[Samba] permission denied with windows acls

Peter Carlson peter at howudodat.com
Sun Jan 28 20:18:34 UTC 2024


OK, so I started with a clean slate.  Same result: the mount only works if I add
the computer account to Domain Users.  smbd version is 4.15.13-Ubuntu.

root@u2cli:~# getent passwd CARLSON\\peter
CARLSON\peter:*:2001107:2000513::/home/peter@CARLSON:/bin/bash

root@u2cli:~# mkdir -m 1777 /mnt/test

root@u2cli:~# kinit -V -k U2CLI$
Using default cache: /tmp/krb5cc_0
Using principal: U2CLI$@CARLSON.LAB
Authenticated to Kerberos v5

root@u2cli:~# mount -t cifs //fs1.carlson.lab/test /mnt/test -o sec=krb5,username=U2CLI$,multiuser
mount error(13): Permission denied
Refer to the mount.cifs(8) manual page (e.g. man mount.cifs) and kernel log messages (dmesg)

root@u2cli:~# reboot

root@u2cli:~# mount -t cifs //fs1.carlson.lab/test /mnt/test -o sec=krb5,username=U2CLI$,multiuser
mount error(13): Permission denied
Refer to the mount.cifs(8) manual page (e.g. man mount.cifs) and kernel log messages (dmesg)

------------  add U2CLI to Domain Users ------------------
root@u2cli:~# mount -t cifs //fs1.carlson.lab/test /mnt/test -o sec=krb5,username=U2CLI$,multiuser

root@u2cli:~# mount | grep fs1
//fs1.carlson.lab/test on /mnt/test type cifs 
(rw,relatime,vers=3.1.1,sec=krb5,cruid=0,cache=strict,multiuser,uid=0,noforceuid,gid=0,noforcegid,addr=192.168.1.52,file_mode=0755,dir_mode=0755,soft,nounix,serverino,mapposix,noperm,rsize=4194304,wsize=4194304,bsize=1048576,echo_interval=60,actimeo=1,closetimeo=1)
root@u2cli:~#

------------------ Full History -------------------------
     1  apt update && apt upgrade
     2  apt install htop qemu-guest-agent mlocate
     3  apt install acl attr samba winbind libpam-winbind libnss-winbind krb5-config krb5-user dnsutils python3-setproctitle smbclient cifs-utils
     4  vi /etc/hosts
     5  cat > /etc/samba/smb.conf
     6  cat > /etc/krb5.conf
     7  net ads join -U peter
     8  pam-auth-update
     9  systemctl restart smbd.service nmbd.service winbind.service
    10  wbinfo --ping-dc
    11  getent passwd CARLSON\\peter
    12  history
    13  getent passwd CARLSON\\peter
    14  vi /etc/nsswitch.conf
    15  getent passwd CARLSON\\peter
    16  mkdir -m 1777 /mnt/test
    17  kinit -V -k U2CLI$
    18  mount -t cifs //fs1.carlson.lab/test /mnt/test -o sec=krb5,username=U2CLI$,multiuser
    19  reboot
    20  mount -t cifs //fs1.carlson.lab/test /mnt/test -o sec=krb5,username=U2CLI$,multiuser
    21  mount | grep fs1
    22  history

--------------- Configs ---------------------------------
root@u2cli:~# cat /etc/samba/smb.conf
[global]
server string = %h server (Samba, Ubuntu)
    log file = /var/log/samba/log.%m
    max log size = 1000
    logging = file
    panic action = /usr/share/samba/panic-action %d

kerberos method = secrets and keytab
realm = CARLSON.LAB
workgroup = CARLSON
template homedir = /home/%U@%D
template shell = /bin/bash
security = ads
idmap config CARLSON : range = 2000000-2999999
idmap config CARLSON : backend = rid
idmap config * : range = 10000-999999
idmap config * : backend = tdb

vfs objects = acl_xattr
map acl inherit = yes

winbind use default domain = no
winbind refresh tickets = yes
winbind offline logon = yes
winbind enum groups = no
winbind enum users = no

apply group policies = yes
root@u2cli:~#
root@u2cli:~#
root@u2cli:~# cat /etc/krb5.conf
[libdefaults]
     default_realm = CARLSON.LAB
     dns_lookup_realm = false
     dns_lookup_kdc = true
root@u2cli:~#
root@u2cli:~#
root@u2cli:~# cat /etc/nsswitch.conf
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         files winbind systemd
group:          files winbind systemd
shadow:         files
gshadow:        files

hosts:          files dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis

