[Samba] Cannot access shared home directories from linux machine

isofx ea4ml3f at gmx.at
Thu Jul 10 09:17:01 MDT 2014


On 05.07.2014 15:33, steve wrote:
> On Thu, 2014-07-03 at 14:46 +0200, L.P.H. van Belle wrote:
>> i see :
>>
>>> other::---
>>
>> what are the rights on
>> /home	
>> and
>> /home/DOMAIN
>>
>> try set it in linux on 755 ( both )
>> and try again.

root at dc01:/media/data01# ls -lha
drwxr-xr-x 4 root root 4,0K Jul 3 11:05 .
drwxr-xr-x 4 root root 4,0K Jun 28 16:15 ..
drwxrwxr-x+ 3 root root 4,0K Jul 3 13:53 home

root at dc01:/media/data01/home# ls -lha
total 20K
drwxrwxr-x+ 3 root root 4,0K Jul 3 13:53 .
drwxr-xr-x 4 root root 4,0K Jul 3 11:05 ..
drwxrwxr-x+ 2 3000000 users 4,0K Jul 10 15:53 demo

I set the permissions to 755 and SSH with domain accounts is now 
possible. However, there's still a problem with the permissions, as the 
users can't write to their own home directory:

login as: demo
demo at 192.168.10.53's password:
Linux ts01 3.2.0-4-amd64 #1 SMP Debian 3.2.57-3 x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Thu Jul 10 15:33:37 2014 from 192.168.49.112
demo at ts01:~$
demo at ts01:~$ pwd
/home/DOMAIN/demo
demo at ts01:~$ mkdir test
mkdir: cannot create directory 'test': Permission denied
> -----Original message-----
> From: ea4ml3f at gmx.at [mailto:samba-bounces at lists.samba.org] On behalf of isofx
> Sent: Thursday, 3 July 2014 14:35
> To: samba at lists.samba.org
> Subject: [Samba] Cannot access shared home directories from
> linux machine
>
> Hi,
>
> I configured a share for home-directories on my Debian Samba
> PDC (4.1.9)
> and connected the share on another linux machine (terminal server) via
> /etc/fstab:
>
> //192.168.10.51/home    /home/DOMAIN/       cifs    credentials=/root/.smbcredentials,iocharset=utf8        0       0
>
> The .smbcredentials file contains the Domain Administrators
> username/password. The share is mounted successfully, however
> users can
> not log into their home directories.
>
> Nope, I don't think you can. Before commiting to /etc/fstab, make sure
> you can mount it manually on the DC:
> (lose the ts for a while and work on the DC. Assuming you are on the DC
> called ts01.domain.intern)

I'm a little confused. I've got these two machines:

dc01.domain.intern ... the domain controller running samba 4
ts01.domain.intern ... the terminal server mounting the share via /etc/fstab

On which machine do you want me to execute the commands?

> 1. make sure you have a recent cifs-utils installed

root at dc01:/media/data01/home# apt-cache policy cifs-utils
cifs-utils:
Installed: 2:5.5-1
Candidate: 2:5.5-1
Version table:
*** 2:5.5-1 0
500 http://ftp.at.debian.org/debian/ wheezy/main amd64 Packages
100 /var/lib/dpkg/status

> 2. samba-tool domain exportkeytab /etc/krb5.keytab --principal=TS01$

I did this on dc01.domain.intern

> 3. mount -t cifs //ts01.domain.intern/home /mnt -osec=krb5,username=TS01$

root at dc01:/media/data01/home# mount -t cifs //dc01.domain.intern/home /mnt -osec=krb5,username=TS01$

This worked fine:

root at dc01:/media/data01/home# cd /mnt/
root at dc01:/mnt# ls
demo

> what do you have in /etc/request-key.conf
> We can get it working as you wish when we know the dns and krb5 stuff is
> OK.
> HTH
> Steve
>

There's no /etc/request-key.conf on the dc01, here's the output for ts01:

#OP     TYPE    DESCRIPTION     CALLOUT INFO    PROGRAM ARG1 ARG2 ARG3 ...
#====== ======= =============== =============== ===============================
create dns_resolver * * /sbin/key.dns_resolver %k
create user debug:* negate /bin/keyctl negate %k 30 %S
create user debug:* rejected /bin/keyctl reject %k 30 %c %S
create user debug:* expired /bin/keyctl reject %k 30 %c %S
create user debug:* revoked /bin/keyctl reject %k 30 %c %S
create user debug:loop:* * |/bin/cat
create user debug:* * /usr/share/keyutils/request-key-debug.sh %k %d %c %S
create cifs.spnego * * /usr/sbin/cifs.upcall -c %k
create dns_resolver * * /usr/sbin/cifs.upcall %k
negate * * * /bin/keyctl negate %k 30 %S

Here's the output in /var/log/auth.log when logging in via ssh as demo 
(domain user):

Jul 10 16:43:04 ts01 sshd[12571]: pam_winbind(sshd:auth): getting password (0x00000000)
Jul 10 16:43:04 ts01 sshd[12571]: pam_winbind(sshd:auth): user 'demo' granted access
Jul 10 16:43:04 ts01 sshd[12571]: Accepted password for demo from 192.168.49.112 port 28015 ssh2
Jul 10 16:43:04 ts01 sshd[12571]: pam_unix(sshd:session): session opened for user demo by (uid=0)

I'm beginning to think there's a problem with either PAM or Kerberos. Here's 
the /etc/pam.d/common-auth for ts01:

auth sufficient pam_winbind.so

auth [success=2 default=ignore] pam_unix.so nullok_secure
auth [success=1 default=ignore] pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass

auth requisite pam_deny.so
auth required pam_permit.so
auth optional pam_cap.so

The configuration was mostly created by pam-auth-update after installing 
winbind. However, I needed to add the first line; otherwise domain 
users are not able to log in (not even via SSH).

Here's the /var/log/auth.log output for a failed login without the 
"auth sufficient pam_winbind.so" line:

Jul 10 17:10:08 ts01 sshd[20427]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.49.112 user=demo
Jul 10 17:10:08 ts01 sshd[20427]: pam_winbind(sshd:auth): getting password (0x00000388)
Jul 10 17:10:08 ts01 sshd[20427]: pam_winbind(sshd:auth): pam_get_item returned a password
Jul 10 17:10:08 ts01 sshd[20427]: pam_winbind(sshd:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_SYSTEM_ERR (4), NTSTATUS: NT_STATUS_CONNECTION_DISCONNECTED, Error message was: NT_STATUS_CONNECTION_DISCONNECTED
Jul 10 17:10:08 ts01 sshd[20427]: pam_winbind(sshd:auth): internal module error (retval = PAM_SYSTEM_ERR(4), user = 'demo')
Jul 10 17:10:11 ts01 sshd[20427]: Failed password for demo from 192.168.49.112 port 28118 ssh2
Jul 10 17:10:12 ts01 sshd[20427]: Received disconnect from 192.168.49.112: 13: Unable to authenticate [preauth]

Best regards,
Rainhard
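The common-auth stack quoted in the message decides whether a domain user gets in and whether PAM obtains a Kerberos ticket for them, so here is an added example (not from the post, the list reply or the Samba project) that walks Linux-PAM's control flow over a constructed copy of that file. It models only the control words the file uses (required, requisite, sufficient, optional and the `[success=N default=ignore]` jump form); the module behaviours, namely which users pam_unix can verify and whether the `krb5_auth` path succeeds, are assumptions standing in for the real modules, and the user set (`root`, `demo`) is constructed. The point it shows: once the hand-added `auth sufficient pam_winbind.so` rule succeeds, the later `krb5_auth krb5_ccache_type=FILE` rule never runs, so no credential cache is written for the user. A per-user `sec=krb5` CIFS mount (the `multiuser` mount option, which the fstab line quoted above does not use) would look that cache up through cifs.upcall, the `cifs.spnego` line in request-key.conf.

```python
"""Added example: simulate how Linux-PAM walks the auth stack quoted above.

Only the control semantics that file needs are modelled. The module
behaviours are assumptions standing in for pam_unix/pam_winbind.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

SUCCESS, FAIL = "success", "fail"

# Constructed copy of the poster's common-auth; the first rule is the one
# added by hand, the rest is the pam-auth-update layout.
COMMON_AUTH = """\
auth sufficient pam_winbind.so
auth [success=2 default=ignore] pam_unix.so nullok_secure
auth [success=1 default=ignore] pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass
auth requisite pam_deny.so
auth required pam_permit.so
auth optional pam_cap.so
"""
# The same stack without the hand-added line.
WITHOUT_SUFFICIENT_LINE = "\n".join(
    l for l in COMMON_AUTH.splitlines() if not l.startswith("auth sufficient"))


@dataclass(frozen=True)
class Rule:
    control: str           # "sufficient", "requisite", ... or "[success=2 default=ignore]"
    module: str            # e.g. "pam_winbind.so"
    args: Tuple[str, ...]  # module arguments such as "krb5_auth"


def parse_auth_stack(text: str) -> List[Rule]:
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        facility, rest = line.split(None, 1)
        if facility != "auth":
            continue
        if rest.startswith("["):                  # bracketed control field
            close = rest.index("]")
            control, rest = rest[:close + 1], rest[close + 1:]
        else:
            control, rest = rest.split(None, 1)
        module, *args = rest.split()
        rules.append(Rule(control, module, tuple(args)))
    return rules


@dataclass
class Env:
    """Constructed stand-in for ts01: who pam_unix and winbind can verify."""
    local_passwords: frozenset   # users with a usable hash in /etc/shadow
    domain_users: frozenset      # users winbind resolves
    krb5_path_works: bool        # assumption: does the krb5_auth variant succeed?
    krb5_ccache_created: bool = False


def pam_unix(env: Env, user: str, args: Tuple[str, ...]) -> str:
    return SUCCESS if user in env.local_passwords else FAIL


def pam_winbind(env: Env, user: str, args: Tuple[str, ...]) -> str:
    if user not in env.domain_users:
        return FAIL
    if "krb5_auth" in args:
        if not env.krb5_path_works:
            return FAIL                  # the wbcLogonUser failure seen in the log
        env.krb5_ccache_created = True   # a TGT would be written to a FILE ccache
    return SUCCESS


MODULES: Dict[str, Callable[[Env, str, Tuple[str, ...]], str]] = {
    "pam_unix.so": pam_unix,
    "pam_winbind.so": pam_winbind,
    "pam_deny.so": lambda env, user, args: FAIL,
    "pam_permit.so": lambda env, user, args: SUCCESS,
    "pam_cap.so": lambda env, user, args: SUCCESS,
}


def run_stack(rules: List[Rule], env: Env, user: str) -> Tuple[str, List[str]]:
    """Walk the stack; return the decision and the modules that actually ran."""
    ran: List[str] = []
    required_failed = False
    i = 0
    while i < len(rules):
        rule = rules[i]
        result = MODULES[rule.module](env, user, rule.args)
        ran.append(rule.module)
        i += 1
        if rule.control.startswith("["):
            actions = dict(tok.split("=") for tok in rule.control[1:-1].split())
            action = actions.get(result, actions.get("default", "ignore"))
            if action.isdigit():
                i += int(action)         # jump over the next N rules
            elif action == "die":
                return FAIL, ran
        elif rule.control == "sufficient" and result == SUCCESS and not required_failed:
            return SUCCESS, ran          # short-circuit: later rules never run
        elif rule.control == "requisite" and result == FAIL:
            return FAIL, ran
        elif rule.control == "required" and result == FAIL:
            required_failed = True
        # "optional" rules and "ignore" actions just fall through
    return (FAIL if required_failed else SUCCESS), ran


def authenticate(user: str, krb5_path_works: bool, stack_text: str = COMMON_AUTH):
    """Return (decision, modules_run, krb5_ccache_created) for one login attempt."""
    env = Env(frozenset({"root"}), frozenset({"demo"}), krb5_path_works)
    decision, ran = run_stack(parse_auth_stack(stack_text), env, user)
    return decision, ran, env.krb5_ccache_created


if __name__ == "__main__":
    for label, stack in (("with sufficient line", COMMON_AUTH),
                         ("without it", WITHOUT_SUFFICIENT_LINE)):
        for works in (False, True):
            print(label, "| krb5 path works" if works else "| krb5 path fails",
                  authenticate("demo", works, stack))
```

Running it reproduces the two cases in the message: with the sufficient line, `demo` is granted by the first pam_winbind rule alone; without it and with the krb5_auth path failing, pam_unix and pam_winbind both fail and the requisite pam_deny ends the stack, matching the auth.log excerpt. The fourth combination is the one worth noticing: even when the krb5_auth path would succeed, the sufficient line still returns before it runs, so the ticket is never obtained.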


