[Samba] permission denied with windows acls

Peter Carlson peter at howudodat.com
Fri Jan 26 20:27:52 UTC 2024


On 1/26/24 09:34, Peter Carlson via samba wrote:
>
> On 1/26/24 02:35, Rowland Penny via samba wrote:
>> On Thu, 25 Jan 2024 18:45:52 -0800 Peter Carlson via samba 
>> <samba at lists.samba.org> wrote:
>>> The share mounts and I am a member of the correct groups
>>>
>>> CARLSON\peter@u2gui:~$ cat /etc/fstab
>>> //fs.carlson.lab/test /mnt/test cifs credentials=/root/smbcreds,multiuser,sec=ntlmssp,_netdev 0 0
>> I think that could be part of your problem, even though you are using
>> 'multiuser', you are mounting as root. Try reading 'man mount.cifs'
>> and pay particular attention to 'sec=krb5' and 'multiuser', that way
>> you will not require a password.
>>
>> Rowland
> OK, I am a bit confused on mounting using service tickets and krb5. I
> created the ticket on the client Linux machine:
>
>    root@u2gui:~# kinit -k U2GUI$
>    root@u2gui:~# klist
>    Ticket cache: FILE:/tmp/krb5cc_0
>    Default principal: U2GUI$@CARLSON.LAB
>
>    Valid starting       Expires              Service principal
>    01/26/2024 09:13:19  01/26/2024 19:13:19  krbtgt/CARLSON.LAB@CARLSON.LAB
>         renew until 01/27/2024 09:13:18
>
> and the fstab:
>
>    //fs.carlson.lab/test /mnt/test cifs vers=3.0,multiuser,sec=krb5,_netdev 0 0
>
>
OK, I did figure out the "required key not available", but now it's
permission denied:

    root@u2gui:~# mount -a
    mount error(13): Permission denied

The logs seem to indicate that it is trying to connect as user u2gui.  I 
thought it mounted with a service account?


[2024/01/26 20:19:59.402444,  3] 
../../source3/auth/auth_generic.c:173(auth3_generate_session_info_pac)
   Kerberos ticket principal name is [U2GUI$@CARLSON.LAB]
[2024/01/26 20:19:59.404439,  3] 
../../source3/param/loadparm.c:3998(lp_load_ex)
   lp_load_ex: refreshing parameters
[2024/01/26 20:19:59.404550,  3] 
../../source3/param/loadparm.c:560(init_globals)
   Initialising global parameters
[2024/01/26 20:19:59.404675,  3] 
../../source3/param/loadparm.c:2900(lp_do_section)
   Processing section "[global]"
[2024/01/26 20:19:59.404926,  2] 
../../source3/param/loadparm.c:2917(lp_do_section)
   Processing section "[Test]"
[2024/01/26 20:19:59.404992,  3] 
../../source3/param/loadparm.c:1684(lp_add_ipc)
   adding IPC service
[2024/01/26 20:19:59.405125,  3] 
../../source3/smbd/password.c:84(register_homes_share)
   Adding homes service for user 'CARLSON\u2gui$' using home directory: '/home/u2gui_@CARLSON'
[2024/01/26 20:19:59.405903,  3] ../../lib/util/access.c:372(allow_access)
   Allowed connection from 192.168.1.54 (192.168.1.54)
[2024/01/26 20:19:59.405993,  3] 
../../source3/smbd/smb2_service.c:584(make_connection_snum)
   make_connection_snum: Connect path is '/tmp' for service [IPC$]
[2024/01/26 20:19:59.406045,  3] 
../../source3/smbd/vfs.c:115(vfs_init_default)
   Initialising default vfs hooks
[2024/01/26 20:19:59.406058,  3] 
../../source3/smbd/vfs.c:141(vfs_init_custom)
   Initialising custom vfs hooks from [/[Default VFS]/]
[2024/01/26 20:19:59.406066,  3] 
../../source3/smbd/vfs.c:141(vfs_init_custom)
   Initialising custom vfs hooks from [acl_xattr]
[2024/01/26 20:19:59.407376,  3] 
../../lib/util/modules.c:167(load_module_absolute_path)
   load_module_absolute_path: Module 
'/usr/lib/x86_64-linux-gnu/samba/vfs/acl_xattr.so' loaded
[2024/01/26 20:19:59.407438,  2] 
../../source3/modules/vfs_acl_xattr.c:206(connect_acl_xattr)
   connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = 
true' and 'force unknown acl user = true' for service IPC$
[2024/01/26 20:19:59.407562,  3] 
../../source3/smbd/smb2_service.c:814(make_connection_snum)
   192.168.1.54 (ipv4:192.168.1.54:57442) signed connect to service IPC$ 
initially as user CARLSON\u2gui$ (uid=2001115, gid=2000515) (pid 42056)
[2024/01/26 20:19:59.408091,  3] ../../lib/util/access.c:372(allow_access)
   Allowed connection from 192.168.1.54 (192.168.1.54)
[2024/01/26 20:19:59.408163,  3] 
../../source3/smbd/smb2_service.c:584(make_connection_snum)
   make_connection_snum: Connect path is '/data/test' for service [Test]
[2024/01/26 20:19:59.408185,  3] 
../../source3/smbd/vfs.c:115(vfs_init_default)
   Initialising default vfs hooks
[2024/01/26 20:19:59.408194,  3] 
../../source3/smbd/vfs.c:141(vfs_init_custom)
   Initialising custom vfs hooks from [/[Default VFS]/]
[2024/01/26 20:19:59.408201,  3] 
../../source3/smbd/vfs.c:141(vfs_init_custom)
   Initialising custom vfs hooks from [acl_xattr]
[2024/01/26 20:19:59.408212,  2] 
../../source3/modules/vfs_acl_xattr.c:206(connect_acl_xattr)
   connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = 
true' and 'force unknown acl user = true' for service Test
[2024/01/26 20:19:59.408321,  2] 
../../source3/smbd/smb2_service.c:814(make_connection_snum)
   192.168.1.54 (ipv4:192.168.1.54:57442) signed connect to service Test 
initially as user CARLSON\u2gui$ (uid=2001115, gid=2000515) (pid 42056)
[2024/01/26 20:19:59.408773,  0] 
../../source3/smbd/smb2_service.c:117(chdir_current_service)
   chdir_current_service: vfs_ChDir(/data/test) failed: Permission 
denied. Current token: uid=2001115, gid=2000515, 5 groups: 2001115 
2000515 10003 10004 10006
[2024/01/26 20:19:59.408817,  3] 
../../source3/smbd/smb2_server.c:4031(smbd_smb2_request_error_ex)
   smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] 
status[NT_STATUS_ACCESS_DENIED] || at ../../source3/smbd/smb2_server.c:3322
[2024/01/26 20:19:59.409054,  3] 
../../source3/smbd/msdfs.c:984(get_referred_path)
   get_referred_path: |test| in dfs path \fs1.carlson.lab\test is not a 
dfs root.
[2024/01/26 20:19:59.409083,  3] 
../../source3/smbd/smb2_server.c:4031(smbd_smb2_request_error_ex)
   smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] 
status[NT_STATUS_NOT_FOUND] || at ../../source3/smbd/smb2_ioctl.c:353
[2024/01/26 20:19:59.409380,  0] 
../../source3/smbd/smb2_service.c:117(chdir_current_service)
   chdir_current_service: vfs_ChDir(/data/test) failed: Permission 
denied. Current token: uid=2001115, gid=2000515, 5 groups: 2001115 
2000515 10003 10004 10006
[2024/01/26 20:19:59.409436,  3] 
../../source3/smbd/smb2_server.c:4031(smbd_smb2_request_error_ex)
   smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] 
status[NT_STATUS_ACCESS_DENIED] || at ../../source3/smbd/smb2_server.c:3322
[2024/01/26 20:19:59.409825,  0] 
../../source3/smbd/smb2_service.c:117(chdir_current_service)
   chdir_current_service: vfs_ChDir(/data/test) failed: Permission 
denied. Current token: uid=2001115, gid=2000515, 5 groups: 2001115 
2000515 10003 10004 10006
[2024/01/26 20:19:59.409882,  3] 
../../source3/smbd/smb2_server.c:4031(smbd_smb2_request_error_ex)
   smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] 
status[NT_STATUS_ACCESS_DENIED] || at ../../source3/smbd/smb2_server.c:3322
[2024/01/26 20:19:59.410197,  3] 
../../source3/smbd/smb2_service.c:907(close_cnum)
   192.168.1.54 (ipv4:192.168.1.54:57442) closed connection to service IPC$
[2024/01/26 20:19:59.410303,  2] 
../../source3/smbd/smb2_service.c:907(close_cnum)
   192.168.1.54 (ipv4:192.168.1.54:57442) closed connection to service Test
[2024/01/26 20:19:59.546220,  3] 
../../source3/smbd/server_exit.c:229(exit_server_common)
   Server exit (NT_STATUS_END_OF_FILE)
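
The three entries that matter in the log above (the Kerberos ticket principal, the identity used for the tree connect, and the failed chdir with its token) can be extracted and checked against the share directory's ownership. This is an added example, not part of the original post; the owner, group and mode passed to `can_traverse` are constructed values because the post does not show them, and only plain mode bits are evaluated (no POSIX ACLs).

```python
import re

# Constructed sample: three entries copied from the smbd log in the post above,
# kept in their mail-wrapped form (header line, then continuation lines).
SAMPLE = r"""[2024/01/26 20:19:59.402444,  3]
../../source3/auth/auth_generic.c:173(auth3_generate_session_info_pac)
   Kerberos ticket principal name is [U2GUI$@CARLSON.LAB]
[2024/01/26 20:19:59.408321,  2]
../../source3/smbd/smb2_service.c:814(make_connection_snum)
   192.168.1.54 (ipv4:192.168.1.54:57442) signed connect to service Test
initially as user CARLSON\u2gui$ (uid=2001115, gid=2000515) (pid 42056)
[2024/01/26 20:19:59.408773,  0]
../../source3/smbd/smb2_service.c:117(chdir_current_service)
   chdir_current_service: vfs_ChDir(/data/test) failed: Permission
denied. Current token: uid=2001115, gid=2000515, 5 groups: 2001115
2000515 10003 10004 10006"""
HEADER = re.compile(r"^\[\d{4}/\d\d/\d\d [\d:.]+,\s+\d+\]")

def entries(text):
    """Yield one string per log entry, undoing the line wrapping."""
    cur = []
    for line in filter(str.strip, text.splitlines()):
        if HEADER.match(line) and cur:
            yield " ".join(cur)
            cur = []
        cur.append(line.strip())
    if cur:
        yield " ".join(cur)

def analyse(text):
    out = {"principal": None, "connects": [], "denied": []}
    for e in entries(text):
        if m := re.search(r"Kerberos ticket principal name is \[([^\]]+)\]", e):
            out["principal"] = m[1]
        if m := re.search(r"connect to service (\S+) initially as user (\S+) \(uid=(\d+)", e):
            out["connects"].append((m[1], m[2], int(m[3])))
        if m := re.search(r"vfs_ChDir\((.+?)\) failed: Permission denied\. Current token: "
                          r"uid=(\d+), gid=(\d+), \d+ groups: ([\d ]+)", e):
            gids = {int(m[3]), *map(int, m[4].split())}
            out["denied"].append({"path": m[1], "uid": int(m[2]), "gids": gids})
    return out

def can_traverse(token, st_uid, st_gid, st_mode):
    """Mode-bit check for chdir(); st_* would come from stat on the server."""
    if token["uid"] == st_uid:
        return bool(st_mode & 0o100)
    if st_gid in token["gids"]:
        return bool(st_mode & 0o010)
    return bool(st_mode & 0o001)
```

Feeding the real `stat` values for `/data/test` on the file server into `can_traverse` shows whether the token in the log has the execute (search) bit through owner, group or other.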

