[Samba] permission denied with windows acls

Peter Carlson peter at howudodat.com
Sun Jan 28 18:23:35 UTC 2024


On 1/28/24 10:06, Rowland Penny via samba wrote:
> On Sun, 28 Jan 2024 09:40:22 -0800
> Peter Carlson via samba<samba at lists.samba.org>  wrote:
>
>> On 1/28/24 09:27, Rowland Penny via samba wrote:
>>> On Sun, 28 Jan 2024 08:47:28 -0800
>>> Peter Carlson via samba<samba at lists.samba.org>   wrote:
>>>
>>>> On 1/27/24 03:19, Rowland Penny via samba wrote:
>>>>> You are close, but are missing a parameter, try opening a terminal
>>>>> on u2gui (which I take it is the hostname for the domain joined
>>>>> client you are trying to mount the share to). Then type this:
>>>>>
>>>>> sudo mount -t cifs //fs.carlson.lab/test /mnt/test -o
>>>>> sec=krb5,username=U2GUI$,multiuser
>>>>>
>>>>> Now go and look at /mnt/test
>>>>>
>>>>> Rowland
>>>>>
>>>> I am still getting permission denied.  Does the machine need a user
>>>> account? I thought that with multiuser it just needed a computer
>>>> account
>>> It does just need a computer account and a computer account is just
>>> a user account with an extra objectclass.
>> except that a computer account isn't normally a member of Domain Users
>> but of Domain Computers... so that got me thinking, and I added the
>> computer to Domain Users and now it can mount.  But is that the right
>> thing to do?
> I come back to the fact that it works for myself without doing anything
> like that:
> sudo ldbsearch -H /var/lib/samba/private/sam.ldb -P -b
> dc=samdom,dc=example,dc=com
> '(&(objectCategory=computer)(primaryGroupID=515))' dn | grep TESTDM12
> dn: CN=TESTDM12,CN=Computers,DC=samdom,DC=example,DC=com
>
> Rowland
>
By any chance, do the permissions on your share allow Domain Computers? 
Mine are only set up for Domain Admins and Domain Users, and with a 
multiuser mount the initial connection is made with the machine account 
(U2GUI$), so that account needs at least read/traverse access to the 
share root before any user session is established.

So here goes with a huge dump of data.  Let's see if there is something 
bizarre in all of this (BTW, I have a second VM that is CLI-only, and it 
behaves the same way.  Its config is similar, except that it finds the KDC 
via DNS lookup).

root at nc1:/var/log/samba# ldbsearch -H /var/lib/samba/private/sam.ldb -P 
-b dc=carlson,dc=lab '(&(objectCategory=computer)(primaryGroupID=515))' 
dn memberOf
...

# record 2
dn: CN=U2GUI,CN=Computers,DC=carlson,DC=lab
memberOf: CN=Domain Users,CN=Users,DC=carlson,DC=lab


root at u2gui:~# klist
Ticket cache: FILE:/tmp/krb5cc_2001107
Default principal: U2GUI$@CARLSON.LAB

Valid starting       Expires              Service principal
01/28/2024 08:37:39  01/28/2024 18:37:39 krbtgt/CARLSON.LAB at CARLSON.LAB
     renew until 01/29/2024 08:37:38

----------------------------------------------------------------------------

root at u2gui:~# cat /etc/samba/smb.conf
[global]
server string = %h server (Samba, Ubuntu)
    log file = /var/log/samba/log.%m
    max log size = 1000
    logging = file
    panic action = /usr/share/samba/panic-action %d

kerberos method = secrets and keytab
realm = CARLSON.LAB
workgroup = CARLSON
template homedir = /home/%U@%D
template shell = /bin/bash
security = ads
idmap config CARLSON : range = 2000000-2999999
idmap config CARLSON : backend = rid
idmap config * : range = 10000-999999
idmap config * : backend = tdb

vfs objects = acl_xattr
map acl inherit = yes

winbind use default domain = no
winbind refresh tickets = yes
winbind offline logon = yes
winbind enum groups = no
winbind enum users = no

apply group policies = yes

--------------------------------------------------------------------------

root at u2gui:~# cat /etc/krb5.conf
[libdefaults]
     default_realm = CARLSON.LAB
     dns_lookup_realm = false
     dns_lookup_kdc = true

# The following krb5.conf variables are only for MIT Kerberos.
     kdc_timesync = 1
     ccache_type = 4
     forwardable = true
     proxiable = true

     default_ccache_name = FILE:/tmp/krb5cc_%{euid}
# The following libdefaults parameters are only for Heimdal Kerberos.
     fcc-mit-ticketflags = true

[realms]
     CARLSON.LAB = {
         kdc = nc1.carlson.lab
     }


[domain_realm]


--------------------------------------- File Server Config 
------------------------------------------------

root at fs1:/var/log/samba# cat /etc/samba/smb.conf
[global]
server string = %h server (Samba, Ubuntu)
    log file = /var/log/samba/log.%m
    max log size = 1000
    logging = file
    panic action = /usr/share/samba/panic-action %d
log level = 3

kerberos method = secrets and keytab
realm = CARLSON.LAB
workgroup = CARLSON
template homedir = /home/%U@%D
template shell = /bin/bash
security = ads
idmap config CARLSON : range = 2000000-2999999
idmap config CARLSON : backend = rid
idmap config * : range = 10000-999999
idmap config * : backend = tdb

vfs objects = acl_xattr
map acl inherit = yes

winbind use default domain = no
winbind refresh tickets = yes
winbind offline logon = yes
winbind enum groups = no
winbind enum users = no

apply group policies = yes

#======================= Share Definitions =======================
[Test]
     path = /data/test
     comment = test
     writable = yes

getfacl: Removing leading '/' from absolute path names
# file: data/test
# owner: root
# group: CARLSON\\domain\040admins
# flags: --t
user::rwx
user:root:rwx
user:CARLSON\\domain\040admins:rwx
user:CARLSON\\domain\040users:r-x
group::rwx
group:CARLSON\\domain\040admins:rwx
group:CARLSON\\domain\040users:r-x
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:CARLSON\\domain\040admins:rwx
default:user:CARLSON\\domain\040users:r-x
default:group::---
default:group:CARLSON\\domain\040admins:rwx
default:group:CARLSON\\domain\040users:r-x
default:mask::rwx
default:other::---

