[Samba] permission denied with windows acls

Peter Carlson peter at howudodat.com
Tue Jan 30 00:42:20 UTC 2024


On 1/29/24 13:08, Rowland Penny via samba wrote:
> On Mon, 29 Jan 2024 12:51:37 -0800
> Peter Carlson via samba<samba at lists.samba.org>  wrote:
>
>
>> Just did a quick test, the big T comes after setting permissions in
>> windows
>>
>> root@fs1:/var/log# cd /data
>> root@fs1:/data# mkdir -m 1777 test2
> No it doesn't, you are setting it.
>
> I set the permissions on the share directory like this:
>
> mkdir -p /srv/mtest1
> chown root:"Domain Admins" /srv/mtest1
> chmod 0770 /srv/mtest1
>
> Which is what it shows here:
>
> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
>
>> root@fs1:/data# chown root:"CARLSON\\domain admins" test2
>> root@fs1:/data# vi /etc/samba/smb.conf
>> root@fs1:/data# systemctl restart smbd.service
>> root@fs1:/data# ls -ald /data/*
>> drwxrwx--T+ 4 root CARLSON\domain admins 4096 Jan 26 16:13 /data/test
>> drwxrwxrwt  2 root CARLSON\domain admins 4096 Jan 29 20:43 /data/test2
> No, I take it back (slightly), you set the permissions with 't' (which
> shows the sticky bit is set) and then when you change the permissions
> from Windows, acl_xattr removes the 'rwx' from 'others', this changes
> the 't' to a 'T'
>
> At least that is what I think is happening.
>
> The cure, stop setting the permissions to '1777' in the first place,
> use '0770'
>
> Rowland
>
OK, so I reset it and used mode 0770, and it still doesn't mount without
domain users (or computers) as a permission.

root@fs1:/data# rm -fr test2
root@fs1:/data# mkdir -m 0777 test2
root@fs1:/data# chown root:"CARLSON\\domain admins" test2
root@fs1:/data# ls -ald /data/*
drwxrwx--T+ 4 root CARLSON\domain admins 4096 Jan 26 16:13 /data/test
drwxrwx---+ 2 root CARLSON\domain admins 4096 Jan 30 00:30 /data/test2

---------------  Set Windows ACLs ---------------------

Jan 30 00:34:43 U2CLI2 cifs.upcall: handle_krb5_mech: getting service ticket for fs1.carlson.lab
Jan 30 00:34:43 U2CLI2 cifs.upcall: handle_krb5_mech: obtained service ticket
Jan 30 00:34:43 U2CLI2 cifs.upcall: Exit status 0
Jan 30 00:34:43 U2CLI2 kernel: [   20.357105] CIFS: VFS: cifs_mount failed w/return code = -13
Jan 30 00:34:43 U2CLI2 mount[652]: mount error(13): Permission denied
Jan 30 00:34:43 U2CLI2 mount[652]: Refer to the mount.cifs(8) manual page (e.g. man mount.cifs) and kernel log messages (dmesg)
Jan 30 00:34:43 U2CLI2 systemd[1]: mnt-test2.mount: Mount process exited, code=exited, status=32/n/a
Jan 30 00:34:43 U2CLI2 systemd[1]: mnt-test2.mount: Failed with result 'exit-code'.
Jan 30 00:34:43 U2CLI2 systemd[1]: Failed to mount /mnt/test2.
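
The 't' versus 'T' display discussed in the quoted reply, as an added example that is not part of the original thread: it reproduces the mode strings on a temporary directory and flags the bits that matter on a share root. The directory name, the function names and the plain chmod standing in for the Windows ACL change are assumptions; no Samba code is involved.

```python
import os
import stat
import tempfile


def mode_string(path):
    """Return the ls-style mode string for path, e.g. 'drwxrwx--T'."""
    return stat.filemode(os.lstat(path).st_mode)


def share_root_findings(path):
    """Flag the mode bits on a share root that this thread is about."""
    mode = os.lstat(path).st_mode
    findings = []
    if mode & stat.S_IWOTH:
        findings.append("world-writable")
    if mode & stat.S_ISVTX:
        if mode & stat.S_IXOTH:
            findings.append("sticky, shown as 't'")
        else:
            # Sticky bit still set, but others lost execute: ls prints 'T'.
            findings.append("sticky without others-execute, shown as 'T'")
    return findings


def demo():
    """Constructed sequence: 1777, then others' rwx removed, then plain 0770."""
    results = []
    with tempfile.TemporaryDirectory() as base:
        share = os.path.join(base, "test2")  # hypothetical name, mirrors the thread
        os.mkdir(share)
        for bits in (0o1777, 0o1770, 0o0770):
            os.chmod(share, bits)  # explicit chmod, so the umask plays no part
            results.append((oct(bits), mode_string(share), share_root_findings(share)))
    return results


if __name__ == "__main__":
    for bits, text, findings in demo():
        print(bits, text, findings or ["nothing flagged"])
```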

