
Re: [Samba] Samba CIFS Mounts with Kerberos Security: Write Access denied




On 06.11.2018 at 09:37, Kraus, Sebastian via samba wrote:
Hi all,


I am testing different setups for Samba home share mounts via the CIFS protocol on Linux clients with and without Kerberos security (both krb5 and krb5i). I am experiencing some strange behaviour in case of Kerberos authentication:

In case of mounts (by root or the user itself) without Kerberos security (only NTLMv2 authentication), local root and the owning user on the Linux client are granted read and write access for the files within the mounted tree. However, while using Kerberos security, every user - even the owner of the files on the mount - is denied write access to the files on the mount. Reading access is still granted as expected/supposed.

The logging for the client machine on the Samba server side shows errors of the following type, while a user owned smbd process tries to access files in a writing manner:


[2018/11/06 08:39:49.839769,  5, pid=15886, effective(1166435, 8875), real(1166435, 0)] ../source3/smbd/open.c:317(check_parent_access)
   check_parent_access: access check on directory . for path yess for mask 0x2 returned (0x2) NT_STATUS_ACCESS_DENIED
[...]
[2018/11/06 08:39:49.840334,  3, pid=15886, effective(1166435, 8875), real(1166435, 0)] ../source3/smbd/error.c:82(error_packet_set)
   NT error packet at ../source3/smbd/error.c(165) cmd=50 (SMBtrans2) NT_STATUS_ACCESS_DENIED


Any suggestions about the possible root cause of the problem?

Hi

We had problems too: while upgrading to Ubuntu 18.04, the behaviour of cifs-upcall and Kerberos tickets changed; "perhaps" this is your problem too.

If you want to do a CIFS (auto)mount with Kerberos, check the logs for how cifs-upcall looks for your Kerberos tickets.

A ticket looks, e.g., like this:

/tmp/krb5cc_3449004_1Kyv9d

where 3449004 is the uid.

cifs upcall on Ubuntu 16.04 "searches" for the "right" ticket:

Nov 6 10:21:51 tueilnt-lab11 cifs.upcall: find_krb5_cc: FILE:/tmp/krb5cc_3449004_WOMgon is valid ccache

In Ubuntu 18.04 it's hardcoded to look only for krb5cc_3449004:

 cifs.upcall: get_existing_cc: default ccache is FILE:/tmp/krb5cc_3449004


Regards


Best

Sebastian



Sebastian Kraus
Team IT am Institut für Chemie
Gebäude C, Straße des 17. Juni 115, Raum C7

Technische Universität Berlin
Fakultät II
Institut für Chemie
Sekretariat C3
Straße des 17. Juni 135
10623 Berlin

Email: sebastian.kraus@xxxxxxxxxxxx



--
[*] sys4 AG

https://sys4.de, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG,80333 München

Registered office: München, District court München: HRB 199263
Executive board: Patrick Ben Koetter, Marc Schiffbauer, Wolfgang Stief
Chairman of the supervisory board: Florian Kirstein
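
The lookup difference described in the reply above can be checked on a client with a short script. This is an added example, not part of the original thread or of cifs-utils; it assumes FILE: caches named krb5cc_<uid> or krb5cc_<uid>_<suffix> in one directory, as in the message, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: compare the ccache files present for a uid with the lookup
# that the cifs.upcall log lines quoted in the thread show.
# Assumption: caches are named krb5cc_<uid> or krb5cc_<uid>_<suffix>.

# ccache_state DIR UID -> prints "default", "suffixed-only" or "none"
ccache_state() {
    dir=$1; uid=$2
    if [ -f "$dir/krb5cc_$uid" ]; then
        echo default
        return 0
    fi
    for f in "$dir/krb5cc_${uid}_"*; do
        if [ -f "$f" ]; then      # an unmatched glob stays literal and fails -f
            echo suffixed-only
            return 0
        fi
    done
    echo none
}

# upcall_lookup: reads syslog lines on stdin and prints the lookup shown by the
# last cifs.upcall line: "search" (find_krb5_cc), "default" (get_existing_cc)
upcall_lookup() {
    awk '/cifs\.upcall: find_krb5_cc:/    { m = "search" }
         /cifs\.upcall: get_existing_cc:/ { m = "default" }
         END { print (m == "" ? "unknown" : m) }'
}

# diagnose DIR UID < syslog: flag the case where only suffixed caches exist
# but cifs.upcall asks for the default cache name only
diagnose() {
    state=$(ccache_state "$1" "$2")
    mode=$(upcall_lookup)
    if [ "$mode" = default ] && [ "$state" = suffixed-only ]; then
        echo "MISMATCH: uid $2 has only suffixed caches, cifs.upcall uses the default name"
    else
        echo "OK: lookup=$mode ccache=$state"
    fi
}

# Demo on constructed input: a temp dir holding only a suffixed cache, and a
# log line in the get_existing_cc form quoted in the thread.
demo_dir=$(mktemp -d)
: > "$demo_dir/krb5cc_3449004_1Kyv9d"
echo 'cifs.upcall: get_existing_cc: default ccache is FILE:/tmp/krb5cc_3449004' |
    diagnose "$demo_dir" 3449004
rm -rf "$demo_dir"
```

File presence does not show that the tickets are still valid; `klist -s <cache>` reports that through its exit status.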
