 u2gui cifs.upcall: krb5_get_init_creds_keytab: -1765328378
    Jan 26 09:24:56 u2gui cifs.upcall: Exit status 1
    Jan 26 09:24:56 u2gui kernel: [1214461.218431] CIFS: VFS: Verify user has a krb5 ticket and keyutils is installed
    Jan 26 09:24:56 u2gui kernel: [1214461.218443] CIFS: VFS: \\fs.carlson.lab Send error in SessSetup = -126
    Jan 26 09:24:56 u2gui kernel: [1214461.218466] CIFS: VFS: cifs_mount failed w/return code = -126
    Jan 26 09:30:01 u2gui CRON[151161]: (root) CMD ([ -x /etc/init.d/anacron ] && if [ ! -d /run/systemd/system ]; then /usr/sbin/invoke-rc.d anacron start >/dev/null; fi)
    Jan 26 09:31:28 u2gui systemd[1]: Started Run anacron jobs.
    Jan 26 09:31:28 u2gui anacron[151162]: Anacron 2.3 started on 2024-01-26
    Jan 26 09:31:28 u2gui anacron[151162]: Normal exit (0 jobs run)
    Jan 26 09:31:28 u2gui systemd[1]: anacron.service: Deactivated successfully.
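
Added example, not part of the original post: the large negative numbers in the cifs.upcall log are libkrb5 return values (error-table base plus an RFC 4120 error code), and the key description carries uid, creduid and pid in hex. This Python sketch decodes both from four lines of the log above; the function names are hypothetical and the error table is a subset of RFC 4120.

```python
import re

KRB5_BASE = -1765328384  # ERROR_TABLE_BASE_krb5 (MIT krb5): value = base + RFC 4120 code
RFC4120 = {  # subset of RFC 4120 section 7.5.9
    6: "KDC_ERR_C_PRINCIPAL_UNKNOWN",  # client principal not in the KDC database
    7: "KDC_ERR_S_PRINCIPAL_UNKNOWN",  # service principal not in the KDC database
    24: "KDC_ERR_PREAUTH_FAILED",
    37: "KRB_AP_ERR_SKEW",
}
PREFIX = "key description: "

def decode_krb5(code):
    """Map a libkrb5 return value such as -1765328377 to its RFC 4120 name."""
    return RFC4120.get(code - KRB5_BASE, f"krb5 table offset {code - KRB5_BASE}")

def parse_key_description(desc):
    """Split a cifs.spnego key description into a dict, decoding 0x fields."""
    pairs = (item.split("=", 1) for item in desc.split(";") if "=" in item)
    return {k: int(v, 16) if v.startswith("0x") else v for k, v in pairs}

def analyze(log_text):
    """One record per cifs.upcall run: requester, target host, first krb5 error."""
    attempts = []
    for line in log_text.splitlines():
        m = re.search(r"cifs\.upcall: (.*)", line)
        if not m:
            continue
        msg = m.group(1)
        if msg.startswith(PREFIX):
            attempts.append({**parse_key_description(msg[len(PREFIX):]), "error": None})
        elif attempts and attempts[-1]["error"] is None:
            code = re.search(r"-17653\d{5}", msg)  # values in the krb5 error table range
            if code:
                attempts[-1]["error"] = decode_krb5(int(code.group()))
    return attempts

# Four lines copied from the log in the post (unwrapped).
SAMPLE = """\
Jan 26 09:24:56 u2gui cifs.upcall: key description: cifs.spnego;0;0;39010000;ver=0x2;host=fs.carlson.lab;ip4=192.168.1.52;sec=krb5;uid=0x0;creduid=0x0;user=root;pid=0x24e63
Jan 26 09:24:56 u2gui cifs.upcall: handle_krb5_mech: failed to obtain service ticket (-1765328377)
Jan 26 09:24:56 u2gui cifs.upcall: key description: cifs.spnego;0;0;39010000;ver=0x2;host=fs.carlson.lab;ip4=192.168.1.52;sec=krb5;uid=0x0;creduid=0x1e88d3;user=root;pid=0x24e63
Jan 26 09:24:56 u2gui cifs.upcall: krb5_get_init_creds_keytab: -1765328378
"""

if __name__ == "__main__":
    for a in analyze(SAMPLE):
        print(a["host"], "creduid", a["creduid"], "->", a["error"])
```

For this log it reports KDC_ERR_S_PRINCIPAL_UNKNOWN for the creduid=0 attempt and KDC_ERR_C_PRINCIPAL_UNKNOWN for the creduid=2001107 attempt.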