[Samba] mount.cfs mount error(13): Permission denied

Paul Griffith paulg at eecs.yorku.ca
Mon Apr 29 15:16:03 UTC 2019


On 4/22/19 2:01 PM, Paul Griffith via samba wrote:
> On 4/22/19 10:18 AM, Rowland Penny via samba wrote:
>> On Mon, 22 Apr 2019 09:48:31 -0400
>> Paul Griffith via samba <samba at lists.samba.org> wrote:
>>
>>> Hi All,
>>>
>>>      I am running into an issue mounting a Samba share from our Linux
>>> server. We are running Samba 4.8.8 on CentOS  7.6.1810. I have done
>>> some testing, and I can't get the root cause of the error.
>>>
>>> Testing:
>>>
>>> CentOS 7.6 client -> Samba server, mounting fails - mount.cfs mount
>>> error(13): Permission denied
>>> CentOS 7.6 client -> Win10 desktop share, mounting works
>>>
>>> Fedora 29 client  -> Samba  server, mounting fails - mount.cfs mount
>>> error(13): Permission denied
>>> Fedora 29 client  -> Win10 desktop share, mounting works
>>>
>> Are you using sssd ?
>>
>> If so, then I suggest asking on the sssd-users mailing list, Samba
>> isn't doing the authentication.
>>
>> If you aren't using sssd, then the Unix domain members smb.conf is
>> missing all the 'idmap config' lines, see here:
>>
>> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
>>
>> Rowland
>>
> Thank you Rowland,
>
> We are not using sssd, I was handed this Samba server. It seems I have
> some homework to do to make it work
>
>
> Paul
>

I went away and followed the wiki on setting up Samba as a Domain 
Member. Connecting from Windows works. Linux is another story, it 
doesn't work. Updated Samba config at the end of the e-mail.

sudo mount -t cifs //xxx.xxx.yorku.ca/homes /tmp/1 -o user=paulg,domain=ad.xxxx.yorku.ca,uid=2381,gid=1000
[sudo] password for paulg:
Password for paulg@//xxx.xxxx.yorku.ca/homes:  *********
mount error(2): No such file or directory
Refer to the mount.cifs(8) manual page (e.g. man mount.cifs)


I don't understand this error in the log file

SID S-1-5-21-1981678738-1545235886-4256466701-2508 -> getpwuid(12508) failed

The wbinfo command line util works as expected.

wbinfo -s 'S-1-5-21-1981678738-1545235886-4256466701-2508'
XXXXYORKUCA\paulg 1


A similar post on 
https://serverfault.com/questions/848660/samba-login-failure-getpwuid-failed 
points to SSSD as a solution.  I guess something is missing in my config 
file or sssd is causing a conflict.


I don't have sss in /etc/nsswitch.conf, do I still need to remove all 
SSSD rpms from my system to make winbind work?

rpm -qa | grep -i sssd
sssd-proxy-1.16.2-13.el7_6.5.x86_64
sssd-client-1.16.2-13.el7_6.5.x86_64
sssd-ad-1.16.2-13.el7_6.5.x86_64
sssd-krb5-common-1.16.2-13.el7_6.5.x86_64
sssd-krb5-1.16.2-13.el7_6.5.x86_64
sssd-ipa-1.16.2-13.el7_6.5.x86_64
sssd-common-1.16.2-13.el7_6.5.x86_64
sssd-1.16.2-13.el7_6.5.x86_64
sssd-ldap-1.16.2-13.el7_6.5.x86_64
sssd-common-pac-1.16.2-13.el7_6.5.x86_64
python-sssdconfig-1.16.2-13.el7_6.5.noarch



check_ntlm_password:  Checking password for unmapped user 
[ad.xxx.xxx.ca]\[paulg]@[] with the new password interface
check_ntlm_password:  mapped user is: [ad.xxxx.yorku.ca]\[paulg]@[]
auth_check_ntlm_password: winbind authentication for user [paulg] succeeded
  Auth: [SMB2,(null)] user [ad.xxxx.yorku.ca]\[paulg] at [Mon, 29 Apr 
2019 10:48:33.964845 EDT] with [NTLMv2] status [NT_STATUS_OK] 
workstation [] remote host [ipv4:130.63.xx.xxx52088] became 
[XXXXXXXX\[paulg] [S-1-5-21-1981678738-1545235886-4256466701-2508]. 
local host [ipv4:130.63.XX.XX:445]
   {"timestamp": "2019-04-29T10:48:33.965180-0400", "type": 
"Authentication", "Authentication": {"version": {"major": 1, "minor": 
0}, "status": "NT_STATUS_OK", "localAddress": "ipv4:130.63.XX.XX:445", 
"remoteAddress": "ipv4:130.63.XX.XX:52088", "serviceDescription": 
"SMB2", "authDescription": null, "clientDomain": "ad.eecs.yorku.ca", 
"clientAccount": "paulg", "workstation": "", "becameAccount": "paulg", 
"becameDomain": "XXXXXXXX", "becameSid": 
"S-1-5-21-1981678738-1545235886-4256466701-2508", "mappedAccount": 
"paulg", "mappedDomain": "ad.eecs.yorku.ca", "netlogonComputer": null, 
"netlogonTrustAccount": null, "netlogonNegotiateFlags": "0x00000000", 
"netlogonSecureChannelType": 0, "netlogonTrustAccountSid": null, 
"passwordType": "NTLMv2", "duration": 22122}}
[2019/04/29 10:48:33.965387,  2, pid=3487, effective(0, 0), real(0, 0)] 
../source3/auth/auth.c:316(auth_check_ntlm_password)
   check_ntlm_password:  authentication for user [paulg] -> [paulg] -> 
[paulg] succeeded
[2019/04/29 10:48:33.968098,  1, pid=3487, effective(0, 0), real(0, 0)] 
../source3/auth/token_util.c:561(add_local_groups)
   SID S-1-5-21-1981678738-1545235886-4256466701-2508 -> getpwuid(12508) 
failed
[2019/04/29 10:48:33.968175,  3, pid=3487, effective(0, 0), real(0, 0)] 
../source3/auth/token_util.c:400(create_local_nt_token_from_info3)
   Failed to add local groups
[2019/04/29 10:48:33.968252,  3, pid=3487, effective(0, 0), real(0, 0)] 
../source3/smbd/smb2_server.c:3195(smbd_smb2_request_error_ex)
   smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] 
status[NT_STATUS_UNSUCCESSFUL] || at ../source3/smbd/smb2_sesssetup.c:137
[2019/04/29 10:48:34.097050,  3, pid=3487, effective(0, 0), real(0, 0)] 
../source3/smbd/server_exit.c:237(exit_server_common)
   Server exit (NT_STATUS_END_OF_FILE)


---- files server ----
[global]
security = ADS
workgroup = ONEEXAMPLECA
realm = AD.ONE.EXAMPLE.CA
server string = Samba Server
hostname lookups = yes

# Default ID mapping configuration for local BUILTIN accounts
# and groups on a domain member. The default (*) domain:
# - must not overlap with any domain ID mapping configuration!
# - must use a read-write-enabled back end, such as tdb.
idmap config * : backend = tdb
idmap config * : range = 3000-7999
# - You must set a DOMAIN backend configuration
# idmap config for the ONEEXAMPLECA domain
idmap config ONEEXAMPLECA : backend = rid
idmap config ONEEXAMPLECA : range = 10000-999999

winbind use default domain = yes
local master = No

#log files
debug timestamp = yes
debug uid = yes
debug pid = yes
debug level = 3
max log size = 0

username map = /xconf/samba/usermap

#ip networking
max connections = 0
interfaces = 127.0.0.1 130.xx.xx.xx
bind interfaces only = yes

#printing
load printers = no
printcap name = /xconf/lprng/printcap
printing = bsd
print command = /xsys/bin/lpr -b -P%p %s ; rm -f %s
lpq command = /xsys/bin/lpq -P%p
lprm command = /xsys/bin/lprm -P%p %j
use client driver = yes


# Template settings for login shell and home directory
template shell = /bin/bash
template homedir = /eecs/home/%U

# security settings
guest account = nobody
invalid users = root
nt acl support = yes
inherit permissions = yes
client lanman auth = no
client ntlmv2 auth = yes
wide links = no
unix extensions = no


[homes]
comment = Home Directories
browseable = yes
read only = no
valid users = %S
csc policy = disable
invalid users = activ8
oplocks = no
level2 oplocks = no
strict locking = no
posix locking = no

Thanks
Paul
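
Added example (not part of the original message): a small check that ties the logged getpwuid(12508) to the 'idmap config' lines above and then looks at whether passwd lookups in nsswitch.conf would reach winbind. It assumes the documented idmap_rid formula (ID = RID - BASE_RID + LOW_RANGE_VALUE, with base_rid at its default of 0); the nsswitch.conf contents are constructed samples and all function names are hypothetical.

```python
import re

# Constructed inputs modelled on the smb.conf excerpt and log line in the post.
SMB_CONF = """[global]
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config ONEEXAMPLECA : backend = rid
idmap config ONEEXAMPLECA : range = 10000-999999
"""
LOG_LINE = ("SID S-1-5-21-1981678738-1545235886-4256466701-2508 "
            "-> getpwuid(12508) failed")
NSS_FILES_ONLY = "passwd: files\ngroup: files\n"                    # constructed
NSS_WITH_WINBIND = "passwd: files winbind\ngroup: files winbind\n"  # constructed

IDMAP_RE = re.compile(
    r"^\s*idmap config\s+(\S+)\s*:\s*(\w[\w ]*?)\s*=\s*(.+?)\s*$", re.I)

def parse_idmap(conf):
    """Return {domain: {option: value}} for every 'idmap config' line."""
    domains = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            domains.setdefault(m.group(1), {})[m.group(2).lower()] = m.group(3)
    return domains

def rid_backend_uid(sid, low, base_rid=0):
    """idmap_rid formula (assumed default base_rid): RID - BASE_RID + LOW."""
    return int(sid.rsplit("-", 1)[1]) - base_rid + low

def nss_uses_winbind(nsswitch, database="passwd"):
    """True if the given nsswitch.conf database lists the winbind source."""
    for line in nsswitch.splitlines():
        name, _, sources = line.split("#", 1)[0].partition(":")
        if name.strip() == database:
            return "winbind" in sources.split()
    return False

def diagnose(log_line, conf, domain, nsswitch):
    """Compare the UID smbd logged with what the rid range should produce."""
    sid, logged = re.search(
        r"SID (S-[\d-]+) -> getpwuid\((\d+)\)", log_line).groups()
    low, high = map(int, parse_idmap(conf)[domain]["range"].split("-"))
    uid = rid_backend_uid(sid, low)
    return {"expected_uid": uid, "matches_log": uid == int(logged),
            "in_range": low <= uid <= high,
            "nss_winbind": nss_uses_winbind(nsswitch)}

if __name__ == "__main__":
    print(diagnose(LOG_LINE, SMB_CONF, "ONEEXAMPLECA", NSS_FILES_ONLY))
```

On a live host the same inputs come from `testparm -s`, the smbd log and /etc/nsswitch.conf, and `getent passwd 12508` shows directly whether NSS resolves the mapped UID.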



