Web lists-archives.com

Re: [Samba] mount.cfs mount error(13): Permission denied




On 4/22/19 2:01 PM, Paul Griffith via samba wrote:
On 4/22/19 10:18 AM, Rowland Penny via samba wrote:
On Mon, 22 Apr 2019 09:48:31 -0400
Paul Griffith via samba <samba@xxxxxxxxxxxxxxx> wrote:

Hi All,

     I am running into an issue mounting a Samba share from our Linux
server. We are running Samba 4.8.8 on CentOS  7.6.1810. I have done a
some testing, and I can't get the root cause of the error.

Testing:

CentOS 7.6 client -> Samba server, mounting fails - mount.cfs mount
error(13): Permission denied
CentOS 7.6 client -> Win10 desktop share, mounting works

Fedora 29 client  -> Samba  server, mounting fails - mount.cfs mount
error(13): Permission denied
Fedora 29 client  -> Win10 desktop share, mounting works

Are you using sssd ?

If so, then I suggest asking on the sssd-users mailing list, Samba
isn't doing the authentication.

If you aren't using sssd, then the Unix domain members smb.conf is
missing all the 'idmap config' lines, see here:

https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member

Rowland

Thank you Rowland,

We are not using sssd, I was handed this Samba server. It  seems I some home work to do to make it work


Paul


I went away and followed the wiki on setting up Samba as a Domain Member. Connecting from Windows works. Linux is another story, it doesn't work. Updated Samba config at the end of the e-mail.

sudo mount -t cifs //xxx.xxx.yorku.ca/homes /tmp/1 -o user=paulg,domain=ad.xxxx.yorku.ca,uid=2381,gid=1000
[sudo] password for paulg:
Password for paulg@//xxx.xxxx.yorku.ca/homes:  *********
mount error(2): No such file or directory
Refer to the mount.cifs(8) manual page (e.g. man mount.cifs)


I don't undertand this error in the log file

SID S-1-5-21-1981678738-1545235886-4256466701-2508 -> getpwuid(12508) failed

The wbinfo command line util works as expected.

wbinfo -s 'S-1-5-21-1981678738-1545235886-4256466701-2508'
XXXXYORKUCA\paulg 1


A similar post on https://serverfault.com/questions/848660/samba-login-failure-getpwuid-failed points to SSSD as a solution.  I guess something is missing in my config file or sssd is causing a conflict.


I don't have sss in /etc/nsswitch.conf, do I still need to remove all SSSD rpms from my system to make windbind work?

rpm -qa | grep -i sssd
sssd-proxy-1.16.2-13.el7_6.5.x86_64
sssd-client-1.16.2-13.el7_6.5.x86_64
sssd-ad-1.16.2-13.el7_6.5.x86_64
sssd-krb5-common-1.16.2-13.el7_6.5.x86_64
sssd-krb5-1.16.2-13.el7_6.5.x86_64
sssd-ipa-1.16.2-13.el7_6.5.x86_64
sssd-common-1.16.2-13.el7_6.5.x86_64
sssd-1.16.2-13.el7_6.5.x86_64
sssd-ldap-1.16.2-13.el7_6.5.x86_64
sssd-common-pac-1.16.2-13.el7_6.5.x86_64
python-sssdconfig-1.16.2-13.el7_6.5.noarch



