[Samba] mount.cfs mount error(13): Permission denied
Paul Griffith
paulg at eecs.yorku.ca
Mon Apr 29 15:16:03 UTC 2019
On 4/22/19 2:01 PM, Paul Griffith via samba wrote:
> On 4/22/19 10:18 AM, Rowland Penny via samba wrote:
>> On Mon, 22 Apr 2019 09:48:31 -0400
>> Paul Griffith via samba <samba at lists.samba.org> wrote:
>>
>>> Hi All,
>>>
>>> I am running into an issue mounting a Samba share from our Linux
>>> server. We are running Samba 4.8.8 on CentOS 7.6.1810. I have done
>>> some testing, and I can't get the root cause of the error.
>>>
>>> Testing:
>>>
>>> CentOS 7.6 client -> Samba server, mounting fails - mount.cfs mount
>>> error(13): Permission denied
>>> CentOS 7.6 client -> Win10 desktop share, mounting works
>>>
>>> Fedora 29 client -> Samba server, mounting fails - mount.cfs mount
>>> error(13): Permission denied
>>> Fedora 29 client -> Win10 desktop share, mounting works
>>>
>> Are you using sssd ?
>>
>> If so, then I suggest asking on the sssd-users mailing list, Samba
>> isn't doing the authentication.
>>
>> If you aren't using sssd, then the Unix domain members smb.conf is
>> missing all the 'idmap config' lines, see here:
>>
>> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
>>
>> Rowland
>>
> Thank you Rowland,
>
> We are not using sssd, I was handed this Samba server. It seems I
> have some homework to do to make it work
>
>
> Paul
>
I went away and followed the wiki on setting up Samba as a Domain
Member. Connecting from Windows works. Linux is another story, it
doesn't work. Updated Samba config at the end of the e-mail.

sudo mount -t cifs //xxx.xxx.yorku.ca/homes /tmp/1 -o user=paulg,domain=ad.xxxx.yorku.ca,uid=2381,gid=1000
[sudo] password for paulg:
Password for paulg@//xxx.xxxx.yorku.ca/homes: *********
mount error(2): No such file or directory
Refer to the mount.cifs(8) manual page (e.g. man mount.cifs)

I don't understand this error in the log file:

SID S-1-5-21-1981678738-1545235886-4256466701-2508 -> getpwuid(12508) failed

The wbinfo command line util works as expected.

wbinfo -s 'S-1-5-21-1981678738-1545235886-4256466701-2508'
XXXXYORKUCA\paulg 1

A similar post on
https://serverfault.com/questions/848660/samba-login-failure-getpwuid-failed
points to SSSD as a solution. I guess something is missing in my config
file or sssd is causing a conflict.

I don't have sss in /etc/nsswitch.conf, do I still need to remove all
SSSD rpms from my system to make winbind work?

rpm -qa | grep -i sssd
sssd-proxy-1.16.2-13.el7_6.5.x86_64
sssd-client-1.16.2-13.el7_6.5.x86_64
sssd-ad-1.16.2-13.el7_6.5.x86_64
sssd-krb5-common-1.16.2-13.el7_6.5.x86_64
sssd-krb5-1.16.2-13.el7_6.5.x86_64
sssd-ipa-1.16.2-13.el7_6.5.x86_64
sssd-common-1.16.2-13.el7_6.5.x86_64
sssd-1.16.2-13.el7_6.5.x86_64
sssd-ldap-1.16.2-13.el7_6.5.x86_64
sssd-common-pac-1.16.2-13.el7_6.5.x86_64
python-sssdconfig-1.16.2-13.el7_6.5.noarch

check_ntlm_password: Checking password for unmapped user [ad.xxx.xxx.ca]\[paulg]@[] with the new password interface
check_ntlm_password: mapped user is: [ad.xxxx.yorku.ca]\[paulg]@[]
auth_check_ntlm_password: winbind authentication for user [paulg] succeeded
Auth: [SMB2,(null)] user [ad.xxxx.yorku.ca]\[paulg] at [Mon, 29 Apr 2019 10:48:33.964845 EDT] with [NTLMv2] status [NT_STATUS_OK] workstation [] remote host [ipv4:130.63.xx.xxx52088] became [XXXXXXXX\[paulg] [S-1-5-21-1981678738-1545235886-4256466701-2508]. local host [ipv4:130.63.XX.XX:445]
{"timestamp": "2019-04-29T10:48:33.965180-0400", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 0}, "status": "NT_STATUS_OK", "localAddress": "ipv4:130.63.XX.XX:445", "remoteAddress": "ipv4:130.63.XX.XX:52088", "serviceDescription": "SMB2", "authDescription": null, "clientDomain": "ad.eecs.yorku.ca", "clientAccount": "paulg", "workstation": "", "becameAccount": "paulg", "becameDomain": "XXXXXXXX", "becameSid": "S-1-5-21-1981678738-1545235886-4256466701-2508", "mappedAccount": "paulg", "mappedDomain": "ad.eecs.yorku.ca", "netlogonComputer": null, "netlogonTrustAccount": null, "netlogonNegotiateFlags": "0x00000000", "netlogonSecureChannelType": 0, "netlogonTrustAccountSid": null, "passwordType": "NTLMv2", "duration": 22122}}
[2019/04/29 10:48:33.965387, 2, pid=3487, effective(0, 0), real(0, 0)] ../source3/auth/auth.c:316(auth_check_ntlm_password)
  check_ntlm_password: authentication for user [paulg] -> [paulg] -> [paulg] succeeded
[2019/04/29 10:48:33.968098, 1, pid=3487, effective(0, 0), real(0, 0)] ../source3/auth/token_util.c:561(add_local_groups)
  SID S-1-5-21-1981678738-1545235886-4256466701-2508 -> getpwuid(12508) failed
[2019/04/29 10:48:33.968175, 3, pid=3487, effective(0, 0), real(0, 0)] ../source3/auth/token_util.c:400(create_local_nt_token_from_info3)
  Failed to add local groups
[2019/04/29 10:48:33.968252, 3, pid=3487, effective(0, 0), real(0, 0)] ../source3/smbd/smb2_server.c:3195(smbd_smb2_request_error_ex)
  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_UNSUCCESSFUL] || at ../source3/smbd/smb2_sesssetup.c:137
[2019/04/29 10:48:34.097050, 3, pid=3487, effective(0, 0), real(0, 0)] ../source3/smbd/server_exit.c:237(exit_server_common)
  Server exit (NT_STATUS_END_OF_FILE)

---- files server ----
[global]
security = ADS
workgroup = ONEEXAMPLECA
realm = AD.ONE.EXAMPLE.CA
server string = Samba Server
hostname lookups = yes
# Default ID mapping configuration for local BUILTIN accounts
# and groups on a domain member. The default (*) domain:
# - must not overlap with any domain ID mapping configuration!
# - must use a read-write-enabled back end, such as tdb.
idmap config * : backend = tdb
idmap config * : range = 3000-7999
# - You must set a DOMAIN backend configuration
# idmap config for the ONEEXAMPLECA domain
idmap config ONEEXAMPLECA : backend = rid
idmap config ONEEXAMPLECA : range = 10000-999999
winbind use default domain = yes
local master = No
#log files
debug timestamp = yes
debug uid = yes
debug pid = yes
debug level = 3
max log size = 0
username map = /xconf/samba/usermap
#ip networking
max connections = 0
interfaces = 127.0.0.1 130.xx.xx.xx
bind interfaces only = yes
#printing
load printers = no
printcap name = /xconf/lprng/printcap
printing = bsd
print command = /xsys/bin/lpr -b -P%p %s ; rm -f %s
lpq command = /xsys/bin/lpq -P%p
lprm command = /xsys/bin/lprm -P%p %j
use client driver = yes
# Template settings for login shell and home directory
template shell = /bin/bash
template homedir = /eecs/home/%U
# security settings
guest account = nobody
invalid users = root
nt acl support = yes
inherit permissions = yes
client lanman auth = no
client ntlmv2 auth = yes
wide links = no
unix extensions = no
[homes]
comment = Home Directories
browseable = yes
read only = no
valid users = %S
csc policy = disable
invalid users = activ8
oplocks = no
level2 oplocks = no
strict locking = no
posix locking = no

Thanks
Paul
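
Added example (not part of the original message and not Samba code): a short Python check that ties the uid in the add_local_groups log line to the "idmap config ... : backend = rid" range from the posted smb.conf, using the idmap_rid(8) formula ID = RID - BASE_RID + LOW_RANGE_VALUE, and then asks the local NSS whether that uid resolves. The function names are hypothetical, base_rid is assumed to be 0 (the default), and the sample inputs are copied from the post.

```python
import pwd
import re

# Sample inputs copied from the post (domain name as sanitized there).
LOG_LINE = "SID S-1-5-21-1981678738-1545235886-4256466701-2508 -> getpwuid(12508) failed"
SMB_CONF = """\
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config ONEEXAMPLECA : backend = rid
idmap config ONEEXAMPLECA : range = 10000-999999
"""

def parse_idmap(conf):
    """Return {domain: {'backend': str, 'range': (low, high)}} from smb.conf text."""
    out = {}
    pattern = r"^\s*idmap config\s+(\S+)\s*:\s*(backend|range)\s*=\s*(\S+)"
    for dom, key, val in re.findall(pattern, conf, re.M):
        if key == "range":
            val = tuple(int(x) for x in val.split("-"))
        out.setdefault(dom, {})[key] = val
    return out

def parse_failure(line):
    """Extract (sid, uid) from an add_local_groups 'getpwuid(N) failed' line."""
    m = re.search(r"SID (S-[\d-]+) -> getpwuid\((\d+)\) failed", line)
    if not m:
        raise ValueError("not a getpwuid failure line")
    return m.group(1), int(m.group(2))

def rid_to_uid(sid, low, high, base_rid=0):
    """idmap_rid: ID = RID - BASE_RID + LOW_RANGE_VALUE; None if outside the range."""
    rid = int(sid.rsplit("-", 1)[1])
    uid = rid - base_rid + low
    return uid if low <= uid <= high else None

def diagnose(line, conf, domain):
    sid, logged_uid = parse_failure(line)
    low, high = parse_idmap(conf)[domain]["range"]
    expected = rid_to_uid(sid, low, high)
    try:
        pwd.getpwuid(logged_uid)      # the same NSS lookup smbd reports as failing
        nss_resolves = True
    except KeyError:
        nss_resolves = False
    return {"sid": sid, "logged_uid": logged_uid, "expected_uid": expected,
            "mapping_consistent": expected == logged_uid,
            "nss_resolves": nss_resolves}

if __name__ == "__main__":
    print(diagnose(LOG_LINE, SMB_CONF, "ONEEXAMPLECA"))
```

Run on the file server, mapping_consistent = True together with nss_resolves = False means winbind produced the uid the rid range predicts but the passwd lookup for it returns nothing; the passwd and group lines in /etc/nsswitch.conf and the output of "getent passwd paulg" are the next things to compare.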