[Samba] permission denied with windows acls
Peter Carlson
peter at howudodat.com
Fri Jan 26 20:27:52 UTC 2024
On 1/26/24 09:34, Peter Carlson via samba wrote:
>
> On 1/26/24 02:35, Rowland Penny via samba wrote:
>> On Thu, 25 Jan 2024 18:45:52 -0800 Peter Carlson via samba
>> <samba at lists.samba.org> wrote:
>>> The share mounts and I am a member of the correct groups
>>> CARLSON\peter at u2gui:~$ cat /etc/fstab
>>> //fs.carlson.lab/test /mnt/test cifs
>>> credentials=/root/smbcreds,multiuser,sec=ntlmssp,_netdev 0 0
>> I think that could be part of your problem, even though you are using
>> 'multiuser', you are mounting as root. Try reading 'man mount.cifs'
>> and pay particular attention to 'sec=krb5' and 'multiuser', that way
>> you will not require a password.
>>
>> Rowland
> ok I am a bit confused on mounting using service tickets and krb5. I
> created the ticket on the client linux machine:
>
> root at u2gui:~# kinit -k U2GUI$
> root at u2gui:~# klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: U2GUI$@CARLSON.LAB
>
> Valid starting Expires Service principal
> 01/26/2024 09:13:19 01/26/2024 19:13:19
> krbtgt/CARLSON.LAB at CARLSON.LAB
> renew until 01/27/2024 09:13:18
>
> and the fstab:
>
> //fs.carlson.lab/test /mnt/test cifs
> vers=3.0,multiuser,sec=krb5,_netdev 0 0
>
>
OK, I did figure out the required key not available, but now it's
permission denied:

root at u2gui:~# mount -a
mount error(13): Permission denied

The logs seem to indicate that it is trying to connect as user u2gui. I
thought it mounted with a service account?

[2024/01/26 20:19:59.402444, 3]
../../source3/auth/auth_generic.c:173(auth3_generate_session_info_pac)
Kerberos ticket principal name is [U2GUI$@CARLSON.LAB]
[2024/01/26 20:19:59.404439, 3]
../../source3/param/loadparm.c:3998(lp_load_ex)
lp_load_ex: refreshing parameters
[2024/01/26 20:19:59.404550, 3]
../../source3/param/loadparm.c:560(init_globals)
Initialising global parameters
[2024/01/26 20:19:59.404675, 3]
../../source3/param/loadparm.c:2900(lp_do_section)
Processing section "[global]"
[2024/01/26 20:19:59.404926, 2]
../../source3/param/loadparm.c:2917(lp_do_section)
Processing section "[Test]"
[2024/01/26 20:19:59.404992, 3]
../../source3/param/loadparm.c:1684(lp_add_ipc)
adding IPC service
[2024/01/26 20:19:59.405125, 3]
../../source3/smbd/password.c:84(register_homes_share)
Adding homes service for user 'CARLSON\u2gui$' using home directory:
'/home/u2gui_ at CARLSON'
[2024/01/26 20:19:59.405903, 3] ../../lib/util/access.c:372(allow_access)
Allowed connection from 192.168.1.54 (192.168.1.54)
[2024/01/26 20:19:59.405993, 3]
../../source3/smbd/smb2_service.c:584(make_connection_snum)
make_connection_snum: Connect path is '/tmp' for service [IPC$]
[2024/01/26 20:19:59.406045, 3]
../../source3/smbd/vfs.c:115(vfs_init_default)
Initialising default vfs hooks
[2024/01/26 20:19:59.406058, 3]
../../source3/smbd/vfs.c:141(vfs_init_custom)
Initialising custom vfs hooks from [/[Default VFS]/]
[2024/01/26 20:19:59.406066, 3]
../../source3/smbd/vfs.c:141(vfs_init_custom)
Initialising custom vfs hooks from [acl_xattr]
[2024/01/26 20:19:59.407376, 3]
../../lib/util/modules.c:167(load_module_absolute_path)
load_module_absolute_path: Module
'/usr/lib/x86_64-linux-gnu/samba/vfs/acl_xattr.so' loaded
[2024/01/26 20:19:59.407438, 2]
../../source3/modules/vfs_acl_xattr.c:206(connect_acl_xattr)
connect_acl_xattr: setting 'inherit acls = true' 'dos filemode =
true' and 'force unknown acl user = true' for service IPC$
[2024/01/26 20:19:59.407562, 3]
../../source3/smbd/smb2_service.c:814(make_connection_snum)
192.168.1.54 (ipv4:192.168.1.54:57442) signed connect to service IPC$
initially as user CARLSON\u2gui$ (uid=2001115, gid=2000515) (pid 42056)
[2024/01/26 20:19:59.408091, 3] ../../lib/util/access.c:372(allow_access)
Allowed connection from 192.168.1.54 (192.168.1.54)
[2024/01/26 20:19:59.408163, 3]
../../source3/smbd/smb2_service.c:584(make_connection_snum)
make_connection_snum: Connect path is '/data/test' for service [Test]
[2024/01/26 20:19:59.408185, 3]
../../source3/smbd/vfs.c:115(vfs_init_default)
Initialising default vfs hooks
[2024/01/26 20:19:59.408194, 3]
../../source3/smbd/vfs.c:141(vfs_init_custom)
Initialising custom vfs hooks from [/[Default VFS]/]
[2024/01/26 20:19:59.408201, 3]
../../source3/smbd/vfs.c:141(vfs_init_custom)
Initialising custom vfs hooks from [acl_xattr]
[2024/01/26 20:19:59.408212, 2]
../../source3/modules/vfs_acl_xattr.c:206(connect_acl_xattr)
connect_acl_xattr: setting 'inherit acls = true' 'dos filemode =
true' and 'force unknown acl user = true' for service Test
[2024/01/26 20:19:59.408321, 2]
../../source3/smbd/smb2_service.c:814(make_connection_snum)
192.168.1.54 (ipv4:192.168.1.54:57442) signed connect to service Test
initially as user CARLSON\u2gui$ (uid=2001115, gid=2000515) (pid 42056)
[2024/01/26 20:19:59.408773, 0]
../../source3/smbd/smb2_service.c:117(chdir_current_service)
chdir_current_service: vfs_ChDir(/data/test) failed: Permission
denied. Current token: uid=2001115, gid=2000515, 5 groups: 2001115
2000515 10003 10004 10006
[2024/01/26 20:19:59.408817, 3]
../../source3/smbd/smb2_server.c:4031(smbd_smb2_request_error_ex)
smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1]
status[NT_STATUS_ACCESS_DENIED] || at ../../source3/smbd/smb2_server.c:3322
[2024/01/26 20:19:59.409054, 3]
../../source3/smbd/msdfs.c:984(get_referred_path)
get_referred_path: |test| in dfs path \fs1.carlson.lab\test is not a
dfs root.
[2024/01/26 20:19:59.409083, 3]
../../source3/smbd/smb2_server.c:4031(smbd_smb2_request_error_ex)
smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1]
status[NT_STATUS_NOT_FOUND] || at ../../source3/smbd/smb2_ioctl.c:353
[2024/01/26 20:19:59.409380, 0]
../../source3/smbd/smb2_service.c:117(chdir_current_service)
chdir_current_service: vfs_ChDir(/data/test) failed: Permission
denied. Current token: uid=2001115, gid=2000515, 5 groups: 2001115
2000515 10003 10004 10006
[2024/01/26 20:19:59.409436, 3]
../../source3/smbd/smb2_server.c:4031(smbd_smb2_request_error_ex)
smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1]
status[NT_STATUS_ACCESS_DENIED] || at ../../source3/smbd/smb2_server.c:3322
[2024/01/26 20:19:59.409825, 0]
../../source3/smbd/smb2_service.c:117(chdir_current_service)
chdir_current_service: vfs_ChDir(/data/test) failed: Permission
denied. Current token: uid=2001115, gid=2000515, 5 groups: 2001115
2000515 10003 10004 10006
[2024/01/26 20:19:59.409882, 3]
../../source3/smbd/smb2_server.c:4031(smbd_smb2_request_error_ex)
smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1]
status[NT_STATUS_ACCESS_DENIED] || at ../../source3/smbd/smb2_server.c:3322
[2024/01/26 20:19:59.410197, 3]
../../source3/smbd/smb2_service.c:907(close_cnum)
192.168.1.54 (ipv4:192.168.1.54:57442) closed connection to service IPC$
[2024/01/26 20:19:59.410303, 2]
../../source3/smbd/smb2_service.c:907(close_cnum)
192.168.1.54 (ipv4:192.168.1.54:57442) closed connection to service Test
[2024/01/26 20:19:59.546220, 3]
../../source3/smbd/server_exit.c:229(exit_server_common)
Server exit (NT_STATUS_END_OF_FILE)
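
A triage sketch for the log above, added here as an example and not part of the original post: it re-joins the wrapped smbd records and extracts the Kerberos principal, the Unix identity each share connection was mapped to, and the token that chdir_current_service was denied with. The sample input is an excerpt of the log in the post; the function and variable names are assumptions of this example.

```python
import re

# Excerpt of the smbd log from the post above, wrapped as the mail archive left it.
SAMPLE_LOG = r"""[2024/01/26 20:19:59.402444, 3]
../../source3/auth/auth_generic.c:173(auth3_generate_session_info_pac)
Kerberos ticket principal name is [U2GUI$@CARLSON.LAB]
[2024/01/26 20:19:59.408321, 2]
../../source3/smbd/smb2_service.c:814(make_connection_snum)
192.168.1.54 (ipv4:192.168.1.54:57442) signed connect to service Test
initially as user CARLSON\u2gui$ (uid=2001115, gid=2000515) (pid 42056)
[2024/01/26 20:19:59.408773, 0]
../../source3/smbd/smb2_service.c:117(chdir_current_service)
chdir_current_service: vfs_ChDir(/data/test) failed: Permission
denied. Current token: uid=2001115, gid=2000515, 5 groups: 2001115
2000515 10003 10004 10006
"""

RECORD_START = re.compile(r"^\[\d{4}/\d{2}/\d{2} [\d:.]+,\s*\d+\]")
PRINCIPAL = re.compile(r"Kerberos ticket principal name is \[([^\]]+)\]")
CONNECT = re.compile(r"connect to service (\S+) initially as user (\S+) \(uid=(\d+), gid=(\d+)\)")
CHDIR_FAIL = re.compile(r"vfs_ChDir\(([^)]+)\) failed: (.+?)\. Current token: "
                        r"uid=(\d+), gid=(\d+), \d+ groups: ([\d ]+)")

def records(text):
    """Re-join log records that are split over several lines."""
    current = []
    for line in text.splitlines():
        if RECORD_START.match(line) and current:
            yield " ".join(current)
            current = []
        if line.strip():
            current.append(line.strip())
    if current:
        yield " ".join(current)

def triage(text):
    """Return the authenticated principal, mapped users and denied chdir tokens."""
    result = {"principal": None, "connects": [], "denied": []}
    for rec in records(text):
        if m := PRINCIPAL.search(rec):
            result["principal"] = m[1]
        if m := CONNECT.search(rec):
            result["connects"].append(
                {"service": m[1], "user": m[2], "uid": int(m[3]), "gid": int(m[4])})
        if m := CHDIR_FAIL.search(rec):
            result["denied"].append(
                {"path": m[1], "error": m[2], "uid": int(m[3]), "gid": int(m[4]),
                 "groups": [int(g) for g in m[5].split()]})
    return result
```

The numeric uid, gid and group list it returns for a denied path can be compared directly with the output of `ls -ldn` on that path on the server.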