From: steve <steve-dZ4O0aZtNmBWk0Htik3J/w@public.gmane.org>
To: Jeff Layton <jlayton-eUNUBHrolfbYtjvyW6yDsg@public.gmane.org>
Cc: linux-cifs-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
Subject: Re: cifs multiuser sends wrong uid:gid [solved]
Date: Fri, 12 Apr 2013 12:52:32 +0200
Message-ID: <5167E770.10505@steve-ss.com>
In-Reply-To: <20130412062721.4768d904-4QP7MXygkU+dMjc06nkz3ljfA9RmPOcC@public.gmane.org>

On 12/04/13 12:27, Jeff Layton wrote:
> On Fri, 12 Apr 2013 11:20:15 +0200
> steve <steve-dZ4O0aZtNmBWk0Htik3J/w@public.gmane.org> wrote:
>
>> Hi
>> samba 4.0.5
>> openSUSE 12.3 cifs-utils-5.9
>>
>> I have a share:
>> [users]
>> path = /home/users
>> read only = No
>>
>> I mount it as root:
>> h16:/tmp # kinit Administrator
>> Password for Administrator-UiqEU/D402Y@public.gmane.org:
>>
>> hh16:/tmp # klist
>> Ticket cache: FILE:/tmp/krb5cc_0
>> Default principal: Administrator-UiqEU/D402Y@public.gmane.org
>>
>> Valid starting Expires Service principal
>> 04/12/13 11:06:37 04/12/13 21:06:37 krbtgt/HH3.SITE-UiqEU/D402Y@public.gmane.org
>> renew until 04/13/13 11:06:30
>>
>> hh16:/tmp # mount.cifs //hh16.hh3.site/users /mnt --verbose
>> -osec=krb5,multiuser
>> mount.cifs kernel mount options:
>> ip=192.168.1.16,unc=\\hh16.hh3.site\users,sec=krb5,multiuser,user=steve,pass=********
>>
>> .
>> 2013-04-12T11:05:49.678122+02:00 hh16 cifs.upcall: key description:
>> cifs.spnego;0;0;3f000000;ver=0x2;host=hh16.hh3.site;ip4=192.168.1.16;sec=krb5;uid=0x0;creduid=0x0;user=steve;pid=0xaa9
>> 2013-04-12T11:05:49.678807+02:00 hh16 cifs.upcall: ver=2
>> 2013-04-12T11:05:49.678950+02:00 hh16 cifs.upcall: host=hh16.hh3.site
>> 2013-04-12T11:05:49.681949+02:00 hh16 cifs.upcall: ip=192.168.1.16
>> 2013-04-12T11:05:49.681974+02:00 hh16 cifs.upcall: sec=1
>> 2013-04-12T11:05:49.681981+02:00 hh16 cifs.upcall: uid=0
>> 2013-04-12T11:05:49.681986+02:00 hh16 cifs.upcall: creduid=0
>> 2013-04-12T11:05:49.681991+02:00 hh16 cifs.upcall: user=steve
>> 2013-04-12T11:05:49.682443+02:00 hh16 cifs.upcall: pid=2729
>> 2013-04-12T11:05:49.683046+02:00 hh16 cifs.upcall: find_krb5_cc: scandir
>> error on directory '/run/user/0': No such file or directory
>> 2013-04-12T11:05:49.683488+02:00 hh16 cifs.upcall: find_krb5_cc:
>> considering /tmp/krb5cc_1000
>> 2013-04-12T11:05:49.683902+02:00 hh16 cifs.upcall: find_krb5_cc:
>> /tmp/krb5cc_1000 is owned by 1000, not 0
>> 2013-04-12T11:05:49.684385+02:00 hh16 cifs.upcall: find_krb5_cc:
>> considering /tmp/krb5cc_3000034
>> 2013-04-12T11:05:49.684779+02:00 hh16 cifs.upcall: find_krb5_cc:
>> /tmp/krb5cc_3000034 is owned by 3000034, not 0
>> 2013-04-12T11:05:49.685567+02:00 hh16 cifs.upcall: find_krb5_cc:
>> considering /tmp/krb5cc_3000032
>> 2013-04-12T11:05:49.686041+02:00 hh16 cifs.upcall: find_krb5_cc:
>> /tmp/krb5cc_3000032 is owned by 3000032, not 0
>> 2013-04-12T11:05:49.686352+02:00 hh16 cifs.upcall: find_krb5_cc:
>> considering /tmp/krb5cc_0
>> 2013-04-12T11:05:49.686638+02:00 hh16 cifs.upcall: find_krb5_cc:
>> FILE:/tmp/krb5cc_0 is valid ccache
>> 2013-04-12T11:05:49.686919+02:00 hh16 cifs.upcall: handle_krb5_mech:
>> getting service ticket for hh16.hh3.site
>> 2013-04-12T11:05:49.687248+02:00 hh16 cifs.upcall: handle_krb5_mech:
>> obtained service ticket
>> 2013-04-12T11:05:49.687523+02:00 hh16 cifs.upcall: Exit status 0
>>
>>
>> hh16:/tmp # su steve2
>> steve2@hh16:/tmp> kinit steve2
>> Password for steve2-UiqEU/D402Y@public.gmane.org:
>> steve2@hh16:/tmp> cd /mnt/steve2
>> steve2@hh16:/mnt/steve2> touch j
>> touch: cannot touch ‘j’: Permission denied
>> 2
>> 2013-04-12T11:10:48.599379+02:00 hh16 cifs.upcall: key description:
>> cifs.spnego;3000034;20513;3f000000;ver=0x2;host=hh16.hh3.site;ip4=192.168.1.16;sec=krb5;uid=0x2dc6e2;creduid=0x2dc6e2;pid=0xb5a
>> 2013-04-12T11:10:48.599412+02:00 hh16 cifs.upcall: ver=2
>> 2013-04-12T11:10:48.601816+02:00 hh16 cifs.upcall: host=hh16.hh3.site
>> 2013-04-12T11:10:48.601840+02:00 hh16 cifs.upcall: ip=192.168.1.16
>> 2013-04-12T11:10:48.601847+02:00 hh16 cifs.upcall: sec=1
>> 2013-04-12T11:10:48.601852+02:00 hh16 cifs.upcall: uid=3000034
>> 2013-04-12T11:10:48.601857+02:00 hh16 cifs.upcall: creduid=3000034
>> 2013-04-12T11:10:48.602956+02:00 hh16 cifs.upcall: pid=2906
>> 2013-04-12T11:10:48.602978+02:00 hh16 cifs.upcall: find_krb5_cc: scandir
>> error on directory '/run/user/3000034': No such file or directory
>> 2013-04-12T11:10:48.603432+02:00 hh16 cifs.upcall: find_krb5_cc:
>> considering /tmp/krb5cc_1000
>> 2013-04-12T11:10:48.604677+02:00 hh16 cifs.upcall: find_krb5_cc:
>> /tmp/krb5cc_1000 is owned by 1000, not 3000034
>> 2013-04-12T11:10:48.605262+02:00 hh16 cifs.upcall: find_krb5_cc:
>> considering /tmp/krb5cc_3000034
>> 2013-04-12T11:10:48.605779+02:00 hh16 cifs.upcall: find_krb5_cc:
>> FILE:/tmp/krb5cc_3000034 is valid ccache
>> 2013-04-12T11:10:48.607568+02:00 hh16 cifs.upcall: find_krb5_cc:
>> considering /tmp/krb5cc_3000032
>> 2013-04-12T11:10:48.608414+02:00 hh16 cifs.upcall: find_krb5_cc:
>> /tmp/krb5cc_3000032 is owned by 3000032, not 3000034
>> 2013-04-12T11:10:48.608948+02:00 hh16 cifs.upcall: find_krb5_cc:
>> considering /tmp/krb5cc_0
>> 2013-04-12T11:10:48.609470+02:00 hh16 cifs.upcall: find_krb5_cc:
>> /tmp/krb5cc_0 is owned by 0, not 3000034
>> 2013-04-12T11:10:48.610854+02:00 hh16 cifs.upcall: handle_krb5_mech:
>> getting service ticket for hh16.hh3.site
>> 2013-04-12T11:10:48.615154+02:00 hh16 cifs.upcall: handle_krb5_mech:
>> obtained service ticket
>> 2013-04-12T11:10:48.615189+02:00 hh16 cifs.upcall: Exit status 0
>> hh16:/tmp #
>>
>> That seems fine except that the wrong uid:gid has been sent to the mount
>> for steve2 so he can't write to his cifs mounted folder.
>>
>> To investigate this, I made his folder 0777 and then created a file in
>> the share:
>>
>> hh16:/home/users # chmod 0777 steve2/
>> hh16:/home/users # su steve2
>> steve2@hh16:/home/users> cd /mnt/steve2
>> steve2@hh16:/mnt/steve2> touch testfile
>> steve2@hh16:/mnt/steve2> ls -l
>> total 1024
>> -rw-r--r-- 1 steve2 Domain Users 0 Apr 12 09:58 j
>> -rwxrwxr-x+ 1 3000019 users 0 Apr 12 11:14 testfile
>>
>> cifs has sent 3000019:100 as the uid:gid. It should send 3000034:20513.
>>
>> Question:
>> - why is user=steve specified on the mount command? (I am unix user
>> steve. steve2 is a domain user, but I'm doing the mount as root)
> Probably because you're su'ing to root without clearing your
> environment. If you don't specify a username, then mount.cifs will
> scrape the value of $USER out of your environment and stuff that into
> the field. It really matters little here though -- the username is
> ignored when you use kerberos. All that matters is the ticket.
>
>> - What am I doing wrong?
> At first glance, I have to wonder whether "steve2" is mapped to the
> same uid on the client and server. It seems likely that on the client
> that this krb5 user maps to 3000034, but on the server it maps to
> 3000019.
>
Hi Jeff
Yes. That was it. The server got the uid from idmap.ldb and the client 
from AD. Or maybe the other way around. Anyway, I tried to force this with:
idmap_ldb use:rfc2307 = Yes
but that's the wrong syntax; but not identified by testparm:(

So, for the record, to pull uid:gid from AD and _not_ idmap:
[global] in smb.conf needs this syntax:
idmap_ldb:use rfc2307 = Yes

Personally, I think that all uid:gid should come from AD by default.

Thanks for your time,
Steve
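
The client/server uid mismatch diagnosed in this thread can be checked mechanically. The following is an added example, not part of the original message or of cifs-utils: it decodes the cifs.upcall key description from the quoted log and compares its creduid with the numeric owner that ls -l showed on the mount. The function names are illustrative.

```python
# Added example: compare the uid the client kernel put in the cifs.spnego
# upcall with the owner the server assigned to a file created over the mount.

# Both samples are copied from the log and the listing quoted in this thread.
KEY_DESC = ("cifs.spnego;3000034;20513;3f000000;ver=0x2;host=hh16.hh3.site;"
            "ip4=192.168.1.16;sec=krb5;uid=0x2dc6e2;creduid=0x2dc6e2;pid=0xb5a")
LS_LINE = "-rwxrwxr-x+ 1 3000019 users 0 Apr 12 11:14 testfile"


def parse_key_description(desc):
    """Split 'type;uid;gid;perm;k=v;k=v...' into a dict with decoded integers."""
    ktype, uid, gid, perm, *pairs = desc.split(";")
    out = {"type": ktype, "key_uid": int(uid), "key_gid": int(gid), "perm": perm}
    for pair in pairs:
        name, _, value = pair.partition("=")
        # ver, uid, creduid and pid are logged as 0x-prefixed hex
        out[name] = int(value, 16) if value.startswith("0x") else value
    return out


def ls_owner(ls_line):
    """Return the owner column of an 'ls -l' line (a name or a bare number)."""
    return ls_line.split()[2]


def check_mapping(desc, ls_line):
    """Report whether the file owner matches the uid that requested the ticket."""
    key = parse_key_description(desc)
    owner = ls_owner(ls_line)
    client_uid = key["creduid"]
    if not owner.isdigit():
        # The client resolved the owner to a name, so it knows this id.
        return ("resolved", client_uid, owner)
    server_uid = int(owner)
    status = "match" if server_uid == client_uid else "mismatch"
    return (status, client_uid, server_uid)


if __name__ == "__main__":
    status, client_uid, server_uid = check_mapping(KEY_DESC, LS_LINE)
    print(f"{status}: client uid {client_uid}, owner on share {server_uid}")
```

A bare number in the owner column means the client could not resolve the id the server reported, which is the symptom of the two sides drawing uids from different sources.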
