[Samba] Samba CIFS Mounts with Kerberos Security: Write Access denied

Robert Schetterer rs at sys4.de
Tue Nov 6 09:27:37 UTC 2018


On 06.11.2018 at 09:37, Kraus, Sebastian via samba wrote:
> Hi all,
> 
> I am testing different setups for Samba home share mounts via the
> CIFS protocol on Linux clients with and without Kerberos security (both
> krb5 and krb5i). I am experiencing some strange behaviour in case of
> Kerberos authentication:
> 
> In case of mounts (by root or the user itself) without Kerberos security (only
> NTLMv2 authentication), local root and the owning user on the Linux client are
> granted read and write access for the files within the mounted tree. However,
> while using Kerberos security, every user - even the owner of the files on the
> mount - is denied write access to the files on the mount. Read access is still
> granted as expected/supposed.
> 
> The logging for the client machine on the Samba server side shows errors of
> the following type, while a user-owned smbd process tries to access files in a
> writing manner:
> 
> 
> [2018/11/06 08:39:49.839769,  5, pid=15886, effective(1166435, 8875), real(1166435, 0)] ../source3/smbd/open.c:317(check_parent_access)
>    check_parent_access: access check on directory . for path yess for mask 0x2 returned (0x2) NT_STATUS_ACCESS_DENIED
> [...]
> [2018/11/06 08:39:49.840334,  3, pid=15886, effective(1166435, 8875), real(1166435, 0)] ../source3/smbd/error.c:82(error_packet_set)
>    NT error packet at ../source3/smbd/error.c(165) cmd=50 (SMBtrans2) NT_STATUS_ACCESS_DENIED
> 
> 
> Any suggestions about the possible root cause of the problem?

Hi,

we had problems too while upgrading to Ubuntu 18.04: changed behaviour of
cifs-upcall and Kerberos tickets; "perhaps" this is your problem too.

If you want to do a CIFS (auto)mount with Kerberos,
check the logs for how cifs-upcall looks for your Kerberos tickets.

A ticket, i.e., looks like this:

/tmp/krb5cc_3449004_1Kyv9d

where 3449004 is the uid.

With cifs upcall, Ubuntu 16.04 "searches" for the "right" ticket:

Nov  6 10:21:51 tueilnt-lab11 cifs.upcall: find_krb5_cc: FILE:/tmp/krb5cc_3449004_WOMgon is valid ccache

In Ubuntu 18.04 it's hardcoded to look only for krb5cc_3449004:

  cifs.upcall: get_existing_cc: default ccache is FILE:/tmp/krb5cc_3449004


Regards
> 
> 
> Best
> 
> Sebastian
> 
> 
> 
> Sebastian Kraus
> Team IT am Institut für Chemie
> Gebäude C, Straße des 17. Juni 115, Raum C7
> 
> Technische Universität Berlin
> Fakultät II
> Institut für Chemie
> Sekretariat C3
> Straße des 17. Juni 135
> 10623 Berlin
> 
> Email: sebastian.kraus at tu-berlin.de
> 


-- 
[*] sys4 AG

https://sys4.de, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG,80333 München

Registered office: München, District Court München: HRB 199263
Executive board: Patrick Ben Koetter, Marc Schiffbauer, Wolfgang Stief
Chairman of the supervisory board: Florian Kirstein
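
A diagnostic sketch for the ccache naming difference described in the reply above, added here as an example and not part of the original thread or of cifs-utils. The function names `ccache_status` and `upcall_ccaches` and the sample host name are assumptions; the UID and file names in the demo are constructed from the values quoted in the mail.

```shell
#!/bin/sh
# Added example: check which FILE: credential caches exist for a UID and
# which cache cifs.upcall reported in syslog.

# ccache_status DIR UID prints one of:
#   default        DIR/krb5cc_UID exists (the only name the 18.04
#                  cifs.upcall in the thread looked for)
#   suffixed-only  only DIR/krb5cc_UID_XXXXXX caches exist (the kind the
#                  16.04 cifs.upcall in the thread still found)
#   none           no FILE: cache for this UID in DIR
ccache_status() {
    dir=$1; uid=$2
    if [ -f "$dir/krb5cc_$uid" ]; then
        echo default; return 0
    fi
    for f in "$dir/krb5cc_${uid}_"*; do
        # An unmatched glob stays literal, so test that the file exists.
        if [ -f "$f" ]; then echo suffixed-only; return 0; fi
    done
    echo none
}

# upcall_ccaches reads syslog lines on stdin and prints
# "<lookup function> <ccache>" for the two cifs.upcall messages quoted
# in the thread.
upcall_ccaches() {
    sed -n \
      -e 's/.*cifs\.upcall: find_krb5_cc: \(FILE:[^ ]*\) is valid ccache.*/find_krb5_cc \1/p' \
      -e 's/.*cifs\.upcall: get_existing_cc: default ccache is \(FILE:[^ ]*\).*/get_existing_cc \1/p'
}

demo() {
    d=$(mktemp -d) || return 1
    : > "$d/krb5cc_3449004_1Kyv9d"   # constructed: suffixed cache only
    echo "uid 3449004: $(ccache_status "$d" 3449004)"
    # Constructed log line in the format quoted in the thread.
    printf '%s\n' \
      'Nov  6 10:21:51 host cifs.upcall: get_existing_cc: default ccache is FILE:/tmp/krb5cc_3449004' \
      | upcall_ccaches
    rm -rf "$d"
}
demo
```

A `suffixed-only` result together with a `get_existing_cc` log entry matches the situation the reply describes, where the ticket exists but is not under the name being looked up.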