[Samba] permission denied with windows acls
Peter Carlson
peter at howudodat.com
Fri Jan 26 17:34:38 UTC 2024
On 1/26/24 02:35, Rowland Penny via samba wrote:
> On Thu, 25 Jan 2024 18:45:52 -0800 Peter Carlson via samba
> <samba at lists.samba.org> wrote:
>> The share mounts and I am a member of the correct groups
>> CARLSON\peter@u2gui:~$ cat /etc/fstab
>> //fs.carlson.lab/test /mnt/test cifs credentials=/root/smbcreds,multiuser,sec=ntlmssp,_netdev 0 0
> I think that could be part of your problem, even though you are using
> 'multiuser', you are mounting as root. Try reading 'man mount.cifs'
> and pay particular attention to 'sec=krb5' and 'multiuser', that way
> you will not require a password.
> Rowland
OK, I am a bit confused on mounting using service tickets and krb5. I
created the ticket on the client Linux machine:
root@u2gui:~# kinit -k U2GUI$
root@u2gui:~# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: U2GUI$@CARLSON.LAB

Valid starting       Expires              Service principal
01/26/2024 09:13:19  01/26/2024 19:13:19  krbtgt/CARLSON.LAB@CARLSON.LAB
        renew until 01/27/2024 09:13:18
and the fstab:
//fs.carlson.lab/test /mnt/test cifs vers=3.0,multiuser,sec=krb5,_netdev 0 0
then when I mount:
root@u2gui:~# mount -a
mount error(126): Required key not available
Refer to the mount.cifs(8) manual page (e.g. man mount.cifs) and kernel log messages (dmesg)
root@u2gui:~# mount -t cifs -o multiuser,sec=krb5 //192.168.1.52/Test /mnt/test
mount error(126): Required key not available
Refer to the mount.cifs(8) manual page (e.g. man mount.cifs) and kernel log messages (dmesg)
The log seems to indicate it is getting a service ticket for the file
server. I think I am missing an important step somewhere, but I feel a
bit like I'm stabbing. Information on the highly reliable web
</sarcasm> conflicts: some say it works with a computer service account,
others say you need a user account added to the keytab. Is there a
reliable guide that helps a starter like me?
LOG:
Jan 26 09:24:56 u2gui kernel: [1214460.606344] CIFS: Attempting to mount
\\fs.carlson.lab\test
Jan 26 09:24:56 u2gui cifs.upcall: key description:
cifs.spnego;0;0;39010000;ver=0x2;host=fs.carlson.lab;ip4=192.168.1.52;sec=krb5;uid=0x0;creduid=0x0;user=root;pid=0x24e63
Jan 26 09:24:56 u2gui cifs.upcall: ver=2
Jan 26 09:24:56 u2gui cifs.upcall: host=fs.carlson.lab
Jan 26 09:24:56 u2gui cifs.upcall: ip=192.168.1.52
Jan 26 09:24:56 u2gui cifs.upcall: sec=1
Jan 26 09:24:56 u2gui cifs.upcall: uid=0
Jan 26 09:24:56 u2gui cifs.upcall: creduid=0
Jan 26 09:24:56 u2gui cifs.upcall: user=root
Jan 26 09:24:56 u2gui cifs.upcall: pid=151139
Jan 26 09:24:56 u2gui cifs.upcall: get_cachename_from_process_env: pid == 0
Jan 26 09:24:56 u2gui cifs.upcall: get_existing_cc: default ccache is
FILE:/tmp/krb5cc_0
Jan 26 09:24:56 u2gui cifs.upcall: handle_krb5_mech: getting service
ticket for fs.carlson.lab
Jan 26 09:24:56 u2gui cifs.upcall: cifs_krb5_get_req: unable to get
credentials for fs.carlson.lab
Jan 26 09:24:56 u2gui cifs.upcall: handle_krb5_mech: failed to obtain
service ticket (-1765328377)
Jan 26 09:24:56 u2gui cifs.upcall: Unable to obtain service ticket
Jan 26 09:24:56 u2gui cifs.upcall: Exit status -1765328377
Jan 26 09:24:56 u2gui kernel: [1214460.675126] CIFS: VFS: Verify user
has a krb5 ticket and keyutils is installed
Jan 26 09:24:56 u2gui kernel: [1214460.675136] CIFS: VFS:
\\fs.carlson.lab Send error in SessSetup = -126
Jan 26 09:24:56 u2gui kernel: [1214460.675166] CIFS: VFS: cifs_mount
failed w/return code = -126
Jan 26 09:24:56 u2gui kernel: [1214460.677668] CIFS: Attempting to mount
\\fs.carlson.lab\test
Jan 26 09:24:56 u2gui cifs.upcall: key description:
cifs.spnego;0;0;39010000;ver=0x2;host=fs.carlson.lab;ip4=192.168.1.52;sec=krb5;uid=0x0;creduid=0x1e88d3;user=root;pid=0x24e63
Jan 26 09:24:56 u2gui cifs.upcall: ver=2
Jan 26 09:24:56 u2gui cifs.upcall: host=fs.carlson.lab
Jan 26 09:24:56 u2gui cifs.upcall: ip=192.168.1.52
Jan 26 09:24:56 u2gui cifs.upcall: sec=1
Jan 26 09:24:56 u2gui cifs.upcall: uid=0
Jan 26 09:24:56 u2gui cifs.upcall: creduid=2001107
Jan 26 09:24:56 u2gui cifs.upcall: user=root
Jan 26 09:24:56 u2gui cifs.upcall: pid=151139
Jan 26 09:24:56 u2gui cifs.upcall: get_cachename_from_process_env:
pathname=/proc/151139/environ
Jan 26 09:24:56 u2gui cifs.upcall: get_existing_cc: default ccache is
FILE:/tmp/krb5cc_2001107
Jan 26 09:24:56 u2gui cifs.upcall: get_tgt_time: unable to get principal
Jan 26 09:24:56 u2gui cifs.upcall: krb5_get_init_creds_keytab: -1765328378
Jan 26 09:24:56 u2gui cifs.upcall: Exit status 1
Jan 26 09:24:56 u2gui kernel: [1214461.218431] CIFS: VFS: Verify user
has a krb5 ticket and keyutils is installed
Jan 26 09:24:56 u2gui kernel: [1214461.218443] CIFS: VFS:
\\fs.carlson.lab Send error in SessSetup = -126
Jan 26 09:24:56 u2gui kernel: [1214461.218466] CIFS: VFS: cifs_mount
failed w/return code = -126
Jan 26 09:30:01 u2gui CRON[151161]: (root) CMD ([ -x /etc/init.d/anacron
] && if [ ! -d /run/systemd/system ]; then /usr/sbin/invoke-rc.d anacron
start >/dev/null; fi)
Jan 26 09:31:28 u2gui systemd[1]: Started Run anacron jobs.
Jan 26 09:31:28 u2gui anacron[151162]: Anacron 2.3 started on 2024-01-26
Jan 26 09:31:28 u2gui anacron[151162]: Normal exit (0 jobs run)
Jan 26 09:31:28 u2gui systemd[1]: anacron.service: Deactivated successfully.
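Added example, not part of the original post: a small Python parser for the cifs.upcall lines above that splits the log into one record per upcall and names the Kerberos error behind each numeric status. It relies on the fact that MIT krb5 return codes are the RFC 4120 protocol error number added to the error-table base -1765328384; the function names and the short error table are this example's own.

```python
import re

# MIT krb5 return code = error-table base + RFC 4120 protocol error number.
KRB5_BASE = -1765328384
# Subset of RFC 4120 error numbers seen during ticket acquisition (not exhaustive).
KDC_ERRORS = {
    6: "KDC_ERR_C_PRINCIPAL_UNKNOWN",   # client not found in Kerberos database
    7: "KDC_ERR_S_PRINCIPAL_UNKNOWN",   # server not found in Kerberos database
    24: "KDC_ERR_PREAUTH_FAILED",       # pre-authentication failed
    37: "KRB_AP_ERR_SKEW",              # clock skew too great
}

# Lines copied from the log in the post, with the e-mail line wrapping undone.
SAMPLE_LOG = """\
Jan 26 09:24:56 u2gui cifs.upcall: key description: cifs.spnego;0;0;39010000;ver=0x2;host=fs.carlson.lab;ip4=192.168.1.52;sec=krb5;uid=0x0;creduid=0x0;user=root;pid=0x24e63
Jan 26 09:24:56 u2gui cifs.upcall: get_existing_cc: default ccache is FILE:/tmp/krb5cc_0
Jan 26 09:24:56 u2gui cifs.upcall: handle_krb5_mech: failed to obtain service ticket (-1765328377)
Jan 26 09:24:56 u2gui cifs.upcall: key description: cifs.spnego;0;0;39010000;ver=0x2;host=fs.carlson.lab;ip4=192.168.1.52;sec=krb5;uid=0x0;creduid=0x1e88d3;user=root;pid=0x24e63
Jan 26 09:24:56 u2gui cifs.upcall: get_existing_cc: default ccache is FILE:/tmp/krb5cc_2001107
Jan 26 09:24:56 u2gui cifs.upcall: get_tgt_time: unable to get principal
Jan 26 09:24:56 u2gui cifs.upcall: krb5_get_init_creds_keytab: -1765328378
"""

def decode_krb5(code):
    """Name the protocol error behind a libkrb5 return code, if it is in the subset."""
    return KDC_ERRORS.get(code - KRB5_BASE, "UNKNOWN(%d)" % (code - KRB5_BASE))

def parse_attempts(log):
    """Return one record per upcall: creduid, ccache, failing step, decoded error."""
    attempts = []
    for msg in re.findall(r"cifs\.upcall: (.*)", log):
        if msg.startswith("key description:"):
            uid = int(re.search(r"creduid=0x([0-9a-f]+)", msg).group(1), 16)
            attempts.append({"creduid": uid, "ccache": None, "step": None, "error": None})
        elif attempts:
            cur = attempts[-1]
            cc = re.search(r"default ccache is (\S+)", msg)
            err = re.match(r"(\w+): .*?(-\d{10})\)?$", msg)
            if cc:
                cur["ccache"] = cc.group(1)
            elif err and cur["error"] is None:  # keep the first failing step
                cur["step"], cur["error"] = err.group(1), decode_krb5(int(err.group(2)))
    return attempts

if __name__ == "__main__":
    for attempt in parse_attempts(SAMPLE_LOG):
        print(attempt)
```

On the posted log this separates the two upcalls: the one using root's cache (creduid 0) stops at the service-ticket request with "server not found", while the one for creduid 2001107 stops at the keytab fallback with "client not found".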