check_ntlm_password:  Checking password for unmapped user [ad.xxx.xxx.ca]\[paulg]@[] with the new password interface
check_ntlm_password:  mapped user is: [ad.xxxx.yorku.ca]\[paulg]@[]
auth_check_ntlm_password: winbind authentication for user [paulg] succeeded
 Auth: [SMB2,(null)] user [ad.xxxx.yorku.ca]\[paulg] at [Mon, 29 Apr 2019 10:48:33.964845 EDT] with [NTLMv2] status [NT_STATUS_OK] workstation [] remote host [ipv4:130.63.xx.xxx52088] became [XXXXXXXX\[paulg] [S-1-5-21-1981678738-1545235886-4256466701-2508]. local host [ipv4:130.63.XX.XX:445]   {"timestamp": "2019-04-29T10:48:33.965180-0400", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 0}, "status": "NT_STATUS_OK", "localAddress": "ipv4:130.63.XX.XX:445", "remoteAddress": "ipv4:130.63.XX.XX:52088", "serviceDescription": "SMB2", "authDescription": null, "clientDomain": "ad.eecs.yorku.ca", "clientAccount": "paulg", "workstation": "", "becameAccount": "paulg", "becameDomain": "XXXXXXXX", "becameSid": "S-1-5-21-1981678738-1545235886-4256466701-2508", "mappedAccount": "paulg", "mappedDomain": "ad.eecs.yorku.ca", "netlogonComputer": null, "netlogonTrustAccount": null, "netlogonNegotiateFlags": "0x00000000", "netlogonSecureChannelType": 0, "netlogonTrustAccountSid": null, "passwordType": "NTLMv2", "duration": 22122}} [2019/04/29 10:48:33.965387,  2, pid=3487, effective(0, 0), real(0, 0)] ../source3/auth/auth.c:316(auth_check_ntlm_password)   check_ntlm_password:  authentication for user [paulg] -> [paulg] -> [paulg] succeeded [2019/04/29 10:48:33.968098,  1, pid=3487, effective(0, 0), real(0, 0)] ../source3/auth/token_util.c:561(add_local_groups)   SID S-1-5-21-1981678738-1545235886-4256466701-2508 -> getpwuid(12508) failed [2019/04/29 10:48:33.968175,  3, pid=3487, effective(0, 0), real(0, 0)] ../source3/auth/token_util.c:400(create_local_nt_token_from_info3)
  Failed to add local groups
[2019/04/29 10:48:33.968252,  3, pid=3487, effective(0, 0), real(0, 0)] ../source3/smbd/smb2_server.c:3195(smbd_smb2_request_error_ex)   smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_UNSUCCESSFUL] || at ../source3/smbd/smb2_sesssetup.c:137 [2019/04/29 10:48:34.097050,  3, pid=3487, effective(0, 0), real(0, 0)] ../source3/smbd/server_exit.c:237(exit_server_common)
  Server exit (NT_STATUS_END_OF_FILE)


---- files server ----
[global]
security = ADS
workgroup = ONEEXAMPLECA
realm = AD.ONE.EXAMPLE.CA
server string = Samba Server
hostname lookups = yes

# Default ID mapping configuration for local BUILTIN accounts
# and groups on a domain member. The default (*) domain:
# - must not overlap with any domain ID mapping configuration!
# - must use a read-write-enabled back end, such as tdb.
idmap config * : backend = tdb
idmap config * : range = 3000-7999
# - You must set a DOMAIN backend configuration
# idmap config for the ONEEXAMPLECA domain
idmap config ONEEXAMPLECA : backend = rid
idmap config ONEEXAMPLECA : range = 10000-999999

winbind use default domain = yes
local master = No

#log files
debug timestamp = yes
debug uid = yes
debug pid = yes
debug level = 3
max log size = 0

username map = /xconf/samba/usermap

#ip networking
max connections = 0
interfaces = 127.0.0.1 130.xx.xx.xx
bind interfaces only = yes

#printing
load printers = no
printcap name = /xconf/lprng/printcap
printing = bsd
print command = /xsys/bin/lpr -b -P%p %s ; rm -f %s
lpq command = /xsys/bin/lpq -P%p
lprm command = /xsys/bin/lprm -P%p %j
use client driver = yes


# Template settings for login shell and home directory
template shell = /bin/bash
template homedir = /eecs/home/%U

# security settings
guest account = nobody
invalid users = root
nt acl support = yes
inherit permissions = yes
client lanman auth = no
client ntlmv2 auth = yes
wide links = no
unix extensions = no


[homes]
comment = Home Directories
browseable = yes
read only = no
valid users = %S
csc policy = disable
invalid users = activ8
oplocks = no
level2 oplocks = no
strict locking = no
posix locking = no

Thanks
Paul


--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba