[Samba] permission denied with windows acls
Peter Carlson
peter at howudodat.com
Sun Jan 28 20:18:34 UTC 2024
OK, so I started with a clean slate and got the same result: the mount only
works if I add the computer account to Domain Users. This is smbd version 4.15.13-Ubuntu.
root at u2cli:~# getent passwd CARLSON\\peter
CARLSON\peter:*:2001107:2000513::/home/peter@CARLSON:/bin/bash
root at u2cli:~# mkdir -m 1777 /mnt/test
root at u2cli:~# kinit -V -k U2CLI$
Using default cache: /tmp/krb5cc_0
Using principal: U2CLI$@CARLSON.LAB
Authenticated to Kerberos v5
root at u2cli:~# mount -t cifs //fs1.carlson.lab/test /mnt/test -o
sec=krb5,username=U2CLI$,multiuser
mount error(13): Permission denied
Refer to the mount.cifs(8) manual page (e.g. man mount.cifs) and kernel
log messages (dmesg)
root at u2cli:~# reboot
root at u2cli:~# mount -t cifs //fs1.carlson.lab/test /mnt/test -o
sec=krb5,username=U2CLI$,multiuser
mount error(13): Permission denied
Refer to the mount.cifs(8) manual page (e.g. man mount.cifs) and kernel
log messages (dmesg)
------------ after adding the U2CLI computer account to Domain Users, the same mount succeeds ------------------
root at u2cli:~# mount -t cifs //fs1.carlson.lab/test /mnt/test -o
sec=krb5,username=U2CLI$,multiuser
root at u2cli:~# mount | grep fs1
//fs1.carlson.lab/test on /mnt/test type cifs
(rw,relatime,vers=3.1.1,sec=krb5,cruid=0,cache=strict,multiuser,uid=0,noforceuid,gid=0,noforcegid,addr=192.168.1.52,file_mode=0755,dir_mode=0755,soft,nounix,serverino,mapposix,noperm,rsize=4194304,wsize=4194304,bsize=1048576,echo_interval=60,actimeo=1,closetimeo=1)
root at u2cli:~#
------------------ Full History -------------------------
1 apt update && apt upgrade
2 apt install htop qemu-guest-agent mlocate
3 apt install acl attr samba winbind libpam-winbind libnss-winbind
krb5-config krb5-user dnsutils python3-setproctitle smbclient cifs-utils
4 vi /etc/hosts
5 cat > /etc/samba/smb.conf
6 cat > /etc/krb5.conf
7 net ads join -U peter
8 pam-auth-update
9 systemctl restart smbd.service nmbd.service winbind.service
10 wbinfo --ping-dc
11 getent passwd CARLSON\\peter
12 history
13 getent passwd CARLSON\\peter
14 vi /etc/nsswitch.conf
15 getent passwd CARLSON\\peter
16 mkdir -m 1777 /mnt/test
17 kinit -V -k U2CLI$
18 mount -t cifs //fs1.carlson.lab/test /mnt/test -o
sec=krb5,username=U2CLI$,multiuser
19 reboot
20 mount -t cifs //fs1.carlson.lab/test /mnt/test -o
sec=krb5,username=U2CLI$,multiuser
21 mount | grep fs1
22 history
--------------- Configs ---------------------------------
root at u2cli:~# cat /etc/samba/smb.conf
[global]
server string = %h server (Samba, Ubuntu)
log file = /var/log/samba/log.%m
max log size = 1000
logging = file
panic action = /usr/share/samba/panic-action %d
kerberos method = secrets and keytab
realm = CARLSON.LAB
workgroup = CARLSON
template homedir = /home/%U@%D
template shell = /bin/bash
security = ads
idmap config CARLSON : range = 2000000-2999999
idmap config CARLSON : backend = rid
idmap config * : range = 10000-999999
idmap config * : backend = tdb
vfs objects = acl_xattr
map acl inherit = yes
winbind use default domain = no
winbind refresh tickets = yes
winbind offline logon = yes
winbind enum groups = no
winbind enum users = no
apply group policies = yes
root at u2cli:~#
root at u2cli:~#
root at u2cli:~# cat /etc/krb5.conf
[libdefaults]
default_realm = CARLSON.LAB
dns_lookup_realm = false
dns_lookup_kdc = true
root at u2cli:~#
root at u2cli:~#
root at u2cli:~# cat /etc/nsswitch.conf
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.
passwd: files winbind systemd
group: files winbind systemd
shadow: files
gshadow: files
hosts: files dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis