[Samba] permission denied with windows acls
Peter Carlson
peter at howudodat.com
Sun Jan 28 18:23:35 UTC 2024
On 1/28/24 10:06, Rowland Penny via samba wrote:
> On Sun, 28 Jan 2024 09:40:22 -0800
> Peter Carlson via samba<samba at lists.samba.org> wrote:
>
>> On 1/28/24 09:27, Rowland Penny via samba wrote:
>>> On Sun, 28 Jan 2024 08:47:28 -0800
>>> Peter Carlson via samba<samba at lists.samba.org> wrote:
>>>
>>>> On 1/27/24 03:19, Rowland Penny via samba wrote:
>>>>> You are close, but are missing a parameter, try opening a terminal
>>>>> on u2gui (which I take it is the hostname for the domain joined
>>>>> client you are trying to mount the share to). Then type this:
>>>>>
>>>>> sudo mount -t cifs //fs.carlson.lab/test /mnt/test -o
>>>>> sec=krb5,username=U2GUI$,multiuser
>>>>>
>>>>> Now go and look at /mnt/test
>>>>>
>>>>> Rowland
>>>>>
>>>> I am still getting permission denied. Does the machine need a user
>>>> account? I thought that with multiuser it just needed a computer
>>>> account
>>> It does just need a computer account and a computer account is just
>>> a user account with an extra objectclass.
>> except that the computer isn't normally a member of Domain Users, but
>> Domain Computers...so...that got me thinking and I added the computer
>> to Domain Users and now it can mount. But is that the right thing to
>> do?
> I come back to the fact that it works for myself without doing anything
> like that:
> sudo ldbsearch -H /var/lib/samba/private/sam.ldb -P -b
> dc=samdom,dc=example,dc=com
> '(&(objectCategory=computer)(primaryGroupID=515))' dn | grep TESTDM12
> dn: CN=TESTDM12,CN=Computers,DC=samdom,DC=example,DC=com
>
> Rowland
>
By any chance does your share permission for the share allow Domain
Computers? Mine is only set up for Domain Admins and Domain Users,
so here goes with a huge dump of data. Let's see if there is something
bizarre in all of this (BTW, I have a 2nd VM that is only CLI and it
behaves the same way. Its config is similar except it does KDC via DNS
lookup).
root at nc1:/var/log/samba# ldbsearch -H /var/lib/samba/private/sam.ldb -P
-b dc=carlson,dc=lab '(&(objectCategory=computer)(primaryGroupID=515))'
dn memberOf
...
# record 2
dn: CN=U2GUI,CN=Computers,DC=carlson,DC=lab
memberOf: CN=Domain Users,CN=Users,DC=carlson,DC=lab
root at u2gui:~# klist
Ticket cache: FILE:/tmp/krb5cc_2001107
Default principal: U2GUI$@CARLSON.LAB
Valid starting Expires Service principal
01/28/2024 08:37:39 01/28/2024 18:37:39 krbtgt/CARLSON.LAB at CARLSON.LAB
renew until 01/29/2024 08:37:38
----------------------------------------------------------------------------
root at u2gui:~# cat /etc/samba/smb.conf
[global]
server string = %h server (Samba, Ubuntu)
log file = /var/log/samba/log.%m
max log size = 1000
logging = file
panic action = /usr/share/samba/panic-action %d
kerberos method = secrets and keytab
realm = CARLSON.LAB
workgroup = CARLSON
template homedir = /home/%U@%D
template shell = /bin/bash
security = ads
idmap config CARLSON : range = 2000000-2999999
idmap config CARLSON : backend = rid
idmap config * : range = 10000-999999
idmap config * : backend = tdb
vfs objects = acl_xattr
map acl inherit = yes
winbind use default domain = no
winbind refresh tickets = yes
winbind offline logon = yes
winbind enum groups = no
winbind enum users = no
apply group policies = yes
--------------------------------------------------------------------------
root at u2gui:~# cat /etc/krb5.conf
[libdefaults]
default_realm = CARLSON.LAB
dns_lookup_realm = false
dns_lookup_kdc = true
# The following krb5.conf variables are only for MIT Kerberos.
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
default_ccache_name = FILE:/tmp/krb5cc_%{euid}
# The following libdefaults parameters are only for Heimdal Kerberos.
fcc-mit-ticketflags = true
[realms]
CARLSON.LAB = {
kdc = nc1.carlson.lab
}
[domain_realm]
--------------------------------------- File Server Config ------------------------------------------------
root at fs1:/var/log/samba# cat /etc/samba/smb.conf
[global]
server string = %h server (Samba, Ubuntu)
log file = /var/log/samba/log.%m
max log size = 1000
logging = file
panic action = /usr/share/samba/panic-action %d
log level = 3
kerberos method = secrets and keytab
realm = CARLSON.LAB
workgroup = CARLSON
template homedir = /home/%U@%D
template shell = /bin/bash
security = ads
idmap config CARLSON : range = 2000000-2999999
idmap config CARLSON : backend = rid
idmap config * : range = 10000-999999
idmap config * : backend = tdb
vfs objects = acl_xattr
map acl inherit = yes
winbind use default domain = no
winbind refresh tickets = yes
winbind offline logon = yes
winbind enum groups = no
winbind enum users = no
apply group policies = yes
#======================= Share Definitions =======================
[Test]
path = /data/test
comment = test
writable = yes
getfacl: Removing leading '/' from absolute path names
# file: data/test
# owner: root
# group: CARLSON\\domain\040admins
# flags: --t
user::rwx
user:root:rwx
user:CARLSON\\domain\040admins:rwx
user:CARLSON\\domain\040users:r-x
group::rwx
group:CARLSON\\domain\040admins:rwx
group:CARLSON\\domain\040users:r-x
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:CARLSON\\domain\040admins:rwx
default:user:CARLSON\\domain\040users:r-x
default:group::---
default:group:CARLSON\\domain\040admins:rwx
default:group:CARLSON\\domain\040users:r-x
default:mask::rwx
default:other::---
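An added example (not code from the thread or from Samba) that parses the getfacl output above and applies the acl(5) access-check order to the computer account; the winbind-style names `CARLSON\u2gui$` and `CARLSON\domain computers` are assumed. It reproduces the finding in the thread: with only Domain Computers the account falls through to `other::---`, and adding Domain Users yields `r-x`.

```python
import re  # added example: evaluate the getfacl ACL from the post for the computer account
# Constructed sample: the access entries of /data/test exactly as getfacl printed them above.
SAMPLE_GETFACL = r"""# owner: root
# group: CARLSON\\domain\040admins
user::rwx
user:root:rwx
user:CARLSON\\domain\040admins:rwx
user:CARLSON\\domain\040users:r-x
group::rwx
group:CARLSON\\domain\040admins:rwx
group:CARLSON\\domain\040users:r-x
mask::rwx
other::---"""

def unescape(name):
    # getfacl prints a backslash as "\\" and bytes such as space as octal "\040"
    return re.sub(r"\\(\\|[0-7]{3})",
                  lambda m: "\\" if m.group(1) == "\\" else chr(int(m.group(1), 8)), name)

def parse_getfacl(text):
    # Returns owner, owning group and a map (tag, qualifier) -> perms for the access ACL
    acl = {"owner": None, "owning_group": None, "entries": {}}
    for line in text.splitlines():
        if line.startswith("# owner: "):
            acl["owner"] = unescape(line[9:])
        elif line.startswith("# group: "):
            acl["owning_group"] = unescape(line[9:])
        elif line and line[0] != "#" and not line.startswith(("default:", "getfacl:")):
            tag, qual, perms = line.split()[0].split(":", 2)  # drops a "#effective:" note
            acl["entries"][(tag, unescape(qual))] = perms
    return acl

def effective_perms(acl, account, groups):
    # acl(5) access-check order: owner, named user, group class (union, masked), other
    e, mask = acl["entries"], acl["entries"].get(("mask", ""))
    def masked(p):  # the mask caps every group-class entry, never the owner entry
        return p if mask is None else "".join(
            c if c != "-" and mask[i] != "-" else "-" for i, c in enumerate(p))
    if account == acl["owner"]:
        return e[("user", "")]
    if ("user", account) in e:
        return masked(e[("user", account)])
    matching = [p for (tag, name), p in e.items() if tag == "group"
                and (name in groups if name else acl["owning_group"] in groups)]
    if matching:  # a bit granted by any matching group entry is granted
        return masked("".join(next((p[i] for p in matching if p[i] != "-"), "-") for i in range(3)))
    return e.get(("other", ""), "---")

ACL = parse_getfacl(SAMPLE_GETFACL)
# Assumed winbind-style names: "CARLSON\u2gui$" for the computer account, "CARLSON\domain users" etc.
for grp in ({"CARLSON\\domain computers"}, {"CARLSON\\domain computers", "CARLSON\\domain users"}):
    print(sorted(grp), "->", effective_perms(ACL, "CARLSON\\u2gui$", grp))  # "---" then "r-x"
```

Only the access ACL is evaluated; the `default:` entries govern inheritance for new files and are skipped, and an NT ACL stored by `acl_xattr` is not consulted.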